Shoddy Security At Wells Fargo Bank
Posted: Sat Mar 16, 2013 3:08 am
Background:
Anyone in the US is entitled by law to a free copy of their credit file, commonly referred to as a "credit report", once every twelve months, via
https://www.annualcreditreport.com
(Beware of similar addresses that are *not* the official site.) However, credit scores, which are three-digit numbers that rank one's credit by proprietary algorithms, and which are used by lenders in considering applications for any type of credit -- loans, credit cards, etc. -- are not readily available to consumers without paying a fee to the provider.
Wells Fargo is currently running a promotion that offers customers both their credit report *and* their credit score at no charge.
Branch offices hand out brochures with an access code (each one unique) and a web site to obtain one such proprietary score, from the credit agency Experian.
What Is Wrong With This Picture:
The brochure points one to
wellsfargo.com/creditscore
but upon going there, the browser warns of a redirect attempt to
https://adfarm.mediaplex.com/some/random/cr*p
My HOSTS file service wouldn't let the browser go there anyway, due to poor site reputation. I had to remove the blocking HOSTS file to complete the investigation. The parent company of mediaplex, ValueClick, has a history of installing adware and spyware, and settled with the Federal Trade Commission on charges of false and misleading advertising. So, to get to the desired site, you must go through a site with a very bad reputation. And those who don't use NoScript, or who use Allow Globally, will be exposed to scripting and encrypted cookies from this ill-reputed site.
It Gets Worse:
I called their customer service to complain. The rep could not reproduce the issue (from his company workstation): he was taken to a link that did not involve the ad agency, despite using the URL I gave him from the brochure. WF probably uses IE, with no redirect warnings; the successive redirects may be invisible in such cases. In addition, the rep said that they had been given "a little slip of paper" with a Web address, so that they could go through the process of getting the score and be familiar if customers complained. The address was *not* the one above with the evil redirect. Perhaps they don't want their employees to know of the shoddy practices to which customers are subjected.
I asked him if I could have the address they were given, to see if I could obtain the information without going through the ad agency. He said that he didn't think he was allowed to give that out. I asked if I could have the address to which he was redirected, and he did give it:
https://www.wellsfargo.com/jump/home_equity/creditscore
This page did contain a link directly to the Experian/Wells Fargo HTTPS site dedicated to this promotion. WF customers can obtain the brochure with access code at any branch, and use this path to bypass the ad agency and obtain an Experian report number. Then Experian's site will let you enter that number and view the score.
You can also bypass the ad agency by calling WF's customer service to obtain the required Experian report number:
1. Call and speak to a live agent to verify your identity and to get your credit score and credit report.
Toll-free number 1 855 339 7876
Days and Hours of Operation Monday - Friday 8:00 AM - 8:00 PM (Central)
Epilogue:
The rep said that IF he could reproduce the ad-agency redirect on his home computer, *then* he would report this to higher levels. I suggested also asking family and friends who are WF customers, but not employees, on the off-chance that employee IP addresses, cookies, etc. are recognized from their home computers.
In any case, I urge all Wells Fargo customers to register their complaints about this shoddy practice and serious breach of security and privacy.
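Added example, not part of the original post: a small audit of a recorded redirect chain that flags any hop leaving the first-party site, which is the behaviour the post describes for the brochure URL. The hop list is constructed (hosts are the ones named in the post; statuses, paths and hop order are assumptions), and the two-label `site_of` comparison is a simplification that does not use a public-suffix list.

```python
from urllib.parse import urljoin, urlsplit

REDIRECT_CODES = (301, 302, 303, 307, 308)

# Constructed sample: (requested URL, HTTP status, Location header) per hop.
# Hosts mirror the post; statuses, the placeholder path and hop order are made up.
SAMPLE_HOPS = [
    ("http://wellsfargo.com/creditscore", 301,
     "https://www.wellsfargo.com/creditscore"),
    ("https://www.wellsfargo.com/creditscore", 302,
     "https://adfarm.mediaplex.com/placeholder/path"),
    ("https://adfarm.mediaplex.com/placeholder/path", 302,
     "https://www.wellsfargo.com/jump/home_equity/creditscore"),
    ("https://www.wellsfargo.com/jump/home_equity/creditscore", 200, None),
]


def site_of(url):
    """Naive site key: last two labels of the host (assumption, no suffix list)."""
    host = (urlsplit(url).hostname or "").lower()
    return ".".join(host.split(".")[-2:])


def audit_chain(hops, first_party):
    """Return (hop_index, target_url, reason) for each suspicious redirect."""
    findings = []
    for i, (url, status, location) in enumerate(hops):
        if status not in REDIRECT_CODES or not location:
            continue  # final response or non-redirect: nothing to follow
        target = urljoin(url, location)  # Location may be relative
        if site_of(target) != first_party:
            findings.append((i, target, "third-party hop"))
        if urlsplit(url).scheme == "https" and urlsplit(target).scheme != "https":
            findings.append((i, target, "https downgrade"))
    return findings


if __name__ == "__main__":
    for idx, target, reason in audit_chain(SAMPLE_HOPS, "wellsfargo.com"):
        print(f"hop {idx}: {reason} -> {target}")
```

A chain recorded with `curl -sIL <url>` or the browser's network panel can be put into the same tuple form and checked from more than one network, which addresses the reproduction problem the rep ran into.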