Account Recovery at Wells Fargo

A long time ago, I had to answer a set of three “security” questions for Wells Fargo Bank, and at the time I blogged about it internally at a previous employer, a blog post I no longer have access to. I have contemplated repeating and documenting the process, and asked them once how to do it, and it required that I phone and ask them to clear the answers so it would prompt me again — there was no other way I could change the question/answer choices.  I never followed through with that.

Today I got an email message I was initially suspicious of, telling me that my account had been disabled (this is a common variety of phishing message). I manually scrutinized the message headers and noticed that the message had a good DKIM signature from, and used the special email address that only they use. So it looked legit, and it was: my account had apparently been locked out, probably by multiple tries by someone who thought they had my username.

As instructed, I went to their Username/Password Help page, which displayed the following instructions for this:

[Screenshot: the Wells Fargo Username/Password Help instructions]

What’s interesting is that none of this has to do with the questions I had answered several years ago. I’m wondering if they abandoned using them (I hope so).

I entered my username (which is fairly easy to guess, but I’m not going to publish it), my credit card number (barely a secret, especially considering that the $50 liability limit wouldn’t apply here), and my ATM PIN (only 4 digits), and that was enough to allow me to set up a new password. Wells Fargo did send me an email message telling me my password had been changed, which is good. But the process here is still weaker than a good password would have been. The process they’re using isn’t terrible, but once again, account recovery seems to be the weak spot in the security chain. There may be other factors that aren’t visible to me: for example, I did the reset from an IP address I normally use for banking, and that may have made the process easier for me.

I did also get a reminder of their password rules:

Must be 6-14 characters and contain at least one letter and one number. It cannot contain nine or more numbers.

I suppose that by limiting how many numbers may be in the password, they’re avoiding Social Security Numbers, phone numbers, and the like. But given that the most reliable way to generate a more secure password is to make it longer, why limit it to only 14 characters?
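To make the length argument concrete, here is an added example (my own code, not anything from Wells Fargo or from this post) that implements the quoted password rule as a validator and then compares the entropy ceiling it allows against a longer password drawn from a smaller character set. The reading of "nine or more numbers" as nine or more digit characters is my assumption, as are the alphabet sizes used in the comparison.

```python
import math
import re

# Password policy as quoted in the post: 6-14 characters, at least one
# letter and one number, and not nine or more numbers.
MIN_LEN, MAX_LEN = 6, 14
MAX_DIGITS = 8  # assumption: "nine or more numbers" means nine or more digit characters


def check_policy(password: str) -> list:
    """Return the list of rule violations for a candidate password.

    An empty list means the password satisfies the quoted rule.
    """
    problems = []
    if not MIN_LEN <= len(password) <= MAX_LEN:
        problems.append(f"length must be {MIN_LEN}-{MAX_LEN} characters")
    if not re.search(r"[A-Za-z]", password):
        problems.append("must contain at least one letter")
    if not re.search(r"[0-9]", password):
        problems.append("must contain at least one number")
    if sum(ch.isdigit() for ch in password) > MAX_DIGITS:
        problems.append("cannot contain nine or more numbers")
    return problems


def max_entropy_bits(length: int, alphabet_size: int) -> float:
    """Upper bound on the entropy (in bits) of a uniformly random password.

    This ignores the small reduction from the letter/number composition
    rules; it is the best case the policy allows for a given length.
    """
    return length * math.log2(alphabet_size)


def length_vs_complexity() -> dict:
    """Compare the strongest password the 14-character cap permits against
    a longer password built only from lowercase letters (alphabet sizes are
    assumed: 95 printable ASCII characters vs 26 lowercase letters)."""
    capped_best = max_entropy_bits(MAX_LEN, 95)      # 14 chars, full printable ASCII
    longer_simple = max_entropy_bits(24, 26)         # 24 chars, lowercase only
    return {
        "capped_best_bits": capped_best,
        "longer_simple_bits": longer_simple,
        "longer_simple_is_stronger": longer_simple > capped_best,
    }


if __name__ == "__main__":
    # Constructed sample passwords to exercise each rule.
    for pw in ["abc123", "abcdef", "a123456789", "abcdefghijklmno1"]:
        print(f"{pw!r}: {check_policy(pw) or 'accepted'}")
    print(length_vs_complexity())
```

Running it shows the point the post makes: a 24-character password of nothing but lowercase letters (about 113 bits at best) exceeds the ceiling of the strongest 14-character password the policy allows (about 92 bits), so the length cap, not the composition rules, is what limits how strong a customer's password can be. The same validator structure is useful when reviewing any password policy: encode the rule, then ask what the best-case entropy under that rule actually is.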


Published by

Jim Fenton

I'm a networking technologist who likes to travel, bicycle, run, and various other things.
