Okay, from a security perspective, this is insane.
Wells Fargo small business banking supports multiple logins for a single bank account. This is great. It’s role-based, meaning you can grant each new login privileges that are either full (including withdrawals) or view-only. In turn, small biz owners can hand out view-only accounts to their accountant, tax preparer, office staff, etc. without worrying about embezzlement or fraud.
Now here is where it gets nutty. Wells Fargo will not allow the view-only login holder to change their password!!!
That’s right. The small biz administrator is the person who sets the original password, so two people know the password. Then, to change the password, the view-only login holder must contact the small biz administrator who again gets to see the password before he/she changes it.
Don’t believe me? Here’s what I received back from Wells Fargo customer support, at bottom.
There are seven (or more) reasons why this policy is incredibly dumb (sorry, there’s no other way to put it):
1) We in the security industry want to train individuals to be in the habit of regularly changing their password in case a password ever gets unknowingly compromised. Here we have a bank saying that practice isn’t necessary.
2) The small biz administrator is unlikely to select a strong password — and if the password is weak, the login-holder can’t fix it.
3) There is no audit trail for use of the login, because two individuals always know the password for every login.
4) Wells Fargo customer support probably gets “a bunch” of customer tickets from confused login-holders. CS has to read/respond quickly under the small biz CS SLA, so the avg cost of a CS support ticket is probably higher than usual offshore support… I’m aware this is easily macro-able, but still…
5) Engineering has to support a bizarre requirement that some accounts are allowed to change password and other accounts aren’t. This leads to (minor) code complexity but more to the point, more complex testing for QA and automation. E.g. I’m sure the main administrator/owner accounts get tested up the wazoo, but the view-only accounts? Probably less love…
6) Increases cost on the small biz owner to support their staff. Makes it more likely the small biz owner will just say, oh, here’s my password, can you login and change it for yourself?
7) The administrator probably gave the view-only login holder the password in writing, and the view-only login holder will probably write the password down because they didn’t make it up themselves. So, the password is on a sticky note pasted to a monitor, or in hackable email…
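As an added illustration of the alternative these points argue for (this is not Wells Fargo’s code and not from the original post; all names are hypothetical): the administrator provisions a delegated login with a one-time temporary password, the holder, view-only or not, must replace it before the login is usable for anything else, and every event is recorded under the holder’s own name, so the audit trail point 3 complains about actually exists.

```python
import hashlib, hmac, os, secrets
from dataclasses import dataclass, field

def _hash(password: str, salt: bytes) -> bytes:
    # PBKDF2-SHA256; only the salted hash is stored, never the password.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

@dataclass
class User:
    name: str
    role: str                     # "full" or "view-only"
    salt: bytes
    pw_hash: bytes
    must_change: bool = True      # admin-issued credential is provisional
    audit: list = field(default_factory=list)

class DelegatedAccounts:
    """Hypothetical account model: every login rotates its own secret."""
    def __init__(self):
        self.users = {}

    def provision(self, admin: str, name: str, role: str) -> str:
        """Admin creates a delegated login and relays a temporary password.
        The admin sees only this one-time value, never the final one."""
        temp = secrets.token_urlsafe(12)
        salt = os.urandom(16)
        user = User(name, role, salt, _hash(temp, salt))
        user.audit.append(("provisioned", admin))
        self.users[name] = user
        return temp

    def login(self, name: str, password: str) -> str:
        """Returns 'ok', 'change_required' or 'denied'; each attempt is logged."""
        user = self.users[name]
        ok = hmac.compare_digest(_hash(password, user.salt), user.pw_hash)
        user.audit.append(("login", name, ok))
        if not ok:
            return "denied"
        return "change_required" if user.must_change else "ok"

    def change_password(self, name: str, old: str, new: str) -> bool:
        """Self-service rotation for every role, view-only included."""
        user = self.users[name]
        if not hmac.compare_digest(_hash(old, user.salt), user.pw_hash):
            user.audit.append(("change_failed", name))
            return False
        user.salt = os.urandom(16)           # fresh salt on every rotation
        user.pw_hash = _hash(new, user.salt)
        user.must_change = False
        user.audit.append(("password_changed", name))
        return True
```

After the holder rotates the temporary password, the administrator no longer knows a valid secret for that login, so a later login event is attributable to one person.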
Unbelievable. To put it differently, when Wells Fargo says “Wells Fargo is partnering with you to help prevent fraud,” I’m not sure I believe it.
Dear Christophe Baer:
Thank you for contacting Wells Fargo. My name is Mara, and it is my
pleasure to assist you today.
I understand that you would like to change your online password. Mr.
Baer, our records show that you are a Wells Fargo Business Online
Banking User, which means that an Administrator manages your online
account access and your User information.
To make changes or updates to your User information, including password,
email address, and username changes, please consult your Administrator.
Your Administrator is the person who originally added you as a User and
granted you online access to view accounts. I apologize for any
inconvenience this may cause you.
If you need further assistance, please call 1-800-956-4442. Business
bankers are available to assist you Monday through Friday from 5:00 a.m.
to 6:00 p.m. and Saturday and Sunday from 7:00 a.m. to 4:00 p.m.
My goal today was to provide you a complete and helpful answer. Thank
you for banking with Wells Fargo.
Wells Fargo Business Online Banking
Wells Fargo is dedicated to protecting your information. To learn about
our security measures and what we do to protect your accounts online, go
Wells Fargo is partnering with you to help prevent fraud. To learn more,
go to wellsfargo.com/privacy_security/fraud_prevention/
If you have another question about this subject, please click the Reply
button at the bottom of the page. To ask a new question, click the
Contact Us link at the top of the page.