Slashdot Mirror

A customer at Well Fargo actually has to go down to the bank to deposit checks. For me, it's a simple matter of snapping a picture of the checks with my phone.

The Wells Fargo app has that, too.

https://www.wellsfargo.com/chi...

So are those cards not Chip and PIN by virtue of... "Sign *or* enter your Personal Identification Number (PIN) if prompted." ?

Considering Republicans are so against NFC and haven't allowed any bank to invest in this technology

Really?

DD costs companies next to nothing. The Automated Clearing House (which is how they all do it) charges $0.35/transaction.

Wells Fargo for instance charges $10/month + $.50/transactions for non deposits into WF accounts. Not a fortune, but for my previous small-business employer of 8 employees with paychecks every other week, that $.35/transaction really was $1+/transaction.

A couple of other direct deposit providers that I found real quickly:
Quick Books direct deposit is $1.15/check.
US Bank is $28 + .35/transaction

Right, banking websites are only ever made by experts, no coderz or buttards there.

" Hopefully, there would be alternate authentication methods built in"

And then, I would question the security improvement of behavioral authentication. If I'm going to login and I'm an attacker, I'll just use the alternate authentication then.

Reminds me of https://wellsoffice.wellsfargo.com/ceoportal/signon/loader.jsp

Not law but:

Penalties for Non-compliance

25. Are there fines associated with non-compliance of the PCI Data Security Standards?

Yes. Visa, MasterCard, and Discover Network may impose fines on their member banking institutions when merchants do not comply with PCI Data Security Standards. You are contractually obligated to indemnify and reimburse us, as your acquirer, for such fines. Please note such fines could be significant.

26. Are there fines if cardholder data is compromised?

Yes. If cardholder data that you are responsible for is compromised, you may be subject to the following liabilities and fines associated with non-compliance:

• Potential fines of up to $500,000 (in the discretion of Visa, MasterCard, Discover Network or other card companies).
• All fraud losses incurred from the use of the compromised account numbers from the date of compromise forward.
• Cost of re-issuing cards associated with the compromise.
• Cost of any additional fraud prevention/detection activities required by the card associations (i.e. a forensic audit) or costs incurred by credit card issuers associated with the compromise (i.e. additional monitoring of system for fraudulent activity).

Source: https://www.wellsfargo.com/biz/help/merchant/faqs/pci#Q25

...how they even *found* numbers in the Antarctic. It's not like you can set up a phone line down there, and I can't imagine many people would have occasion to call the Antarctic.

I don't see how you can't imagine phones in Antarctica. It's not like there aren't dozens are hundreds of researchers down there. It doesn't have to be a physical wired connection. It could be a phone connecting to a satellite. As another example of advanced technology in Antarctica, you can find an ATM down there. It's pretty much a normal ATM which they service every couple years. Think abstractly my fellow /.er

I've incurred overdraft fees based on merchant error a number of times, and every bank I have ever had has done everything they can to screw their customers out of as much money as possible. EA expecting banks to refund overdraft fees is like asking EA to ... I don't know ... behave like a company that cares about its customers.

http://en.wikipedia.org/wiki/Wire_transfer

http://www.bankofamerica.com/deposits/checksave/index.cfm?template=lc_faq_wire

https://www.wellsfargo.com/investing/styles/wt/com_fees/fees

https://online.citibank.com/JRS/portal/template.do?ID=MoneyXfrCompare

This is just to name a few.

Um, except for education. I don't mean places with web addresses ending in .edu or .stateabbreviation.us, but rather education in the verb form. I recently (about 3 months ago) did a training session at the office and attempted to explain web security to people. But as a matter of web security, I was trying to explain how javascript can be harmful. To demonstrate this, I showed three separate instances:

Internet Explorer on the default settings,
Firefox on the default settings,
Firefox with NoScript installed.

Now, I freely admit that I didn't show how to go into IE and reduce all the permitted scripting options, because those aren't tunable by one webpage at a time. I have not heard of a NoScript equivalent on IE. Now, I'll continue my point.

As I was demonstrating how JS worked and how it could be harmful, a lot of people were curious what this Firefox thing was, so the session went two ways, with people understanding that there are more browsers in the world than just IE, and to people understanding that their browsers do a helluva lot more than just show pretty pictures.

Now, I have two women in the office who have adopted Firefox just because I showed it to them, and so they figure that was my end goal (no, it wasn't) and I've told them frequently "I don't WANT you to use Firefox over Internet Explorer, I just want you to be SAFE on the internet. I don't care WHICH browser you use, it's your choice." To this they usually respond that they like the add-ons and then they try and ask me why ActiveX won't work in Firefox (I've tried explaining that one over and over and we devolve back to the "internet works in that other thingy" conversation). And I've got one user who won't use Firefox and doesn't trust it at all. And the boss man is still stuck in IE6 world, so even though he likes the concept, he's not changing. Then again, he considers it a challenge to visit websites and to turn on scripting when he needs it, and off again when he doesn't. And I've a whole 'nother user who uses IETab and Fire.FM, but he knew about Firefox before I showed it to the office.

Now, for the caveats, I am THE guy for IT at the office, and we're a small group, about a dozen people. But, the most security related problem I've had in the past three months (as opposed to the dozen or so virii I've removed in the past year alone from the same people's computers) is whether you can make a site secure by going to the address bar and changing the protocol from http to https.

The sites I've found that are best to demonstrate that that doesn't work are http://search.yahoo.com/ and whatever banking site most people use (https://bankofamerica.com through https://wellsfargo.com./ YMMV.

Has anyone else been answering that same email question from friends family and coworkers? It's even to the point that my parents got that same email in their inbox, about a week after the folks at my office. Yai yai yai.

All I need is your routing number and checking acct number. Even the routing number can be obtained by calling the bank and asking for it. It's nearly public knowledge.

That's too much trouble.

Bank of America.

Wells Fargo Bank.

Search by name. See Wikipedia.

http://usa.visa.com/merchants/risk_management/cisp_overview.html?it=c|/merchants/risk_management/cisp.html|How%20to%20Comply#anchor_2 but this does not mention the amount fined.

Wells-fargo mentions the scope of fines here https://www.wellsfargo.com/biz/merchant/service/manage/associations/news and it seems my information may have been out of date. The fines are still pretty hefty.

This would not end phishing. Most people that get phished are the typical aol user type. They won't know the difference between BOFA.bank.cn and BOFA.com.

Most phishing emails I receive look like legit links: http://www.wellsfargo.com/blah/blah/blah however that is just the URL "text" which is a legit looking URL. If you hover over it the link really goes to somthing like http://wellsfargo.583332.de/ or somthing like that.

This would not stop phishing.

my bank imposes it on me

If your bank cares so little about security that it forces you to use a browser (and OS) riddled with more (and bigger) holes than Mr. Goatse.cx, why do you still have your accounts there? Take your money elsewhere, and tell them why. There are plenty of other banks (such as this one, where I've had my checking account for 17 years) that don't have their heads up their asses.

Wells Fargo being a case in point. Gets the job done. Works in pretty much everything. (I've not actually tried it in Lynx.) I make a point of thanking them for this every time I talk to them on the phone or in email.

Unless you are a big business business. It seems Well's Fargo figures that they only use IE. I went to their commerical portal and clicked on ">CEO Sign On". I'm using Firefox 1.0.7 on Linux and it gave me this:

Browser not allowed. You cannot access the CEO portal with your current browser. Please upgrade your browser or download a new browser now.

If the server does all the work and uses nothing but standard CGI, then the web site will work for everyone. Everyone.

Level 1 service provider ... recently passed PCIDSS v1.0 compliance ... auditor was Cybertrust, an approved auditor, and yes we have the 3rd party scans quarterly, and NO application aware firewall is required, either in the PCIDSS standard, OR the Audit Procedures.... I've got a ROC to prove it. Additionally some flawed items from PCIDSS are that certificates and password is sufficient for 2-factor authentication, that NAT is required as a security feature, and that *Compensating Controls* can be accepted by Visa instead of compliance with the PCIDSS standard ... IE: an additional firewall limiting access to cleartext database server rather than *actually* encrypting or rendering unreadable account # information in the database everywhere on disk or on tape.... see a big processor's example of a compensating control. I know for a *fact* that FDMS and VISA are current in violation of at least a portion of PCIDSS, as the routers and switches VISA deploys as part of a DEX package are not capable of SSH (v1 or v2) and neither is FDMS's equipment.

Mine, Mine, Mine, ... Mine, Mine..... *sigh*. The real problem comes in domain name ownership. I can see it now people asking the question "Am I at http://www.wellsfargo.com/ the bank or http://www.wellsfargo.com/ the Nigerian scam site. What it really boils down to is taxes. The internet is a system that exceeds the lawbreakers(makers whatever) ability to grasp in a manor that they can wrap a tax around.

Mine, Mine, Mine, ... Mine, Mine..... *sigh*. The real problem comes in domain name ownership. I can see it now people asking the question "Am I at http://www.wellsfargo.com/ the bank or http://www.wellsfargo.com/ the Nigerian scam site. What it really boils down to is taxes. The internet is a system that exceeds the lawbreakers(makers whatever) ability to grasp in a manor that they can wrap a tax around.

It sucks to introduce people to Firefox, have them all impressed and then get a call that they can't get through to their Wells Fargo account

Others have reported no problems. Specifically, Firefox 1.0 shows up in the browser test as Mozilla 1.7.5, which is supported.

Join me in letting Wells Fargo know. They've recently changed their credit card website to not accept anything but IE, Netscape or AOL. Denies Mozilla, Firefox, Opera, etc, but it used to work, and their regular online banking website still works with most browsers. I did tell them that I wouldn't use their card until they fix it.

i submitted this story because my bank wellsfargo couldnt seem to stop calling me on my cell. i tried in good faith many times to get them to stop. i received over 5 calls from them. when i contacted my cellphone provider at&t on getting help on getting the numbers of the person calling because under the tcpa solicitations are not allowed to be made to phones. you guesed it though. att was about as much help as, well, dead flash light batteries when the power goes out.

Well, what do you suggest I do when I want to access my bank account (www.netbank.com) and cannot because they have problems with Mozilla not always working right so just decided to disable it entirely?

Another thing, I don't appreciate a piece of software that, after taking as long as it did to be released, makes my PC respond like a PII 400Mhz with PC66 RAM. God help you if you minimize Moz for awhile and do other things, you'd think it died when you restored the window! No other browser acts like that.

Well, okay it's PC100 RAM... Guess I'm busted, then. <G>

My point is, lets come up with solutions to this problem that are a bit more practical than "only use these browsers to view only these sites". Because that is NO solution.

Back on topic: This would not only be extremely annoying, it would go against any sane usability guidelines, and anyone pulling this sort of "wh333 im 4 l33t 5kr1pt k1dd13" BS ought to be drawn and quartered. There's no reasonable use for loading a new page on a mouseover. Shouldn't be that hard to circumvent, tho. I'd even be in favour of denying such functionality as a standard practice in all browsers. In any case, this is nothing new. We're only talking about a

<a href="ugh.html" onmouseover="self.location.href='ugh.html';">

I have a Wells Fargo account, and while I quite like their online banking site, I have them squarely in the "Sinners" column when it comes to browser support. The problem is that their site accepts and rejects browsers based purely on browser strings, without regard to the brower's actual capabilities.

Since my favorite browser, iCab for Mac OS X, is neither Netscape nor Internet Explorer, I have to tweak it's browser string. When I do it connects with only a few glitches. Their denied browser page and browser test page essentailly claim that nothing except Internet Explorer and Netscape meet their "strict security standards." But what they actually enforce is a policy that only allows browsers that claim to be Netscape or Internet Explorer.

I have called the number they provide to point out this problem, but the person on the other end of the call clearly didn't think there was anything that she could do about the problem and told me that I'd be better of expressing my opinion on their Contact Us page.

Lastly, not having lots of web-authoring savvy, I found the following two pages extremely informative on the subjects of browser and object detection:

Browser Detection
Object Detection

I think this guy's main point is that browser detection should be used to make your page more compatible by altering subtle aspects of a page to cater to certain browsers' eccentricities (read "bugs") but it is often used (abused) to make pages less compatible by turning away the browsers the author thinks won't work. To actually detect a browsers capabilities, object detection should be used.

I have a Wells Fargo account, and while I quite like their online banking site, I have them squarely in the "Sinners" column when it comes to browser support. The problem is that their site accepts and rejects browsers based purely on browser strings, without regard to the brower's actual capabilities.

Since my favorite browser, iCab for Mac OS X, is neither Netscape nor Internet Explorer, I have to tweak it's browser string. When I do it connects with only a few glitches. Their denied browser page and browser test page essentailly claim that nothing except Internet Explorer and Netscape meet their "strict security standards." But what they actually enforce is a policy that only allows browsers that claim to be Netscape or Internet Explorer.

I have called the number they provide to point out this problem, but the person on the other end of the call clearly didn't think there was anything that she could do about the problem and told me that I'd be better of expressing my opinion on their Contact Us page.

Lastly, not having lots of web-authoring savvy, I found the following two pages extremely informative on the subjects of browser and object detection:

Browser Detection
Object Detection

I think this guy's main point is that browser detection should be used to make your page more compatible by altering subtle aspects of a page to cater to certain browsers' eccentricities (read "bugs") but it is often used (abused) to make pages less compatible by turning away the browsers the author thinks won't work. To actually detect a browsers capabilities, object detection should be used.

I have a Wells Fargo account, and while I quite like their online banking site, I have them squarely in the "Sinners" column when it comes to browser support. The problem is that their site accepts and rejects browsers based purely on browser strings, without regard to the brower's actual capabilities.

Since my favorite browser, iCab for Mac OS X, is neither Netscape nor Internet Explorer, I have to tweak it's browser string. When I do it connects with only a few glitches. Their denied browser page and browser test page essentailly claim that nothing except Internet Explorer and Netscape meet their "strict security standards." But what they actually enforce is a policy that only allows browsers that claim to be Netscape or Internet Explorer.

I have called the number they provide to point out this problem, but the person on the other end of the call clearly didn't think there was anything that she could do about the problem and told me that I'd be better of expressing my opinion on their Contact Us page.

Lastly, not having lots of web-authoring savvy, I found the following two pages extremely informative on the subjects of browser and object detection:

Browser Detection
Object Detection

I think this guy's main point is that browser detection should be used to make your page more compatible by altering subtle aspects of a page to cater to certain browsers' eccentricities (read "bugs") but it is often used (abused) to make pages less compatible by turning away the browsers the author thinks won't work. To actually detect a browsers capabilities, object detection should be used.

Since I do 95% of my banking online, and use Gentoo Linux on the desktop, it is an essential that my bank in Mozilla compatible. When I was a Bank One they changed some stuff which made their site non Mozilla compatible. I politely sent them an email and asked them to fix it. They did not. So I switched to Wells Fargo where now I enjoy Mozilla compatible online banking. Way to go Wells Fargo! (BTW: Bank One might have fixed this, since it was about 1 year ago.)

The only problem I've ever had with it involved an old version of Opera. I can't well describe what I saw, but it apparently was just a bug in Opera that was later fixed.

Capital One, whats in YOUR browser?

They block Mozilla, but they accept most versions of Nutscrape 4.x...strange. If there's a way to change the user-agent string in Mozilla (it's not exposed anywhere in preferences...ideas, anyone?), maybe you could access their site that way. I was able to use Wells Fargo's online-banking site with Lynx (!) by telling it to send an IE user-agent string. (Wells Fargo used to be much more anal about browsers than it is now. Back when I upgraded from IE 4 to IE 5, I had to wait a couple or three weeks before they decided to allow usage of IE 5. Nowadays, you could use the latest bleeding-edge Mozilla build to log in.)

Go take it up with Opera. There's a redirect that pushes you to the secure version which your browser should then encrypt. It works with NS/Moz and IE. You can see the same bug in action at Wells Fargo's online banking.

And BTW, Mozilla doesn't work with the third party processing company, Bank of America, so don't bother. Blame it on BofA. Mozilla doesn't pass HTTP_REFERRER, which is an optional header. BofA's knumbskull system requires it.

By the way, here's the page at Wells Fargo.

--

While staying in California, I had good experiences with Wells Fargo. Simple web pages, no JavaScript/Java trickery. Worked from Netscape/NT, IE/NT and Netscape/Linux.

I only used their checking/saving account functions, so I have no idea about, say, investment, mortgages, loans and such. Checking account was free in my case, though.

Yeah! (pointless-disgruntled-ex-employee-rant follows, feel free to totally ignore it)... Another example of a high traffic website using Linux (Redhat to be exact) is Wells Fargo. With their online banking, loan apps and internal access (at least when I was there), I think it holds up pretty good... What is ironic ( to me) is that at one particular call center (I can't say where, but it is in the NW), the internal network is on NT and when I worked there, it crashed at least 1-2 times a day, sometimes more. The lowest bidder won when it came to deciding who and what the new network was set up on. I'm done now.

Yeah! (pointless-disgruntled-ex-employee-rant follows, feel free to totally ignore it)... Another example of a high traffic website using Linux (Redhat to be exact) is Wells Fargo. With their online banking, loan apps and internal access (at least when I was there), I think it holds up pretty good... What is ironic ( to me) is that at one particular call center (I can't say where, but it is in the NW), the internal network is on NT and when I worked there, it crashed at least 1-2 times a day, sometimes more. The lowest bidder won when it came to deciding who and what the new network was set up on. I'm done now.