Initial add of defaria.com

[clearscm.git] / defaria.com / wellsfargo / index.php

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN"
   "http://www.w3.org/TR/html4/strict.dtd">
<html>
<head>
  <meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">
  <link rel="stylesheet" type="text/css" media="screen" href="/css/Letter.css">
  <title>Wells Fargo Security</title>
  <?php include "site-functions.php"?>
</head>

<body>
<iframe width="854" height="480" src="https://www.youtube.com/embed/fPoT24YdoJE" frameborder="0" allowfullscreen></iframe>

<h2>And they cashed the check!</h2>
<img src="Check.jpg" />

<p></p>

<div class="moz-cite-prefix">On 05/15/2013 02:48 PM,
      <a class="moz-txt-link-abbreviated" href="mailto:jon.vance@wellsfargoadvisors.com">jon.vance@wellsfargoadvisors.com</a> wrote:<br>
    </div>
    <blockquote class=" cite"
id="mid_3535311528C9EF49803D20A61A391B918A8A107DD4_MSGCMOXM1007_ent_wfb_bank_corp"
cite="mid:3535311528C9EF49803D20A61A391B918A8A107DD4@MSGCMOXM1007.ent.wfb.bank.corp"
      type="cite">
      <meta http-equiv="Content-Type" content="text/html;
        charset=ISO-8859-1">
      <meta name="Generator" content="Microsoft Word 14 (filtered
        medium)">
      <!--[if !mso]><style>v\:* {behavior:url(#default#VML);}
o\:* {behavior:url(#default#VML);}
w\:* {behavior:url(#default#VML);}
.shape {behavior:url(#default#VML);}
</style><![endif]-->
      <title>Secure Email by Wells Fargo Advisors</title>
      <style>#mid_3535311528C9EF49803D20A61A391B918A8A107DD4_MSGCMOXM1007_ent_wfb_bank_corp p.MsoNormal,
#mid_3535311528C9EF49803D20A61A391B918A8A107DD4_MSGCMOXM1007_ent_wfb_bank_corp li.MsoNormal,
#mid_3535311528C9EF49803D20A61A391B918A8A107DD4_MSGCMOXM1007_ent_wfb_bank_corp div.MsoNormal { margin: 0in 0in 0.0001pt; font-size: 12pt; font-family: "Times New Roman","serif"; }
#mid_3535311528C9EF49803D20A61A391B918A8A107DD4_MSGCMOXM1007_ent_wfb_bank_corp h2 { margin-right: 0in; margin-left: 0in; font-size: 18pt; font-family: "Times New Roman","serif"; font-weight: bold; }
#mid_3535311528C9EF49803D20A61A391B918A8A107DD4_MSGCMOXM1007_ent_wfb_bank_corp h3 { margin-right: 0in; margin-left: 0in; font-size: 13.5pt; font-family: "Times New Roman","serif"; font-weight: bold; }
#mid_3535311528C9EF49803D20A61A391B918A8A107DD4_MSGCMOXM1007_ent_wfb_bank_corp a:link,
#mid_3535311528C9EF49803D20A61A391B918A8A107DD4_MSGCMOXM1007_ent_wfb_bank_corp span.MsoHyperlink { color: blue; text-decoration: underline; }
#mid_3535311528C9EF49803D20A61A391B918A8A107DD4_MSGCMOXM1007_ent_wfb_bank_corp a:visited,
#mid_3535311528C9EF49803D20A61A391B918A8A107DD4_MSGCMOXM1007_ent_wfb_bank_corp span.MsoHyperlinkFollowed { color: darkblue; text-decoration: underline; }
#mid_3535311528C9EF49803D20A61A391B918A8A107DD4_MSGCMOXM1007_ent_wfb_bank_corp p { margin-right: 0in; margin-left: 0in; font-size: 12pt; font-family: "Times New Roman","serif"; }
#mid_3535311528C9EF49803D20A61A391B918A8A107DD4_MSGCMOXM1007_ent_wfb_bank_corp p.standout,
#mid_3535311528C9EF49803D20A61A391B918A8A107DD4_MSGCMOXM1007_ent_wfb_bank_corp li.standout,
#mid_3535311528C9EF49803D20A61A391B918A8A107DD4_MSGCMOXM1007_ent_wfb_bank_corp div.standout { margin-right: 0in; margin-bottom: 7.5pt; margin-left: 0in; line-height: 9.75pt; font-size: 9pt; font-family: "Verdana","sans-serif"; color: rgb(153, 51, 51); font-weight: bold; }
#mid_3535311528C9EF49803D20A61A391B918A8A107DD4_MSGCMOXM1007_ent_wfb_bank_corp p.code,
#mid_3535311528C9EF49803D20A61A391B918A8A107DD4_MSGCMOXM1007_ent_wfb_bank_corp li.code,
#mid_3535311528C9EF49803D20A61A391B918A8A107DD4_MSGCMOXM1007_ent_wfb_bank_corp div.code { margin-top: 3.75pt; margin-right: 30.6pt; margin-left: 30.6pt; background: none repeat scroll 0% 0% rgb(255, 255, 234); border: medium none; padding: 0in; font-size: 12pt; font-family: Courier; color: black; }
#mid_3535311528C9EF49803D20A61A391B918A8A107DD4_MSGCMOXM1007_ent_wfb_bank_corp p.terminal,
#mid_3535311528C9EF49803D20A61A391B918A8A107DD4_MSGCMOXM1007_ent_wfb_bank_corp li.terminal,
#mid_3535311528C9EF49803D20A61A391B918A8A107DD4_MSGCMOXM1007_ent_wfb_bank_corp div.terminal { margin-top: 3.75pt; margin-right: 30.6pt; margin-left: 30.6pt; background: none repeat scroll 0% 0% black; border: medium none; padding: 0in; font-size: 12pt; font-family: Courier; color: white; }
#mid_3535311528C9EF49803D20A61A391B918A8A107DD4_MSGCMOXM1007_ent_wfb_bank_corp span.formdescription {  }
#mid_3535311528C9EF49803D20A61A391B918A8A107DD4_MSGCMOXM1007_ent_wfb_bank_corp span.apple-converted-space {  }
#mid_3535311528C9EF49803D20A61A391B918A8A107DD4_MSGCMOXM1007_ent_wfb_bank_corp span.Heading2Char { font-family: "Cambria","serif"; color: rgb(79, 129, 189); font-weight: bold; }
#mid_3535311528C9EF49803D20A61A391B918A8A107DD4_MSGCMOXM1007_ent_wfb_bank_corp span.Heading3Char { font-family: "Cambria","serif"; color: rgb(79, 129, 189); font-weight: bold; }
#mid_3535311528C9EF49803D20A61A391B918A8A107DD4_MSGCMOXM1007_ent_wfb_bank_corp span.EmailStyle26 { font-family: "Calibri","sans-serif"; color: rgb(31, 73, 125); }
#mid_3535311528C9EF49803D20A61A391B918A8A107DD4_MSGCMOXM1007_ent_wfb_bank_corp .MsoChpDefault { font-size: 10pt; }
#mid_3535311528C9EF49803D20A61A391B918A8A107DD4_MSGCMOXM1007_ent_wfb_bank_corp div.WordSection1 { page: WordSection1; }
</style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]-->
      <div class="WordSection1">

<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:&quot;Calibri&quot;,&quot;sans-serif&quot;;color:#1F497D">Andrew:&nbsp;
            This is the latest and greatest.&nbsp; It is only a hassle the
            first time.&nbsp; Every secure email I send after that is comes
            to you without having to use your password.&nbsp; I cannot send
            confidential information to you via email without using our
            secure channel.&nbsp; Just play along it will be fun.</span></p>
      </div>
    </blockquote>

<p>Is this required? Because, respectfully, could you please get your
security guru to explain to me exactly how I can trust an insecure
email's links in the first place? I mean email's not secure. Unless
encrypted (See <a
href="http://en.wikipedia.org/wiki/SMIME">SMIME</a>), email is sent in
the clear and travels through many servers on its way to its
destination. Along the way anybody can capture and alter it (that's
one reason SMIME was invented but nobody seems to use it). So the
links provided in that email could have been altered to <a
class="moz-txt-link-freetext"
href="http://identitytheft.com">http://identitytheft.com</a> or
whatever. Worse yet the email actually tells you to save an attachment
to your file system and then open it! Saving attachments are a very
insecure practice. Somebody could have modified its contents as
well. In other words you can't secure a channel using an insecure
channel.</p>

<p>Also, I see this bad practice of personal security images. Anybody
familiar with <a
href="http://en.wikipedia.org/wiki/Man-in-the-middle_attack">Man-in-the-middle</a>
attacks knows that this can easily be spoofed thus it provides no real
additional security.<br> <br> What could WF do? Well they could have
done this on their web site itself and instructed me to go there to go
through the process. This is a tried and true security practice, like
when somebody calls you up from some financial place and says you owe
money or something like that you say "Thanks, I will call &lt;company
X&gt; and get this straightened out" but you <b>never</b> give the
person calling you any financially sensitive information. If you call
&lt;company X&gt; directly and they know nothing about this then you
just avoided being phished. WF should have done that. WF should still
offer that!</p>

<p>If instead the email said "Go to Wells Fargo's web site (Note no
direct link) and click on X, Y and Z to set up your secure email" then
it would be me going there, verifying my access with my strong crypto
password and connecting with SSL so that I am guaranteed there is no
Man-in-the-middle snooping.</p>

<p>Speaking of SSL and Man-in-the-middle attacks, I find it
distressing that WF has yet to get an <a
href="http://en.wikipedia.org/wiki/Extended_validation">Extended
Validation Certificate</a>. Most important financial institutions have
them. Here are some examples:</p>

<img src="BofA.png">

<p>Note that EV certs display a large green bar in the URL with the
company's name. Also note that details say "Extended Validation SSL
CA".</p>

<img src="Paypal.png">

<p>Paypal's slightly better in that is uses TLS 1.1 instead of TLS 1.0.</p>

<img src="USBank.png">

<p>US Bank uses Entrust which doesn't make it as clear that it's an EV
cert except that it says "L1E" but the browser still displays the
green EV bar.</p>


<p>Now let's look into WF's security... </p>

<img src="WF.png">

<p>Note the lack of the green EV bar! This is not an Extended
Validation Certificate. EVs cost between $100 - $1000 per year.&nbsp;
Surely Wells Fargo can splurge on that to provide it's customer base
with peace of mind.</p>

<p>But even more telling is what is this WellsSecure Certificate
Authority?!?</p>

<p>Hmmm....</p>

<img src="Cert General.png">

<p></p>

<img src="Cert Detail.png">

<p>It seems that Wells Fargo is acting as it's own Certificate
Authority!!! To let you know Certificate Authorities or CAs are
agencies who vouch for the company that is being issued the
certificate. They make sure that the certificate owner is who they say
they are and legitimate. They are the lynch pin in the web of trust
that consumers use to trust that the cert was issued properly.  In
other words, I trust Verisign. But I do not trust that WellsSecure
(something apparently affiliated with Wells Fargo) will properly vouch
for Wells Fargo or Wells Fargo Advisors. At a minimum a CA should be a
third party and a trusted third party at that!</p>

<p>In fact I also found this: <a
href="https://bugzilla.mozilla.org/show_bug.cgi?id=449394">Bug 449394
- Enable WellsSecure Public Root Certificate Authority root for
EV</a>. While highly technical (pass it along) when going to WF sites
with Firefox (this is about Firefox) I get that this site is run by
unknown and verified by Wells Fargo. </p>

<p>Oh deary, I'm gonna have to send questions to Steve Gibson who does
the Security Now! podcast and ask him if this is good or bad. I don't
think it's good. And if bad he will expose it to all of his
listeners. Maybe that'll help get Wells Fargo to get its security
corrected!</p>

<p>Security is a semi hobby for me or at least I keep up on the
issues.  I've CCed Voltage Security who are the people who did this
new "secure email thing". Feel free to pass along this email to any
security guys you know in the Wells Fargo domain and tell them they
can call or email me to discuss.</p>

<p>While I'm sure this secure email thing has not been forged or
man-in-the-middle'd and I normally trust WF's security, as a matter of
protest and a matter to attempt to get Wells Fargo to increase it's
security and do it right I refuse to go through this process for so
called "secure email".</p>

<p>Sorry to harp on this but security is important to me! Man it sure
didn't take them long did it? See the attached email that I received
this morning. Look familiar? Hey Voltage! They even have your name
there! Interestingly looking at the mail headers I see this was
received from 213.233.64.166. A whois(1) search reveals this came
from, viola! Bucharest, Romania! The attachment one is told to
download and has the name "SecureMessage.zip". Gee. Unzip it and we
have SecureMessage.exe. I wonder what that might be. Alas, since I
only run Linux I can't run Windows executables! This is a a clear
phishing attempt modelled after this new fangled, supposedly secure
method of sending secure emails! And only 1 day after I got the
supposed real email. Now do you believe me?</p>

<p>While security is more of a hobby, and considering I'm not employed
right now, I think I can safely say that I'd be a better candidate for
employment by WF for handling their security than the current
people. Just saying.</p>

<p>Of course maybe we should just search the WF corporate directory
and see what this "Amand Key" has to say...</p>

<a name="businesscc"><h2>But wait! There's more!</h2></a>

<h2>Introduction</h2>

<p>OK so I get a snail mail letter from a T Crowder, a <i>Senior
Correspondence Specialist</i> AKA a glorified letter writer. Hey
T! This is the 21st century! Most of us use email now a days. You're
writing me a "personal" letter is rather unimpressive. Off to the
letter so y'all can see it (I got an email list now!):</p>

<blockquote>
  <p>September 18, 2014</p>

  <p>Attn: Andrew P DeFaria<br>
  1676 Hope Dr Apt 1915<br>
  Santa Clara CA 95054-1721</p>

  <p>Subject: Information regarding your business card account ending in...
  <font color="#c0c0c0">&lt;you know&gt;</font></p>

  <p>Dear Andrew P DeFaria:</p>

  <p>We want to let you know that your email dated August 30, 2014, was
  forwarded to Customer Correspondence for research. We appreciate the
  opportunity to address your concerns <font color="#c0c0c0">(hey how about
  instead of "addressing" i.e. talking, about my concerns you instead fix your
  obviously broken system?)</font></p>

  <p>At Wells Fargo, we pride ourselves on developing and maintaining quality
  financial relationships and strive to deliver the exemplary service we know
  our customers deserve. <font color="#c0c0c0">(Well this time you failed)
  </font> Therefore, it was disappointing to learn of the frustration and
  inconvenience you experienced while trying to change the Personal
  Identification Number (PIN) on your business card account. We sincerely
  apologizefor the experience you encountered when you contacted the National
  Business Banking Center. <font color="#c0c0c0">(I always love it when
  businesses say this. My response is usually "Great! You apologize. And, of
  course, you only apologize because your recognize that you screwed up. I mean
  otherwise an apology isn't really required right? So since your screwed up,
  please tell me how you're gonna make it up to me... Oh this is where they get
  silent...)</font></p>

  <p>On August 29, 2014, all reissued business card accounts were upgraded to
  chip cards except those with Card Design Studio Images. With the chip card
  you are able to customize your PIN; however, for the security of your account
  you must be properly authenticated before you are allowed to make the change.
  At this time, it is necessary for the customer to contact a banker at our
  National Business Banking Center to answer several verification questions.
  The questions are to ensure that the PIN is changed by the account owner.
  Once the verification is completed, the customer is then transferred to the
  automated service. This verification process is certainly not intended to
  hassle our customers or to waste time. <font color="#c0c0c0">(However that
  is exactly what I pointed out - it has the exact effect of hassling your
  customers and wasting their time)</font></p>

  <p>We appreciate you taking the time to provide your suggestion and comments.
  <font color="#c0c0c0">(Screw that! Instead of "appreciating my time" how bout
  ou implement the damn suggestions as they would alleviate this problem!!!)
  </font> Wells Fargo is constantly reviewing the feedback and needs of it's
  customers <font color="#c0c0c0">(Damn it stop reviewing the feedback and start
  implementing it!)</font> The information you provided in your letter <font
  color="#c0c0c0">(Letter? Really? Please graduate to the 21st century!)</font>
  has been forwarded to the appropriate area for review. <font color="#c0c0c0">
  (Again, stop reviewing - start doing! Or you will lose customers)</font></p>

  <p>If you have any questions, please call blah, blah, blah - <font
  color="#c0c0c0">No thanks. I have better things to do with my time than to sit
  on hold and answer silly questions to prove I'm me simply so I can ask a damn
  question.</font></p>

  <p>Thank you for your time. We appreciate your business.</p>

  <p>Sincerely,<br>
  T. Crowder<br>
  Senior Correspondence Specialist</p>

</blockquote>

<h2>My turn...</h2>

<p>OK that out of the way let me make my suggestions to you. Additionally,
please hear where I'm coming from, from this end of the line - i.e. your
customer...</p>

<p>You only "address" my concerns really when you implement actions and take
steps to make <b>changes</b> to the systems and processes to alleviate the pain
points that your customers, like me, experience. Reviewing crap does nothing for
me! Changing or fixing problems is what gets me off.</p>

<p>How can you change or make your process better? By allowing your customers to
get done what they need to get done in the least amount of time and hassle,
that's how. And to stop adhering to and thinking in terms of ancient, last
century technologies like letters, telephones, security questions and
correspondence specialists. These are not the ways of your customers any more.
This is the 21st century after all. There are better ways.</p>

<p>Let me first ask you why? Why do you need to send your valuable business
customers to some center for authentication only to send them somewhere else to
do what they wanted to do in the first place? IOW why isn't your "authentication
team" and your "pin resolution team" one in the same department? Why the
transfer from one place to the next? Because as a customer... no as a human,
I've experienced many times where I'm given the 3rd degree and have to prove I
am who I say I am to group #1 only to be passed to group #2, and, of course
after the obligatory 5 minute hold time, to get to group #2 and the first thing
out of their mouths are "can your give me your address please?" with the
authentication procedure starting up all over again!!! This is not something I
look forward to in the morning while drinking my coffee and trying to get this
simple thing done before I head to work.</p>

<p>But even more important than that is that you have the silly notion that
asking some stranger over the phone stupid questions, many of which are
extremely easy for anybody to get like my address and my phone number. Do you
recognize how many people on this planet know or can figure out what my address
and phone number are?!? This does not prove that I am who I say I am! (Ref:
<a href="http://www.wired.com/2012/08/apple-amazon-mat-honan-hacking/all/">http://www.wired.com/2012/08/apple-amazon-mat-honan-hacking/all/</a>).</p>

<p>But look at it this way - with my username and password (and I assure you I
use a cryptographically strong password) I can log into your web site and if I
were the bad guy, totally drain every account that Andrew P DeFaria has! Why
then is this not a strong enough authentication such that I should not be able
to go to wellsfargo.com (with strong, extended validation cert included (see
<a href="http://defaria.com/WF">http://defaria.com/WF</a> for details)) and
login and change my damn pin through your website?!? Are you seriously
suggesting my username/password is not "strong enough" to change a 4 digit pin
on a credit card, but that same username/password can effectively drain every
fucking single dollar that I have? Really?!?</p>

<p>And how hard is it to code up a web page to allow people to do this?!? To
change their PIN # - business customer or personal customer? Wait, I know!
Because this is one thing I do in my business... About a day or two... (call me
if you need it done - I assure you my rates will be quite reasonable considering
your exposure).</p>

<h2>Parting thoughts...</h2>

<p>General point #1: Basically you guys should implement a web page where your
customers can easily change their pins. There's no excuses! If their
username/passwords are good enough to drain their accounts then they are good
enough to change a damn 4 digit code!</p>

<p>Point #2: I like Wells Fargo. All my accounts are there. There are many very
good people and divisions there. I want Wells Fargo
to succeed. I really do. I want to be able to recommend them without hesitation
or reservation. I wish they would pay attention to what I say - I'm no layman
WRT to these security issues.</p>

<p>#3: This would make an excellent addition to <a href="http://defaria.com/WF">http://defaria.com/WF</a>.
Expect it to be posted there. No, you can't make me take it down. Free speach,
1st amendment - screw you!</p>

<div class="moz-cite-prefix">On 08/30/2014 12:40 PM, Andrew DeFaria wrote:<br></div>

<blockquote type="cite">
  <p>Sorry, I need to vent... I only hope that my venting to you gets passed
  along at least a little deeper than I am able to do myself because I really,
  really want Wells Fargo to do good. But I find some of their practices,
  especially toward customers who have many accounts and a lot invested in WF
  through business and personal accounts a little less than desired.</p>

  <p>I lost my business credit card recently so I reported it and received a new
  one. This is one of those new chip and pin things. Along with the card came a
  letter that told me my pin and said "If you would like to change your PIN or
  need any other assistance, please call Wells Fargo's National Business Banking
  Center at 1-800-225-5935..." so I did. There was absolutely no selections on
  the menu at all for changing your pin so I fell into the other category and
  got a human. You know many people would rather just talk to a human but I also
  find many times the automated system is a bit more intelligent. Anyway after
  wasting 5'40" or my time they said that they'd put me back into the automated
  queue! Well I been there, done that and there is no selection for change pin
  and I had to get to work so I said screw this and hung up.</p>

  <p>Today I tried again being careful to note all options on the menu to see if
  there was some way to get to the automated system. I just wanted to change my
  pin number to one I like using for financial stuff. Of course there were no
  options so I got the support droid. She wanted to "clear" me asking all kinds
  of questions and I told her I want to speak to the manager - I wanted to find
  out why I could not perform, in this day and age, this simple procedure with
  much less hassle and wasted time and simply change my pin in an automated
  fashion. The manager then relayed to me that there was a different automated
  system that would allow me to change my pin. I pointed her right back to the
  fact that this number, the one I called, was exactly the one on the paperwork
  that I was told to call to be able to change my pin. She said, yes but you
  have to speak to us and then we put you into the other automated system.
  Really?!? I mean fucking really? You intentionally give your valuable business
  customers the run around by requiring that they call a number, figure out
  there's no way to do this quickly with an automated system, decide to talk to
  a human and then be told "Hey now that you figured that out I'll connect you
  to the proper place"!?! instead of just giving your business customers the
  phone number to the correct automated system in the first place!?!</p>

  <p>I hope you can pass along this little customer experience to the
  appropriate people. Meantime I think I'll amend this little ditty to
  <a href="http://defaria.com/WF">http://defaria.com/WF</a> so when my business
  associates ask me about Wells Fargo I could just point them there...</p>
</blockquote>

<div class="moz-signature">-- <br>
<a href="http://defaria.com">Andrew DeFaria</a><br>
<small><font color="#999999">Funny, I don't remember being absent
minded.</font></small>
</div>
</body>
</html>