Monday, March 29, 2010

More on New Text Alert System...

So, there it was this morning, the email from Wells about this transaction that took place last Thursday.

The only comment that I would make about this new mobile text alerting system from Visa that Wells has now deployed is that it should have been automatic that when I enrolled for that, the previous (and mostly useless) email alerting enrollment should have been cancelled or at least I should have been able to modify/cancel it.

My guess is that I was actually enrolling for the mobile alerts on a Visa hosted page, branded Wells Fargo. Even if it is not hosted by Visa on Well's behalf, it is clear that the two systems are not in synch. I had to go this morning and de-select the overlapping alerts. The site is; .

Referencing my background dealing with Phishing issues (ie; PassMark Security), the Catch-22 with all of these things is the possibility that something potentially good, like these real-time text alerts, can be just another oppty for phishing attacks. A url like the one above could (or should) make someone like me suspicious of if I am really at a legit Wells Fargo page or not. It is also interesting to note that Wells (or Visa) chose not to invest in a "secure" url for such a sensitive page as this. You know those green urls from Verisign and others called Extended Validation SSL Certificates. While I do not put much stock in these (or any of the "trust" seals), I doubt they cost considerably more and I guess they cannot hurt.

Thursday, March 25, 2010

Fair is Fair....Hats off to Visa...Genuine progress in fraud prevention!

Wells Fargo announced a few days ago that they were taking advantage of a new Visa feature. Of course, I had to immediately enroll. You then receive text message alerts when certain types and size of transactions occur. The idea is that if it isn't you, you can immediately respond and become part of the fraud prevention paradigm. I was somewhat skeptical, as usual, but as it turned out hours later I was picking up my wife's BMW from the shop (ouch $1200!!!) and while I was still standing at the check-out desk, my phone got a text reporting the transaction to me. It was very descriptive, telling me that my "Wells Fargo Card ending in xx was used at xxx Motors in xxx town for $xxxx.xx ....

This is real progress.

I had previously enrolled in their alerting offer but due to the number of different acquirers and issuers and the batch nature of credit card processing, these often did not arrive until days later.

Since, Visa's switch is involved in the authorization of all Visa transactions, these alerts can go out literally in real time.

Of course someone will try and call this a mobile payment! (see my article in Venture Beat!)

Sunday, March 7, 2010


Interesting tidbit in the WSJ yesterday - The Fed is down to one site in Cleveland, Ohio from forty five sites 7 years ago that processed paper checks. I specifically recall sitting with the CEO of the company I worked for back in the early '80s as he proclaimed we would be completely checkless within that decade. And you wonder where I get my skepticism about the pace of change in payments!!!!

Monday, March 1, 2010

FasTrak...example of over the top login protocols

The other day I went to log in to my FasTrak account online. I was amazed at how unfriendly their approach to the simple act of logging in was. It reminded me of how something that should be very standard, has taken on a life of its own and god bless them, but developers and bureaucrats left to their own devices, will get this wrong more often than not.

Instead of a simple username/password, with perhaps some underlying risk based analysis and if suspicious maybe some add'l authentication step, they first make you select one of three different username schemes that you have set up (as if you are going to remember which one you chose) and then once you work through that, they make you pick a 6+ digit password with not only a mix of letters and numbers but one letter has to be capitalized (as if you are going to remember). Then, the icing on the cake, is they force you to enter a CAPTCHA on every log-in.

Now, if I was logging in to NORAD, this approach might be remotely reasonable, but FasTrak?