Wells Fargo

wellsfargo.com

Last update: February 2024

 

Grade

84/100

B

 

Grade Breakdown

Username and Password Limitations

Wells Fargo users log in with a custom username and a password. Wells Fargo has the following password requirements:

  • Between 8 and 32 characters
  • 1 letter
  • 1 number

5/5

 

Multi-factor Authentication

Wells Fargo supports SMS and email MFA for its online accounts. They also provide the option of using a dedicated RSA SecurID device for certain kinds of transactions. However, it is unclear whether this service can be used for regular transactions with any account, as it seems targeted towards small businesses using their "advanced online payment" services.

4/5

 

"Forgot Login" Flows

Wells Fargo has one flow for forgotten login info. The first step asks for either a username, SSN, or account number. If one of these is entered correctly, the user is taken through the MFA flow.

If the MFA is successful, this leads to a password reset page that displays the username.

In short: for an attacker to break into a Wells Fargo account using this flow, they would need to have the user's SSN, username, or account number, as well as access to their MFA method.

5/5

 

Account Change Notification

Wells Fargo sends a notification via email when the password is changed. They also send notifications when the contact information is changed, but from testing it seems that there is a threshold for triggering this. For example, when I just changed my account's email address, there was no notification. However, when I then changed the phone number as well, it sent a notification about both changes and also locked me out of my account, requiring me to call their customer support and reset my account.

The screen that appeared after changing multiple pieces of contact information; I was not allowed to log in or use the regular MFA flow until calling them.

Based on this, it is safe to say that a bad actor cannot easily take over a Wells Fargo account by changing the contact information.

5/5

 

View Login History and Remote Logout

Wells Fargo does not have a login history or remote logout feature.

0/5