I was amused today when I logged into my business account bank (Wells Fargo) and they had me set up a new set of security questions. The variety wasn’t bad and the questions were reasonably original. After setting them, I was asked to confirm my contact information.
A few minutes later, I received this email:
Thank you for taking the time to set up your security questions. If we ever need to confirm your identity, your ability to give the correct answers to these questions will help us verify it’s you. If you did NOT set up security questions recently, please call Wells Fargo Online Customer Service immediately at 1-800-956-4442. Please do not reply to this email.
It went right to the email address I could have updated after setting up the security questions. Anyone else notice the problem?
Now there’s a chance that had I changed the email address on that screen after the security questions, I would have received notification at the old address. As a test, I changed my email a couple of times using the regular interface, but no notifications yet.
UPDATE: Got the email, but at the wrong account (the one I changed to, not from).
Is this an exploitable security flaw? Nope, but it’s amusing for us paranoid/cynical types.
(For the record, they’ve been a great bank for the business, no complaints at all.)