Banks are too big to fail (at social media)
November 25, 2009 6:33 PM   Subscribe

A software engineer blogs about the inept and insecure way in which a bank asks customers to file a claim when they're the victim of fraudulent transactions. Dozens of customers chime in with similar experiences, over the course of months. The bank in question contributes nothing to the conversation, and the system remains both insecure and broken today [that last link is probably blocked by your browser or operating system, but don't worry - the form on the page doesn't work anyway].
posted by subpixel
 
Sorry, here's the url for the 2nd link, should you like to experience it yourself:

https://chase.secure-dx.com/consumerdcx-chase_atm
posted by subpixel at 6:36 PM on November 25, 2009


Since the last link is "http://" in the html, I imagine it won't work for most people. :) (did metafilter cut it out?)

Not too surprising to me, sadly. First, even most programmers are pretty bad at security. Second, banks tend to consider the web stuff of secondary importance, the only part they care about is transaction processing, and even that is having issues (pay insufficient to attract new engineers to COBOL/mainframe systems, so their existing engineering force is retiring without competent replacements). So I can't even imagine what tier of programmers they put on something like this, probably ones I would reject after 5 minutes on a phone screen.
posted by wildcrdj at 6:39 PM on November 25, 2009


Chase doesn't care about customer service. None of the big banks do. They do not care about being good corporate citizens either. They care about one thing only - the bottom line, and they will happily screw the world to improve their profit margin.
posted by Flood at 6:41 PM on November 25, 2009 [3 favorites]


I think this guy is over-reacting a little. Yeah, the phishing warning is a pretty epic fuckup.

But secure-dx.com isn't registered to chase.
[Querying whois.internic.net]
[Redirected to whois.tucows.com]
[Querying whois.tucows.com]
[whois.tucows.com]
Registrant:
iSentry Group
9 ChurchField Road
SUDBURY, SUFFOLK CO10 2YA
GB

Domain name: SECURE-DX.COM


Administrative Contact:
Evans, Gareth gevans@isentry.com
9 ChurchField Road
SUDBURY, SUFFOLK CO10 2YA
GB
+441787315800
Technical Contact:
Evans, Gareth gevans@isentry.com
9 ChurchField Road
SUDBURY, SUFFOLK CO10 2YA
GB
+441787315800


Registration Service Provider:
Fasthosts Internet Limited, domains@fasthosts.co.uk
+44.8708883600
+44.8708883760 (fax)
http://www.Fasthosts.co.uk
So Chase simply hired some random "security" company (iSentry) to handle file uploads, and that little provider fucked up. Chase will probably hire someone else to do this in a bit, you can't blame this on "Old COBOL programmers" or whatever.

But anyway, is this really that big of a deal? All they need is an upload of the PDF, which they don't want to do over email for some reason, everything will be worked out over the phone later on, once they get the file.

My guess is that someone got a bug up their ass about using "Insecure" email to upload the files, without understanding much about security, and they decided to hire this 3rd party -- who were equally clueless.

But ultimately this isn't that huge of a security hole, an attacker can't use this to transfer funds or anything like that, it's only used to confirm what's already been expressed over the phone. But not only that, the phone system is also totally insecure. Anyone could have called up the company and pretended to be him to dispute some charges or whatever they wanted, as long as they had the right information.
posted by delmoi at 7:00 PM on November 25, 2009 [3 favorites]


I told her, “The time and place was whenever the server for this system decided to automatically bill my account. I don’t know where their server is, I don’t know what time their cron jobs run.”

What? Why is he trying to explain cron jobs to the bank's customer service?


Someone stole my credit card information and then set up a call forwarding on my cell phone, somehow, to point Chase’s customer service number to some fraudulent interceptor.

Really?


Interesting article, but he seems a bit over the top.
posted by niles at 7:19 PM on November 25, 2009 [2 favorites]


None of the big banks do

The small banks might not either. Don't forget the recent event where Rocky Mountain Bank sued Google to take control of an account to which it had accidentally sent sensitive information. Leave alone the fact that with a lawyer and an "accident" you can gain access to an email account for a minute -- this stuff shouldn't have been sent via email at all.

And yet I wonder if it's illustrative of something about the banking industry. They've naturally had an awful lot of clout legally and politically and so perhaps they're very used to dealing with problems that way. It might not be particularly more expensive to hire some good security conscious developers to get their systems right than it would be to do some lobbying for harder penalties, more attention from specialized law enforcement, and some kind of public insurance against this kind of theft and fraud, but I suspect they're a lot more practiced at the latter approach than the former.

It's going to be interesting to see what happens. It's pretty clear that as far as online crime goes, the west is getting more wild, not less, and I don't see a lot of indication that as a sector banking is really keeping up.
posted by weston at 7:21 PM on November 25, 2009 [2 favorites]


It's a huge cron job.
posted by fixedgear at 7:21 PM on November 25, 2009 [5 favorites]


So Chase simply hired some random "security" company (iSentry) to handle file uploads, and that little provider fucked up. Chase will probably hire someone else to do this in a bit, you can't blame this on "Old COBOL programmers" or whatever.

Er, I wasn't blaming the programmers (how did you get that?). I'm blaming management that doesn't understand how the Internet or security works. This is based on what I've been told by the programmers there. My point was that banks put zero resources into computer and security issues like this.

Of course anyone could have called them up, and that's part of his story really. He didn't have to give them any secure information on the phone, then they used this process which is ridiculously vulnerable to attack and should have been considered a phishing attack by him (which is what he thought, quite reasonably).
posted by wildcrdj at 7:21 PM on November 25, 2009


What? Why is he trying to explain cron jobs to the bank's customer service?

He was using it to explain why he didn't know any transaction details. Which means they let him off the hook for that verification step based on his talking about cron jobs, which is another insecure step in the process if you can avoid that question in this way.
posted by wildcrdj at 7:22 PM on November 25, 2009


This actually happened to me last month.

I was certain it was a phishing scam - "Securedx?" The password is "password?" How dumb do I look? - so I printed the e-mails and walked them to the Chicago headquarters.

A banker examined the printouts, agreed that they were almost certainly a scam, and complimented me on my discernment. If I didn't mind hanging around a bit, he'd ring up the claims department to alert them to the trouble and make sure that the initial fraud incident had been cleared up to my satisfaction.

I didn't mind. He made the call, asked the other end if perhaps they'd heard of something called securedx...? While listening to the response, his face moved from incomprehension to disbelief to weary annoyance before fixing into a little don't-lose-the-customer smile.

Yes, he told me, hanging up, those communications actually had been about the resolution of my fraud claim; he apologized for any confusion and offered to fill out the necessary forms himself. Might he suggest that, for security's sake, I keep a greater proportion of my funds in my savings account in the future? And might he also suggest a way to bump up the interest rate on said savings account that might have previously escaped my attention?

So I'm still a Chase customer for the time being. But I intend to avoid their online services if I can at all help it.
posted by Iridic at 7:38 PM on November 25, 2009 [5 favorites]


I don't know how separate the two are, but I have had a credit card with Chase for 20+ years and they have been great. One time they called when somebody tried to buy some electronics and porn in Asia with my CC, I had fraudulent charges once, called them up, wrote the affidavit and it was done with. Recently I spent a couple hundred bucks on some art from an online auction, they called about 5 minutes later to verify it was me.

Now I wish those fraudulent charges had been out there in the first place, but I feel pretty confident they are looking out for me.
posted by marxchivist at 7:45 PM on November 25, 2009


I had a card with Chase 20+ years
posted by marxchivist at 7:47 PM on November 25, 2009


"Chase doesn't care about customer service. None of the big banks do. They do not care about being good corporate citizens either. They care about one thing only - the bottom line, and they will happily screw the world to improve their profit margin."

I have a real problem with statements that broadly paint everyone in a certain class or all companies in a certain business as 'bad' or 'good' or whatever, any wide cast net that fails to take into account the nuances and variations and very real differences that lend themselves to a great deal of complexity in real life situations.

...y'know, normally. Not here. Just sayin' generally.
posted by Smedleyman at 8:44 PM on November 25, 2009


He was using it to explain why he didn't know any transaction details.


Well, right. I know that's why. But why?
posted by niles at 9:04 PM on November 25, 2009


I think we'd all be really depressed if we knew how much iSentry was making off this.
posted by geoff. at 9:06 PM on November 25, 2009 [2 favorites]


Ok, so maybe I'm missing the big giant deal here, but isn't this guy just downloading some generic forms?
I'm not even sure why you'd need a "super secure" website to do that.
Wouldn't it just be easier for Chase to just email him a .pdf of the affidavit?

Or is this some sort of online affidavit (doesn't sound that way from his description), in which case, sure, I suppose it'd be easier to send a link.

So, in summary:
Not having a chase.com domain - not a smart move.
Sending a username/password in email - eh, depends on what you're actually logging into
Default password - not the best idea, but again, depends on what's on the other side of the login.
Web forgery - That's a firefox thing, it has nothing to do with Chase.
Switching phones for a "secure line" because your cell phone was redirected. - Dude. Really?
Plugging your startup, your VC and your marketing folks in a blog post - Awesome.
posted by madajb at 9:07 PM on November 25, 2009 [1 favorite]


No, this looks to me like a pretty big deal. And you don't need to be a software engineer or a security expert to understand it. It's about trust.

Trust is a pretty big deal with banks: you are trusting them with your money, they are trusting you to be honest with them about who you are. When you walk into a branch, you are first trusting it to really be a branch, then you are trusting the people behind the counter with your account details; in return, for large transactions, opening accounts, big deals and so forth, you need to provide ID so they know who you are, and also so you know no-one else can go in and pretend to be you. When you ring them up, you are first trusting that the number really does put you through to the bank and to no-one else, then you trusting the people on the other end of the phone in the same way, and they have mechanisms to verify that you are who you say you are, which also helps you know that no-one else can pretend to be you and fuck with your account over the phone.

That's all normal and reasonable, and no-one needs to be an expert in anything to understand it or to use it.

In this case, Chase had an internet-based system for reporting fraud, where the website the user is asked to go to is not a Chase website. That website contained the following: Links off secure-dx.com pointing back to chase.com's privacy policy. A username and password box and a sort of hokey imitation of the Chase.com web design.

This is twenty-four carat grade A fucking stupid beyond credence and totally unforgivable. Hokey imitations of official sites are exactly what online frauds look like. The key giveaway is very often that the domain is wrong, something other than yourbank.com.

Here Chase had been too lazy to sort out putting their fraud reporting system on chase.com somehow. It doesn't matter that they'd outsourced that part of their system to another company. It should not have gone live until it was fraudreport.chase.com or some such pointing at that other company's server.

No wonder the guy went first paranoid and then ballistic when he realised that this really was Chase. No wonder he took some convincing to realise it really was them.

That's not how banks are supposed to handle their trust relationship with you.
posted by motty at 9:15 PM on November 25, 2009 [9 favorites]
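The "wrong domain" giveaway motty describes above is something a customer (or a bank's own link-review process) can check mechanically: a link is only trustworthy if its host is the bank's registrable domain or a label-aligned subdomain of it, and a lookalike such as chase.com.evil.example or a host buried behind a user@ prefix must fail. The following is an added example written for this thread, not code from Chase, iSentry or the original blog post; the bank domain chase.com is taken from the thread, and the sample URLs are constructed for illustration.

```python
from urllib.parse import urlsplit

# The registrable domain the customer is entitled to trust (from the thread).
BANK_DOMAIN = "chase.com"


def is_bank_host(host: str, bank_domain: str = BANK_DOMAIN) -> bool:
    """True only for bank_domain itself or a label-aligned subdomain of it.

    The leading dot in the suffix check is what rejects lookalikes such as
    'notchase.com'; comparing against urlsplit().hostname (not the raw
    netloc) is what rejects 'chase.com@evil.example'.
    """
    host = host.lower().rstrip(".")
    return host == bank_domain or host.endswith("." + bank_domain)


def classify_link(url: str, bank_domain: str = BANK_DOMAIN) -> str:
    """Classify a link the way a cautious customer should: domain first, then
    transport. Returns a short verdict string."""
    parts = urlsplit(url)
    # .hostname strips userinfo and port and lower-cases the host.
    host = (parts.hostname or "").rstrip(".")
    if not host:
        return "invalid: no host"
    if not is_bank_host(host, bank_domain):
        return "off-domain: %s is not under %s" % (host, bank_domain)
    if parts.scheme != "https":
        return "bank host but not https"
    return "ok"


# Constructed sample links: the one from the thread plus typical phishing shapes
# and the "how it should have been done" form motty suggests.
SAMPLE_LINKS = [
    "https://chase.secure-dx.com/consumerdcx-chase_atm",  # from the thread
    "http://chase.com.evil.example/login",                # constructed lookalike
    "https://chase.com@evil.example/login",               # constructed userinfo trick
    "https://notchase.com/",                              # constructed lookalike
    "http://fraudreport.chase.com/upload",                # right domain, wrong scheme
    "https://fraudreport.chase.com/upload",               # what motty asks for
]


def report(links=SAMPLE_LINKS):
    """Return {url: verdict} for a batch of links."""
    return {u: classify_link(u) for u in links}


if __name__ == "__main__":
    for url, verdict in report().items():
        print("%-55s %s" % (url, verdict))
```

The check is deliberately conservative: it says nothing about certificate validity or page content, only whether the host is one the bank controls. A bank that insists on an outsourced portal would pass this check by putting the vendor behind a CNAME under its own domain, which is exactly the "fraudreport.chase.com or some such" arrangement described in the comment.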


madajb: "Sending a username/password in email - eh, depends on what you're actually logging into"

If it is worth having a password for, it is not secure to put it in an email, email is insecure in transit.
posted by idiopath at 9:19 PM on November 25, 2009 [1 favorite]


If it is worth having a password for, it is not secure to put it in an email, email is insecure in transit.

Perhaps. A lot of sites have logins when they don't really need to have one.
Since I'm not quite sure what's on the other end of the login, I couldn't say if that is actually the case here.
posted by madajb at 9:30 PM on November 25, 2009


This kind of thing really doesn't surprise me, companies are always ineptly using domains and email. And look at Verified By Visa's ridiculous implementation.

I've sat in meetings where senior IT people from finance-related companies have proposed these kinds of solutions and dismissed obvious concerns. Never have I so strongly wanted to call someone an idiot to their face.
posted by malevolent at 12:52 AM on November 26, 2009


"Chase doesn't care about customer service. None of the big banks do. They do not care about being good corporate citizens either. They care about one thing only - the bottom line, and they will happily screw the world to improve their profit margin."

I'm also non-concurring with the above. Perhaps my experience is unique, but I've several Chase credit cards, and the customer service is generally helpful and professional. My cards have been compromised a couple of times, and it was sufficient for me to simply name the fraudulent transactions over the phone, and the associated charges were "disappeared" without further ado.
posted by JimDe at 3:37 AM on November 26, 2009


He's not overreacting. This is a stupefyingly bad example of cluelessness.

Sending a username/password in email - eh, depends on what you're actually logging into

This is complete nonsense. A website should NEVER even have a copy of your password stored anywhere, let alone send it to you in email! The only thing a website should ever have is a salted and hashed form of your password, which is a one-way transformation. If a website has any means whatsoever of telling you your password -- over a secure medium or not -- then it is still utterly clueless of security and best practices.

Web forgery - That's a firefox thing, it has nothing to do with Chase.

Firefox reports it as a malicious site because users reported it as such, because it displays all the tell-tale signs of online fraud, even though it's legitimate. Do you not see why that means it has everything to do with Chase?

Switching phones for a "secure line" because your cell phone was redirected. - Dude. Really?

Again, when you are presented with something that has every indication of being the textbook example of a scam, the correct response should be to anticipate and uncover the source of the fraud, not blindly continue on and just assume everything will be alright.

posted by Rhomboid at 4:10 AM on November 26, 2009 [4 favorites]


He shouldn't have ever had to explain "cron jobs" to a customer service rep, because that CSR should have known what a freaking ACH looks like. Having literally done that job I can say from experience, they are typically labeled "ACH" on the internal system. Fairly easy to spot. Of course, the CSRs are the lowest paid people on any totem pole you could possibly imagine, which is why service is poor on that end - can you imagine being paid barely poverty wage to be yelled at for 8 hours a day? Oy.

The forms do not need to be sent in any secure way. They should be available for direct download from chase.com. There is absolutely nothing on a blank fraud claim form that would require such a stupid process. Delivering it back to the bank? That does need to be secure. I'm not sure whether this system addresses that issue, but the idea that you need a secure system to deliver a blank document is ridiculous.
posted by Medieval Maven at 4:49 AM on November 26, 2009


This kind of thing really doesn't surprise me, companies are always ineptly using domains and email. And look at Verified By Visa's ridiculous implementation.

Mastercard use that same verification crap. It drives me mental. The idea is idiotic and insecure and the implementation is clumsy and slow. Still, I suppose it serves its purpose, which is to shift the liability for online fraud to the customer. The free training in how to co-operate with phishers is just an extra bonus.
posted by Jakey at 4:53 AM on November 26, 2009


If it is worth having a password for, it is not secure to put it in an email, email is insecure in transit.

True, but the point is that the password they send in email is no longer valid by the time you actually use the account to DO anything. You use it to log in, you must then immediately change it, and then you upload the secure information to the account. At that point I don't know what form of the password Chase retains, but the fact is that, while the account does, for a time, "exist" with the username "my email" and the password "password", it actually has nothing in it worth stealing until you assign your own password.
posted by The Bellman at 6:45 AM on November 26, 2009


True, but the point is that the password they send in email is no longer valid by the time you actually use the account to DO anything.

That's 'no longer valid by the time the account is used to DO anything'. Because the default password is not merely stupid but now well known and stupid. So a determined attacker (the kind most banks get) could easily login with that default password before you do.

And DO anything.
posted by motty at 7:30 AM on November 26, 2009 [1 favorite]
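Rhomboid's point above (a site should hold only a salted, one-way hash and so can never e-mail you your password) and the exchange between The Bellman and motty (a shared default of "password" can be used by an attacker before the real customer gets there) both come down to the same design. The following is an added example written for this thread, not code from Chase, iSentry or the original blog post: it uses PBKDF2-HMAC-SHA256 from the standard library so it runs offline (a real deployment would use argon2, scrypt or bcrypt), and the ClaimPortal class, its 15-minute token lifetime and the in-memory stores are all assumptions made for illustration.

```python
import hashlib
import hmac
import secrets
import time
from typing import Callable, Dict, Optional, Tuple

# Work factor for the standard-library hash used here (assumption for the demo).
PBKDF2_ITERATIONS = 200_000


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Return (salt, digest). The digest is one-way: the site can verify a
    password offered at login but can never recover it, so it has nothing
    to put in an e-mail."""
    salt = salt if salt is not None else secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return salt, digest


def verify_password(password: str, salt: bytes, digest: bytes) -> bool:
    _, candidate = hash_password(password, salt)
    return hmac.compare_digest(candidate, digest)  # constant-time compare


class ClaimPortal:
    """Hypothetical claim-upload portal. Accounts start with a random,
    single-use, expiring setup token instead of a shared default password,
    so the window motty describes (attacker logs in as you first) is gone:
    there is no password to guess until the customer chooses one."""

    TOKEN_TTL_SECONDS = 15 * 60  # assumption for the demo

    def __init__(self, now: Callable[[], float] = time.time):
        self._now = now
        self._accounts: Dict[str, Dict[str, bytes]] = {}   # email -> salt/digest
        self._pending: Dict[str, Tuple[bytes, float]] = {}  # email -> (token hash, expiry)

    def create_account(self, email: str) -> str:
        """Return the setup token to send to the customer. Only its hash is
        stored, so a database leak does not expose usable tokens."""
        token = secrets.token_urlsafe(32)
        token_hash = hashlib.sha256(token.encode()).digest()
        self._pending[email] = (token_hash, self._now() + self.TOKEN_TTL_SECONDS)
        return token

    def redeem_token(self, email: str, token: str, new_password: str) -> bool:
        """Exchange a live token for a customer-chosen password. Fails if the
        token is unknown, expired, wrong, or already used."""
        entry = self._pending.get(email)
        if entry is None:
            return False
        stored_hash, expiry = entry
        if self._now() > expiry:
            del self._pending[email]
            return False
        offered = hashlib.sha256(token.encode()).digest()
        if not hmac.compare_digest(stored_hash, offered):
            return False
        del self._pending[email]  # single use
        salt, digest = hash_password(new_password)
        self._accounts[email] = {"salt": salt, "digest": digest}
        return True

    def login(self, email: str, password: str) -> bool:
        acct = self._accounts.get(email)
        if acct is None:
            return False  # no account yet, hence no default password to try
        return verify_password(password, acct["salt"], acct["digest"])


if __name__ == "__main__":
    portal = ClaimPortal()
    tok = portal.create_account("customer@example.com")   # constructed address
    print("attacker tries default 'password':", portal.login("customer@example.com", "password"))
    print("customer redeems token:", portal.redeem_token("customer@example.com", tok, "correct horse"))
    print("token reused:", portal.redeem_token("customer@example.com", tok, "again"))
    print("customer logs in:", portal.login("customer@example.com", "correct horse"))
```

Two things to notice: the e-mail still carries a secret, but it is a random one that dies on first use or after the TTL rather than a published default; and nothing the portal stores (neither the token hash nor the password digest) can be turned back into something to type in, which is the property Rhomboid is describing.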


Chase. Let me tell you about Chase.

Back in early October I got a call from Chase saying that my credit card number was stolen in a big batch of numbers. They cancelled the card and said they would send me a new card with a new number. Three weeks later, I called them saying I hadn't gotten my card. They said my account was listed "cancelled with no new card". She "reinstated" my account, and said they'd send a new card. A few weeks after that I went to my online account (which by now has a new number associated with it) and requested a replacement card. It's now been almost two weeks since then, and I still have no new card. Meanwhile, I've gotten a credit card agreement, so they obviously have the right address for me. So I guess when I get back from Thanksgiving, I'll have to get my credit report and find out what the hell accounts they think I have with them so I can close them.

Wait, is this the Consumerist?
posted by dirigibleman at 7:42 AM on November 26, 2009 [1 favorite]


I went through the Chase credit card fraud process in early August, and they didn't make me do any of this. I just had to talk to customer service on the phone to identify fraudulent charges, and eventually sign a document they mailed to me.

So this horrible system must be new. That's even more embarrassing.
posted by qxntpqbbbqxl at 7:10 PM on November 26, 2009



