Wells Fargo doesn’t trust its own tech

Today’s unanswered question: Why does Wells Fargo not trust its own technology?  Specifically here, why does Wells Fargo not trust its Card Free ATM Access and the Apple Pay card at its own ATMs?

I don’t carry an ATM card in my wallet, and neither should you.

Besides the fact that there are ATM skimmers absolutely everywhere, ATM cards do not offer the same type of protection against fraud as your credit card.  If someone skims your ATM card and starts using it on a spending spree, that’s actual cash coming out of an account.  Proving the fraud is even more difficult with the cameras added to the skimmer, grabbing your PIN at the same time.  If your card and PIN were used for that $1500 bill at the Spearmint Rhino, how do you prove it wasn’t you? It may take a while for that cash you need to pay your rent to end up back in your account.  Wells Fargo may claim it has a zero-liability protection, but go read the fine print where it says you may need to file police reports and more before they consider giving the cash back.

Credit cards, however, are a bit more of “fake money.”  It’s money you owe to someone, in this case the bank.  The bank then shifts the liability down to the merchant, screwing them when the robbery happens with a fake or stolen card: you don’t pay the bank, the bank doesn’t pay the merchant, and the merchant ends up eating the loss.

Long and short: Steal an ATM card – get real cash.  Steal a credit card, it’s fake money, screw a merchant.

So what actually happened?

Backstory: On the weekend of August 10, I went to an ATM in Garden Grove, CA, a city right next to Disneyland and inconveniently the only Wells ATM near my hotel.  Drove up to the ATM and went to the Wells app to get the two-factor code for Card Free ATM, authenticated to the phone, authenticated to the app, got the code, typed it in, typed in my PIN, and asked for $150.

And I immediately got my account locked, though I wouldn’t know it.  Just got a “Please call (800) 869-3557” message.  Okay….  Maybe their system went down?  I had just done this exact same process with Andrew’s number a few moments ago. Try again with my Apple Pay ATM card.  Authenticate to the phone, go to Wallet, pick the card, authenticate FaceID again, hold near the reader, type in my PIN, ask for $150.  Bonk.

Now, by this time, I had gotten an SMS, I guess based on the first transaction.  Was this you?  Reply with a Y and try your transaction again.  Okay.  Responded, tried again.  Bonk.

By this time, I’m blocking the drive-up ATM and decided to get out of the way.  Pulled into the lot and called up Wells Fargo.  First thing the system asks is what my Wells Fargo ATM card number is.  Now, as we discussed above, I do not carry my ATM card.  But, thankfully, I have 1Password.  Finally whacked 0 enough times to get to a real live person who again asks for my card number.  I inform him that I have Apple Pay and don’t have the full card number, just to see what happens.

What we get to validate with is instead disturbing.  Account number (sure, I have that in 1Password) as found in plain text on any physical check or online payment check ever sent.  Last four of social security number, exposed by Equifax thankfully.  Mailing address, easily seen online through any public property record search for pretty much any state.  And I’m in.

“Okay, I’m going to send a text message to verify your identity.”  So you want to send an SMS to the phone I’m using to create the two-factor codes to get into my own account that you know I have because I’m calling you on that line. Sure.  Because SIM card hacks and fraud never happens.

30 minutes into the conversation, we’ve got an account unlocked and I’m instructed to stay on the line while I walk over to get the cash.  It finally works.

Why this is insanely stupid

[Image: Apple Pay Wells Fargo ATM Card]

Consider the difference between these three options:

A) A physical card with the account number written on it.  To use it, you need to know a 4-digit number.

B) An electronic device with a persistent network connection that can be erased remotely if lost or stolen.  Access to the device is validated with facial recognition or a long passcode / password.  Furthermore, to get into the account, you need to validate with a second password specific to the bank.  After getting a Temporary One Time Password (TOTP), which is valid for only 30 minutes (Wells’ choice for the length of time there… seems a bit long to me), you then need to add in a known additional 4-digit number.  The software that provides the TOTP code knows that the device has been encrypted and secured with a biometric.  It also has the ability to follow your travel with location services and knows if the device has been traveling.

C) An electronic device with a persistent network connection that can be erased remotely if lost or stolen, with a rotating code built in that can be invalidated even if the device loses its network connection.  To get to the code, you need to authenticate with a biometric and hold the device near a reader.  Then you need to know an additional 4-digit code to continue.

We’re talking about an ATM card, the Wells Fargo application, and Apple Pay in these three cases.  Which do you think is more secure?
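To make option B concrete, here is an added example of how a bank-side check for “time-limited code plus PIN” can work.  This is illustration code written for this post, not Wells Fargo’s or the Wells app’s own implementation; it assumes the Card Free code behaves like an RFC 6238 time-based one-time code whose time step equals the 30-minute validity mentioned above, and the 8-digit length, the shared secret and the PIN are all constructed values.

```python
import hashlib
import hmac
import struct

# Assumed parameters, not taken from the post: the bank's Card Free code is
# modelled as an RFC 6238 time-based code whose time step equals the 30-minute
# validity the post mentions. The 8-digit code length, the shared secret and
# the PIN below are constructed for this example.
CODE_STEP_SECONDS = 30 * 60
CODE_DIGITS = 8
DEMO_SECRET = b"constructed-demo-secret-not-a-real-key"
DEMO_PIN = "1234"  # constructed sample PIN


def totp_at(secret: bytes, unix_time: int,
            step: int = CODE_STEP_SECONDS, digits: int = CODE_DIGITS) -> str:
    """Return the time-based one-time code for the step containing unix_time.

    Follows the HOTP/TOTP construction: HMAC-SHA1 over the big-endian step
    counter, dynamic truncation to 31 bits, then reduce modulo 10**digits.
    """
    counter = unix_time // step
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    truncated = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(truncated % (10 ** digits)).zfill(digits)


def verify_withdrawal(secret: bytes, expected_pin: str,
                      presented_code: str, presented_pin: str, now: int,
                      step: int = CODE_STEP_SECONDS, digits: int = CODE_DIGITS) -> bool:
    """Accept only if the code matches the current step AND the PIN matches.

    Only the current step is accepted, so a code from an earlier 30-minute
    window is rejected. Both comparisons are constant-time, and the PIN is
    checked even when the code is wrong so response time does not reveal
    which factor failed.
    """
    code_ok = hmac.compare_digest(totp_at(secret, now, step, digits), presented_code)
    pin_ok = hmac.compare_digest(expected_pin, presented_pin)
    return code_ok and pin_ok


if __name__ == "__main__":
    # Constructed timestamp aligned to the start of a 30-minute window.
    window_start = 944444 * CODE_STEP_SECONDS
    code = totp_at(DEMO_SECRET, window_start)
    print("code for this window:", code)
    print("same code, 10 min later, right PIN:",
          verify_withdrawal(DEMO_SECRET, DEMO_PIN, code, DEMO_PIN, window_start + 600))
    print("same code, wrong PIN:",
          verify_withdrawal(DEMO_SECRET, DEMO_PIN, code, "0000", window_start + 600))
    print("same code, next window:",
          verify_withdrawal(DEMO_SECRET, DEMO_PIN, code, DEMO_PIN, window_start + CODE_STEP_SECONDS))
```

The point of the example is the layering the post describes: possession of the enrolled secret (which only the unlocked device holds), a code that dies on its own after the window, and a PIN that is useless on its own.  A skimmed card plus a camera captures the whole of option A; no single capture gives an attacker all of option B.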

If your answer from the Wells Fargo representative is “Well, the ATM card is the most secure,” then you’ve got the chops to be in OpSec at a major bank, I guess.

Long and short, Wells’ trust algorithm doesn’t trust its own technology.  One more reason to not trust them.