Chase’s completely insecure and broken “secure” document exchange system (aka securedx, secure-dx)

A few days ago, I got a call from my girlfriend, Olivia. I was so deep in working on my startup, Parse.ly, that I hadn’t checked my bank account statements in several weeks. We just went into private beta last Thursday, after DreamIt Demo Day. She noticed some suspicious charges, and so I looked into them. Indeed, it looked like I had been a victim of fraud: there were three charges that clearly were not mine.

I immediately called Chase Customer Service. In order to confirm the details about my account, the representative needed me to identify the fraudulent charges, but also identify charges that were actually valid. For this latter bit, I needed to identify the time/place of a specific transaction. This card was mostly used for online auto bill payments, so this turned out to be impossible for any of my last 20 valid payments. Yet the customer service rep insisted that I name a time and place. I told her, “The time and place was whenever the server for this system decided to automatically bill my account. I don’t know where their server is, I don’t know what time their cron jobs run.”

“Cron jobs?” she said.

Right, I had been hanging around techies at DreamIt Ventures for too long. “Listen, the transaction didn’t take place physically, it took place digitally. I can identify one transaction, which is about a month old, where I actually used the card in-person to buy something.” She finally understood and let me move on.

Burak from Trendsta said he felt bad for me, for how patient I had to be with this person. But that was the least of it. This little technical misunderstanding was nothing compared to what followed.

I was told that in order to get a credit back from my account, they had to collect from me a signed affidavit indicating the charges were fraudulent. This affidavit would be “securely shared” with me via e-mail. OK, “sounds good” I said. I waited around for the e-mail to come in.

Finally, two e-mails arrived in my inbox. The important bits are in red. First:

Message from Chase Customer Claims Secure Document Exchange

From: [email protected]

Welcome to the Chase Customer Claims Secure Document Exchange. You recently contacted Chase regarding your claim number XXXX. Your documents are available for your review.

Per our telephone conversation, you will need to register to our secure website.


Your initial password is: password

Your initial user name has been sent to you in a separate email.

On your first log in, you will be required to select a new password.

Thank you for using Chase Customer Claims Secure Document Exchange.

To contact Chase for claim related questions or to withdraw your claim, please call 1-866-564-2262.

Any geek reading this will immediately identify some key things wrong with this e-mail that make it look like a total phishing expedition. Namely:

  1. The e-mail address, rather than being from a chase.com domain, was from a strange domain named “secure-dx.com”.
  2. Rather than sending a cryptographically secure, expiring activation link, a default password was sent in plain text.
  3. To make matters worse, the password is the same for all users, and thus anyone who can guess my e-mail address can easily impersonate me on this “secure document” website.
  4. The default password is “password”. WTF?! I mean, c’mon?
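
What item 2 asks for, as an added example that is not from the original post, from Chase or from its vendor: a random, per-claim, single-use, expiring activation link, shown next to the shared default password the e-mails describe. The domain, claim IDs, lifetime and every function and class name below are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass
from urllib.parse import parse_qs, urlencode, urlsplit

# Assumed values for illustration only; a placeholder host on the bank's own domain.
ACTIVATION_BASE = "https://documents.bank.example/activate"
TOKEN_TTL_SECONDS = 24 * 3600


def default_password_login(email: str, password: str, known_emails: set) -> bool:
    """The scheme the e-mails describe: every new account starts with the same
    password, so knowing (or guessing) the e-mail address is enough."""
    return email in known_emails and password == "password"


@dataclass
class PendingActivation:
    token_hash: bytes   # only a hash is stored, so a database leak reveals no usable link
    expires_at: float
    used: bool = False


class ActivationStore:
    """In-memory stand-in for a table of pending activations (hypothetical)."""

    def __init__(self, ttl=TOKEN_TTL_SECONDS, clock=time.time):
        self._pending = {}   # claim_id -> PendingActivation
        self._ttl = ttl
        self._clock = clock

    def issue_link(self, claim_id: str) -> str:
        """Create a fresh 256-bit token for one claim and return the link to e-mail."""
        token = secrets.token_urlsafe(32)
        self._pending[claim_id] = PendingActivation(
            token_hash=hashlib.sha256(token.encode()).digest(),
            expires_at=self._clock() + self._ttl,
        )
        return ACTIVATION_BASE + "?" + urlencode({"claim": claim_id, "token": token})

    def redeem(self, link: str) -> str:
        """Return 'ok' exactly once for a valid, unexpired link, else a reason code.

        The reason codes are for logging; the user-facing response should be
        the same generic failure for all of them.
        """
        query = parse_qs(urlsplit(link).query)
        claim_id = query.get("claim", [""])[0]
        token = query.get("token", [""])[0]
        entry = self._pending.get(claim_id)
        if entry is None:
            return "unknown"
        presented = hashlib.sha256(token.encode()).digest()
        # Constant-time comparison of the stored and presented hashes.
        if not hmac.compare_digest(presented, entry.token_hash):
            return "bad-token"
        if entry.used:
            return "already-used"
        if self._clock() > entry.expires_at:
            return "expired"
        entry.used = True   # single use: the user now sets a password of their own
        return "ok"


if __name__ == "__main__":
    store = ActivationStore()
    link = store.issue_link("claim-0001")        # constructed claim ID
    print(link)
    print(store.redeem(link), store.redeem(link))
```

With this design the e-mail carries a secret that is different for every claim, is useless after first use or after the lifetime runs out, and never exists in the server's storage in a replayable form.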

I didn’t quite understand why I needed a “second e-mail” now, but I opened it up. Here it is, excerpted:

Your Chase Customer Claims Secure Document Exchange Electronic Package is available online

From: [email protected]

ANDREW MONTALENTI,

Welcome to the Chase Customer Claims Secure Document Exchange. You recently contacted Chase regarding your claim number XXXX. Your documents are available for your review.

Per our telephone conversation, you will need to register to our secure website by clicking on the link below or copy and paste the link into your browser’s address bar.

https://chase.secure-dx.com/consumerdcx-chase_atm

Your user name is [email protected]

Your initial password has been sent to you in a separate email

On your first log in, you will be required to select a new password. NOTE: This site is different from Chase.com and passwords are not related. Updating your password on Chase Customer Claims Secure Document Exchange will have no impact on established Chase.com passwords.

Once registered, you will be able to access your customer correspondence on our secure website. You may be offered the option to complete and sign the form online if you wish to do so. […]

To say I was confused would be a major understatement. I was downright depressed.

My guess is that the engineers at Chase thought that by separating the “password e-mail” from the “user e-mail”, that somehow made the whole communication more secure. Two e-mails are better than one, right?

The most important thing to point to is the link. The link where this secure communication will happen is not at the chase.com domain. Instead, it is at https://chase.secure-dx.com/consumerdcx-chase_atm. There is no way, NO WAY this is a real Chase site, I think.

I click on the link and in Firefox, I see this:

[Image: chase_forgery]

At this point, my paranoid self turns on. Curious, I click through the link anyway. And I see this:

[Image: chase_sdx]

Now I’m really paranoid. Links off secure-dx.com pointing back to chase.com’s privacy policy. A username and password box and a sort of hokey imitation of the Chase.com web design. I realize, holy shit, I’m being duped! Not just small-time credit card fraud, but someone has managed to really take over my life!

Why am I freaking out? The customer service person I talked to, I realize what must have happened. That wasn’t Chase. Someone stole my credit card information and then set up a call forwarding on my cell phone, somehow, to point Chase’s customer service number to some fraudulent interceptor. This person then diligently took my claim only to send me an e-mail that would get yet more information out of me and take me for even more money. I freaked!

Immediately, I double-checked my call logs and compared them to Chase.com customer service numbers. I made sure to change my DNS server to OpenDNS to make sure no one was somehow intercepting that. Finally, I realized I could look at the number written on the back of my Chase credit cards. It all checked out — the number was good. So I switched phones. I called Chase customer service on both my phone and Olivia’s. I made sure the messages were exactly the same. From Olivia’s phone, I called back Chase again to speak to someone there about this. But then I got even more paranoid — how big could this be? — so I decided to hang up. Instead, I called my local Chase branch in my neighborhood.

With my local branch’s help, I got transferred via a branch office line to the actual Chase customer service. Finally on a secure line, I thought to myself. When they picked up, I was expecting to uncover the scam of the century. I felt like an investigative journalist right on the tail of something truly big.

But then I spoke to the Chase representative, on the secure line, and she explained to me that this is just the normal procedure. secure-dx.com is the website they use for “securely” sharing documents.

I was livid. I explained everything wrong with this setup. I demanded to speak to a supervisor. I spoke to a supervisor. He said he did not know why the system was the way it was. He wasn’t a software guy. He just knew that “with the way the business is changing lately, a lot of systems are in flux.” I said this flux was unacceptable. “I’m a software engineer,” I said. “How can I possibly trust Chase to manage my financial accounts if something as simple as sharing a PDF document is done in the least secure way possible?” What other skeletons might they have in the closet?

I wanted to be forwarded to the department responsible for that. After my explanation to him of what was wrong, he fully understood the problem. To his credit, he admitted it was wrong the way it was set up. He actually tried to track down a supervisor. But there was none that could field IT and software requests.

They promised to call me once they could track someone down to talk about this. No call yet.

My excitement came down a couple of notches. I was not the investigative journalist uncovering an elaborate scam any longer. Instead, I was a software engineer. And some members of my profession have let me down. Big time.

In the meanwhile, I did the research and found the vendor who provided this service to Chase. They are Wolters Kluwer, a “financial services and banking compliance solutions provider”. The product page for “SDX”, Secure Document Exchange, is completely ludicrous. They claim this product includes “industry-leading security, including PKI encryption and multi-level user authentication, to keep communications safe at every step of the process.”

Right, so the password was sent in plain text. The default password is “password”. And, rather than having a chase.com subdomain which points at Wolters Kluwer’s server (e.g. secure-dx.chase.com) and sharing a secure chase.com certificate with them, they decide to host the whole thing outside of the chase.com domain, so that as a user, I have no way of confirming this actually is an e-mail or system originating from Chase. Users are so confused by this that they have already reported it as a phishing scam, even though it is not one.

That’s industry-leading? That’s “safe communication”?

No, that’s a joke. Chase should be ashamed.


Jan 5, 2013 Update: Hi, unexpected /r/programming visitors! Yes, this article is over three years old. Yes, this process has not changed much in the past three years. No, I did not expect a customer support representative to really know what a cron job was.

Many reddit commenters took the position that I was being “overly paranoid” and that I took this whole thing way too seriously. Well, I strongly disagree. As many other commenters rightly pointed out, many individuals share usernames / passwords across systems. It was not paranoid for me to think this was actually a phishing scheme. Why would a phishing scheme send me a password, only to have me reset it when I log in? Answer: out of the hope that some percentage of users would “reset” their password with their actual bank password, of course. Phishing schemes are most effective when they spoon feed users a little trust, and then betray it. I admit that thinking that my cell phone had been hacked was perhaps a leap of true paranoia, but I tried to convey how I actually felt.

Chase did finally introduce their own domain (https://sdx.chase.com) for their “secure” document exchange service, the lack of which was, by far, the major sore spot in this whole setup. The rest of the silly process remains. For me, the greatest damage this process does is in conditioning novice Internet users that systems like this are trustworthy. In other words, I’m not upset about the hundreds of people who, like me, questioned the legitimacy of this system. I’m upset about the thousands, or possibly millions, who used it without questioning it at all.

For those of you who enjoyed the article and feel as a programmer you would never make the same mistakes, you can take a look at the job opportunities available over at my startup, Parse.ly. A tad opportunistic, but hey, it’s not every day thousands of programmers flock to my blog.

212 thoughts on “Chase’s completely insecure and broken “secure” document exchange system (aka securedx, secure-dx)”

  1. I found this post when I searched for ‘secure-dx’ after having the same emails from Chase (after talking to the claims department). I am not even a software engineer, and I can tell that they are idiots for setting it up this way. Did you ever actually log in and get your documents? I’m not sure I even want to try.

  2. Thanks for this post – found it after making the same call about a compromised account and finding the same messages in my account. Who thought this was a good idea? Now I’m left with a creepy paranoid feeling and a complete distaste for Chase.

  3. I found this post the same way. So far I am still waiting for a response from Chase regarding the incredible timing that a phisher would have to have in order to send me these emails after I actually did file a claim with the claims department. I did the same thing-clicked on the link anyway-but didn’t actually log in. Has anyone (you or anyone reading this) actually logged in? I am with you. Paranoia galore. Thinking back to the information I had to give the claims guy was certainly enough info to steal everything in my banking life. I started thinking maybe the number I was transferred to (via Chase) was an inside job and I have just been swindled. I guess it makes me feel better knowing that someone else (on almost the same day) has had the same experience. I am also left with a serious distaste for Chase because whether it turned out to be an inside scam job or that they would seriously be this stupid, how is this secure banking any which way? And why didn’t the guy from the claims department tell me to expect this email and that I would need to log-in to view these documents a few days later? WAMU had some great customer service, but that has obviously died with the re-org. Any recommendations on better banks to use after these shenanigans?

  4. holy crap, thank God i stumbled onto this site. it’s not a scam, that is a real website. i called chase today to dispute a charge and i saw this site so i actually logged in. it’s actually a real chase site with my dispute claim form. chase is such a joke. i can’t believe they would actually make a site/email process like that. unbelievable.

  5. Did chase lose a bunch of their customer data? I had few unauthorized transactions on my chase debit card too. So far, I only use my debit card as my ATM card. Here is my story.

    Last thursday when I logged in my online account, I noticed there was one pending unauthorized transaction($5xx) on my account. I contacted chase the next morning and the customer service person told me they can not do anything at that moment. I have to wait until the transaction is posted.

    On the weekend, I had a road-trip to Spokane which is 300 miles away from my home. When I arrived home, I found there were another two pending unauthorized charges($17xx and $6xx) shown up.

    On 9/1, I went to chase, they told me the same story blah blah blah… they can not do anything. AND THEN, FINALLY, I REMEMBERED. AT LEAST THEY CAN DO ONE THING FOR ME. which is to close my card and cut my loss.

    Now, I am on the same boat with you guys. Having 3000 dollars fraudulent charges on my account, and received few suspicious emails.

  6. Man, I just had this happen to me as well. I missed a call, and they left a voicemail. The guy told me it was from fraud prevention and what-not and to call him back and HAVE MY DEBIT CARD NUMBER READY and left a 866 derp derp derp number. So I was ready to call shenanigans and pulled out my card and called the number, and the person on the line asked for my card number as well! I thought someone did something to my phone, so I told her I didn’t have it with me, then she asked for my social security number, I played dumb and said I couldn’t remember it. She finally suggested she could ask the security questions, which were so darn easy, I mean they asked “do you own property in, A) Montana; B) Oklahoma; C) Washington; or none of the above.” I was thinking this was a big scam, but eventually I got transferred to the Claims department. What did I get? Some guy asking me if I bought x on x day, and then he mentioned sites I never even heard of. He reacted with a “lol u got to many u didnt maek, let’s just cancel.” That gave me a sigh of relief, but then I remembered I didn’t know this guy’s name! When I asked for it I got “Ryan” “…Ryan…Ryan what?” small pause, “Smith.” Ryan Smith! How generic! So the next day (I get off of work late) I go to the bank thinking it was a scam and I fell into it, I got to the teller and she wasn’t a US native, so I struggled with her broken english and she told me the card was still active. I ran to the Customer Service area and spoke with a rep who made a call, right off the bat she gave them my debit card number, I was scared, but she assured me later that it was legit. Turns out Ryan just put a block on my card or something, but it got completely canceled, filled out some paperwork that was faxed over and my money was returned a few days later.

    Though, I had some pending charges which did go through and I received the email you mentioned, and I have to say the form the website requires you to fill is the same one that was faxed over to the bank I go to. I have confidence that this site isn’t a scam, but it desperately needs to be fixed asap.

  7. Wow! Same exact story here. Just got off the phone with Chase customer service, and found this post when I googled the secure dx link in the email!

    Someone could create a clever scam by imitating Chase’s procedure here. Maybe they’d even create a blog post and some fake comments from upset “customers” to convince people that while this seems like a total scam, this is actually the Chase procedure for dealing with fraud. *looks around suspiciously*

    Seriously, though, thanks for the post!

  8. Thanks for the post, same thing just happened to me. A fraudulent charge was made on my account, I got a phone call and they ended up sending me these emails. SO SKETCHY LOOKING! I went through with it, though. It works, and the website doesn’t ask for any real important information such as your normal Chase.com username, social, account number, nothing.

  9. Exact same thing just happened to me as well. The customer service people seemed totally clueless when I called them and questioned why the emails and link were from a non-Chase site, and had no idea why I might think that the plain-text default password of “password” was about as insecure a way to share “secure” documents I could think of. The fact that both people I spoke to on the phone were only marginally capable of speaking English may have added to their confusion.

    Ironically, the website doesn’t appear to work anyway, as I was caught in some sort of system error loop.

    Chase has lost me as a customer because of this. I doubt they particularly care, as consumer banking is a bit of a loss leader for the big guys anyway, but fuck them.

  10. Like everybody else said: thanks for writing this post, I too found it through Google when my alarm bells were set off, and I too am annoyed that this is the process Chase has set up for people. Sigh. I’ll be writing them a physical letter about this.

  11. Another thanks for this post. After almost an hour on the phone with Chase customer service, I was finally told to just disregard the warning about the phishing site from Firefox. Told by an extremely unhelpful representative of the bank. Amazing that halfway through October, there is still no change to this system. I used to be a WaMu customer, and this is the first time I’ve had to deal with Chase since the merger. I am definitely going to another bank, as I have no faith in a bank whose fraud and claims departments can’t even create a basic level of security in their own systems.

  12. Yes this is shady. Though the forgery alert from Firefox is only on the Mac. Firefox on PC (3.5.3) doesn’t show the alert and Internet Explorer 8 doesn’t identify it as a threat when checked with the SmartScreen check.

    So while yes, this is shady, whatever mechanism Firefox and Safari on the mac are using to notify users of fraudulent websites is actually reporting a false positive, making the situation seem worse than it really is.

  13. Thank you for taking the time to find this one out. I was in the same boat as you, freaking out thinking someone was about to steal all of my money. I went as far as to bail out my extra cash from my Chase account into one of my other banks and ran a credit report to see if anything else was going on.

    @WildcatTofu: I was having this same thought too. My claim was with my ATM card through Chase that I have never used, not even swiped it once. Yet some how someone was able to get my number and make a charge online?

    I am going to write a letter and I am strongly considering dropping Chase altogether.

    Thanks again monkey. (First time reader but I think I’ll have to follow now, looks like some good reads!)

  14. I had a hiccup with Xbox live charging my card while my account was low, putting me into the negatives with a friendly insufficient funds charge. I started to report the fraud after Microsoft clearly stated 3 times the charge was never made by them.

    I got the same scenario. I even have the fraud alert in Google Chrome for the website!

    Though, I did some work for Chase when they converted from WaMU. We were going to install several PC’s and printers, we had a pamphlet that made it all seem professional with special screws for different devices. They changed the location of the training session without notifying those who were already scheduled, and we went without training. We got there, and half of the peripherals weren’t even going to be installed by us. We just swapped out the card scanners and printers! It was ridiculous what we went through to do something so simple. I don’t understand how Chase can be so successful.

    Imagine it, there were 5 people in my team to replace three scanners and one printer (and the lead reformatted the drivers, but we had to sit around ’cause its a bank and we can’t just walk outside after it’s closed). We were there for SIX HOURS, although we finished in less than 30 minutes. Still got paid for training that we didn’t do, mileage that we didn’t drive, and 8 hours of work, all at $18.00/hr. One person could have done ALL of this in that 6 hours with no training, just that pamphlet. Instead, five people with 8hours, plus 4hr’s training time and 120 miles @ $0.55/mi.

    I wouldn’t complain with the $250 check for 6 hours of work, but WaMu was my bank before, now that’s Chase! Chase is so terrible at everything… so unorganized… they have other companies do everything for them. It’s scary that they manage so much money…

  15. I got completely paranoid too – thinking that my phone was being redirected to the scam center. I told them to just mail me the docs. I think that this blog is also part of the scam so that when you google “chase phishing secure-dx” this comes up for reassurance 😉

  16. Thanks for the post. Same story here. Some phishers do a better job than this… which leads me to ask: Is this post part of the scam?? Now that’s intricate! 🙂

  17. same thing happened to me, but when opened page anyway, after putting username and password, the page wouldn’t load or go anywhere.

    i don’t understand why so many people have this problem, everything starts on september, that’s when they took my money when i never use my debit card for anything.

    am definitely closing my account

  18. Thanks for posting your story!!! I experienced the same thing – When I received the emails, they were suspicious so I did a search on the link and looks like I have a lot of company in dealing with this:(

  19. Same story, different user. Not only has my paranoia about the emails and site gone into over drive but the automated phone system kicked it off. When I called this morning to dispute 3 charges made yesterday I was prompted to enter my card number when I pressed *0 to speak to a cust service rep. This is not my favorite thing, I’d rather they did this another way, but I entered it. Then I was informed by the happy automated attendant that their new procedure is for me to enter my PIN number for this card as well. SERIOUSLY?!?! Then I get the nice people in India who are very apologetic for my troubles but not very reassuring telling me they’ll email me a link with documents to file the fraud claim. FF of course blows up on the secure-dx.com domain, got the plain text email with password as the password… this is a joke. And of course, it happens within 2 weeks of my WAMU account being “finalized” at chase.

  20. I am truly in awe with this whole situation right now. First I get a fraudulent charge on my card and then I was told to go to my email and end up reading everyone is having a problem and has gotten the phisher warning. I think I’ll just go into my local branch to solve this problem. I’m also sick of dealing with people who don’t speak good english, it is very frustrating to keep explaining the same thing over and over again. It’s bad enough to have to deal with it in the first place! Warning everyone it was expedia that charged my card without my permission and has caused all these problems! Do they consider the time it takes out of our lives to fix this? I was on the phone 4 hours with expedia getting the charge to my card reversed because I never wanted their service and chase was nice enough to conference call and help me with that, but now expedia has given my card number to book a room @ the quality inn hotel without my permission and here I am hours later still dealing with it and now this!

  21. I continue to be amazed at how:

    1. Chase has not contacted me about this issue, even though I have repeatedly contacted them about it by phone and e-mail over the last couple months.

    2. 21 people have posted comments here, and the number seems to be accelerating slowly.

    Thanks for stopping by. If you are interested in more JPMorgan Chase shenanigans, check out my latest post on their assessing $39 overlimit fees on my account:

    http://amontalenti.com/2009/10/30/jpmorgan-chase-valid-fees-and-humanity

  22. im in the same boat as everybody here, i get 2 fraudulent charges on my account at the end of october…….i call chase, speak with some guy named “gil” in the claims department, he says they’re gonna shut my card down and send me a new one and also send me an affidavit in my email so i can sign electronically……..

    i get the email with “password” being my password smh…….and i click on the link and BOOOMMMM!!!! fraud alert goes off on my firefox……..even on my google chrome…..thank god i found this blog, props to the starter and shaking my head at chase……..why get another company to do the job you’re supposed to do…..hopefully my claim gets resolved smoother than this

  23. going through saaame exact thing.

    planning on taking time out of my busy schedule to go to a local branch, make my claim from them there, withdraw all my funds from my accounts and get the hell out of chase.

    i was charged $100.. i better get it back! i’m a college student for christ’s sake..

  24. Same exact thing happened to me. Thank you for posting your story!

    I am on win 7 and the red screen of impending identity theft and permanent financial failure showed up on both chrome and firefox. Someone above posted it was Mac only. Chase is retarded but I want my money back. I hope 5 years from now I hear about a class-action lawsuit involving this and can happily add my signature to split $6.49 with the rest of yous 🙂

  25. I am the newest to this scam. We had an ex-employee who somehow is still managing to withdraw money even though his card is shut down! Apparently he is going to the teller window and even with all the warnings put on the account he managed to withdraw another $700!!!! So again on the phone with Chase and I too get this baloney email indicating a claim number and message inbox. Since I received a message from Firefox I was hesitant to go further, so I did a little research and ended up here. Bottom line…is this for real from Chase or is it a scam?

  26. Hi, I had three pending charges on my account this past weekend that I did not make, one posted and they sent me the form, and i sent back they did credit the account but the other account I have to wait until it posts. What is happening I have never had this problem when I was at WAMU. I’m very afraid I have cancelled my card.

  27. Well I’m in pretty much the same boat as a lot of people here… only to make matters worse, I’m currently deployed to Iraq with the military. I received an e-mail from my family back in the States, saying that chase called about some fraudulent charges. My mother did some investigation for me, and said the call was legit, and had my card shut down on me. I did some calling around from over here, which has been a headache as well because I can only make calls back to the US for 15 minutes at a time. My debit card was indeed closed (even tried to make a purchase with it just to confirm), and their claims department said they would e-mail me with information to get my money back. So I waited… and nothing. I called again several times, and finally when I got a hold of who I needed to they said they would send the stuff again, and finally it came through. I open the link, and the fraud warning came up on firefox, like most other people here. So that scares me to death. I go ahead to the site but don’t log in, and the address looks fishy to me, so I try to find some link to the site from chase’s main page. Can’t find anything from there… so I’ll definitely be calling Chase before I proceed with anything.

    Does anyone know of any links through Chase’s main page? If so, please share. I don’t like this one bit, and it doesn’t help being several thousand miles from home when I’ve got enough to worry about on top of all this…

  28. Wow. I got the same emails after disputing two back-to-back $503 ATM withdrawals. The website set alarms off like crazy, in Firefox, and in my head. Thanks for posting this.

  29. found this post when i searched for “secure-dx.com chase” … obviously feeling the same worry and suspicion as everyone else.

    this is such a broken process on chase’s end. I can’t believe someone on the “web” side of Chase actually thought using a non chase.com URL for a security site would be acceptable.

    sidenote:
    the very first and only time i used my debit card (at a chase ATM), it was showing fraud charges within 24 hours. That’s not a fun experience.. and now i’m dealing with this broken process to try and retrieve the money that was stolen. I think i’m done with chase… I miss Wamu.

  30. Secure-dx.com is a VALID system. It is used by hundreds of thousands of people every month for a whole variety of document delivery reasons. Do you question a postal delivery from FedEX even though the content inside the package was sent by a bank!

    Some Firefox (and Chrome) browsers may fire off a phishing alert but that is because the people running their anti-phishing systems never follow up on false alarms even when told about them. Microsoft, AOL, Yahoo and the rest know secure-dx.com is legit because they bother to verify anti-phishing alerts.

  31. I want to add my thanks for the info and affirmations here.

    I went through the same thing three days ago when I discovered a fraudulent charge on my account. My call to the 800 number that used to announce that you had reached WAMU now said welcome to Chase. I proceeded with the same concern and was told I would be sent the necessary forms via email which I would have to sign and return before my account could be adjusted.

    Since the fraudulent activity had already taken a good chunk of change from my account, and worried about the fallout if checks started bouncing, I decided it was better to hurry to the nearest branch.

    As it turned out, one of two fraudulent checks had already been “cleared” and a copy of the check was available:

    Well, I guess the good news is that I don’t have to bother filling out and signing an affidavit?
    Why? Because although the phony check displayed my bank’s routing number and account number at the bottom, it was imprinted with another branch’s address, with a different person’s name, address and had a signature that didn’t remotely resemble mine.

    I’m not sure the naively constructed internet security at this bank concerns me as much as the “security” within the bank itself? The bogus check stood out like a sore thumb when compared with every check I have written on that account for the past 12 years. Since other banks can now offer you photocopies of your atm deposits as part of your receipt, it seems in theory at least, that the bank could minimally recognize a blatant forged signature, electronically, if not by personal observation.

  32. I do find it funny reading some of the posts on here. Beth, you show a concern that when you phone WAMU it now says Chase, have you been asleep for the last year? WAMU went bust because of their own practices and stupid lending. Chase saved them! And you mention “naively constructed internet security” but you didn’t actually use the product as you went straight to your branch!

  33. Ok, I understand your amusement! May I clarify?

    First, (lol), of course I am aware of the Wamu-Chase transition. Hello, I’ve watched the cute new little outfits appear on the tellers, seen the new deposit slips appear and watched the construction crew erecting the CHASE logo to the branch just down the street – over many months. (Not to mention, more to the point I guess, the ongoing failure of the link that was supposed to transition me from WAMU online banking to the CHASE credit card site.)

    Whatever. The point I failed to make was that I called the number I had long ago memorized from my dealings with WAMU, so I was reasonably certain that I was talking to someone legitimately connected with Wamu-Chase. It was a telephone banker there that directed me to retrieve the affidavit from my email and return it electronically. It was only when the warnings popped up that I looked further. Finding the fake looking Chase logo at the next step, I closed my browser and headed to the branch.

    My statement that Chase’s internet security is “naive” was in response to the many stories posted here, which if true, support that Chase’s vulnerability is not just obvious to IT professionals or internet forensics specialists, but also to average yahoos like me.

    One more thing: Rather than “blatant forged signature” I should have written “blatant forgery.” There was nothing about that check that resembled my own. You could see from ten feet away that it wasn’t mine.

    🙂

  34. Wow, months later and this system is still in place _and_ they’ve contributed nothing to this conversation among dozens of angry customers.

    Total social media failure, on top of total IT failure. I’m floored.

  35. I had the same thing happen to me with a fraudulent charge on my Chase debit card. The fraud department sent me e-mails that looked like phishing e-mails, so I forwarded the e-mails to [email protected]. I never got the automated receipt reply they promised on the website. I went into the branch and explained the scenario. They were able to get the fraud dept to fax the claim to them. I signed it and was reimbursed two days later. I explained to them that the mails from Chase fraud are being intercepted as well as the phone calls. It’s their business to follow up on it. Who looks into the fraud happening in the fraud department?

  36. Love it. This hasn’t happened to me (I saw this linked from Metafilter), but you can be certain that I’ll never, _never_, bank with Chase for anything.

    The sad part, though, is that I was going to interview with them for a Java Architect position after one of their recruiters contacted me, but this is making me question that…

  37. Just happened to me as well and Firefox kept blocking the site. About the same time, I got another email from Wells Fargo to “update my information.” Have never banked with WF and the Chase “insecure” emails were obnoxiously phishy. Card has never left my wallet, wallet has never left my side – how does someone in San Bernardino, CA withdraw $100 from my account at an ATM with NO CARD when I live in TX?

    The banks get bailed out for billions and they can’t keep $100 straight?? About time to buy a safe and a gun.

  38. Same thing just happened to me, which is how I stumbled upon this site. I can’t believe that a publicly traded company could be so incompetent about a security issue like this for such an extended period of time. Do they not care how horrible this makes them look during a time where they should be working their hardest to attract customers and appear like a solid company that can be trusted with handling clients’ money securely? You would think that they have gotten many, many calls and e-mails about this issue considering what pops up when you Google the web address “https://chase.secure-dx.com/consumerdcx-chase_atm”. This has been going on for months, seemingly without any improvement!

    I am surprised that at this point they don’t at least warn you that this website will pop up as fraudulent when you are speaking with the fraud department and they explain to you that they are sending you a PDF doc to fill out. Clearly they don’t care all that much about appearing like they are a highly secure and competent company, but can’t they at the very least let customers know that they are aware of an issue ahead of time? It would probably save them quite a bit of customer service rep hours spent listening to people complaining about what is happening when they try to go to the site. It would at least have saved me from having the slight heart attack I had when I saw what was popping up when I tried to go to the site.

    Ideally, they would just fix the problem in a timely manner. But maybe security isn’t at the top of the list of priorities for Chase.

  39. OMG WTF. You guys, isn’t this so fucking weird? This just happened to me. Same google. A few years back, I fell for a PayPal email and have been suspicious ever since. I’m missing $1000, they called me. I remember the multiple choice questions and feel that that would’ve been tough to invent. I remembered how the claims people I was connected to didn’t have as much info as I expected (typical though for a bank).

    IN FACT I AM SO PARANOID that I am reading all these comments to be sure they are real.

    Shit, they’ve made an un-trusting lot out of us all, haven’t they. (They being, you know, the smooth criminals). I feel like being paranoid about my significant other cheating because the last one did, or something like that.

  40. LOL.

    Went through the exact same thing yesterday. I only received one email though with the login info. The other email with the initial password never arrived. I didn’t consider trying something as stupid as “password” though. Haha. At this point, I’m only surprised the initial login wasn’t “admin”. Freakin’ amateurs.

    Software Engineer here also.

    I’ve heard a lot about people getting fraudulent charges on their checking accounts here in California lately. The people that I know that I’ve talked to were all Wamu-Chase customers. I’m starting to wonder if all these other people being affected by fraudulent charges are also Wamu->Chase customers.

    Something very wrong going on here…

  41. @John,

    “I’ve heard a lot about people getting fraudulent charges on their checking accounts here in California lately. The people that I know that I’ve talked to were all Wamu-Chase customers. I’m starting to wonder if all these other people being affected by fraudulent charges are also Wamu->Chase customers.”

    This is very intriguing to me. A few other people on this thread have indicated that they have no idea how these fraudulent charges might have come about. In my case, the card that Chase claims was “stolen” was still in my wallet when the fraudulent charges occurred, and I never leave my wallet anywhere except by my bed or in my pocket. So it seemed strange to me.

    I wouldn’t be surprised if Chase lost a whole lot of customer information, and rather than make an announcement about it (and further tarnish their brand) they figured they would just handle it on a case-by-case basis.

  42. The card is in my wallet too. I tried going through the emails they sent me even despite the warnings, and couldn’t get into the site, Firefox just would not let me in. I guess I will try and call again tomorrow and have them mail them to me. As much as I am paranoid, the phone calls were Chase, there’s no way it could’ve been a scam, and they didn’t get any information from me, they didn’t ask for my social or anything, just confirmation of info they already had.

    I’m unemployed and this is literally almost all the money I have that is gone now, allegedly withdrawn from an ATM in the Bronx, nowhere near where I or anyone I know lives.

  43. I just went through all this crap but the website is real and I got my money back the next day. It was a huge hassle but I feel good now knowing that I have my money back.

  44. Just got this as well, about the only difference is the password isn’t “password” – everything else appears to be the same!

  45. Holy Cow…what is the deal with Chase…I just got hit with over $900 in fraudulent charges at 3 Walmarts in NH/MA. Have yet to call claims, but this is making me nervous.

  46. This just happened to me also and I’m in California. I freaked out too, everything looked so suspicious. After reading these posts though, I figured I would give it a try. I did manage to get to the webpage, put in my username and password and then it brought me back to the Reported Web Forgery page. It just kept going in a loop. I finally gave up and called them. They are faxing the form over to me at this very moment. Why couldn’t they have done this in the first place?

    I think the thing that really bothered me was when I first contacted them about my fraudulent charges, the person I spoke with told me there were other charges besides the $150 that had actually been declined, like an $1800 for airline tickets and $20 for railway tickets. She told me to call back the next day as she could not do anything until the $150 actually posted. So, I call the next day and come to find out that she didn’t even bother to cancel the card and then this new rep asked me a bunch of questions with the most important one being did I contact the merchant to try to get them to reverse the charge. I said no and was told that this is their policy for the customer to try and do that first. I asked how in the world could I call them when I don’t know who they are or have contact info (plus would they even reverse it just because I said so). He also asked if I had authorized this charge or if I had allowed someone else to use my card. Well if I did wouldn’t I have hunted down the person and water tortured them until they confessed? The Rep also asked me if I would know how my credit card info was stolen if I still had my card in my possession. Uh…if I knew that wouldn’t I have started off my conversation with that instead of going through all these other questions? I think their process is absolutely ridiculous! I also bank with Bank of America and they have their own problems, but this is something they are actually great at. They would have automatically closed that card, sent me a new one, and handled all of the dealings with the fraud charges. As it should be!

    Anyways I totally miss it being WAMU, even walking into the branches now bugs the hell out of me. It seems so cold and impersonal, the tellers don’t even smile, they always look like they’d rather be somewhere else or that you are bothering them. Even their attempts at small talk are painful. They should also stop asking me if I would like to replace my WAMU card with a Chase one. Heck no, I can’t stand Chase!!! Thanks so much for your blog!
