Shoddy Security At Wells Fargo Bank

Posted: Sat Mar 16, 2013 3:08 am
by Tom T.
Background:

Anyone in the US is entitled by law to a free copy of their credit file, commonly referred to as a "credit report", once every twelve months, via

https://www.annualcreditreport.com

(Beware of similar addresses that are *not* the official site.) However, credit scores, which are three-digit numbers that rank one's credit by proprietary algorithms, and which are used by lenders in considering applications for any type of credit -- loans, credit cards, etc. -- are not readily available to consumers without paying a fee to the provider.

Wells Fargo is currently running a promotion that offers customers both their credit report *and* their credit score at no charge.
Branch offices hand out brochures with an access code (each one unique) and a web site to obtain one such proprietary score, from the credit agency Experian.


What Is Wrong With This Picture:


The brochure points one to

wellsfargo.com/creditscore

but upon going there, the browser warns of a redirect attempt to

https://adfarm.mediaplex.com/some/random/cr*p

My HOSTS file service wouldn't let the browser go there anyway, due to poor site reputation. I had to remove the blocking HOSTS file to complete the investigation. The parent company of mediaplex, ValueClick, has a history of installing adware and spyware, and settled with the Federal Trade Commission on charges of false and misleading advertising. So, to get to the desired site, you must go through a site with a very bad reputation. And those who don't use NoScript, or who use Allow Globally, will be exposed to scripting and encrypted cookies from this ill-reputed site.


It Gets Worse:

I called their customer service to complain. The rep could not reproduce the issue (from his company workstation): he was taken to a link that did not involve the ad agency, despite using the URL I gave him from the brochure. WF probably uses IE, with no redirect warnings; the successive redirects may be invisible in such cases. In addition, the rep said that they had been given "a little slip of paper" with a Web address, so that they could go through the process of getting the score and be familiar if customers complained. The address was *not* the one above with the evil redirect. Perhaps they don't want their employees to know of the shoddy practices to which customers are subjected.

I asked him if I could have the address they were given, to see if I could obtain the information without going through the ad agency. He said that he didn't think he was allowed to give that out. I asked if I could have the address to which he was redirected, and he did give it:

https://www.wellsfargo.com/jump/home_equity/creditscore

This page did contain a link directly to the Experian/Wells Fargo HTTPS site dedicated to this promotion. WF customers can obtain the brochure with access code at any branch, and use this path to bypass the ad agency and obtain an Experian report number. Then Experian's site will let you enter that number and view the score.

You can also bypass the ad agency by calling WF's customer service to obtain the required Experian report number:
1. Call and speak to a live agent to verify your identity and to get your credit score and credit report.
Toll-free number 1 855 339 7876
Days and Hours of Operation Monday - Friday 8:00 AM - 8:00 PM (Central)

Epilogue:
The rep said that IF he could reproduce the ad-agency redirect on his home computer, *then* he would report this to higher levels. I suggested also asking family and friends who are WF customers, but not employees, on the off-chance that employee IP addresses, cookies, etc. are recognized from their home computers.

In any case, I urge all Wells Fargo customers to register their complaints about this shoddy practice and serious breach of security and privacy.

Re: Shoddy Security At Wells Fargo Bank

Posted: Sat Mar 16, 2013 11:43 am
by Thrawn
I can reproduce the redirection (which first redirects to HTTPS, btw). RP blocks it.

Redirections will usually be invisible, yeah; the browser won't start rendering a page until it has followed the chain, so you won't see anything. I came across one a few months ago at a site I won't mention by name (because they haven't fixed it), where a redirection included an HTTP response body, containing a debug page, with all kinds of interesting information about their server software version, configuration, paths, etc. Without RP or something like Tamper Data, you'd never see it, of course.
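Both the hop-by-hop chain Tom T. describes (vanity path, ad host, real page) and Thrawn's point that a 3xx response can carry a body no browser ever renders come down to the same thing: a client that auto-follows redirects throws away everything in between. The script below is an added example, not code from this thread or from any site it names. It stands up a constructed three-hop chain on 127.0.0.1 (the hostnames, paths and debug body are made up for the illustration; nothing from the thread is contacted) and walks it one request at a time without auto-following, recording each hop's status, URL and response body.

```python
"""Walk an HTTP redirect chain one hop at a time instead of letting the
client auto-follow, so every intermediate Location header and any body a
server attaches to a 3xx response is captured rather than silently skipped.
Added example: all hosts, paths and bodies below are constructed for the
illustration and served locally; nothing from the thread is contacted."""
import http.client
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import urlsplit

# Constructed debug page attached to the first redirect (a browser never shows it).
DEBUG_BODY = b"<html>debug: app 1.2.3, DocumentRoot=/srv/www, redirecting...</html>"
LANDING_BODY = b"<html>landing page with the real promotion link</html>"

REDIRECT_CODES = (301, 302, 303, 307, 308)


class ChainHandler(BaseHTTPRequestHandler):
    """Serves a made-up three-hop chain: /creditscore -> /track -> /jump/creditscore."""

    def _reply(self, status, body, location=None):
        self.send_response(status)
        if location is not None:
            self.send_header("Location", location)
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def do_GET(self):
        base = "http://127.0.0.1:%d" % self.server.server_address[1]
        if self.path == "/creditscore":
            # Vanity path: bounce through the "tracker", and attach a body to the 302.
            self._reply(302, DEBUG_BODY, base + "/track?x=1")
        elif self.path.startswith("/track"):
            # "Tracker" hop: bare redirect to the real page.
            self._reply(302, b"", base + "/jump/creditscore")
        else:
            self._reply(200, LANDING_BODY)

    def log_message(self, fmt, *args):  # keep the local server quiet
        pass


def start_server():
    """Bind to an ephemeral localhost port and serve in a daemon thread."""
    srv = HTTPServer(("127.0.0.1", 0), ChainHandler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv, srv.server_address[1]


def walk_redirects(url, max_hops=10):
    """Return [(status, url, body), ...] for every hop up to the final response.
    Only absolute http:// Location values are handled (enough for the demo)."""
    hops = []
    for _ in range(max_hops):
        parts = urlsplit(url)
        if parts.scheme != "http":
            raise ValueError("demo client speaks plain http only: " + url)
        path = (parts.path or "/") + ("?" + parts.query if parts.query else "")
        conn = http.client.HTTPConnection(parts.hostname, parts.port, timeout=5)
        try:
            conn.request("GET", path)
            resp = conn.getresponse()
            body = resp.read()          # read the body even on a 3xx
            location = resp.getheader("Location")
            hops.append((resp.status, url, body))
        finally:
            conn.close()
        if resp.status not in REDIRECT_CODES or not location:
            return hops
        url = location
    raise RuntimeError("redirect chain longer than %d hops" % max_hops)


if __name__ == "__main__":
    srv, port = start_server()
    for status, hop_url, body in walk_redirects("http://127.0.0.1:%d/creditscore" % port):
        print(status, hop_url, "body=%d bytes" % len(body))
        if status in REDIRECT_CODES and body:
            print("   hidden redirect body:", body.decode())
    srv.shutdown()
```

Run it and the first hop prints a 302 with a non-empty body: that is the debug-page case, visible only because the client read the body before moving on. Against a real site, the same loop (with HTTPS handling and relative Location resolution added) lists every third-party host a vanity URL passes through, which is what the customer-service rep's browser hid from him.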

Re: Shoddy Security At Wells Fargo Bank

Posted: Tue Aug 12, 2014 6:03 am
by jacobwhite08
Thanks for this useful information. Most people these days have grown accustomed to the convenience of simply finding a bank machine in whatever city they find. However, would you use an ATM that tracks your routines? Wells Fargo is introducing a personalized ATM that does just that.