Account Recovery at Wells Fargo

A long time ago, I had to answer a set of three “security” questions for Wells Fargo Bank, and at the time I blogged about it internally at a previous employer, a blog post I no longer have access to. I have contemplated repeating and documenting the process, and asked them once how to do it, and it required that I phone and ask them to clear the answers so it would prompt me again — there was no other way I could change the question/answer choices.  I never followed through with that.

Today I got an email message I was initially suspicious of, telling me that my account had been disabled (this is a common variety of phishing message). I manually scrutinized the message headers and noticed that the message had a good DKIM signature from, and used the special email address that only they use. So it looked legit, and it was: my account had apparently been locked out, probably by multiple tries by someone who thought they had my username.

As instructed, I went to their Username/Password Help page, which displayed the following instructions for this:

[Screenshot: Screen Shot 2015-03-24 at 10.23.06 PM]

What’s interesting is that none of this has to do with the questions I had answered several years ago. I’m wondering if they abandoned using them (I hope so).

I entered my username (which is fairly easy to guess, but I’m not going to publish it), my credit card number (barely a secret, especially considering that the $50 liability limit wouldn’t apply here), and my ATM PIN (only 4 digits), and that was enough to allow me to set up a new password. Wells Fargo did send me an email message telling me my password had been changed, which is good. But the process here is still weaker than a good password would have been. The process they’re using isn’t terrible, but once again, account recovery seems to be the weak spot in the security chain. There may be other factors that aren’t visible to me: for example, I did the reset from an IP address I normally use for banking, and that may have made the process easier for me.

I did also get a reminder of their password rules:

Must be 6-14 characters and contain at least one letter and one number. It cannot contain nine or more numbers.

I suppose that by limiting how many numbers may be in the password, they’re avoiding Social Security Numbers, phone numbers, and the like. But given that the most reliable way to generate a more secure password is to make it longer, why limit it to only 14 characters?


Fidelity Investments

When setting up an online account at Fidelity Investments, I was first prompted to set up a single security question, and then to set up three more. Unfortunately I didn’t get an image of the original question and I don’t know what happened to it.

Fidelity is fairly clear how the questions and answers are used. If you press a “Why do I need this” link, the following pops up:

[Screenshot: Fidelity: why?]

This explanation seems to refer to the single security question, though, not the set of three required later.

Here are the questions themselves:

[Screenshots: Screen Shot 2015-02-13 at 11.52.33 AM, 11.52.50 AM, 11.53.02 AM]

The first two sets of questions are fairly standard: most of the prompts involve information that can be determined with just a little research. I have to say that the “favorite restaurant in college” question is creative, but you can look on LinkedIn to find out where many people went to college, and find popular restaurants nearby (although my favorite closed long ago). But the third question is different and quite unusual: all the answers are 4 or 5 digits, and have very low entropy (around 8 bits for mmdd responses, even less for year of marriage [is this option for people who can’t remember their wedding date?]). Hopefully they need answers to all three.
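As an added illustration (not code from this post, Wells Fargo or Fidelity), the following Python script encodes the Wells Fargo password rule quoted earlier and compares the guess space of the PIN-based reset and the Fidelity date answers with a random password at the 14-character cap. The 66-year window for “year of marriage” and the assumption that an attacker already knows the username and card number are mine.

```python
"""Compare the Wells Fargo password rule with the guess space of the
recovery factors and security-question answers discussed in the post."""
import math
import re


def wells_fargo_password_ok(pw: str) -> bool:
    """Password rule as quoted in the post: 6-14 characters, at least one
    letter and one number, and fewer than nine digits in total."""
    if not 6 <= len(pw) <= 14:
        return False
    if not re.search(r"[A-Za-z]", pw) or not re.search(r"[0-9]", pw):
        return False
    return sum(ch.isdigit() for ch in pw) < 9


def bits(guess_space: int) -> float:
    """Entropy in bits of a value drawn uniformly from guess_space options."""
    return math.log2(guess_space)


def combined_bits(spaces) -> float:
    """Entropy of several independent answers an attacker must all guess."""
    return sum(bits(s) for s in spaces)


def max_policy_password_bits(length: int = 14, alphabet: int = 62) -> float:
    """Upper bound for a random password at the 14-character cap using
    letters and digits only (the nine-digit cap barely changes this)."""
    return length * bits(alphabet)


# Constructed guess spaces for the answers the post describes. The 66-year
# window and treating username and card number as already known to the
# attacker are assumptions for this illustration.
RECOVERY_SPACES = {
    "Wells Fargo reset: 4-digit ATM PIN": 10_000,
    "Fidelity: mmdd date answer": 366,
    "Fidelity: year of marriage (1950-2015)": 66,
}

if __name__ == "__main__":
    for name, space in RECOVERY_SPACES.items():
        print(f"{name}: {bits(space):.1f} bits")
    print(f"three Fidelity date answers together: "
          f"{combined_bits([366, 366, 66]):.1f} bits")
    print(f"random 14-char password: {max_policy_password_bits():.1f} bits")
    for pw in ["Tr0ub4dor", "password", "123456789a"]:
        print(pw, "->", "accepted" if wells_fargo_password_ok(pw) else "rejected")
```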

After going through this, the user is congratulated:

[Screenshot: Screen Shot 2015-02-13 at 11.58.47 AM]

My online account access is even more secure? No, it’s definitely not more secure if you create an additional way into my account. But it is good to know that I’ll get a confirmation — although why would e-mail take a few days? If a password reset was fraudulent, I would want to know right away.

Contributed by myself (Jim Fenton)