<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN"
"http://www.w3.org/TR/html4/strict.dtd">
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">
<link rel="stylesheet" type="text/css" media="screen" href="/css/Letter.css">
<title>Wells Fargo Security</title>
<?php include "site-functions.php"?>
<iframe width="854" height="480" src="https://www.youtube.com/embed/fPoT24YdoJE" frameborder="0" allowfullscreen></iframe>
<h2>And they cashed the check!</h2>
<img src="Check.jpg" />
<div class="moz-cite-prefix">On 05/15/2013 02:48 PM,
<a class="moz-txt-link-abbreviated" href="mailto:jon.vance@wellsfargoadvisors.com">jon.vance@wellsfargoadvisors.com</a> wrote:<br>
<blockquote class="cite"
id="mid_3535311528C9EF49803D20A61A391B918A8A107DD4_MSGCMOXM1007_ent_wfb_bank_corp"
cite="mid:3535311528C9EF49803D20A61A391B918A8A107DD4@MSGCMOXM1007.ent.wfb.bank.corp"
<title>Secure Email by Wells Fargo Advisors</title>
<div class="WordSection1">
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:'Calibri','sans-serif';color:#1F497D">Andrew:
This is the latest and greatest. It is only a hassle the
first time. Every secure email I send after that comes
to you without having to use your password. I cannot send
confidential information to you via email without using our
secure channel. Just play along, it will be fun.</span></p>
<p>Is this required? Because, respectfully, could you please get your
security guru to explain to me exactly how I can trust an insecure
email's links in the first place? I mean email's not secure. Unless
href="http://en.wikipedia.org/wiki/SMIME">SMIME</a>), email is sent in
the clear and travels through many servers on its way to its
destination. Along the way anybody can capture and alter it (that's
one reason SMIME was invented but nobody seems to use it). So the
links provided in that email could have been altered to <a
class="moz-txt-link-freetext"
href="http://identitytheft.com">http://identitytheft.com</a> or
whatever. Worse yet the email actually tells you to save an attachment
to your file system and then open it! Saving attachments is a very
insecure practice. Somebody could have modified its contents as
well. In other words you can't secure a channel using an insecure
<p>Also, I see this bad practice of personal security images. Anybody
href="http://en.wikipedia.org/wiki/Man-in-the-middle_attack">Man-in-the-middle</a>
attacks knows that this can easily be spoofed, thus it provides no real
additional security.<br> <br> What could WF do? Well they could have
done this on their web site itself and instructed me to go there to go
through the process. This is a tried and true security practice, like
when somebody calls you up from some financial place and says you owe
money or something like that you say "Thanks, I will call &lt;company
X&gt; and get this straightened out" but you <b>never</b> give the
person calling you any financially sensitive information. If you call
&lt;company X&gt; directly and they know nothing about this then you
just avoided being phished. WF should have done that. WF should still
<p>If instead the email said "Go to Wells Fargo's web site (Note no
direct link) and click on X, Y and Z to set up your secure email" then
it would be me going there, verifying my access with my strong crypto
password and connecting with SSL so that I am guaranteed there is no
Man-in-the-middle snooping.</p>
<p>Speaking of SSL and Man-in-the-middle attacks, I find it
distressing that WF has yet to get an <a
href="http://en.wikipedia.org/wiki/Extended_validation">Extended
Validation Certificate</a>. Most important financial institutions have
them. Here are some examples:</p>
<p>Note that EV certs display a large green bar in the URL with the
company's name. Also note that details say "Extended Validation SSL
<img src="Paypal.png">
<p>Paypal's slightly better in that it uses TLS 1.1 instead of TLS 1.0.</p>
<img src="USBank.png">
<p>US Bank uses Entrust which doesn't make it as clear that it's an EV
cert except that it says "L1E" but the browser still displays the
<p>Now let's look into WF's security... </p>
<p>Note the lack of the green EV bar! This is not an Extended
Validation Certificate. EVs cost between $100 - $1000 per year.
Surely Wells Fargo can splurge on that to provide its customer base
with peace of mind.</p>
<p>But even more telling is what is this WellsSecure Certificate
<img src="Cert General.png">
<img src="Cert Detail.png">
<p>It seems that Wells Fargo is acting as its own Certificate
Authority!!! To let you know Certificate Authorities or CAs are
agencies who vouch for the company that is being issued the
certificate. They make sure that the certificate owner is who they say
they are and legitimate. They are the linchpin in the web of trust
that consumers use to trust that the cert was issued properly. In
other words, I trust Verisign. But I do not trust that WellsSecure
(something apparently affiliated with Wells Fargo) will properly vouch
for Wells Fargo or Wells Fargo Advisors. At a minimum a CA should be a
third party and a trusted third party at that!</p>
<p>In fact I also found this: <a
href="https://bugzilla.mozilla.org/show_bug.cgi?id=449394">Bug 449394
- Enable WellsSecure Public Root Certificate Authority root for
EV</a>. While highly technical (pass it along) when going to WF sites
with Firefox (this is about Firefox) I get that this site is run by
unknown and verified by Wells Fargo. </p>
<p>Oh deary, I'm gonna have to send questions to Steve Gibson who does
the Security Now! podcast and ask him if this is good or bad. I don't
think it's good. And if bad he will expose it to all of his
listeners. Maybe that'll help get Wells Fargo to get its security
<p>Security is a semi hobby for me or at least I keep up on the
issues. I've CCed Voltage Security who are the people who did this
new "secure email thing". Feel free to pass along this email to any
security guys you know in the Wells Fargo domain and tell them they
can call or email me to discuss.</p>
<p>While I'm sure this secure email thing has not been forged or
man-in-the-middle'd and I normally trust WF's security, as a matter of
protest and a matter to attempt to get Wells Fargo to increase its
security and do it right I refuse to go through this process for so
called "secure email".</p>
<p>Sorry to harp on this but security is important to me! Man it sure
didn't take them long did it? See the attached email that I received
this morning. Look familiar? Hey Voltage! They even have your name
there! Interestingly looking at the mail headers I see this was
received from 213.233.64.166. A whois(1) search reveals this came
from, voilà! Bucharest, Romania! The attachment one is told to
download has the name "SecureMessage.zip". Gee. Unzip it and we
have SecureMessage.exe. I wonder what that might be. Alas, since I
only run Linux I can't run Windows executables! This is a clear
phishing attempt modelled after this new fangled, supposedly secure
method of sending secure emails! And only 1 day after I got the
supposed real email. Now do you believe me?</p>
<p>While security is more of a hobby, and considering I'm not employed
right now, I think I can safely say that I'd be a better candidate for
employment by WF for handling their security than the current
people. Just saying.</p>
<p>Of course maybe we should just search the WF corporate directory
and see what this "Amand Key" has to say...</p>
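<p>As an added example (not part of the original email thread, and not Wells Fargo's or Voltage's code), here are the checks described above written in Python and run over a constructed message that imitates the lure: it pulls the originating IP from the earliest Received header (the value you would hand to whois), flags links whose visible text names a different host than the real href (the "altered link" problem raised earlier in this reply), and lists executables packed inside zip attachments like the SecureMessage.zip mentioned. Every host, address and IP in it is made up (RFC 5737 documentation ranges), and the "executable" is a two-byte MZ stub.</p>

```python
import email
import io
import re
import zipfile
from email import policy
from email.message import EmailMessage
from html.parser import HTMLParser
from urllib.parse import urlparse

IP_IN_BRACKETS = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")
EXECUTABLE_SUFFIXES = (".exe", ".scr", ".com", ".bat", ".cmd", ".js", ".vbs")


def build_sample_message():
    """Constructed sample lure (all names, hosts and IPs are made up)."""
    msg = EmailMessage()
    msg["From"] = "Secure Messaging <noreply@example-bank.invalid>"
    msg["To"] = "customer@example.invalid"
    msg["Subject"] = "You have received a secure message"
    # Each hop prepends its own Received header, so the first one is the newest
    # and the last one records the hop closest to the sender.
    msg["Received"] = ("from mx.example.invalid (mx.example.invalid [192.0.2.10]) "
                       "by mail.example.invalid; Wed, 15 May 2013 09:12:01 -0700")
    msg["Received"] = ("from unknown (HELO securemail) ([203.0.113.77]) "
                       "by mx.example.invalid; Wed, 15 May 2013 09:11:58 -0700")
    body_html = ('<p>To read your secure message, open the attachment or click '
                 '<a href="http://203.0.113.77/login">'
                 'https://secure.example-bank.invalid</a></p>')
    msg.set_content("Open the attachment to read your secure message.")
    msg.add_alternative(body_html, subtype="html")
    # A zip whose only member is named like a Windows executable (fake MZ stub).
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("SecureMessage.exe", b"MZ" + b"\x00" * 62)
    msg.add_attachment(buf.getvalue(), maintype="application", subtype="zip",
                       filename="SecureMessage.zip")
    return bytes(msg)


def originating_ip(msg):
    """IP from the earliest Received header, i.e. the hop nearest the sender."""
    for value in reversed(msg.get_all("Received") or []):
        match = IP_IN_BRACKETS.search(str(value))
        if match:
            return match.group(1)
    return None


class LinkCollector(HTMLParser):
    """Collects (href, visible text) pairs for every <a> in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def mismatched_links(html):
    """Links whose visible text is a URL on a different host than the real href."""
    collector = LinkCollector()
    collector.feed(html)
    findings = []
    for href, text in collector.links:
        shown, real = urlparse(text), urlparse(href)
        if shown.scheme in ("http", "https") and shown.hostname != real.hostname:
            findings.append((text, href))
    return findings


def executables_in_zip_attachments(msg):
    """(attachment name, member name) for executables packed inside zip attachments."""
    findings = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        if not name.lower().endswith(".zip"):
            continue
        try:
            with zipfile.ZipFile(io.BytesIO(part.get_payload(decode=True))) as zf:
                for member in zf.namelist():
                    if member.lower().endswith(EXECUTABLE_SUFFIXES):
                        findings.append((name, member))
        except zipfile.BadZipFile:
            findings.append((name, "<not a valid zip>"))
    return findings


def analyze(raw):
    """Run all three checks over a raw RFC 5322 message and return the findings."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    html_part = msg.get_body(preferencelist=("html",))
    html = html_part.get_content() if html_part is not None else ""
    return {
        "origin_ip": originating_ip(msg),
        "mismatched_links": mismatched_links(html),
        "executables_in_zips": executables_in_zip_attachments(msg),
    }


if __name__ == "__main__":
    for key, value in analyze(build_sample_message()).items():
        print(f"{key}: {value}")
```

<p>Run it directly to print the three findings for the constructed message. One caveat when using the origin IP: the Received chain is only trustworthy from your own server's entry inward, since every earlier line was written by whoever handled the mail before you, so the IP is a lead for whois and further investigation rather than proof of origin.</p>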
<a name="businesscc"><h2>But wait! There's more!</h2></a>
<h2>Introduction</h2>
<p>OK so I get a snail mail letter from a T Crowder, a <i>Senior
Correspondence Specialist</i> AKA a glorified letter writer. Hey
T! This is the 21st century! Most of us use email nowadays. Your
writing me a "personal" letter is rather unimpressive. Off to the
letter so y'all can see it (I got an email list now!):</p>
<p>September 18, 2014</p>
<p>Attn: Andrew P DeFaria<br>
1676 Hope Dr Apt 1915<br>
Santa Clara CA 95054-1721</p>
<p>Subject: Information regarding your business card account ending in...
<font color="#c0c0c0">&lt;you know&gt;</font></p>
<p>Dear Andrew P DeFaria:</p>
<p>We want to let you know that your email dated August 30, 2014, was
forwarded to Customer Correspondence for research. We appreciate the
opportunity to address your concerns <font color="#c0c0c0">(hey how about
instead of "addressing" i.e. talking, about my concerns you instead fix your
obviously broken system?)</font></p>
<p>At Wells Fargo, we pride ourselves on developing and maintaining quality
financial relationships and strive to deliver the exemplary service we know
our customers deserve. <font color="#c0c0c0">(Well this time you failed)
</font> Therefore, it was disappointing to learn of the frustration and
inconvenience you experienced while trying to change the Personal
Identification Number (PIN) on your business card account. We sincerely
apologize for the experience you encountered when you contacted the National
Business Banking Center. <font color="#c0c0c0">(I always love it when
businesses say this. My response is usually "Great! You apologize. And, of
course, you only apologize because you recognize that you screwed up. I mean
otherwise an apology isn't really required right? So since you screwed up,
please tell me how you're gonna make it up to me... Oh this is where they get
silent...)</font></p>
<p>On August 29, 2014, all reissued business card accounts were upgraded to
chip cards except those with Card Design Studio Images. With the chip card
you are able to customize your PIN; however, for the security of your account
you must be properly authenticated before you are allowed to make the change.
At this time, it is necessary for the customer to contact a banker at our
National Business Banking Center to answer several verification questions.
The questions are to ensure that the PIN is changed by the account owner.
Once the verification is completed, the customer is then transferred to the
automated service. This verification process is certainly not intended to
hassle our customers or to waste time. <font color="#c0c0c0">(However that
is exactly what I pointed out - it has the exact effect of hassling your
customers and wasting their time)</font></p>
<p>We appreciate you taking the time to provide your suggestion and comments.
<font color="#c0c0c0">(Screw that! Instead of "appreciating my time" how bout
you implement the damn suggestions as they would alleviate this problem!!!)
</font> Wells Fargo is constantly reviewing the feedback and needs of its
customers <font color="#c0c0c0">(Damn it stop reviewing the feedback and start
implementing it!)</font> The information you provided in your letter <font
color="#c0c0c0">(Letter? Really? Please graduate to the 21st century!)</font>
has been forwarded to the appropriate area for review. <font color="#c0c0c0">
(Again, stop reviewing - start doing! Or you will lose customers)</font></p>
<p>If you have any questions, please call blah, blah, blah - <font
color="#c0c0c0">No thanks. I have better things to do with my time than to sit
on hold and answer silly questions to prove I'm me simply so I can ask a damn
<p>Thank you for your time. We appreciate your business.</p>
Senior Correspondence Specialist</p>
<p>OK that out of the way let me make my suggestions to you. Additionally,
please hear where I'm coming from, from this end of the line - i.e. your
<p>You only "address" my concerns really when you implement actions and take
steps to make <b>changes</b> to the systems and processes to alleviate the pain
points that your customers, like me, experience. Reviewing crap does nothing for
me! Changing or fixing problems is what gets me off.</p>
<p>How can you change or make your process better? By allowing your customers to
get done what they need to get done in the least amount of time and hassle,
that's how. And to stop adhering to and thinking in terms of ancient, last
century technologies like letters, telephones, security questions and
correspondence specialists. These are not the ways of your customers any more.
This is the 21st century after all. There are better ways.</p>
<p>Let me first ask you why? Why do you need to send your valuable business
customers to some center for authentication only to send them somewhere else to
do what they wanted to do in the first place? IOW why isn't your "authentication
team" and your "pin resolution team" one and the same department? Why the
transfer from one place to the next? Because as a customer... no as a human,
I've experienced many times where I'm given the 3rd degree and have to prove I
am who I say I am to group #1 only to be passed to group #2, and, of course
after the obligatory 5 minute hold time, to get to group #2 and the first thing
out of their mouths are "can you give me your address please?" with the
authentication procedure starting up all over again!!! This is not something I
look forward to in the morning while drinking my coffee and trying to get this
simple thing done before I head to work.</p>
<p>But even more important than that is that you have the silly notion that
asking some stranger over the phone stupid questions, many of which are
extremely easy for anybody to get like my address and my phone number. Do you
recognize how many people on this planet know or can figure out what my address
and phone number are?!? This does not prove that I am who I say I am! (Ref:
<a href="http://www.wired.com/2012/08/apple-amazon-mat-honan-hacking/all/">http://www.wired.com/2012/08/apple-amazon-mat-honan-hacking/all/</a>).</p>
<p>But look at it this way - with my username and password (and I assure you I
use a cryptographically strong password) I can log into your web site and if I
were the bad guy, totally drain every account that Andrew P DeFaria has! Why
then is this not a strong enough authentication such that I should not be able
to go to wellsfargo.com (with strong, extended validation cert included (see
<a href="http://defaria.com/WF">http://defaria.com/WF</a> for details)) and
login and change my damn pin through your website?!? Are you seriously
suggesting my username/password is not "strong enough" to change a 4 digit pin
on a credit card, but that same username/password can effectively drain every
fucking single dollar that I have? Really?!?</p>
<p>And how hard is it to code up a web page to allow people to do this?!? To
change their PIN # - business customer or personal customer? Wait, I know!
Because this is one thing I do in my business... About a day or two... (call me
if you need it done - I assure you my rates will be quite reasonable considering
<h2>Parting thoughts...</h2>
<p>General point #1: Basically you guys should implement a web page where your
customers can easily change their pins. There's no excuses! If their
username/passwords are good enough to drain their accounts then they are good
enough to change a damn 4 digit code!</p>
<p>Point #2: I like Wells Fargo. All my accounts are there. There are many very
good people and divisions there. I want Wells Fargo
to succeed. I really do. I want to be able to recommend them without hesitation
or reservation. I wish they would pay attention to what I say - I'm no layman
WRT these security issues.</p>
<p>#3: This would make an excellent addition to <a href="http://defaria.com/WF">http://defaria.com/WF</a>.
Expect it to be posted there. No, you can't make me take it down. Free speech,
1st amendment - screw you!</p>
<div class="moz-cite-prefix">On 08/30/2014 12:40 PM, Andrew DeFaria wrote:<br></div>
<blockquote type="cite">
<p>Sorry, I need to vent... I only hope that my venting to you gets passed
along at least a little deeper than I am able to do myself because I really,
really want Wells Fargo to do good. But I find some of their practices,
especially toward customers who have many accounts and a lot invested in WF
through business and personal accounts a little less than desired.</p>
<p>I lost my business credit card recently so I reported it and received a new
one. This is one of those new chip and pin things. Along with the card came a
letter that told me my pin and said "If you would like to change your PIN or
need any other assistance, please call Wells Fargo's National Business Banking
Center at 1-800-225-5935..." so I did. There were absolutely no selections on
the menu at all for changing your pin so I fell into the other category and
got a human. You know many people would rather just talk to a human but I also
find many times the automated system is a bit more intelligent. Anyway after
wasting 5'40" of my time they said that they'd put me back into the automated
queue! Well I been there, done that and there is no selection for change pin
and I had to get to work so I said screw this and hung up.</p>
<p>Today I tried again being careful to note all options on the menu to see if
there was some way to get to the automated system. I just wanted to change my
pin number to one I like using for financial stuff. Of course there were no
options so I got the support droid. She wanted to "clear" me asking all kinds
of questions and I told her I want to speak to the manager - I wanted to find
out why I could not perform, in this day and age, this simple procedure with
much less hassle and wasted time and simply change my pin in an automated
fashion. The manager then relayed to me that there was a different automated
system that would allow me to change my pin. I pointed her right back to the
fact that this number, the one I called, was exactly the one on the paperwork
that I was told to call to be able to change my pin. She said, yes but you
have to speak to us and then we put you into the other automated system.
Really?!? I mean fucking really? You intentionally give your valuable business
customers the run around by requiring that they call a number, figure out
there's no way to do this quickly with an automated system, decide to talk to
a human and then be told "Hey now that you figured that out I'll connect you
to the proper place"!?! instead of just giving your business customers the
phone number to the correct automated system in the first place!?!</p>
<p>I hope you can pass along this little customer experience to the
appropriate people. Meantime I think I'll amend this little ditty to
<a href="http://defaria.com/WF">http://defaria.com/WF</a> so when my business
associates ask me about Wells Fargo I could just point them there...</p>
<div class="moz-signature">-- <br>
<a href="http://defaria.com">Andrew DeFaria</a><br>
<small><font color="#999999">Funny, I don't remember being absent
minded.</font></small>