Big Security Vulnerability
Chase.com
reviewed Nov., 2007
Most of the problems we list on this site merely leave
the user annoyed, thwarted, or frustrated. But in this case
the problem is more serious: At Chase.com,
customers' financial information is at risk.
Sensitive pages are supposed to use a secure
protocol, which means that the information traveling
between the user's computer and the server is scrambled, so
anyone who steals the info in transit just gets scrambled
data that they can't do anything with. You'll know you're
on a secure page when the address bar starts with
https://, not just http:// (note the "s",
which stands for "secure").
But Chase's home page, which includes the login form,
is not secure. There's no "s" in the http. That means
the customer's login is vulnerable to being stolen.
When the user submits the form, the username &
password are supposed to be sent to https://chase.com.
The problem with this is that there's no guarantee that the
form will really go to Chase. Since the login page
itself is insecure, a hacker could modify the page
before it's delivered to the user, changing the form so that
it will send the login info to his own server instead of
Chase's. He could change the form so that instead of
pointing to https://Chase.com, it goes to
https://HackersWebsite.com.
This problem is serious enough that Netcraft
and Microsoft
have been telling companies for years not to leave their
logins vulnerable the way that Chase does.
It gets worse: Not only is Chase playing fast and loose
with customers' login information, they're publicly
proclaiming otherwise. A link called "Ways we protect you"
under the login form goes to a page (in an annoying popup
window) that tells the customer that "Chase Online Banking
uses Secure Socket Layer (SSL) technology to encrypt your
personal information such as User IDs, passwords and account
information over the Internet," and goes on to provide
reassurance that Chase's methods mean that customers'
financial data is safe. That reassurance is a
lie.
Chase's method of security is like being in a house with
two doors and locking only one of them. Or, it's like their
promising to send an armored truck to your home to pick up a
cash deposit, but the truck could be operated by a gang of
criminals rather than by the bank. Your money could be
carried away "safely", but not by the people you thought you
were giving it to.
It gets even worse. We personally informed multiple Chase
managers of this problem starting over two years ago, but
they haven't bothered to address it.
How Chase can fix this problem
Chase has two different ways it could fix this
problem:
- Put its home page on a secure server
(https://)
- Remove the login form from the home page, and have
a link to a secure login page
What Chase customers can do
- Share your concerns with Chase. Of course,
they didn't listen to us, Netcraft, or Microsoft, so you
might not fare much better. But if a larger number of
customers complain, then Chase might take notice.
- Bank elsewhere. It's not unreasonable to feel
that a financial institution that plays fast and loose
with your login information doesn't deserve your
business.
- Find the secure page before logging in. If you
decide to remain at Chase, there's a trick you can use to
force the site to give you a secure login page. From the
home page, enter in a bogus username / password combo.
Then you'll be taken to an error page asking you to try
again, and that page is secure.