Monday, March 29, 2010

More on New Text Alert System...

So, there it was this morning, the email from Wells about this transaction that took place last Thursday.

The only comment that I would make about this new mobile text alerting system from Visa that Wells has now deployed is that, when I enrolled for it, the previous (and mostly useless) email alerting enrollment should have been cancelled automatically, or at least I should have been able to modify/cancel it.

My guess is that I was actually enrolling for the mobile alerts on a Visa-hosted page, branded Wells Fargo. Even if it is not hosted by Visa on Wells's behalf, it is clear that the two systems are not in sync. I had to go this morning and de-select the overlapping alerts. The site is: https://rapidalerts.wellsfargo.com/rapidalerts/ .

Referencing my background dealing with phishing issues (i.e., PassMark Security), the Catch-22 with all of these things is the possibility that something potentially good, like these real-time text alerts, can be just another opportunity for phishing attacks. A URL like the one above could (or should) make someone like me suspicious about whether I am really at a legit Wells Fargo page or not. It is also interesting to note that Wells (or Visa) chose not to invest in a "secure" URL for such a sensitive page as this: you know, those green URLs from Verisign and others called Extended Validation SSL Certificates. While I do not put much stock in these (or any of the "trust" seals), I doubt they cost considerably more and I guess they cannot hurt.
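The "am I really at a Wells Fargo page" question can be checked mechanically on the host part of the URL. The sketch below is an added example, not part of the original post or anything Wells Fargo or Visa publishes; the function name and the lookalike URLs are constructed for illustration, and it checks only the scheme and host, not the certificate type.

```javascript
// Added example: does a URL really belong to the expected bank domain?
// EXPECTED_DOMAIN is taken from the URL quoted in the post.
const EXPECTED_DOMAIN = "wellsfargo.com";

function checkBankUrl(rawUrl, expectedDomain = EXPECTED_DOMAIN) {
  let url;
  try {
    url = new URL(rawUrl); // WHATWG parser, the same rules browsers apply
  } catch {
    return { ok: false, reason: "unparseable" };
  }
  if (url.protocol !== "https:") return { ok: false, reason: "not-https" };
  // Anything before '@' is userinfo, not the host.
  if (url.username || url.password) return { ok: false, reason: "userinfo" };
  // The parser lowercases the host and punycodes non-ASCII labels (xn--...).
  const host = url.hostname.replace(/\.$/, ""); // drop a trailing root dot
  if (host.split(".").some((label) => label.startsWith("xn--")))
    return { ok: false, reason: "punycode-label" };
  // Match on a label boundary: the domain itself or a true subdomain.
  // A bare endsWith(expectedDomain) would also accept "fakewellsfargo.com".
  if (host === expectedDomain || host.endsWith("." + expectedDomain))
    return { ok: true, reason: "match" };
  return { ok: false, reason: "wrong-domain" };
}

// Constructed sample URLs (only the first one appears in the post).
const SAMPLES = [
  "https://rapidalerts.wellsfargo.com/rapidalerts/",
  "http://rapidalerts.wellsfargo.com/rapidalerts/",
  "https://fakewellsfargo.com/rapidalerts/",
  "https://wellsfargo.com.alerts.example/rapidalerts/",
  "https://wellsfargo.com@alerts.example/rapidalerts/",
];

for (const sample of SAMPLES) {
  const verdict = checkBankUrl(sample);
  console.log(verdict.ok ? "OK  " : "FLAG", verdict.reason.padEnd(14), sample);
}
```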

2 comments:

Joseph said...

Interesting note about Wells Fargo's lack of encryption -- my understanding was that most banks were encrypting all of their data points with EV SSL (I actually work for VeriSign as an online evangelist, so I follow this area fairly closely). Navigating to that page, it IS in https, and ends with "wellsfargo.com," so it's likely safe, but it certainly invites suspicion.

Your hesitation towards trust marks is a slightly different issue, but I would take a look at VeriSign's new "VeriSign Trust Seal" before dismissing them entirely. Unlike other trust marks, it performs malware scans for websites on a daily basis in addition to providing authentication, adding an extra layer of security. I agree, though, that not all trust marks can be "trusted," which is a shame.

SKlebe said...

Hi! Thanks for your comment. To be clear, I did not say it was not encrypted, just not using the EV SSL cert.
We can debate the whole trust marks thing another time. But you hit the nail on the head: if one cannot be trusted, then the whole paradigm is tainted.