Problem Websites!


We highlight commercial websites that are unreasonably hard to use, don't work properly, or don't actually offer what they promise. It's a way for web developers everywhere to learn what kind of mistakes they should avoid -- and of course, an opportunity for the companies listed here to fix the problems we document.

Big Security Vulnerability

Chase.com

reviewed Nov., 2007

Most of the problems we list on this site merely leave the user annoyed, thwarted, or frustrated. But in this case the problem is more serious: At Chase.com, customers' financial information is at risk.

Sensitive pages are supposed to use a secure protocol, which means that the information traveling between the user's computer and the server is scrambled, so anyone who steals the info in transit just gets scrambled data that they can't do anything with. You'll know you're on a secure page when the address bar starts with https://, not just http:// (note the "s", which stands for "secure").

But Chase's home page, which includes the login form, is not secure. There's no "s" in the http. That means the customer's login is vulnerable to being stolen.

When the user submits the form, the username and password are supposed to be sent to https://chase.com. The problem with this is that there's no guarantee that the form will really go to Chase. Since the login page itself is insecure, a hacker could modify the page before it's delivered to the user, changing the form so that it sends the login info to his own server instead of Chase's. He could change the form so that instead of pointing to https://Chase.com, it goes to https://HackersWebsite.com.

This problem is serious enough that Netcraft and Microsoft have been telling companies for years not to leave their logins vulnerable the way that Chase does.

It gets worse: Not only is Chase playing fast and loose with customers' login information, they're publicly proclaiming otherwise. A link called "Ways we protect you" under the login form goes to a page (in an annoying popup window) that tells the customer that "Chase Online Banking uses Secure Socket Layer (SSL) technology to encrypt your personal information such as User IDs, passwords and account information over the Internet," and goes on to provide reassurance that Chase's methods mean that customers' financial data is safe. That reassurance is a lie.

Chase's method of security is like being in a house with two doors and locking only one of them. Or, it's like their promising to send an armored truck to your home to pick up a cash deposit, but the truck could be operated by a gang of criminals rather than by the bank. Your money could be carried away "safely", but not by the people you thought you were giving it to.

It gets even worse. We personally informed multiple Chase managers of this problem starting over two years ago, but they haven't bothered to address it.


How Chase can fix this problem

Chase has two different ways it could fix this problem:
  • Put its home page on a secure server (https://)
  • Remove the login form from the home page, and have a link to a secure login page
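As an added example (not code from the original review or from Chase), here is a small Python audit that flags the weakness described above: a form carrying a password field on a page delivered over plain http, which is reported even when the form's action already points at https, since whoever can alter the page can also rewrite the action. The hostnames and sample HTML are constructed.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

class _FormCollector(HTMLParser):
    def __init__(self):
        super().__init__()
        self.forms, self._current = [], None  # each form: {"action", "has_password"}

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "form":
            self._current = {"action": attrs.get("action") or "", "has_password": False}
            self.forms.append(self._current)
        elif tag == "input" and self._current is not None:
            if (attrs.get("type") or "").lower() == "password":
                self._current["has_password"] = True

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None

def audit_login_forms(page_url, html):
    """Return one (action, verdict) per password form: 'insecure-page' (plain-http
    page, so the action can be rewritten in transit even if it says https),
    'insecure-action' (https page posting over http) or 'ok' (both https)."""
    parser = _FormCollector()
    parser.feed(html)
    results = []
    for form in parser.forms:
        if not form["has_password"]:
            continue
        action = urljoin(page_url, form["action"])  # a relative action inherits the page's scheme
        if urlsplit(page_url).scheme != "https":
            verdict = "insecure-page"
        elif urlsplit(action).scheme != "https":
            verdict = "insecure-action"
        else:
            verdict = "ok"
        results.append((action, verdict))
    return results

# Constructed sample: http page, login form posting to https (the review's pattern), plus a password-less form.
SAMPLE_HTML = ('<form action="https://www.example-bank.test/login" method="post">'
               '<input type="text" name="user"><input type="password" name="pass"></form>'
               '<form action="/search"><input type="text" name="q"></form>')

if __name__ == "__main__":
    for action, verdict in audit_login_forms("http://www.example-bank.test/", SAMPLE_HTML):
        print(verdict, action)  # insecure-page https://www.example-bank.test/login
```

Running the same HTML with an https page URL yields "ok", which is the first fix listed above; the second fix removes the password form from the http page altogether, so the audit reports nothing there.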


What Chase customers can do

  • Share your concerns with Chase. Of course, they didn't listen to us, Netcraft, or Microsoft, so you might not fare much better. But if a larger number of customers complain, then Chase might take notice.
  • Bank elsewhere. It's not unreasonable to feel that a financial institution that plays fast and loose with your login information doesn't deserve your business.
  • Find the secure page before logging in. If you decide to remain at Chase, there's a trick you can use to force the site to give you a secure login page. From the home page, enter in a bogus username / password combo. Then you'll be taken to an error page asking you to try again, and that page is secure.