And they cashed the check!

On 05/15/2013 02:48 PM, jon.vance@wellsfargoadvisors.com wrote:
Secure Email by Wells Fargo Advisors

Andrew:  This is the latest and greatest.  It is only a hassle the first time.  Every secure email I send after that comes to you without having to use your password.  I cannot send confidential information to you via email without using our secure channel.  Just play along, it will be fun.

Is this required? Because, respectfully, could you please get your security guru to explain to me exactly how I can trust an insecure email's links in the first place? I mean, email's not secure. Unless encrypted (see S/MIME), email is sent in the clear and travels through many servers on its way to its destination. Along the way anybody can capture and alter it (that's one reason S/MIME was invented, but nobody seems to use it). So the links provided in that email could have been altered to http://identitytheft.com or whatever. Worse yet, the email actually tells you to save an attachment to your file system and then open it! Saving attachments is a very insecure practice. Somebody could have modified its contents as well. In other words, you can't secure a channel using an insecure channel.

Also, I see this bad practice of personal security images. Anybody familiar with Man-in-the-middle attacks knows that this can easily be spoofed, so it provides no real additional security.

What could WF do? Well they could have done this on their web site itself and instructed me to go there to go through the process. This is a tried and true security practice, like when somebody calls you up from some financial place and says you owe money or something like that you say "Thanks, I will call <company X> and get this straightened out" but you never give the person calling you any financially sensitive information. If you call <company X> directly and they know nothing about this then you just avoided being phished. WF should have done that. WF should still offer that!

If instead the email said "Go to Wells Fargo's web site (note: no direct link) and click on X, Y and Z to set up your secure email" then it would be me going there, verifying my access with my strong crypto password and connecting with SSL, so that I am guaranteed there is no Man-in-the-middle snooping.

Speaking of SSL and Man-in-the-middle attacks, I find it distressing that WF has yet to get an Extended Validation Certificate. Most important financial institutions have them. Here are some examples:

Note that EV certs display a large green bar in the URL with the company's name. Also note that details say "Extended Validation SSL CA".

PayPal's slightly better in that it uses TLS 1.1 instead of TLS 1.0.

US Bank uses Entrust which doesn't make it as clear that it's an EV cert except that it says "L1E" but the browser still displays the green EV bar.

Now let's look into WF's security...

Note the lack of the green EV bar! This is not an Extended Validation Certificate. EVs cost between $100 - $1000 per year.  Surely Wells Fargo can splurge on that to provide its customer base with peace of mind.

But even more telling is what is this WellsSecure Certificate Authority?!?

Hmmm....

It seems that Wells Fargo is acting as its own Certificate Authority!!! To let you know, Certificate Authorities or CAs are agencies who vouch for the company that is being issued the certificate. They make sure that the certificate owner is who they say they are and legitimate. They are the linchpin in the web of trust that consumers use to trust that the cert was issued properly. In other words, I trust Verisign. But I do not trust that WellsSecure (something apparently affiliated with Wells Fargo) will properly vouch for Wells Fargo or Wells Fargo Advisors. At a minimum a CA should be a third party, and a trusted third party at that!

In fact I also found this: Bug 449394 - Enable WellsSecure Public Root Certificate Authority root for EV. While highly technical (pass it along), when going to WF sites with Firefox (this is about Firefox) I get that this site is run by unknown and verified by Wells Fargo.

Oh deary, I'm gonna have to send questions to Steve Gibson who does the Security Now! podcast and ask him if this is good or bad. I don't think it's good. And if bad he will expose it to all of his listeners. Maybe that'll help get Wells Fargo to get its security corrected!

Security is a semi-hobby for me, or at least I keep up on the issues. I've CCed Voltage Security, who are the people who did this new "secure email thing". Feel free to pass along this email to any security guys you know in the Wells Fargo domain and tell them they can call or email me to discuss.

While I'm sure this secure email thing has not been forged or man-in-the-middle'd and I normally trust WF's security, as a matter of protest and a matter of attempting to get Wells Fargo to increase its security and do it right, I refuse to go through this process for so called "secure email".

Sorry to harp on this, but security is important to me! Man, it sure didn't take them long, did it? See the attached email that I received this morning. Look familiar? Hey Voltage! They even have your name there! Interestingly, looking at the mail headers I see this was received from 213.233.64.166. A whois(1) search reveals this came from, voilà! Bucharest, Romania! The attachment one is told to download has the name "SecureMessage.zip". Gee. Unzip it and we have SecureMessage.exe. I wonder what that might be. Alas, since I only run Linux I can't run Windows executables! This is a clear phishing attempt modelled after this new fangled, supposedly secure method of sending secure emails! And only 1 day after I got the supposed real email. Now do you believe me?

While security is more of a hobby, and considering I'm not employed right now, I think I can safely say that I'd be a better candidate for employment by WF for handling their security than the current people. Just saying.

Of course maybe we should just search the WF corporate directory and see what this "Amand Key" has to say...
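The triage described above (reading the Received headers to find where a "secure message" actually came from, distrusting links in the mail body, and looking inside the ZIP attachment before anyone opens it) can be scripted. The following is an added example written for this page, not code from the author, from Wells Fargo or from Voltage Security. It builds a constructed sample message in memory (the domains, addresses and the 203.0.113.45 / 192.0.2.10 hops are placeholders from the documentation address ranges, not the real 213.233.64.166 sender), then reports the earliest visible hop, links whose target host is not under the expected institution domain, links whose visible text names a different host than their target, and archive attachments that contain an executable.

```python
"""Phishing triage for a 'secure message' e-mail (added example, constructed data)."""
import email
import io
import re
import zipfile
from email import policy
from email.message import EmailMessage
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed placeholder for the institution's real domain; nothing else is trusted.
EXPECTED_DOMAIN = "example-bank.test"
EXEC_SUFFIXES = (".exe", ".scr", ".bat", ".cmd", ".js", ".vbs", ".pif", ".com")
IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def build_sample_message() -> bytes:
    """Construct an in-memory message that mimics the pattern described in the post."""
    zbuf = io.BytesIO()
    with zipfile.ZipFile(zbuf, "w") as zf:
        zf.writestr("SecureMessage.exe", b"MZ placeholder, not a real binary")
    msg = EmailMessage()
    msg["From"] = "Secure Email <notice@example-bank.test>"
    msg["To"] = "customer@example.test"
    msg["Subject"] = "You have received a secure message"
    # Received headers stack newest-first, so the last one is the earliest hop we can see.
    msg["Received"] = ("from mx.example.test (mx.example.test [192.0.2.10]) "
                       "by inbox.example.test; Thu, 16 May 2013 08:00:00 -0700")
    msg["Received"] = ("from unknown (HELO securemail) [203.0.113.45] "
                       "by mx.example.test; Thu, 16 May 2013 07:59:00 -0700")
    msg.set_content("You have a secure message. Open the attachment to read it.")
    msg.add_alternative(
        '<p>You have a secure message from <a href="http://203.0.113.45/read">'
        'https://secure.example-bank.test/read</a>. Or save and open the attached '
        'SecureMessage.zip.</p>', subtype="html")
    msg.add_attachment(zbuf.getvalue(), maintype="application", subtype="zip",
                       filename="SecureMessage.zip")
    return msg.as_bytes()


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from the HTML body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def received_ips(msg):
    """Source IPs in transit order (earliest hop first). Only hops added by MTAs you
    control are trustworthy; anything earlier in the chain can be forged by the sender."""
    ips = []
    for hdr in reversed(msg.get_all("Received", [])):
        m = IP_RE.search(str(hdr))
        if m:
            ips.append(m.group(1))
    return ips


def suspicious_links(html):
    parser = LinkCollector()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        host = urlparse(href).hostname or ""
        if host != EXPECTED_DOMAIN and not host.endswith("." + EXPECTED_DOMAIN):
            findings.append(f"link to {host or href!r} not under {EXPECTED_DOMAIN}")
        shown = urlparse(text).hostname if text.startswith(("http://", "https://")) else None
        if shown and shown != host:
            findings.append(f"visible text says {shown} but target is {host}")
    return findings


def executable_attachments(msg):
    """Flag direct executables and executables hidden inside ZIP attachments."""
    findings = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        data = part.get_payload(decode=True) or b""
        if name.lower().endswith(EXEC_SUFFIXES):
            findings.append(f"attachment {name} is a direct executable")
        if data[:2] == b"PK":  # ZIP local-file-header magic
            try:
                inner_names = zipfile.ZipFile(io.BytesIO(data)).namelist()
            except zipfile.BadZipFile:
                continue
            for inner in inner_names:
                if inner.lower().endswith(EXEC_SUFFIXES):
                    findings.append(f"{name} contains executable {inner}")
    return findings


def triage(raw: bytes) -> dict:
    msg = email.message_from_bytes(raw, policy=policy.default)
    html_part = msg.get_body(preferencelist=("html",))
    html = html_part.get_content() if html_part else ""
    return {
        "origin_ip": (received_ips(msg) or [None])[0],
        "links": suspicious_links(html),
        "attachments": executable_attachments(msg),
    }


if __name__ == "__main__":
    for key, value in triage(build_sample_message()).items():
        print(key, "->", value)
```

The origin IP is what you would feed to whois, as the post does; the link and attachment findings are the two cues the post calls out (a link you did not navigate to yourself, and an archive you are told to save and open). A real filter would also verify the sender's domain signatures, but the point here is that none of the content inside an unauthenticated message can vouch for itself.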

But wait! There's more!

Introduction

OK so I get a snail mail letter from a T Crowder, a Senior Correspondence Specialist AKA a glorified letter writer. Hey T! This is the 21st century! Most of us use email nowadays. Your writing me a "personal" letter is rather unimpressive. Off to the letter so y'all can see it (I got an email list now!):

September 18, 2014

Attn: Andrew P DeFaria
1676 Hope Dr Apt 1915
Santa Clara CA 95054-1721

Subject: Information regarding your business card account ending in... <you know>

Dear Andrew P DeFaria:

We want to let you know that your email dated August 30, 2014, was forwarded to Customer Correspondence for research. We appreciate the opportunity to address your concerns (hey how about instead of "addressing" i.e. talking, about my concerns you instead fix your obviously broken system?)

At Wells Fargo, we pride ourselves on developing and maintaining quality financial relationships and strive to deliver the exemplary service we know our customers deserve. (Well this time you failed) Therefore, it was disappointing to learn of the frustration and inconvenience you experienced while trying to change the Personal Identification Number (PIN) on your business card account. We sincerely apologize for the experience you encountered when you contacted the National Business Banking Center. (I always love it when businesses say this. My response is usually "Great! You apologize. And, of course, you only apologize because you recognize that you screwed up. I mean otherwise an apology isn't really required right? So since you screwed up, please tell me how you're gonna make it up to me... Oh this is where they get silent...)

On August 29, 2014, all reissued business card accounts were upgraded to chip cards except those with Card Design Studio Images. With the chip card you are able to customize your PIN; however, for the security of your account you must be properly authenticated before you are allowed to make the change. At this time, it is necessary for the customer to contact a banker at our National Business Banking Center to answer several verification questions. The questions are to ensure that the PIN is changed by the account owner. Once the verification is completed, the customer is then transferred to the automated service. This verification process is certainly not intended to hassle our customers or to waste time. (However that is exactly what I pointed out - it has the exact effect of hassling your customers and wasting their time)

We appreciate you taking the time to provide your suggestion and comments. (Screw that! Instead of "appreciating my time" how 'bout you implement the damn suggestions as they would alleviate this problem!!!) Wells Fargo is constantly reviewing the feedback and needs of its customers (Damn it stop reviewing the feedback and start implementing it!) The information you provided in your letter (Letter? Really? Please graduate to the 21st century!) has been forwarded to the appropriate area for review. (Again, stop reviewing - start doing! Or you will lose customers)

If you have any questions, please call blah, blah, blah - No thanks. I have better things to do with my time than to sit on hold and answer silly questions to prove I'm me simply so I can ask a damn question.

Thank you for your time. We appreciate your business.

Sincerely,
T. Crowder
Senior Correspondence Specialist

My turn...

OK that out of the way let me make my suggestions to you. Additionally, please hear where I'm coming from, from this end of the line - i.e. your customer...

You only "address" my concerns really when you implement actions and take steps to make changes to the systems and processes to alleviate the pain points that your customers, like me, experience. Reviewing crap does nothing for me! Changing or fixing problems is what gets me off.

How can you change or make your process better? By allowing your customers to get done what they need to get done in the least amount of time and hassle, that's how. And to stop adhering to and thinking in terms of ancient, last century technologies like letters, telephones, security questions and correspondence specialists. These are not the ways of your customers any more. This is the 21st century after all. There are better ways.

Let me first ask you why? Why do you need to send your valuable business customers to some center for authentication only to send them somewhere else to do what they wanted to do in the first place? IOW why isn't your "authentication team" and your "pin resolution team" one and the same department? Why the transfer from one place to the next? Because as a customer... no as a human, I've experienced many times where I'm given the 3rd degree and have to prove I am who I say I am to group #1 only to be passed to group #2, and, of course after the obligatory 5 minute hold time, to get to group #2 and the first thing out of their mouths is "can you give me your address please?" with the authentication procedure starting up all over again!!! This is not something I look forward to in the morning while drinking my coffee and trying to get this simple thing done before I head to work.

But even more important than that is that you have the silly notion that asking some stranger over the phone stupid questions, many of which are extremely easy for anybody to get like my address and my phone number. Do you recognize how many people on this planet know or can figure out what my address and phone number are?!? This does not prove that I am who I say I am! (Ref: http://www.wired.com/2012/08/apple-amazon-mat-honan-hacking/all/).

But look at it this way - with my username and password (and I assure you I use a cryptographically strong password) I can log into your web site and if I were the bad guy, totally drain every account that Andrew P DeFaria has! Why then is this not a strong enough authentication such that I should not be able to go to wellsfargo.com (with strong, extended validation cert included (see http://defaria.com/WF for details)) and login and change my damn pin through your website?!? Are you seriously suggesting my username/password is not "strong enough" to change a 4 digit pin on a credit card, but that same username/password can effectively drain every fucking single dollar that I have? Really?!?

And how hard is it to code up a web page to allow people to do this?!? To change their PIN # - business customer or personal customer? Wait, I know! Because this is one thing I do in my business... About a day or two... (call me if you need it done - I assure you my rates will be quite reasonable considering your exposure).

Parting thoughts...

General point #1: Basically you guys should implement a web page where your customers can easily change their pins. There's no excuses! If their username/passwords are good enough to drain their accounts then they are good enough to change a damn 4 digit code!

Point #2: I like Wells Fargo. All my accounts are there. There are many very good people and divisions there. I want Wells Fargo to succeed. I really do. I want to be able to recommend them without hesitation or reservation. I wish they would pay attention to what I say - I'm no layman WRT these security issues.

#3: This would make an excellent addition to http://defaria.com/WF. Expect it to be posted there. No, you can't make me take it down. Free speech, 1st amendment - screw you!

On 08/30/2014 12:40 PM, Andrew DeFaria wrote:

Sorry, I need to vent... I only hope that my venting to you gets passed along at least a little deeper than I am able to do myself because I really, really want Wells Fargo to do good. But I find some of their practices, especially toward customers who have many accounts and a lot invested in WF through business and personal accounts a little less than desired.

I lost my business credit card recently so I reported it and received a new one. This is one of those new chip and pin things. Along with the card came a letter that told me my pin and said "If you would like to change your PIN or need any other assistance, please call Wells Fargo's National Business Banking Center at 1-800-225-5935..." so I did. There were absolutely no selections on the menu at all for changing your pin so I fell into the other category and got a human. You know many people would rather just talk to a human but I also find many times the automated system is a bit more intelligent. Anyway after wasting 5'40" of my time they said that they'd put me back into the automated queue! Well I been there, done that and there is no selection for change pin and I had to get to work so I said screw this and hung up.

Today I tried again being careful to note all options on the menu to see if there was some way to get to the automated system. I just wanted to change my pin number to one I like using for financial stuff. Of course there were no options so I got the support droid. She wanted to "clear" me asking all kinds of questions and I told her I want to speak to the manager - I wanted to find out why I could not perform, in this day and age, this simple procedure with much less hassle and wasted time and simply change my pin in an automated fashion. The manager then relayed to me that there was a different automated system that would allow me to change my pin. I pointed her right back to the fact that this number, the one I called, was exactly the one on the paperwork that I was told to call to be able to change my pin. She said, yes but you have to speak to us and then we put you into the other automated system. Really?!? I mean fucking really? You intentionally give your valuable business customers the run around by requiring that they call a number, figure out there's no way to do this quickly with an automated system, decide to talk to a human and then be told "Hey now that you figured that out I'll connect you to the proper place"!?! instead of just giving your business customers the phone number to the correct automated system in the first place!?!

I hope you can pass along this little customer experience to the appropriate people. Meantime I think I'll amend this little ditty to http://defaria.com/WF so when my business associates ask me about Wells Fargo I could just point them there...

--
Andrew DeFaria
Funny, I don't remember being absent minded.