
Thirty minutes ago I closed my account with Wells Fargo because of their lack of security. Last month, they called to validate my identity. I called back, they asked for my mother's maiden name.

Me: "Since that information is on Facebook, I use a big random string starting.."

Them: "That's good enough, so what we want to talk about is.."

Then when I went into the local branch, the receptionist wanted to swipe my debit card in their tablet to add me to the line. Forget that, I'm out.




I had that exact thing with a bank last year.

Them: Can you confirm your mother's maiden name?

Me: Sure but just a second. I need to open my password manager because it's a long random string.

Them: Okay, that's good enough!

I reported that to their security and compliance team. Never heard back but moved my accounts from there.


A few years ago I discovered that the Wells Fargo website would log you in by typing the correct password and some additional n characters after the password. I reported it to the security group and that still worked until I stopped banking with them a year or so later.

And BoA sent out random letters asking for highly personal information, without the recipient having any way to know they were legitimate.

Instead BoA should have sent out letters asking the customer to call them, or log into their BoA account.

BoA just locks accounts because it is easier on BoA than the alternative. The consequences for the customer be damned. That's reason #1,000,000 not to work with BoA or Wells Fargo.


I complained to Wells Fargo last year that they shouldn't be storing user passwords. Their response was to not worry about it because they are the ones responsible for fraud.

My bank recently asked for my password on the phone in order to identify me. They literally wanted me to tell them the password I use for my online banking account. I made a scene of course, then we settled for the birthdate.

I don't know, but it demolishes the last shred of confidence I had that Wells Fargo had anything resembling a clue about technology, and security of web apps in particular.

I've used a few of their services before, and they are all horrible abominations from signup on through.


Really? Wells Fargo isn't mining my search history using a black-box algorithm to decide without transparency whether to close my account or decline a transaction because I might have become a risk of some sort.

Not that they would ever do such a thing.


A small bank that I use sold itself to a slightly larger bank a few years ago; one of the things that I appreciated about the old bank was that they made this a "short arbitrary secret" field instead of "mother's maiden name". I had given them two randomly-chosen words, stored in my password manager.

Earlier this year, I opened a new account with the (new) bank and discovered that they already had my mother's maiden name, were going to use it for identity verification, and wouldn't allow me to change it to something arbitrary (even another fake name that I sometimes use). Quite frustrating, this security based on insecure information.


I've had plenty of banks ask me to call back later because I didn't meet all of their screening vectors for identity verification simply because I didn't have a certain piece of information available at the time.

Frustrating? Yes. But good security can't be transparent to the user.


I haven't tried to see if they've updated their requirements to be more secure, but Wells Fargo is 14 characters.

It's the same for Wells Fargo. I can type random characters after the password and still log in.

I had an interesting experience in Wells Fargo around 2012. I had probably 10 business accounts there, including the main receivable account, as well as an account from which about 7 contractors were paid monthly to the tune of $100,000/mo. I was the only signatory to the account, the only person with a login. I had my personal accounts attached there as well.

At some point I log in to WF from my regular office laptop (static IP) and instead of the account balances I see a warning: your access has been restricted due to security. Please call an 800 number. I log in from my phone via different IP, same result. My attempts to talk to the assigned business banker went nowhere: she repeated the same number. When I called that number, I got treated like a criminal, I got yelled at and I was told that all accounts needed to be renumbered, and the previous accounts would disappear including the account history. With multiple vendors and contractors, renumbering accounts is true hell.

When I asked this person about the alternatives and for a reason for this action I was told that this was done "for my safety", and if I needed the details they could only be obtained via a subpoena. I tell her that according to my knowledge, a subpoena can be obtained only during a civil litigation, and I am asking her if she invites her customer to litigate against the bank? She rudely responds that if I do not want my accounts renumbered, she would leave this as is (with the security warning and no account access). Since this is business critical, I acquiesce and she removes the warning, but the accounts are read-only now. She then tells me that I need to go to a branch, killing my workday.

At the branch a salesperson tries to sell me their new accounts and packages (that are of course worse than the original ones). When she realizes I am not an easy target, she just asks me if I am ready for the account renumbering. I ask her if my accountants will have access to the CSV - without this we cannot even make quarterly tax payments. She says sure. I ask her that just in case, I want to download the accounts (all 10 plus 4 personal ones). She says go ahead on your laptop (like I am paranoid, I don't need this). I ask her if they have WiFi in the branch. Not for me. No problem, I tether to my phone (for 2012 it was advanced) and download. Then she hits the button - the accounts are completely gone! Only the end balances got transferred to the new accounts. I leave.

Then I call Wells Fargo and ask how I can get the CSV histories. A business banker tells me that she can fax the hard copies of each monthly statement for $12 per statement per account! When I later discuss this awful experience with my regular business banker at my branch, I ask her if higher balance accounts get treated the same. She says that my accounts (low 7 digit balance) are too small, but starting from 8 digit, you get a different treatment! I still cannot understand what kind of "safety" a new account number can provide, because every time I write a check I disclose my account number.

Up until a few years (well, it feels like it) ago Wells Fargo had a case insensitive password for accounts. I didn't believe it since my password was upper and lower case and special characters but I tried one day and sure enough got right in.

Even Wells Fargo did/does this as well, and limited password length. At least when I still had an account with them.

Unfortunately, even going and seeing your bank in person is no guarantee of getting sensible results.

I've been told I've failed an identity check while on a call from a branch, when that call had been started by a member of staff from that branch who had identified themselves and was standing next to me at the time, while I was in possession of more photo ID and proof of current address than I've ever needed to open any account in my life. And all that member of staff could do afterwards was apologize and share a half-hearted laugh with me as I left.

This happened while signing up for a new service, and ironically I was in the branch in the first place because I'd been unable to answer a security question on a call from my own phone. That was because the only two answers I was allowed to choose were both obviously incorrect, because the subject of that question was also the reason for my call, but again the person on the phone apparently wasn't allowed to accept that and continue.


Exactly!

We had some money fraudulently withdrawn from our Wells Fargo checking account and though we got it back, I had a bunch of questions about bank security. My bank manager arranged a phone call from somebody on the inside to me. I pressed her about their password length restriction saying that as long as they are hashing the password, length doesn't practically matter. The fact that length is limited to a small number of characters makes me think they are storing the clear password in a database. The response was basically don't worry about it because you aren't responsible for fraud.
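
An added example, not part of any comment in this thread and not a description of any bank's actual system: one hypothetical way a login can end up accepting extra trailing characters or the wrong case (truncating and case-folding before hashing), next to a salted hash of the full password, whose stored output has the same size for any input length. The names `legacy_normalize`, `make_login` and `audit`, the PBKDF2 work factor and the sample password are all constructed for this example; only the 14-character limit comes from the thread.

```python
import hashlib
import hmac
import os

ITERATIONS = 100_000  # assumed PBKDF2 work factor for this example
MAX_LEN = 14          # the length limit one comment reports


def kdf(password: str, salt: bytes) -> bytes:
    """Salted, slow hash: output size is fixed whatever the input length."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)


def legacy_normalize(password: str) -> str:
    """Hypothetical legacy step: cut to MAX_LEN and fold case before hashing."""
    return password[:MAX_LEN].upper()


def make_login(password: str, normalize=lambda p: p):
    """Enroll `password` and return a check(candidate) -> bool function."""
    salt = os.urandom(16)
    stored = kdf(normalize(password), salt)

    def check(candidate: str) -> bool:
        return hmac.compare_digest(kdf(normalize(candidate), salt), stored)

    return check


def audit(check, password: str) -> list:
    """Probe your own login with variants that must all be rejected."""
    if not check(password):
        raise ValueError("the real password must be accepted first")
    findings = []
    if check(password + "xyz"):
        findings.append("trailing characters ignored")
    swapped = password.swapcase()
    if swapped != password and check(swapped):
        findings.append("case-insensitive")
    return findings


SAMPLE = "Blue-Kettle-47-river-Mast"  # constructed sample password

if __name__ == "__main__":
    print("legacy:", audit(make_login(SAMPLE, legacy_normalize), SAMPLE))
    print("strict:", audit(make_login(SAMPLE), SAMPLE))
```

The trailing-character probe only fires when the real password is at least as long as the truncation point, so a short password can pass the audit against a system that still truncates.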


Banks are as annoying as you can get for this. Imagine being cold-called and being asked some questions to prove you are who you say you are.

Imagine then the correspondence the same bank sends in various forms about keeping the same information to yourself to prevent your account being compromised.


Banking security is a joke.

My bank calls me to talk to me and insists I give them my date of birth and address to ‘verify’ myself.

Meaning anyone can call me, pretend to be my bank, I am supposed to give them this info, and then they have what they need to verify themselves as me.

Banks are dumb.


Agreed. No matter how tired and annoyed I was, I'd have stopped dead at the confirmation code that they asked for. There's absolutely no way I'd have given that to them, even if it meant cancelling my account and using a different bank.

That seems a bit extreme, but if their procedures are so crazy as to require circumventing another system's security procedures, I'm not going to bank with them.

I actually had a bank send me an email asking for information that came from another domain, had a header that looked like it had been badly scanned in, and had links to domains they don't own. When I ignored it, I eventually got a notice that my car loan was in jeopardy because I hadn't provided that information.

They had no clue why I was so upset about that email.

I paid off my loan immediately and never looked back, even though the interest was less than I make off the stock market.
