Chase Legal Jeopardy - violating own Privacy Policy -- Report

Chase violating own Privacy Policy

Security Problem Report SPR-2008-08-16.html
Title : Chase Legal Jeopardy - violating own Privacy Policy
Report : 2008-08-16
Vendor : www.Chase.com
Status : Chase notified August 16th, 2008. No acknowledgement or action as of September 8, 2008. Their website does not use SSL to encrypt some key content sent to their customers; this contradicts the claims they make in their security policy. This leaves them wide open to legal liability. Identity theft incidence unknown.
CVE : None

The IT Consulting Group of The Elvey Partnership has discovered a security flaw at www.Chase.com. Although they claim to secure their online communications with SSL, such security is not properly implemented.

I went to https://www.chase.com to log in to manage my credit card accounts, and this message popped up:

Security Warning
You have requested an encrypted page that contains some unencrypted information. Information that you see or enter on this page could easily be read by a third party.

I notified Chase that I accidentally logged in anyway, from an insecure (public) Wi-Fi connection. My login may have been compromised due to this security vulnerability by a MITM attack; see http://my.opera.com/yngve/blog/show.dml/461932, the section on "Secure pages with unsecure content".

It's very disappointing that Chase Bank's website suffers from security flaws identified in published research, putting Chase in the company of some rather disreputable companies.

I asked Chase to assume my login credentials have been compromised. I asked them to "Please fix the bug."

http://www.chase.com/ccp/index.jsp?pg_name=ccpmapp/privacy_security/protection/page/online_security (Archive: http://www.webcitation.org/5a845Acmd) says: "Chase Online Banking uses Secure Socket Layer (SSL) technology to encrypt your personal information such as User Ids, Passwords, and account information over the internet. Any information provided to you is scrambled en route and decoded once it reaches your browser." This is blatantly false, as the warning message shows. Not being truthful with your customers is disrespectful.

https://chaseonline.chase.com/secure/Profile/Privacy/confirmpreferences.aspx says: "All screens are secure."

I complained: You are incurring severe legal liability until you fix this issue!

You'd think they'd pay attention to a warning from someone who SUED TD AMERITRADE FOR A SECURITY BREACH THEY FAILED TO REMEDY, costing them millions. It seems they're not that smart.

As of September 22, 2008, the only content on the home page causing the problem was http://mfasa.chase.com/auth/device.swf, which is some would-be seizure-inducing promo ad for a credit card.
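The warning quoted above fires whenever a page served over HTTPS pulls in any sub-resource over plain HTTP, and a plugin object like the promo movie is the worst kind, because a network attacker who can rewrite it gets to run content in the bank's page. The following is an added example, not code from the original report or from Chase: a small stdlib-only Python audit that a site owner can run against a page's HTML to list every plain-http sub-resource, flag the active ones (scripts, plugins, frames, stylesheets) separately from passive ones (images, media), and check whether a Content-Security-Policy header with upgrade-insecure-requests or block-all-mixed-content would neutralise the problem regardless of the markup. The host names, paths and HTML below are constructed sample input.

```python
"""Mixed-content audit for a page served over HTTPS (added example)."""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Tag/attribute pairs that fetch sub-resources. "active" ones can run
# code or restyle the page if tampered with on the wire; "passive" ones
# can only be swapped for a different picture/clip.
SEVERITY = {
    ("script", "src"): "active", ("object", "data"): "active",
    ("embed", "src"): "active", ("iframe", "src"): "active",
    ("link", "href"): "active",
    ("img", "src"): "passive", ("audio", "src"): "passive",
    ("video", "src"): "passive", ("source", "src"): "passive",
}


class SubresourceCollector(HTMLParser):
    """Collects (tag, absolute_url, severity) for every plain-http fetch."""

    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.found = []

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        # <link> only fetches a resource when it is a stylesheet
        if tag == "link" and "stylesheet" not in (attrs.get("rel") or "").lower():
            return
        for (t, a), sev in SEVERITY.items():
            if t == tag and attrs.get(a):
                # Resolve relative and protocol-relative URLs against the
                # page URL; only an explicit http:// scheme is mixed content.
                url = urljoin(self.page_url, attrs[a])
                if urlsplit(url).scheme == "http":
                    self.found.append((tag, url, sev))


def csp_mitigates(headers):
    """True if a CSP header would upgrade or block plain-http fetches."""
    lowered = {k.lower(): v for k, v in (headers or {}).items()}
    csp = lowered.get("content-security-policy", "").lower()
    directives = {d.strip().split()[0] for d in csp.split(";") if d.strip()}
    return bool(directives & {"upgrade-insecure-requests", "block-all-mixed-content"})


def audit(page_url, html, headers=None):
    """Return the mixed-content findings for one HTTPS page."""
    if urlsplit(page_url).scheme != "https":
        raise ValueError("audit applies to pages served over https")
    collector = SubresourceCollector(page_url)
    collector.feed(html)
    return {
        "mixed": collector.found,
        "active": [f for f in collector.found if f[2] == "active"],
        "csp_mitigates": csp_mitigates(headers),
    }


# Constructed sample: a login page whose only plain-http fetch is a
# promo Flash movie embedded from a sibling host (hypothetical names).
SAMPLE_PAGE_URL = "https://bank.example/login"
SAMPLE_HTML = """<html><head>
<link rel="stylesheet" href="/css/site.css">
<script src="https://bank.example/js/login.js"></script>
</head><body>
<form action="/auth"><input name="user"><input name="pass" type="password"></form>
<img src="/images/logo.png">
<embed src="http://promo.bank.example/auth/device.swf" type="application/x-shockwave-flash">
</body></html>"""

if __name__ == "__main__":
    report = audit(SAMPLE_PAGE_URL, SAMPLE_HTML,
                   {"Content-Security-Policy": "default-src 'self'"})
    for tag, url, sev in report["mixed"]:
        print(f"{sev:7} <{tag}> {url}")
    print("CSP mitigates mixed content:", report["csp_mitigates"])
```

Run against the sample it reports the single active finding (the embedded .swf) and notes that the sample CSP does not mitigate it; adding upgrade-insecure-requests to the policy flips that check, which is the quickest server-side fix while the markup is being cleaned up.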