Wells Fargo and 2FA via one-time code generator
As you might know, I have an account at Wells Fargo bank. A very nice bank, from my experience, but there were some issues along the way, most of which I was hoping to avoid having in future by using a two-factor authentication (2FA) with one-time code generator:
But I was amused to learn that it seems to be not possible.
Every time Wells Fargo decides to freeze my card out of “random security check” or for whatever they believe to be a suspicious operation (paying for Apple Music, for example), I have to call them and confirm that I am me, and nothing is wrong with my card.
In order to do that I have to tell them a code which they sent to a phone number registered at my account. Since I don’t have a US phone number (they accept only those), I registered a number of my friend.
But anyway, those SMS codes are not convenient for me, and using SMS for such purpose is simply not secure in the first place, so I was really looking forward to the moment when Wells Fargo will allow its customers to get one-time code generator, like any normal bank does.
RSA SecurID Device
And Wells Fargo finally did it - the RSA SecurID Device. You can order it from your online account:
The thing costs 25 USD and they deliver it to your address (I ordered it to my friend’s) within a couple of weeks. And it’s almost the same thing you get from other banks, except for this one is always on, so its battery will die faster.
First thing you can use this device for is 2FA - when you are logging-in to your online bank:
That indeed adds quite a good security layer for your account, but that wasn’t the main reason I ordered the device for.
Trying to use one-time generator instead of SMS
Via phone-line support
Soon enough I needed to call Wells Fargo to resolve some issue, and they asked me to provide a code from SMS. I asked if I could use a one-time code from the generator instead. They said:
- …what generator?
- You know, this one-time code generator device.
- I don’t know what that is.
- The RSA SecurID Device.
- The what?
- A security device I ordered.
- Ordered from where?
- From Wells Fargo.
- We don’t provide any devices of that kind.
- I am holding it in my hand right now.
- Maybe you you got to be a victim of some fraud? Because…
- I ordered it from my Wells Fargo online account.
- It’s an official security device provided by Wells Fargo.
- …I don’t know anything about the device you are talking about. Are you able to receive an SMS code on you phone?
Yeah, they had no idea. Alright then, I bothered my friend again for a code from their SMS, resolved the issue I was calling about, and then called again on the matter of the RSA SecurID Device specifically. But I had almost the same dialog - they had absolutely no fucking clue what I was talking about so I gave up.
Going to an actual branch
But I didn’t worry too much as I had an upcoming visit to US, and there I was planning to go to an actual Wells Fargo branch.
So here it comes, I got to US (visiting my friend), and went to a Wells Fargo branch. I asked my question from the first employee I saw, but she (как и положено классической маринке) made big eyes and asked “…what device?”. After having the same conversation I had with the support line over the phone and even fucking showing the device to her face, I achieved nothing, so she called for a branch-manager - apparently, the main guy in the building.
But fear not, this guy was clueless as well, so I had to go through all the circles one more time. But to be fair, this guy understood me much faster (he’s not a branch-manager for nothing) and even granted that this actually can be an official Wells Fargo device, even though it happened only after I showed him how it can be ordered from one’s Wells Fargo account.
So, okay, the branch-manager got to the same page with me, but he didn’t know if I could replace SMS codes with the codes from this device. But he wasn’t a branch-manager for nothing as he started trying to help me with my issue by calling their internal call lines. And it was hilarious as he had to wait on the line for an “available specialist” (also listening to their waiting music). And when he got to this specialist he… spent another amount of time explaining to this guy what he just learned a couple of minutes ago himself, because this specialist knew fucking nothing about this device too!
I didn’t hear the entire conversation, but it looked like this specialist switch my branch-manager to another specialist who actually knew something about the existence of 2FA/one-time code generators. But when this next specialist got the question about replacing SMS with codes from the device, he fainted as well. After another some time (while he was reading instructions, manuals or whatever) he said that it is not possible. I was speechless. He asked (through my branch-manager) why do I even need this. I explained. He said: “Well, you can use e-mails instead, so they would send you an e-mail and not SMS”. That was tempting as it would solve my original problem, but I now got determined to make it work exactly with this one-time code generator.
So I said no to this specialist, and we (me and my buddy branch-manager) hung up. I told him, let’s call some proper specialists from the security department, and he told me it was the security department. After a minute I said, let’s call again, I decided that I actually want this e-mail option. So we called again, and waited listening to waiting music again, and then of course we got to a different specialist, so we again spent some time explaining the whole fucking thing to him as well.
The wheel of Samsara was spinning like crazy.
Finally we got to the
final boss point of him telling us that it is not possible to replace SMS codes with one-time codes from generator. We asked him then to replace SMS codes with e-mail codes instead, but he said… that it is not possible. My best friend branch-manager got to the point of a berserk-mode himself and he almost yelled to this specialist: “But we were told that it is possible just some minutes ago!”. However, that didn’t impress this specialist at all and he repeated that SMS codes are the only option available.
My beautiful branch-manager hung up and told me with indignation: “It’s like a lottery, one time you get to a guy who knows, and another time they have no clue!”.
…YEAH, YOU DON’T SAY! I KNOW, RIGHT?
So, this is the end - I achieved nothing but wasted 2 hours (I kid you not) of time in the branch. Well, I got entertained a bit, but I would very much rather solve my problem instead.
Просто поразительно, блядь, как никто в банке ни хуя не знает про такую важную вещь как генератор одноразовых кодов. Я такой некомпетентности не встречал даже среди маринок в самом убогом отделении Сбербанка. Да хрен с маринками, как это, сука, вообще возможно, что в департаменте безопасности (или куда он там на самом деле звонил) в душе не ебут ни про какие такие генераторы кодов? Что за пиздец вообще, а вы точно в банке работаете?
Nevertheless, I still believe that it is actually possible to use one-time code generator instead of codes sent by SMS. For instance, this page says the following:
And also common sense tells me so.
But the only way to overcome the idiots from support-line is to “win the lottery” of getting to a proper specialist, and I simply don’t have that much time for trying.