Wednesday, June 24, 2009

Vanguard.com Doesn't "Recognize" Me

I upgraded the hard drive on my home computer. The first time I tried to log into my Vanguard account online, it asked me to answer a security question. No problem I thought to myself. The site just doesn't recognize me since I have a new drive. It wants extra information to be sure I'm me. This is part of PassMark "sitekey" functionality. I typed in the answer to the question and was promptly told "sorry, invalid answer". Weird. I tried again. same result. I was 95% sure I was entering the correct answer, but each time I tried, it didn't work. Eventually I got an email telling me I disabled my ability to log in from an unrecognized computer due to repeated wrong answers. Nice. The web site didn't inform me of this - only the email. The email also stated I could now only log in if I used a recognized computer. To log in from an unrecognized computer, I would have to reset my security questions or call Vanguard customer service. Great.

Luckily, I had logged into Vanguard from my work computer, meaning it was "recognized" and I wasn't asked a security question. Using my work computer, I logged in and reset my security questions and answers as required. Now back to my home computer. I was quite confident facing a security question this time. But again, failure! Why does it not accept my answer? I was 100% sure it was correct this time. I just reset them for cryin' out loud.

At this point I concluded that it was a bug in Vanguard's site. Do I call their customer support? Ugh. Instead I took the approach of trying to get the site to "recognize" my home computer. Long story short, I copied a single file from my work computer to my home computer and solved the problem. I knew the PassMark/sitekey solution uses a Flash local shared object to determine whether a computer is recognized. It does not use a persistent cookie as you might first guess. Anyway, I found the shared object file "PassMark.sol" in the following directory on my work computer:

C:\Documents and Settings\[user]\Application Data\Macromedia\Flash Player\#SharedObjects\xxxxxxxx\vanguard.com\passmark\flash\pmfso.swf

where "xxxxxxxx" changes for different users. I copied PassMark.sol over to the corresponding directory on my home computer and it worked like a charm! Vanguard's site suddenly recognized my home computer and I got logged in.

This episode was very frustrating and got me wondering how normal users feel. After all, I was only able to solve the problem with:

  • Luck - I had another computer that was recognized
  • Esoteric knowledge - Vanguard's site uses Flash shared objects to recognize a computer
The vast majority of users are not web application security experts. They must be going crazy, and on the phone with support a lot.

2 comments:

Martin 8/28/2009 5:38 PM  

I have hit the same symptoms for about a year now. I emailed Vanguard, but all they could tell me was that I did not have cookies enabled (incorrect).

I tried what you said (thank you) and it did not work.

I have tried both IE 7 and FireFox with no luck. Luckily Like you I have another computer that recognizers me and I do not have to answer the security question.

I read another article saying they had a bug (fixed I believe) recognizing Flash v10 but I have Flash v9 installed.

So I am stuck not being able to access my account on this PC.
Any help appreciated.

Martin 8/28/2009 5:42 PM  

Oh - I forgot to mention I can get in as me but not as my wife - which gives me an idea - maybe I need to copy that flash file over after logging in on the PC that works with my wife's username....

  © Blogger templates The Professional Template by Ourblogtemplates.com 2008

Back to TOP