Crapification, Vanguard Style: Customer Service Rep Bullies Your Humble Blogger into Taking Security Risk

Today we have another small case study in crapification, and this time, from Vanguard, a company that has no excuse.

Asset management is a particularly secure business if management doesn’t screw it up. Admittedly, it does have significant scale economies, which means a dominant player like Vanguard already has huge economic advantages. Retail asset managers also have exceptionally sticky customers. Fund managers like Vanguard that focus on passive strategies aren’t subject to investment pickers having a bad run and customers fleeing as performance flags; they compete based on replicating the index at the lowest cost and providing decent service.

And with the Fed highly attentive to the perceived importance of propping up asset prices, fund complexes like Vanguard suffered only a dip in revenues when asset values fell in March, but even in April, it had net investor inflows. And yes, every company that runs call centers has had to figure out how to minimize Covid-19 risk which has often meant having employees work from home. But Vanguard certainly sorted out its Covid-19 adaptations months ago.

Yours truly has been a Vanguard customer for a very long time, both directly and for the last nearly 15 years also as a limited agent on my mother’s account. I would just about never need any service from Vanguard, and it was usually of the “Where do I find this form on your site?” sort.

Moreover, since those queries were related to my IRAs, I knew the drill. Call during hours when IRA specialists were available. Allow for two normally not-long wait times, since even if you call on the theoretical IRA number, customers get validated first, then passed on to an IRA specialist.

Heretofore, I never had anything to complain about. The waits were never noteworthy. Vanguard phone reps all seemed intelligent and well versed in their various areas of expertise, and would provide regulatory information when germane.

Yesterday, the Vanguard experience made dealing with airlines during a major snowstorm look good. It took four calls that per my phone records took over an hour and a half to have Vanguard identify which form I needed to complete to execute a non-standard instruction (the rep I eventually got admittedly did pre-complete the form for my review and submission). Note what time of year this is: the dead of summer, on a Thursday, not near any IRS filing deadlines.

And the only reason I got through on the fourth attempt was I called on the Flagship (elite customer) line, using my mother’s ID to get through to a human being.1 If my account was not linked to a Flagship account, I doubt I ever would have gotten to anyone.

And when I finally got to an IRA agent, he was arrogant and incompetent about IT security issues that were clearly Vanguard IT issues of a seriousness that I have never seen on any other financial services website. When I said he needed to report them, he told me he wouldn’t.

Specifically, on the first three failed calls, I had first to deal with Vanguard’s horribly designed automated prompt system, which you can’t get past even though they have only five limited, dopey options that were not even close to my situation. Oh, and they wanted my voiceprint, which I had to reject too.2

That guarantees you won’t get to the right rep. Only one time, on the first call, when I chose the least bad fit, I did get a person, who sent me over supposedly to get another person, but that line rang for over twenty minutes before I gave up.

The second two times I tried the automated prompt system, using the same response that had at least gotten me to a human before I went into forward hell, I got put through to dead air and hung up after a few minutes. I’m now about 45 minutes into this ordeal. I then call the Flagship line.

Even with Flagship, I had to wait more than five minutes to get to a first line rep. I complained to him. He said he would stay on the line with me even though it would go silent (he said he would check in periodically), that it looked like it would take another eight minutes. This wait was a tad shorter than that.

When I finally got to the IRA rep, I explained my problem. He said I needed to send in a completed instruction form which it would take Vanguard seven days to execute. The form was a bit complicated so he said he would fill it out, load it in my personal account Messages section, and I could review it and submit it. He said he would stay online while I looked at it, presumably in case it needed to be redone.

This is where the fun started. Safari is my main browser and I keep Firefox open too.

I have Vanguard as a “favorite” in Safari so I clicked on that to go to Vanguard. Instead of going to the address in my browser, “www.vanguard.com,” I was redirected to “https://investor.vanguard.com/corporate-portal/” AND got a security warning, that the certificate expired, and that this site might be imitating “https://investor.vanguard.com/corporate-portal/” to steal my data.

I told the rep what has happened and that I couldn’t proceed and risk exposing my login and password to a possible phishing site. He starts treating me like a dingbat, that this was clearly my problem and had nothing to do with Vanguard.

I then went to Firefox, put “vanguard.com” as the URL and again get redirected, as my Firefox history shows:

I quickly opened Chrome, tried again and got the same result. I told the Vanguard agent the redirect was happening in three different browsers and any who cared about security would be alarmed, particularly given that this was happening in concert with popup alerts from my browsers that these looked like impersonator sites. I also read the URL out to him. He was not interested and made it clear he thought I was an idiot (not so much with his choice of words as with his annoyed and patronizing tone), and added (and this is close to a direct quote) “I don’t have this problem, this is your browser.”3

I told him I could take screenshots and show him how I was getting redirects and security warnings. He again said that he couldn’t receive any e-mails and in any event it didn’t matter, this was my issue, he’d never had any problem like this and he could pull up the Vanguard site just fine.

I try explaining that Vanguard likely has distributed servers to manage the load and what he gets therefore can have nothing to do with what I get. He cut me off and continued to convey that I must be a moron:

Vanguard: “Open Google and search for Vanguard.”

Me: “That won’t change anything.”

Vanguard: “Just do what I say.”

I searched and of course was proven correct:

I clicked through on the second link, after telling him the first link, the ad, showed “investor.vanguard.com” but not the “corporate portal” bit I kept seeing on my redirects. That continued not to interest him.

The Google “vanguard.com” link took me straight back to “https://investor.vanguard.com/corporate-portal/.” I told him and he was clearly angry. “I just used Bing and I’m not having any issue.” I told him he needed to report this problem and he said he wouldn’t.

He then insisted I find a way to click through to a login page. I informed him again I’d gotten warnings this might be a site trying to steal my credentials. He insisted I go ahead. I never would have done this except my accountant had told me I needed this done this week, which was news to me, and I didn’t have any assurance things would be any better with Vanguard on Friday, let alone that I’d be able to get a live IRA person again.

I went back to Safari. I had to override the security warning to click to the next page. I had to override the security warning a second time to log in. And I had to override it a third time, after I had logged in, on the splash page they stuck in my face about signing up for paperless services.

I have been accessing financial services sites for over 20 years, including executing trades at Vanguard, and regularly from non-big-city locations (Alabama and rural Maine). I have never gotten a security warning before, let alone repeated ones in combination with a persistent redirect. Now this all turned out to be OK, even though there’s no good explanation for the redirect. The certificate was likely a stale certificate on a distributed server, but Vanguard should not be stinting on IT to have this happen.

And remember I had come through on an account linked to a Flagship account. Anyone who had gotten my user ID and password could have drained my funds and likely figured out how to go after my mother’s money. And even if this wasn’t a not trivial amount of money, an institution like Vanguard should be operating on the assumption that the funds it holds are a large percentage and maybe all of that customer’s net worth, and should be treated as significant regardless of the dollar amount. That is what being a fiduciary means.

Instead, I was confronted with a bullying rep who dismissed signs in combination that raised genuine red flags of a bona fide, serious security risk. He did not come to his conclusion based on any knowledge of the IT issue (he also cut me off when I told him I had had top Chief Information Officers as clients and was not unknowledgeable) but simply based on his personal experience, which was irrelevant to what I was seeing. He refused to believe what I said and pressed me to take unreasonable risks based on the fact set. It should not have been hard for him to put me on hold and confer with an IT or security expert. Instead, he pushed me to risk my account safety, and by doing so, my and my mother’s money, out of his ego and ignorance.

If you are considering Vanguard, don’t. Find another broker and fund family. I would leave except it would take time I don’t have. And Vanguard knows most people like me have time or hassle reasons that means they’ll tolerate abuse rather than vote with their feet.

____

1 Before you draw the wrong conclusion, virtually all her funds are in an IRA, so it’s pretax. And she is paying for hot and cold running health care aides.

2 What is wrong with these people? There is now technology that can replicate a voice with a clip under ten seconds. Anyone with a voicemail recording is exposed even before you get to people who’ve been on radio, TV, or in a clip on YouTube.

3 I later checked this out with my webhost. He of course confirmed what I knew, that there was no way this was my computer or three browsers all misbehaving in exactly the same way, which is what Vanguard dude kept insisting. My host did say there was a tiny possibility that my ISP was caching pages from Vanguard and the one they had had an expired certificate. I said my ISP was AT&T. My host said, “No way then. AT&T has tons of bandwidth. This isn’t what they do. It’s the sort of thing that could happen with Comcast.”


65 comments

  1. Clive

    I checked out their SSL certificate on their webserver (at least the one I got load-balanced onto in Europe, it’s unlikely the US ones will differ, even if they go to the trouble of hosting in Europe and for a US-based provider like Vanguard I doubt very much they’d go to that trouble so I’ll get the same webserver hosts most likely that Yves got landed on) — it was created July 6th. So I’ll bet they were late in installing it on all their web servers or they missed some out of their patching cycle. If they were running with an expired certificate, Yves would have got exactly the error described.

    No way should a financial institution get a report from a customer saying there was a security problem on their site and just, not in so many words, tell you to take a hike. Even at my lumpen, hopeless TBTF, we take customer-reported error messages seriously and they get an incident raised and at least investigated (we ask the customer to take screenshots and send them in). Put it this way, if you’ve been hijacked or spoofed, your customers are probably the first group of users to be aware of it. You almost certainly won’t be, because if it’s your own website, you’ll not get externally routed to it, you’ll get a view of it from within your own corporate network boundary. Not the public internet.

    Sadly this is an example of an increasingly business-as-usual pattern: business hating their customers. Any semblance of customer service is a rarity. If you have the temerity to be a nuisance to the provider of the services you’ve bought and paid for be prepared to be subject to an obstacle-course of microaggressions and disincentives to keep going with your enquiry / service request etc. And it’s especially bad in investment / portfolio / wealth management. Unless — certainly in the UK, I doubt it’s any better in the US and might well be worse — you have £10M in investable assets (where you’ll qualify for white-glove treatment, but at a cost of huge fees), you’ll get a crappy website, offshored “support” or even if support is still onshore, people flung onto the phones with a week or so’s “training”. The training is mostly in how to get rid of callers as quickly as possible.

    Reply
    1. The Bucket Stops on the Top!

      In these times of corporate socialism and bailouts, customers are not needed. They are only people to be fleeced. Expect crappification on all fronts!

      I have a long time ago stopped calling the customer service more than once. I call the customer service first just to get the business case. I know that most likely they do not help. When they do, all is great. When they don’t, I immediately call or email the CEO or his deputies or the 3rd level of responsible for the problem. Describing politely the problem, the dys- or afunctional customer service and ask for their support to solve the problem. The idea is that if you do not make their crappified service their personal problem, things will never change. Also, they are paid top dollar for solving stuff, so there is that too…

      Reply
    2. Charles 2

      – An expired certificate still encrypts the communication between client and server so your credentials were probably safe in traffic. A proper authentication handshake should not expose your password in the clear anyway.
      – Vanguard allows for 2FA authentication. I advise you to activate it. This way someone who steals your credentials through a “man in the middle attack” will still not be able to login. You should change the password at the earliest safe opportunity though.
      – it is handy to have some VPN provider account that you can use to reroute your traffic, not only it secures your communications when using public wifi, but it can also help if your ISP does funny caching/routing.
      – a little googling shows that Vanguard has a fraud alert address (fraud@vanguard.com), if this happened to me, I would send a screen shot of the security alert together with the recording of your conversation with the rep who advised you to override security warnings. I am quite convinced that they would follow up…

      Reply
      1. Clive

        Customers shouldn’t have to shove security issues with a service provider’s website down their throats using a crowbar to get a response. A customer reporting a potential issue should be welcomed like a wise man bringing the most valuable information to you — not sent away with a flea in her ear like they are being a nuisance.

        Two factor authentication is a useful adjunct but it is no substitute for properly implemented security basics. Not least because it’s potentially hackable https://www.cnbc.com/2019/01/04/how-secure-is-your-account-two-factor-authentication-may-be-hackable.html

        I don’t mind the hassles or making sure VPN can be set up if I have any doubts about buttressing online security. But I still resent the tax on my time keeping an eye on it. And it’s fairly easy for me, being tech-savvy to know what I’m doing and set it up correctly. Trying to get a novice or non IT expert person isn’t straightforward. I gave up trying to get my mother-in-law up and running using VPN (which wasn’t too difficult) but ensuring she activated a VPN session when she wasn’t sure about the validity of a website which she’s not familiar with and might not trust entirely was too steep a learning curve for her.

        I’m not sure why we have to make excuses for and put workarounds in to do what is a business’s obligation to do for us. If they can’t put in robust tech, they should have a decent phone servicing offer.

        Reply
        1. Sheldon

          Between this and the CALPERS kick ass, Yves is doing double duty for us.

          Plan ahead and boycott financial and all medical websites. Only use the United States Post Office. You want our money? Then send me hard copies, and we will reply the same way.

          We have ten years or more of Vanguard statements in three ring binders, plus all the forms we need ready to go. All medical records too. The mail can’t be hacked, and if one has a secure locking mailbox, or P.O. box, it’s about as safe as can be.

          Only use websites or even worse, A.I., in your business?
          Fine, we’ll take our money elsewhere then.

          Reply
          1. Late Introvert

            I was trying to buy recycled TP online and the website was broken. They had a perky email response person right on me when I gave up, and when I asked can I just fill out a paper form and mail you a check? Nope. I was pretty rude about it.

            Reply
          2. drumlin woodchuckles

            Sheldon,

            The US government has spent the last few years working to exterminate the Post Office in order to privatize the profitizable pieces of it and let the non-profitizable pieces of it die off. The Trump Administration is fast-forwarding the process through such means as appointing an “inside job saboteur” to destroy the Postal Service from within and above.

            “Saving the Post Office” was the subject of a desperate post written not long ago. Here is the link.
            https://www.nakedcapitalism.com/2020/08/preserve-our-post-office-before-its-too-late.html

            I left a comment on that thread about what I think is the last desperate only-hope way to try and get a critical mass of currently-in-the-news people to mobilize to save the Postal Service against the government’s fast-forwarded plans to Yeltsinize it. I was dismayed to see that my comment was the very last comment on the thread. Was my comment regarded as being satirical? It was not satirical. It was the only last-best desperate hope I could think of with a straight face to maybe . . . MAYYYYbe . . . get the Postal Service saved.

            I hope someone is inspired to go back to that thread, read my comment, and send it to someone who has contacts within the Black Lives Matter movement. Because my best reading of the situation is that nobody inherently cares about the Postal Service. It is inherently as unsexy as plumbing and wiring and taking out the garbage. Things nobody will miss until there is no more plumbing and wiring and taking out the garbage.
            Currently only an in-the-news group like Black Lives Matter has the eyeball-bandwidth needed to keep its concerns in the public arena.

            If Black Lives Matter decides that the Postal Service matters to Black Lives Matter, then Black Lives Matter can MAKE the Postal Service matter. Without support like that, the Postal Service is just a Dead Service Walking.

            So I hope people will go back to that thread and read my comment with as straight a face as the straight face I wrote it with. And if someone agrees with it, I hope they will shove it across the desks of All The Right People.

            Reply
      2. Yves Smith Post author

        I am extremely conscious about minimizing my data footprint. I effectively do not use a cell phone and do not do text. I do not give anyone my cell phone #s (I have several) and yell at people who happen to call me back on the cell save when I’ve just called them when on the road. They usually get punished anyhow, I don’t get those messages for months.

        Plus my dumbphone wipes texts after you look at them, so it’s also terrible for 2 factor authentication, since if you don’t copy the code right away you lose it.

        Reply
        1. KiWeTO

          No idea about vanguard’s 2fa systems, but some websites do also use email as a 2fa system.

          If they do, email reception for you is within seconds of sending it from their 2fa systems? Would reduce the ability for hackers to get in.

          Edit: apparently vanguard’s 2fa policies are still from last last decade. So 2fa isn’t a real option here.

          E.o.M.

          Reply
  2. Amfortas the hippie

    sounds like Texas211.
    (the portal into Texas’ po folks programs)
    around and around and around.
    part of me sometimes thinks that the bad menus and decision trees and the rest of it would take real effort, lol.
    that mere bureaucratic ossification coupled with incompetence just doesn’t account for the amount of Kafka that dwells in these systems.
    The way you describe the crapification, it was pretty sudden, no?
    Seems rather striking that your experience with a middle and upper class system is so similar to my experience with the byzantine texas welfare system.

    Reply
    1. Spring Texan

      It CANNOT be as bad as Texas 211. I had to get some information about my nephew’s Medicaid program a year and a half ago and would have to call back because of odd choices that turned out to be wrong, there were places where they read out long (usually irrelevant) text to you, and then you finally got to an agent who wouldn’t answer a general question about the program but was only equipped to deal with individuals trying to do something or who had an account. Texas 211 is an absolute nightmare. (I finally got answers, but not from Texas 211 -)

      I’m a Vanguard customer and I have had good experiences although certainly what Yves describes now is bad.

      But 211 is in a league of its own. Wish some journalist would cover.

      Reply
      1. Amfortas the hippie

        Yeah.
        pretty remarkable.
        and that was before corona.
        and it is pretty surprising how little coverage this has gotten…although i haven’t done that search in a long while.
        when i was trying to get a hip (2006-2013), i had ample time for such research. (corresponded with these people to try to get a study on this: https://en.wikipedia.org/wiki/Center_for_Public_Policy_Priorities but they were covered up with other things)
        no one cares because it merely inconveniences the poor…and who cares about them?
        Ergo…one of the things i’m watching for now is newly precariatised people encountering such labyrinthine systems for the first time…and their reaction to it. So far, indignation is the order of the day.

        Reply
        1. John Zelnicker

          @Amfortas the hippie
          August 7, 2020 at 8:01 am
          ——-

          I have seen some great investigative reporting from the Texas Tribune.

          Perhaps they could be persuaded to look into these issues. It certainly seems to be in their wheelhouse.

          Reply
          1. Amfortas the hippie

            at the time, i sent a bunch of links and footnotes with a narrative to them and Texas Observer, the Statesman, Austin Chronicle(an indy with a history of at least some muckraking)
            The gal at CPPP that i went back and forth with was as far as it went. she was knowledgeable(they’re a fine outfit), but their focus is more on the nitty gritty.
            User Experience stories were deemed outside their purview.

            Reply
            1. John Zelnicker

              @Amfortas the hippie
              August 7, 2020 at 2:52 pm
              ——-

              Thanks for the update. Too bad you couldn’t get some traction with the story.

              Reply
    2. drumlin woodchuckles

      And yet if a Vanguardsman can do this to a paying customer so suddenly, after having served Yves Smith’s needs well enough for so long; it indicates that a culture of hate-the-customer and active sabotage of the company’s mission and hence long-range viability is now spreading within American businesses.

      Reply
  3. John Mc

    Definitely one of the circles of hell — on hold with arrogant jackass waiting “to help”.

    There should be a movie about Crapification.

    Reply
    1. Hayek's Heelbiter

      As a screenwriter, I recognize a great pitch – the shorter is better, e.g., “MTV Cops,” actually written on the back of a napkin, => Miami Vice.

      The four-quadrant audience identification for a movie titled Crapification
      would be off the charts.

      Reply
  4. jim_cricket

    Sorry this happened. Someone should post this on Bogleheads, that would get their attention.

    Same thing with me 10 years ago when they stubbornly lacked 2-factor authentication, I would call monthly to insist they add this feature. Eventually they got around to it after every other financial institution had had it for years.

    Like you say they are betting on inertia, it’s a good bet.

    They also screwed up my Roth IRA years ago and neglected to tell me, when a simple informative email could have saved me a sizable fine from the government that I had to work to redress.

    They are also very provincial (part of their charm/advantage in not living in a money-obsessed metro area) and like all “out of it” people, when they find out about something new/better/something-they-messed-up, they get flustered and act officiously to buy time/get their act together.

    Reply
    1. TheMog

      Not to mention that I think they still only offer SMS-based 2FA unless that has changed recently. Actually, I just checked on twofactorauth.org and it looks like they’re now also supporting hardware tokens (Yubikeys) but still no authenticator app.

      But hey, we all know that SIM swapping attacks are only figments of collective imagination and SMS-based 2FA is perfectly safe, right?

      Reply
      1. LTL

        They support Yubikeys BUT they have the phone number as a fallback option, making the security of the Yubikey entirely useless…

        Reply
  5. John Beech

    OK, so the tax accountant needed something this very week and you were beaten into submission by a pushy CSR. What can you do about it for next time? Don’t let it happen. Choose instead to commence preparations to move the account(s) . . . or the CSR wins. Basically, follow through with your initial instincts. And don’t give in to arguments you should stay because they just ‘proved’ how greatly they didn’t value your business. Put another way . . . when they tell you who they are, believe them. And if there’s an exit interview, don’t be shy about telling them why you’re voting with your feet – and – no matter what, don’t be persuaded to stay (because that’s precisely the job of the yet another CSR seeing you out the door). Bottom line? They either pay for abusing your relationship, or you grant them carte blanche to continue. Your story puts me in mind of the wife beater who persuades the spouse to stay despite the police being there to escort her to safety. Sigh.

    Reply
    1. TheMog

      Hang on – are you trying to imply that something that should’ve never happened in the first place is somehow the customer’s fault (in this case Yves’ fault)?

      If the CSR “won” or not is not the point. The point is that said CSR requested an objectively bad action based on the security warnings a customer reported to them, and dismissed it out of hand. That in itself should’ve never happened no matter who the customer was.

      There is also the bigger implication of actively desensitizing customers to security warnings like that, which has ‘interesting’ long term impacts.

      Reply
  6. Synoia

    The Lily Tomlin rule from Rowan and Martin’s Laugh In:

    “We don’t care because we don’t have to!”

    Reply
    1. philnc

      My 401k has been with Vanguard for over a decade. I’ve never had a reason to call customer service, but did go through the slow transition from no two factor, to laughably insecure SMS two factor, and recently switched to a quad of U2F keys from Yubico (two each for my wife and I — a precaution in case a key is lost). My experience has been that the whole banking and finance sector have been unforgivably behind in many aspects of security. It’s as if their management doesn’t take the integrity of your account seriously.

      Of course, why would they when they’ve got so many account owners locked into them by corporate dictate and federal regulation?

      As a former sysadmin for a global company that in the pre-cloud era rode herd over dozens of externally facing webservers (and hundreds on the inside), I know how challenging keeping SSL/TLS certs up to date can be if not handled with proper automation (nowadays that could be a simple shell script). But HTTPS is the absolute floor when it comes to web security. An expired certificate is a significant security issue. There is no excuse for a failure like this. None. Even less for the CSR’s reaction, which to me indicates a serious management problem.

      Reply
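The per-server certificate problem Clive and philnc describe above (a renewed certificate that reached some web servers but not others), as an added example that is not part of the original post or comments: a Python check that validates the certificate on every address a hostname resolves to, rather than on whichever one the checker happens to reach. The hostname, addresses, dates and 21-day threshold are constructed assumptions.

```python
"""Per-node TLS certificate check (added example; all names are illustrative)."""
import socket
import ssl

WARN_DAYS = 21                      # assumption: alert three weeks before expiry
SEVERITY = ["OK", "WARN", "FAIL"]   # ordered from best to worst


def resolve_all(host, port=443):
    """Return every distinct address behind the name, not just the first."""
    infos = socket.getaddrinfo(host, port, proto=socket.IPPROTO_TCP)
    return sorted({info[4][0] for info in infos})


def probe(host, ip, port=443, timeout=5.0):
    """Handshake with one node, validating the chain the way a browser would."""
    ctx = ssl.create_default_context()
    try:
        with socket.create_connection((ip, port), timeout=timeout) as raw:
            # SNI and hostname checks use the public name, the TCP target is the node.
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                not_after = tls.getpeercert()["notAfter"]
                return {"ip": ip, "not_after": not_after, "error": None}
    except ssl.SSLCertVerificationError as exc:
        # e.g. "certificate has expired": what the customer's browser reports.
        return {"ip": ip, "not_after": None, "error": exc.verify_message}
    except OSError as exc:
        return {"ip": ip, "not_after": None, "error": str(exc)}


def classify(result, now, warn_days=WARN_DAYS):
    """Map one probe result to (status, detail)."""
    if result["error"]:
        return "FAIL", result["error"]
    expires = ssl.cert_time_to_seconds(result["not_after"])
    days_left = int((expires - now) // 86400)
    if days_left < 0:
        return "FAIL", "expired %d days ago" % -days_left
    if days_left < warn_days:
        return "WARN", "%d days left" % days_left
    return "OK", "%d days left" % days_left


def summarize(results, now, warn_days=WARN_DAYS):
    """Roll per-node results into one report for alerting."""
    rows = [(r["ip"],) + classify(r, now, warn_days) for r in results]
    worst = max((row[1] for row in rows), key=SEVERITY.index, default="OK")
    # Nodes that disagree with each other point to a partial certificate rollout.
    mixed = len({(r["not_after"], r["error"]) for r in results}) > 1
    return {"rows": rows, "worst": worst, "mixed_fleet": mixed}


# Constructed sample results (documentation addresses, invented dates) so the
# report logic runs offline. Live use, with a hostname you operate:
#   results = [probe(host, ip) for ip in resolve_all(host)]
SAMPLE_NOW = ssl.cert_time_to_seconds("Aug  6 12:00:00 2020 GMT")
SAMPLE = [
    {"ip": "192.0.2.10", "not_after": "Jul  6 12:00:00 2021 GMT", "error": None},
    {"ip": "192.0.2.11", "not_after": "Aug 20 12:00:00 2020 GMT", "error": None},
    {"ip": "192.0.2.12", "not_after": None, "error": "certificate has expired"},
]

if __name__ == "__main__":
    report = summarize(SAMPLE, SAMPLE_NOW)
    for ip, status, detail in report["rows"]:
        print("%-12s %-4s %s" % (ip, status, detail))
    print("worst=%s mixed_fleet=%s" % (report["worst"], report["mixed_fleet"]))
```

Run from outside the corporate network, this sees what customers see; a check made only from inside, or against a single address, can pass while one node still serves the old certificate.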
      1. flora

        An expired certificate is a significant security issue. There is no excuse for a failure like this. None.

        +1. If they don’t pay attention to this basic IT security requirement what else are they not paying attention to?

        Reply
    2. drumlin woodchuckles

      I remember that quote as being literally: ” We don’t care, we don’t have to. We’re the Phone Company!”

      Reply
  7. Oh

    It looks like the finance industry wants interest-free loans from the government and bail outs but doesn’t give a hoot about service to customers. With all these cumbersome (to say the least) phone messaging software it takes forever to get to talk to a human. And when you do get through, you find one of these know-it-all jerks who argue with you and do not care about customer service.

    Reply
  8. Louis Fyne

    fidelity’s customer service is fantastic (privately owned by one family). IMO

    one’s mileage may vary as one’s awesome can easily be someone else’s awful

    Reply
  9. troutbum

    I recommend you compose a letter documenting ( dates, times and names ) as much as you can and mail ( USPS ) to the President/CEO of Vanguard. You could use the words “customer complaint” and copy the compliance dept. as well.
    In my experience, bad news does not travel up the corporate ladder and the senior executives may not even be aware of the crappy service. In any case, as busy as you are, please don’t walk away from this situation.

    Reply
    1. Stevie Lee

      @troutbum:

      No need for that. All Yves should do is simply forward a copy of her blog post above – which is extremely detailed in her own personal (unsatisfactory) experience with a CSR from Vanguard, and his apparently condescending attitude and complete lack of concern towards one of their “Flagship” member clients.

      I recently had a similar experience with eBay when trying to contact a CS agent (neo-oxymoronic) concerning a possible breach in my eBay account via a very well spoofed email. I was treated as if I was a total technical idiot – when in actuality – I am a certified computer technician of over 15 years.

      I’m not sure if Yves ever resorted to revealing her extremely formidable reputation as one of the foremost financial journalists on the web to that CSR at Vanguard, but from the way she recounted his obvious disdain and consistently pedantic treatment towards her, I sincerely have my doubts that it wouldn’t have really mattered.

      Reply
  10. TheMog

    I’m not a full-on IT security specialist but a part of my job does indeed involve working with clients on best practices for securing certain types of software, so I have a bit of knowledge in this area.

    While I’d potentially be willing to overlook the redirect issue – which may be more of an issue caused by a missing or expired cookie – a Customer Service Rep should never, ever, absolutely not ever advise a client to override or ignore a security warning like the one you received. No ifs or buts.

    Yes, it may be something as simple as the scenario Clive mentioned – someone forgot to update a TLS security certificate on a server somewhere, which is bad enough already – but even as a security ‘dabbler’ I can come up with several nefarious scenarios that would trigger this warning and actually be dangerous.

    As to recommending to search for Vanguard on Google or the like and using that link (presumably to rule out typos?), that’s also a pretty bad idea. For example, if you or your DNS provider are suffering from a DNS cache poisoning attack that redirects Vanguard hostnames to a scam site, looking for the link in Google is not going to help you at all. Yes, it’s not quite as bad as recommending to override the security warning, but it’s still a suggestion that came from the south end of a north facing cow. Especially when you’re also seeing an unusual redirect already.

    At the very least this is a training failure on part of Vanguard and should ring a bunch of alarm bells over there.

    I would suggest the following if that happens to someone else:
    – Take screenshots (Yves, did you by any chance take screenshots of the error?)
    – If/when the rep pushes for you to override the security warning, ask the rep if the conversation is being recorded at their end (it probably is) and/or inform them that you’re starting to record the conversation and would she or he mind repeating the recommendation to override a browser security warning?

    Given that Vanguard probably did record the conversation as part of their normal operations, I would attempt to escalate it over there.

    The point here being – if you decide to go ahead and follow the advice of overriding the security warning and proceeding regardless based on what the agent tells you, at least have clear evidence that you acted on their insistence in case your money suddenly takes a one-way trip to Nigeria or another similar foreign location.

    Not what I wanted to read, given that we have a substantial percentage of our retirement savings at Vanguard.

    Reply
  11. soulmatic09

    I’ve had issues with Vanguard’s poor reps for at least 4 years now. I try not to deal with them at all, which I guess is a good thing because it kept me from screwing around and selling at the bottom of a pandemic fueled market crash.

    That being said, Fidelity has been much better over the years. However, they’ve gotten bit by the crapification bug as well recently. Nowhere near as bad as Vanguard, but I’m expecting their customer support to degrade even further in the future.

    It looks to be an industry wide trend that began around the same time as the fee wars. I’d be naive to think they are not unrelated.

    Reply
  12. DSB

    Sorry you had this experience with Vanguard. It is a firm I have recommended for decades because they have always done the right thing – my experience anyway.

    While I have a designated representative and they provide excellent service, my interactions have been entirely online for the past handful of years. I use the Brave browser to logon. Because Brave wipes every time I logout I am always treated like a first time visitor to the website. I receive a text message with a code to logon as my computer is never recognized. I have not had the experience mentioned here, but I too would be concerned if it happened to me.

    Again, these interactions can be aggravating. I am watching the handover to Infosys closely, but will continue to recommend Vanguard and its services widely.

    Not a Boglehead, just appreciate good service.

    Reply
    1. Sthub

      Did not know about the InfoSys changes. For those just catching up like me:

      https://www.inquirer.com/business/phillydeals/infosys-vanguard-outsourcing-20200720.html

      I will be stunned if this actually ends up with top-tier Indian call center reps doing phone support – I can’t imagine your average Flagship customer having a good reaction to a non-native speaker – but I’ll be watching for the weird errors and outages / domestic layoffs to start.

      Too bad.

      Reply
  13. chuck roast

    Crapification Ajit Pai Style:

    Empty your glove compartment and throw away your paper maps did you when you got your new Onstar GPS? Trash your paper coastal charts when you installed your new digital Raymarine GPS Chartplotter? Oooops!

    The FCC has decided that it is in your best interest to privatize what back in the Paleozoic we used to call “an inherently governmental function.” Not willing to forego a grifting opportunity, Pai and his merry band have ignored the pleading of multitudes of government agencies and individual stakeholders and farmed out the new 5G GPS network to Ligado Networks who have shown demonstrable incompetence in the past when known as LightWorks.

    For a better view of this please go to Points East…click on the August issue and find page 21. Or Google: FCC Decision Puts GPS At Risk for a WSJ look.

    Reply
  14. Charles Yaker

    I am having some difficulty with Vanguard as well, not quite as bad but also form related. However I have not experienced rude agents; quite the contrary, they have been polite and helpful on the phone although I am not sure they followed through. Since they are working from home there does seem to be a problem getting forms from one location to another. My issue has not been resolved but I understand it is being processed. None the less I am preparing to send snail mail to the Chief Executive if my issue is not resolved. I find snail mail more effective in this regard than email.

    At the risk of generalizing and jumping to conclusions despite the fact that Yves can run circles around me with regard to both finance and the internet, I can’t help wondering if she was working with what is commonly known as a “Male Chauvinist pig”. I also think I am less tolerant than Yves and would have asked for a supervisor and/or asked if he preferred that I close my account.
    Here is the address
    Mortimer J. Buckley
    PO Box 982901
    El Paso,Tx. 79998-2901

    Reply
  15. Louis Fyne

    one should also assume that one’s account is “scored” at most big service providers. bigger spenders get better service.

    I absolutely assume that and gird myself for long wait times at anyplace where I’m a basic customer.

    so true buy-hold Bogleheads probably get shunted to a lower priority queue unless the algo sees a bigger account balance (irrespective of customer loyalty) even though Vanguard is presumed to be more pro-client as it’s employee-owned.

    Reply
  16. Kurt Sperry

    I tried accessing the “www.vanguard.com” labeled link from Google in several browsers and in all but one case (the login link) the browser redirected from that TLD to “investor.vanguard.com”, and the login to “customer.vanguard.com”. Of course Google *never* takes you straight to your link without a redirect through a personal data scraping redirect (which is why you can’t copy and paste the URLs from a Google search results page). I didn’t get any security warnings related to the redirects and clicking on a link from the first two Google results is probably as safe as it gets for web surfing, even if it involves opaque redirections.

    I couldn’t reproduce the SSL cert warning on Brave, Firefox, Opera/Chrome, or the native MS browser. I do get these from time to time, but never for a big-name site like Vanguard. I’m not aware of any local or state-level SSL certifications, I recently belatedly changed my website over to https protocol and there were no multiple or regional cert requirements or options. As far as I can tell the basic SSL cert is good globally.

    Hope this helps in some way.

    Reply
  17. LAS

    I’ve also noticed a decided decline in Vanguard service sometime within about the last 6-12 years. They were once excellent! So helpful, informative, and just really great. But no more. Now the coordination stinks and the experts are hard to reach and generally much less savvy.

    It is harder to work with them because they have outsourced much of their service (one rep said while trying to help with what I felt was a really, embarrassingly simple request that should have been a piece of cake).

    Additionally, I noticed they’re not automatically rolling over some funds that should be deemed “admiral” as opposed to “investor”. They used to do this automatically and it meant lower fees for the account holder. If I do it manually, then I am going to be taxed as selling and re-investing. IMO, this is costing me money. I’m taking vitamins now to fortify for this inquiry and request. I’ve got to man up.

    Reply
  18. unhappyCakeEater

    I came for apocalypse watch, stayed for the infosec.

    It makes me crazy how we have trained people to just click through warnings and such, for all the reasons made clear in your tale. Even madder that every aspiring tech bro on a corporate help desk assumes anyone calling in is a moron.

    Kudos for being a pain in the ass; companies should not be allowed to bully folks in order to maintain their ticket metrics. We pay these companies good money and the arrogance is unwelcome.

    The occasional infosec articles posted in NC links are treasure.

    Reply
  19. JeffC

    I’m with you, Yves. For others:

    Never ever click through on a certificate warning for a financial site! DNS hijacking is a real thing. (Setting your router’s DNS to 9.9.9.9 is not a bad idea. See quad9.net.)

    Also worth trying in this situation is connecting to a VPN server far away and trying “from there.” If there’s an issue specific to a regional server, this may get you around it. I don’t know how much actual transacting Vanguard lets you do from a VPN though. US banks often either disallow access from VPNs completely or disallow mobile deposits from them.

    I wish there were easy advice to give to nontechie family members about VPNs and their choosing, setup, and use. But all VPN providers and apps seem to have their quirks. The only universals are (1) never use a free one (unless you want to be the product) and (2) be very skeptical about VPN review sites. The majors pay for those reviews, which then feed you ridiculously sloppy errors and sometimes outright lies. They exist to make money for moderately techie hack writers, that’s all.

    Reply
  20. Susan the other

    It’s the electronic peter principle. It shorts out somewhere between the computer screen and the person. And does so a thousand times exponentiated. I’m so glad you posted this. It’s better than the antidote today. (Or maybe not, if I’m the tiger.) Well, it is Friday, after all. Same thing here – similar snafu. Trying to adjust to the bank (the one with a reputation worse than street pizza) summarily closing one account because of alleged hacking and opening up a new one without adjusting for all the auto bill pays for the old one – (oh just call your accounts – OK, called the accounts and they said the bank said the new account was not “verified” but the old one is still working just fine, and on and on) and then cutting up the old card and claiming to verify the new one…. and then we find, upon calling all of our bill-pay accounts, that the new one is “not verified” and no options are offered to do the verifying?? WTF? This timely post just verifies that we’re all entangled. And sadly, I never got a human being on the phone. It’s the digital version of sublime. Naturally I started drinking wine early – there’s a cool breeze so why not? This has to do with my husband’s account – the old, but still wily EE, who is beginning to hide his own easter eggs. He’s still so clever he could actually be hacking himself. It’s all so meta these days. But I never forget a coincidence like this – so now I think it is something much bigger in the internet system. We’ll see. On Monday. “Tomorrow is another day.”

    Reply
  21. Richard Thompson

    I’ve had the same problem with Vanguard and also with the Ca. FTB when trying to make tax deposits. I’ve been using a 4 year old Mac laptop that’s loaded with junk emails (6 different email addresses). I needed a new laptop so when I bought one I only loaded 6 apps which I need to use for business purposes and created 2 new email addresses which I only use for banking and transactions with people I know personally. The problem went away on the new computer but remained on the older one when I tested both. My conclusion is that the older computer was full of who-knows-what-crap. It wasn’t the browser or the site…it was something on my older computer.

    Reply
    1. turtle

      I recently heard of a case at work where a Mac that was not up to date with OS & security updates was getting a certificate error. Sometimes those security updates include new/updated certificate authority information. If your computer wasn’t updated with the latest, it’s possible that it had outdated certificate authority info and could receive certificate errors on websites because it wasn’t recognizing the new CA info.

      But in Yves’ case, someone above mentioned that a new certificate was just issued yesterday, so it really sounds like Vanguard let a certificate expire and Yves happened to hit it before they renewed it.

      Reply
  22. Bee

    When I go to vanguard.com on Firefox, it redirects just the same way. Then if I click on the “personal investor” link on the right, it takes me to investor.vanguard.com/home, and from there everything seems normal. But no excuse for the CSR’s attitude, except maybe he wants to be a doctor? I’ve certainly had medical personnel tell me point blank that I wasn’t experiencing what I was experiencing. And I would guess that Vanguard doesn’t have a monopoly on that kind of snottiness.

    Reply
  23. Mike Elwin

    Look, too many of us fell for the BS that computer companies have pushed for decades, that computers are easy to use. They’re not. Never will be because every advance in usability is countered by a bigger advance in complexity. The only epochal advance in software since the Xerox Star is software’s ability to communicate with other software. That has enabled the epidemic growth of massive unregulated, undeterminable computer systems that generate wealth over everything else.

    Remember, software is never guaranteed to work. It can’t be. There are too many unknown untraceable interactions in programs. They cannot be secured against failure. As a result, making and selling software is often less profitable than selling consulting services to companies using the software. Company A builds their products around software from company B, but A can’t install or use B reliably, so A hires B’s consultants to correct its problems and maintain workability.

    Oracle company is famous for building this thieving gimmickry into their large systems. Microsoft perfected this approach down to the level of individual users. Back in the day, when you had trouble doing a given task in products like Word and Outlook, the help systems built into the products would return information about that task. Then Microsoft replaced those help systems with ones that return generic information about the products; the information you need might be buried somewhere in all that generic stuff, or maybe not. Why did they do this? Because a helpful help system has to be maintained through constant upgrades; hiring writers who know a product well enough to do that is expensive. As a result, Microsoft’s help is packed with useless obsolete information referencing features dropped, moved or renamed through numerous updates of the products. Microsoft’s online help is the same.

    And, oh yeah, customer service is rarely managed by the product companies anymore. It’s usually contracted out to services whose main selling point is their ability to insulate the product companies from pesky customers like Clive. I’ll bet Vanguard is more than satisfied by Clive’s experience.

    Reply
  24. Seal

    Vanguard stopped payment on a 6 figure check made out to me and tentatively “deposited” in my account. I found out when I went to the gas pump and my cards wouldn’t fly. VANGUARD’S ineptitude and shady dealing is historic. Avoid them at all costs.

    Reply
  25. Kathryn M Tominey

    Bogle’s death seems to have freed Vanguard’s younger bonus oriented mgt to cut corners. And the 2 factor ID seems obsessed with finger prints. In my case they have never ever worked – not now at 75 and not at 35. And voice ID is a worse mess if I have a cold or my seasonal allergies act up or the side effect of anastrozole impacting vocal cords.

    I don’t mind a txt msg with a numerical code which seems to be a default option. And Vanguard is moving to get into high risk hedge fund junk – greed on display.

    Reply
  26. Yves G.

    I’m reading this just as I rolled over my 401k to Vanguard because my uncle told me they’re reputable. So far they’re okay, but nowhere near as sophisticated as TD Ameritrade, which also offers IRAs. However, I didn’t want to keep all of my eggs in one financial services basket. I hope I don’t regret it. Plus, I like their funds.

    Reply
    1. turtle

      I rolled over from Fidelity several years ago because I liked the low management costs and the idea that it was an investor-owned brokerage. I’ve also recommended it to relatives for the same reasons. What I’m reading here is really making me have second thoughts now.

      Reply
  27. Bob

    As a long-time Vanguard customer, I find this security issue terrifying, and the rep’s response is completely unacceptable.

    Although I’ve never had this issue (including just now, using Safari 13.1.2 on a 2012 MacBook Pro running Mojave), I’ve long been concerned about Vanguard’s relying on SMS for 2FA and failure to use an authenticator app.

    Maybe it’s time to switch to Fidelity, or at least begin the process.

    Thanks very much for the report, Yves.

    Reply
  28. OldManInMaine

    You got a jerk. It happens. Every assemblage of humans on the earth has people having bad days. Don’t take it personally. Help Vanguard and yourself. At the first sign of trouble, ask for a supervisor. If you don’t have the moxie to do that, call another time and get another rep. If you are having a technical problem ask for an IT rep.

    Reply
    1. Yves Smith Post author

      Did you read the post?!?! I am chronically time stressed. Even 10 minutes is a lot of time. I needed to get this done by Friday and this was already Thurs. I had had to pull the Flagship card even to get a rep. I most certainly did not have time to go and spend another 45 minutes (which is what the final call took) a second time. The agent had already rejected getting the IT department involved.

      And my experience with financial institutions is even when they are functioning well, the “get a supervisor” routine takes 20+ minutes, and I’ve had people deliberately disconnect me, which this clown seemed capable of doing, as well as have the site automatically terminate the call after a certain wait period.

      It is a sign you don’t know this site at all to talk about “moxie”.

      Reply
  29. Dennis S.

    Using command line/terminal to run a test request with no browser, one finds that all these:
    curl -I http://www.vanguard.com
    curl -I https://www.vanguard.com
    curl -I http://vanguard.com
    curl -I https://vanguard.com

    redirect to:
    https://investor.vanguard.com/corporate-portal

    This CSR is not up-to-date on what the site actually does. Cert looks legit; that is, it does to me, now. (I am using Firefox on a linux machine.) They should not attempt to correct what one is telling them about that kind of experience – just report it to someone who does know something.

    Reply
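An added example, not part of the comment above: one way to turn header output like that of `curl -sIL` into a redirect chain and check that every hop stays on HTTPS and inside the expected domain. The header text is constructed for illustration (only the `corporate-portal` destination comes from the comment), and `vanguard.example.net` is a made-up off-domain host.

```python
from urllib.parse import urljoin, urlsplit

# Constructed header captures in the shape `curl -sIL <url>` prints them.
SAMPLE_OK = """HTTP/1.1 301 Moved Permanently
Location: https://investor.vanguard.com/corporate-portal

HTTP/1.1 200 OK
Content-Type: text/html
"""

SAMPLE_BAD = """HTTP/1.1 302 Found
Location: http://vanguard.example.net/login

HTTP/1.1 200 OK
Content-Type: text/html
"""


def parse_chain(start_url, header_text):
    """Return every URL visited, following Location headers on 3xx responses."""
    chain, status = [start_url], None
    for line in header_text.splitlines():
        if line.upper().startswith("HTTP/"):
            parts = line.split()
            status = int(parts[1]) if len(parts) > 1 and parts[1].isdigit() else None
            continue
        name, sep, value = line.partition(":")
        is_redirect = status is not None and 300 <= status < 400
        if sep and name.strip().lower() == "location" and is_redirect:
            # Location may be relative; resolve it against the previous hop.
            chain.append(urljoin(chain[-1], value.strip()))
    return chain


def audit_chain(chain, expected_domain):
    """List the hops that leave expected_domain or drop from https to http."""
    findings = []
    for prev, cur in zip(chain, chain[1:]):
        p, c = urlsplit(prev), urlsplit(cur)
        host = (c.hostname or "").lower()
        # Exact match or a true subdomain; a bare suffix match would accept
        # look-alikes such as "notvanguard.com".
        if not (host == expected_domain or host.endswith("." + expected_domain)):
            findings.append(f"off-domain hop: {prev} -> {cur}")
        if p.scheme == "https" and c.scheme != "https":
            findings.append(f"https downgrade: {prev} -> {cur}")
    if urlsplit(chain[-1]).scheme != "https":
        findings.append(f"final URL is not https: {chain[-1]}")
    return findings


if __name__ == "__main__":
    for start, text in (("http://www.vanguard.com", SAMPLE_OK),
                        ("https://www.vanguard.com", SAMPLE_BAD)):
        chain = parse_chain(start, text)
        print(" -> ".join(chain))
        for finding in audit_chain(chain, "vanguard.com") or ["no findings"]:
            print("   ", finding)
```

A clean chain only shows that the redirects stay in the expected domain; it says nothing about whether the certificate presented at each hop is valid.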
  30. Jaime Garfield

    I’m worried now. Vanguard has always been so great and reliable. I read Bogle’s book before opening my account decades ago. I can’t imagine the outsourcing of customer service employees. That’s very worrisome. Bad enough to talk to people in India about my health insurance, although they are usually pretty good, after saying I’m so sorry, mrs….I understand, I will look up, what’s your…etc,etc…after a half hour come to find out a simple explanation. …John Bogle was a gem.

    Reply
  31. square coats

    I’m not sure if this is pertinent but I too took a stab at visiting vanguard’s website and recreating the series of events leading to a security warning, and though I wasn’t able to get a security warning to generate, I did end up poking around the site enough that my eye managed to catch on the following text in their “security center,” which states, “Note: A security alert could indicate that either the date on your computer is incorrect or you’re using an outdated version of your web browser.”

    The link I found to the security center is very tiny and located in the page footer. In general I found navigating the site completely unintuitive and only made my way as far as the footer because I couldn’t find any obvious link to log in or create an account anywhere on the page.

    Not sure if this could be the cause but if so perhaps it could provide some relief for Yves about the security of her account/capabilities of vanguard IT (though IMHO they sorely need to do some legit usability testing), but it so wouldn’t provide any excuse for the unconscionable rep. To me it seems that it requires a mighty amount of absolute nihilism to be dismissive of a user identifying a potential security risk on your company’s website and all the more so when that company is responsible for the security of others’ finances, big or small. Don’t care what kind of bad day someone’s having. If they’re willing to risk others’ livelihoods, whether because they’re in a snit, or trying to cope with some truly calamitous life event, I’d think they should basically recuse themselves for the length of time they can’t fully commit to that responsibility.

    Reply
    1. Yves Smith Post author

      Thanks, but as Clive indicated at the outset, there were stale security certificates and it looks like I came in as they were being updated late. Because Vanguard almost certainly distributes them across the net, even if you had tried on Thursday, as opposed to today, you would have gotten the warning only if you hit a server with an old certificate on it.

      Reply
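An added example, not part of the thread: a sketch of how to tell the causes raised in these comments apart (an expired certificate on only some servers, an outdated local CA store, a wrong computer date) by validating the certificate on every address a hostname resolves to. The verdict labels and the `192.0.2.x` results are constructed for illustration; `survey()` needs network access, while `summarize()` runs on the constructed data.

```python
import socket
import ssl

# OpenSSL X509 verify codes mapped to short labels.
VERIFY_CODES = {
    9: "not_yet_valid",       # also what a local clock set in the past produces
    10: "expired",
    18: "self_signed",
    19: "self_signed",
    20: "unknown_issuer",     # outdated local CA store, or an untrusted issuer
    62: "hostname_mismatch",
}


def resolve_all(hostname, port=443):
    """Every distinct address the local resolver returns for hostname."""
    infos = socket.getaddrinfo(hostname, port, proto=socket.IPPROTO_TCP)
    return sorted({info[4][0] for info in infos})


def probe(ip, hostname, port=443, timeout=5.0):
    """Handshake with one address, verification ON; return (status, detail)."""
    ctx = ssl.create_default_context()
    try:
        with socket.create_connection((ip, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=hostname) as tls:
                return ("ok", tls.getpeercert()["notAfter"])
    except ssl.SSLCertVerificationError as exc:
        return (VERIFY_CODES.get(exc.verify_code, "other"), exc.verify_message)
    except OSError as exc:
        return ("unreachable", str(exc))


def survey(hostname):
    """Probe every resolved address (network required)."""
    return {ip: probe(ip, hostname) for ip in resolve_all(hostname)}


def summarize(results):
    """Reduce per-address results to one verdict; none of them means 'click through'."""
    statuses = {status for status, _ in results.values()}
    statuses.discard("unreachable")
    if not statuses:
        return "no-data"
    if statuses == {"ok"}:
        return "consistent"
    if statuses == {"not_yet_valid"}:
        return "check-local-clock"
    if statuses <= {"ok", "expired"}:
        # Mixed results match a renewal that has not reached every server yet.
        # Expired on every address can also mean the local clock is wrong.
        return "stale-on-some-servers" if "ok" in statuses else "expired-everywhere"
    # Unknown issuer, self-signed or wrong hostname: outdated CA store at best,
    # traffic going to the wrong server at worst.
    return "trust-failure"


# Constructed results (documentation addresses), shaped like survey() output.
CONSTRUCTED = {
    "192.0.2.10": ("ok", "Aug 27 12:00:00 2021 GMT"),
    "192.0.2.11": ("expired", "certificate has expired"),
}

if __name__ == "__main__":
    print(summarize(CONSTRUCTED))
```

Because `resolve_all()` uses the local resolver, a poisoned DNS answer is probed like any other address, and the failed validation is exactly the warning the browser raised.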
  32. Anon A Mouse

    I am also flagship. Best results are using site’s function to mail them and either arrange a phone call where your rep calls you, or conduct it entirely over the secure messaging. It’s not as fast, but you will talk directly with a flagship quality rep, and they will be able to think through the problem without time pressure.

    Reply
  33. eg

    That is a disturbing and unpleasant experience, Yves. I own some Vanguard product on behalf of my children, but my purchases are through a separate broker (one of the tentacles in the Canadian banking oligopoly) and I have never had to deal with Vanguard directly.

    Here’s hoping that I never have to …

    Reply
  34. Bob

    WOW. I tried to check my Vanguard accounts just now (Monday morning, August 31), and I can’t log into the web site or mobile app. I tried calling the Flagship Services line, and after it rang for two minutes, I gave up. I tried an older Voyager Select number in my contacts book, and it rang for a couple of minutes and then automatically disconnected.

    I went to the “Contact Us” link on the home page, which itself took a ridiculously long time to load, and it took me to a “Vanguard Support” home page, which contains no contact information.

    To get a phone number, you have to click through the right series of prompts for a particular issue. (Some issues don’t end with a phone number.)

    Unless I missed it, there’s no information about the status of their web site. (I checked other sites, and my [fiber] internet connection is fine.)

    Just before posting this, I returned to the investor.vanguard.com home page, where I had clicked the “Log on” link several minutes ago, and it still hasn’t loaded; it’s showing the same spinning progress indicator (red squares) as before. I clicked “reload”, and Safari threw the message: “Safari Can’t Connect to the Server: Safari can’t open the page “https://investor.vanguard.com/my-account/log-on” because Safari can’t connect to the servers “investor.vanguard.com.”

    If they’re having tech problems, or updating the site, visitors should be sent to a maintenance mode page.

    This is completely unacceptable – and terrifying. As of this posting, I’ve been trying for over 40 minutes.

    Reply
