Chase’s completely insecure and broken “secure” document exchange system (aka securedx, secure-dx)

A few days ago, I got a call from my girlfriend, Olivia. I was so deep in working on my startup, Parse.ly, that I hadn’t checked my bank account statements in several weeks. We just went into private beta last Thursday, after DreamIt Demo Day. She noticed some suspicious charges, and so I looked into them. Indeed, it looked like I had been a victim of fraud: there were three charges that clearly was not me.

I immediately called Chase Customer Service. In order to confirm the details about my account, the representative needed me to identify the fraudulent charges, but also identify charges that were actually valid. For this latter bit, I needed to identify the time/place of a specific transaction. This card was mostly used for online auto bill payments, so this turned out to be impossible for any of my last 20 valid payments. Yet the customer service rep insisted that I name a time and place. I told her, “The time and place was whenever the server for this system decided to automatically bill my account. I don’t know where their server is, I don’t know what time their cron jobs run.”

“Cron jobs?” she said.

Right, I had been hanging around techies at DreamIt Ventures for too long. “Listen, the transaction didn’t take place physically, it took place digitally. I can identify one transaction, which is about a month old, where I actually used the card in-person to buy something.” She finally understood and let me move on.

Burak from Trendsta said he felt bad for me, for how patient I had to be with this person. But that was the least of it. This little technical misunderstanding was nothing compared to what followed.

I was told that in order to get a credit back from my account, they had to collect from me a signed affidavit indicating the charges were fraudulent. This affadavit would be “securely shared” with me via e-mail. OK, “sounds good” I said. I waited around for the e-mail to come in.

Finally, two e-mails arrived in my inbox. The important bits are in red. First:

Message from Chase Customer Claims Secure Document Exchange

From: [email protected]

Welcome to the Chase Customer Claims Secure Document Exchange. You recently contacted Chase regarding your claim number XXXX. Your documents are available for your review.

Per our telephone conversation, you will need to register to our secure website.


Your initial password is: password

Your initial user name has been sent to you in a separate email.

On your first log in, you will be required to select a new password.

Thank you for using Chase Customer Claims Secure Document Exchange.

To contact Chase for claim related questions or to withdraw your claim, please call 1-866-564-2262.

Any geek reading this will immediately identify some key things wrong with this e-mail that make it look like a total phishing expedition. Namely:

  1. The e-mail address, rather than being from a chase.com domain, was from a strange domain named “secure-dx.com”.
  2. Rather than sending a cryptographically secure, expiring activation link, a default password was sent in plain text.
  3. To make matters worse, the password is the same for all users, and thus anyone who can guess my e-mail address can easily impersonate me on this “secure document” website.
  4. The default password is “password”. WTF?! I mean, c’mon?

I didn’t quite understand why I needed a “second e-mail” now, but I opened it up. Here it is, excerpted:

Your Chase Customer Claims Secure Document Exchange Electronic Package is available online

From: [email protected]

ANDREW MONTALENTI,

Welcome to the Chase Customer Claims Secure Document Exchange.You recently contacted Chase regarding your claim number XXXX. Your documents are available for your review.

Per our telephone conversation, you will need to register to our secure website by clicking on the link below or copy and paste the link into your browser’s address bar.

https://chase.secure-dx.com/consumerdcx-chase_atm

Your user name is [email protected]

Your initial password has been sent to you in a separate email

On your first log in, you will be required to select a new password. NOTE: This site is different from Chase.com and passwords are not related. Updating your password on Chase Customer Claims Secure Document Exchange will have no impact on established Chase.com passwords.

Once registered, you will be able to access your customer correspondence on our secure website. You may be offered the option to complete and sign the form online if you wish to do so. […]

To say I was confused would be a major understatement. I was downright depressed.

My guess is that the engineers at Chase thought that by separating the “password e-mail” from the “user e-mail”, that somehow made the whole communication more secure. Two e-mails are better than one, right?

The most important thing to point to is the link. The link where this secure communication will happen is not at the chase.com domain Instead, it is at https://chase.secure-dx.com/consumerdcx-chase_atm. There is no way, NO WAY this is a real Chase site, I think.

I click on the link and in Firefox, I see this:

chase_forgery

At this point, my paranoid self turns on. Curious, I click through the link anyway. And I see this:

chase_sdx

Now I’m really paranoid. Links off secure-dx.com pointing back to chase.com’s privacy policy. A username and password box and a sort of hokey imitation of the Chase.com web design. I realize, holy shit, I’m being duped! Not just small-time credit card fraud, but someone has managed to really take over my life!

Why am I freaking out? The customer service person I talked to, I realize what must have happened. That wasn’t Chase. Someone stole my credit card information and then set up a call forwarding on my cell phone, somehow, to point Chase’s customer service number to some fraudulent interceptor. This person then diligently took my claim only to send me an e-mail that would get yet more information out of me and take me for even more money. I freaked!

Immediately, I double-checked my call logs and compared them to Chase.com customer service numbers. I made sure to change my DNS server to OpenDNS to make sure no one was somehow intercepting that. Finally, I realized I could look at the number written on the back of my Chase credit cards. It all checked out — the number was good. So I switched phone. I called Chase customer service on both my phone and Olivia’s. I made sure the messages were exactly the same. From Olivia’s phone, I called back Chase again to speak to someone there about this. But then I got even more paranoid — how big could this be? — so I decided to hang up. Instead, I called my local Chase branch in my neighborhood.

With my local branch’s help, I got transferred via a branch office line to the actual Chase customer service. Finally on a secure line, I thought to myself. When they picked up, I was expecting to uncover the scam of the century. I felt like an investigative journalist right on the tail of something truly big.

But then I spoke to the Chase representative, on the secure line, and she explained to me that this is just the normal procedure. secure-dx.com is the website they use for “securely” sharing documents.

I was livid. I explained everything wrong with this setup. I demanded to speak to a supervisor. I spoke to a supervisor. He said he did not know why the system was the way it was. He wasn’t a software guy. He just knew that “with the way the business is changing lately, a lot of systems are in flux.” I said this flux was unacceptable. “I’m a software engineer,” I said. “How can I possibly trust Chase to manage my financial accounts if something as simple as sharing a PDF document is done in the least secure way possible?” What other skeletons might they have in the closet?

I wanted to be forwarded to the department responsible for that. After my explanation to him of what was wrong, he fully understood the problem. To his credit, he admitted it was wrong the way it was set up. He actually tried to track down a supervisor. But there was none that could field IT and software requests.

They promised to call me once they could track someone down to talk about this. No call yet.

My excitement came down a couple of notches. I was not the investigative journalist undercovering an elaborate scam any longer. Instead, I was a software engineer. And some members of my profession have let me down. Big time.

In the meanwhile, I did the research and found the vendor who provided this service to Chase. They are Wolters Kluwer, a “financial services and banking compliance solutions provider”. The product page for “SDX”, Secure Document Exchange, is completely ludicrous. They claim this product includes “industry-leading security, including PKI encryption and multi-level user authentication, to keep communications safe at every step of the process.”

Right, so the password was sent in plain text. The default password is “password”. And, rather than having a chase.com subdomain which points at Wolters Kluwer’s server (e.g. secure-dx.chase.com) and sharing a secure chase.com certificate with them, they decide to host the whole thing outside of the chase.com domain, so that as a user, I have no way of confirming this actually is an e-mail or system originating from Chase. Users are so confused by this that they have already reported it as a phishing scam, even though it is not one.

That’s industry-leading? That’s “safe communication”?

No, that’s a joke. Chase should be ashamed.


Jan 5, 2013 Update: Hi, unexpected /r/programming visitors! Yes, this article is over three years old. Yes, this process has not changed much in the past three years. No, I did not expect a customer support representative to really know what a cron job was.

Many reddit commenters took the position that I was being “overly paranoid” and that I took this whole thing way too seriously. Well, I strongly disagree. As many other commenters rightly pointed out, many individuals share usernames / passwords across systems. It was not paranoid for me to think this was actually a phishing scheme. Why would a phishing scheme send me a password, only to have me reset it when I log in? Answer: out of the hope that some percentage of users would “reset” their password with their actual bank password, of course. Phishing schemes are most effective when they spoon feed users a little trust, and then betray it. I admit that thinking that my cell phone had been hacked was perhaps a leap of true paranoia, but I tried to convey how I actually felt.

Chase did finally introduce their own domain (https://sdx.chase.com) for their “secure” document exchange service, the lack of which which was, by far, the major sore spot in this whole setup. The rest of the silly process remains. For me, the greatest damage this process does is in conditioning novice Internet users that systems like this are trustworthy. In other words, I’m not upset about the hundreds of people who, like me, questioned the legitimacy of this system. I’m upset about the thousands, or possibly millions, who used it without questioning it at all.

For those of you who enjoyed the article and feel as a programmer you would never make the same mistakes, you can take a look at the job opportunities available over at my startup, Parse.ly. A tad opportunistic, but hey, it’s not every day thousands of programmers flock to my blog.

212 thoughts on “Chase’s completely insecure and broken “secure” document exchange system (aka securedx, secure-dx)”

  1. I have worked 2 hours trying to reset my password with chase. if you ask them for a print out they send you something that does not identify the charges, if you call customer service you get and endless loop message, if you go on line you get a help desk that is no help. I use this site for unemployment debit card. No one seems to know what is going on. Why does the stae of texas use this shitty company

  2. I also freaked out over the secure-DX domain, and thought I was being scammed. Thanks for the blog post – there isn’t a lot of other info on this out there. Shame on Chase for using such a poor security system – if they really need to outsource this, they should arrange for them to use a chase.com subdomain.

  3. I had the same debit card fraud. Someone has used the debit card in California, nearly $1000.0 in motorcycle sport store.

    We have never used this card physically.

    Another point is the 1866 claim dept phone number hardly worked, once we entered the debit card and pin number, it always hang up and cannot connect through. While, this maybe a way the information can be stolen.

    For those of you have trouble to get through, send your claim letter to,
    P.O. Box 620002
    Internal Mail TX1-2551
    Dallas, Texas 75262-9802

    Customer Claim Department
    Phone: (866)564-2262 Fax: (866)701-9886

    But Chase database must have been compromised somehow. This is the conclusion.

  4. How do I know this isnt a fraud cover for the warning I reached when investigating my atm problems…….????

  5. Telling me the website is that of Chase and is safe, in fact I am opening myself to further fraud.

  6. I had the exact same thing. Fraud on card, called, was told about secure document sharing and the whole deal smelled fishy. I got the same paranoia, wondering how big could this be? But, you’ve put my fears to rest. Good grief Chase! My plan is to never use my debit card ever again.

  7. My story’s no different.

    It’s pretty pathetic that Chase’s procedure initially appears to be blatant fraud, but turns out to be legit. An actual fraud would undoubtedly be more clever.

  8. My story is no different .

    I was pretty amazed that someone got a hold of my credit card number in a different country
    I reported the fraud with chase, and they are taking care of the problem.

  9. lost my card sometime during last week got my card back today when i went to put gas in the car the card was declined called up chase to see what the problem was come to find out there was a negative balance of $130 someone had used my card to purchase things chase was nice enough to help me out on the phone now hopefully they can rectify the negative balance that someone made on my account.

  10. Damn, I too found this site via Google search of secure-dx. Google favors you :p

    Anyways, my story is similar to yours. I even went to my local branch in Miami and one of the bank specialist actually told me that secure-dx is in no way related to Chase and that the claim number in the e-mail was not even under my name. I told him that I was going to go to my local police station and file a report, so that they could track whoever owned secure-dx and gang rape them with the FBI.

    After reading this, I’m even more disappointed that it is not a real scam, but just an embarrassing security flaw. A very big one. In fact, Chase should fire its IT guys and security advisers. Out of a cannon. And into the sun!

  11. click on the sdx chase URL in the email they send. click on “forgot my password”. when that comes up click on request new password. The new password they send will be the same as the old password but it will work. at least it did for me.

  12. I just received a package from a company called DHL, and when I opened it I found a letter from a bank. Should I be paranoid and ignore the letter…lol…never read so much paranoid drivel as on this thread!

  13. @Paranoid People

    I think the analogy would be that you received a letter from a company you’ve never heard of, delivered by a company you’ve never heard of. The scenario you stated would be correct if the email contained a link to your bank. The real question for me is whether this site asks for sensitive info or just displays documents to the user.

  14. Also WaMu-to-Chase, here. Going through this right now, with added annoyances.

    After logging into sdx.chase.com, I get the screen that contains the pdf link. The screen says “If the list of transactions contains all the items you wish to dispute, you can fax or mail back the form, simply print the pdf attachment and follow the instructions within the document.”

    Well. There are no instructions within the document. None. Which strikes *me* as a clever way to minimize the number of claims that are actually completed by consumers. I call Chase and have a mostly unhelpful session in which I am repeatedly told “What you have received is a blahblahblah form, notifying you of blahblahblah.” I keep trying to explain that I have received two messages from Chase: one of which is the pdf the CSR refers to, the other which tells me that I am supposed to return the pdf and that the pdf itself is supposed to contain instructions for doing so.

    Ultimately, she told me that because my claim was for less than $100, I do not need to return an affidavit. I see that tidbit nowhere in the information I’ve received.

    Bonus rounds:

    The fraudulent charge was paid to brzsupport.com which is some porn subscription service. Exactly a week earlier I found a pending charge from the same site — brzsupport.com — and immediately emailed Chase. The next morning it was gone. The CSR told me the charge appeared because someone somewhere *mistakenly* provided my card number and that there hadn’t been an actual case of fraud. That they had taken care of it before it went through. And yet, here I am. (For more on brzsupport.com: http://www.complaintsboard.com/complaints/brazzers-support-servces-brzsupportcom-c309068.html )

    Plus, Chase apparently double charged a vast number of people who made purchases on a particular day in January, me included. See: http://www.yelp.com/topic/west-hollywood-if-you-bank-with-chase-please-check-to-make-sure-that-you-werent-double-charged-last-night.

    Aaaaaawesome.

  15. Chase Abuse department told me that this is actually phishing (as is, likely, this website).

    Here’s the letter:

    Thank you for submitting a suspicious e-mail message for
    our evaluation. We have already forwarded it on to our
    fraud area for additional investigation.

    Although the e-mail appears to be from Chase, it is not.
    It has been designed by fraudsters with the intent to
    trick you into providing private information about
    yourself and your accounts. It works like this: Phishers
    target the customers of large companies. They phish
    millions of e-mail accounts, knowing that many of their
    targets will be among the recipients. In the process,
    they end up sending an email to many people who aren’t
    customers.

    If you have responded to a phishing e-mail that appears to
    have originated from Chase by entering personal or account
    information into an e-mail/unauthorized site or over the
    phone, we ask that you immediately call our customer
    service team for further guidance and assistance. In
    addition, if you have already clicked on a link, we
    recommend that you run an anti-virus program on your
    computer.

    To help you safeguard your personal and financial
    information, we recommend that you be suspicious of any
    e-mail that:

    – Requires you to enter personal information directly into
    the e-mail or submit that information some other way.
    – Threatens to close or suspend your account if you do not
    take immediate action by providing personal information.
    – States that your account has been compromised or that
    there has been third-party activity on your account and
    requests you to enter or confirm your account information.
    – States that there are unauthorized charges on your
    account and requests your account information.
    – Asks you to enter your User ID, password or account
    numbers into an e-mail or non-secure webpage.
    – Asks you to confirm, verify, or refresh your account,
    credit card, or billing information
    – An offer of a reward for completing a survey.

    You should never reply to, click on, or enter any
    information if you receive a suspicious e-mail. We
    proactively work to stop fraudulent messages; however,
    criminals with malicious intent continually look for new
    ways to circumvent security measures. Although we did not
    send the e-mail, please know that we regret any
    inconvenience or concern it may have caused you.

    Thank you,

    Husein Barot
    Email Customer Service Representative

  16. Chase Abuse department doesn’t know their ass from their elbow, or they are trying to cover up the boneheaded secure-dx system they were using.

    As for my website, I assure you I am not a phisher or attempting to help the phishers. As I mentioned numerous times, I discourage anyone from actually using Chase’s insecure system — and instead, report it to Chase. But the truth is, this is an official Chase system, and that’s what makes it even more laughable (and pathetic)!

  17. This website is an attempt to bolster and validate the well organized and sophisticated phishing attempts of the people sending these fake Chase customer claims emails.

    THE WEBSITE IS A CRIMINAL SCAM

    DO NOT CLICK THROUGH

    This website has been reported to the FBI. The only reason it is still up is to catch these pieces of trash when they make more stupid comments and reveal more about themselves through their language patterns.

    To whomever is writing this site – you had better pray the authorities find you first.

  18. @nadda,

    As I mentioned numerous times, I discourage anyone from actually using Chase’s insecure system — and instead, report it to Chase.

    My question is, why, if I repeatedly state that users reading this article should not make use of this insecure system, do idiots like you continue to libel me and label this site part of a widespread phishing conspiracy?

  19. I just came across this blog while sitting bored at work, ironically by trying to reverse lookup the 866 number that had mysteriously called me this morning. I dealt with this exact same (apparently epidemic) issue last December when I had two fraudulent charges on my account for a plane and bus ticket around $600. Sad to say I could never figure out who exactly did it (even though Chase said they were “conducting an investigation”, which just makes me laugh at this point), though I honestly think it was a waiter at a restaurant that had my card in hand while processing the check for my meal, because he took an awfully long time to do so. Safe to say now I only use cash when eating out.

    Went through this whole secure document exhange crap, and while I did get the amounts credited back to me with not much trouble (just a giant migraine, because a college student like myself TREASURES that amount of money), it certainly surprises me to learn just how unsecure this third-party method is. I can’t remember the process exactly and say my experience was verbadom, but I did encounter the phishing warnings via Firefox (I refuse to use IE), repeatedly, it was a bitch to get through to the site. Having dealt with enough attacks on my computer, I was naturally paranoid like everyone else, but like it SHOULD be to begin with, I wanted to put my trust in my bank and went with it. All in all, the problem was resolved, but this method will definitely make me think twice now. *has been with Chase since 2006*

    At the very least I think the problem’s resolved. Now and then I still get emails from the Document Exchange thing, saying I have a “new correspondence message” from them, blah yada blah. Why, I have no clue. They pretty much state the same things over and over in regards to resolving the disputes, so with each redudant message, I took it less seriously.

    Recently, however, in the past month or so *can’t remember exactly when*, Chase credited $31.01 (onto the old account that I since technically “closed”). It said it was for the bus ticket thing that I already was credited with before (at least I thought for sure I was). Thinking it may have been a stupid mistake on their part, I let the money sit. And it stayed, for weeks. That’s when I started wondering if they had indeed hadn’t reimbursed me the full amount before. Since I had an unused debit card they sent me alongside the card for my new account that was apparently usuable, I went ahead and decided “Hey, I need some things from Bed Bath and Beyond for my apartment!” and used the money. Used most of it that trip, and nothing funny happened from it, so it seemed legit. Around A MONTH AND A HALF LATER, Chase sends me yet ANOTHER email on the UNsecure Document Exchange. I open it while at college, and it states basically “Oh! For no reason to be explained we are reversing the $31.01 credit made on such and such date.”, and that was basically it. My mind immediately went to that money they dangled in front of me that I spent at BBB. My mind, “……..FFFFFFFF**********.” From that reversal, the account was then -$26. My next thought, “NSF FEES. FFFFFF*********.” Because they charge those fees bloody fast, I tell you. Sometimes within HOURS. Needless to say, I was livid. I was already dealing with BS from AT&T turning off my service AFTER I paid, so I definitely was not happy to see this. Like the wind, I ran to the nearest branch to take some money from my other account and deposit it in, just enough to bring it back into the green. The one reason I did so was so that I wouldn’t be taking out $60 to satiate the problem. I was not in the best mood to deal with the issue properly, not to mention the branch I was at was full of stupid kooks, so I deposited the money and left.

    Does that mean I’m leaving the matter alone? No. 🙂 Rest assured they’ll be getting a nice reprimand from my end. I don’t appreciate paying for their stupendous mistakes. Insult to injury, I live in NYC.

  20. Oh, and I read your article on the $39 fee thing and was trying so hard not to cackle at my desk. Pure brilliance. 🙂

  21. Another Chase customer with the same experience. I sent a message to Chase via its chase.com secure messaging system informing them I cannot accept any correspondence they send via a phishing site.

  22. I thought it was a scam too, but when you go to sign in at “chase sdx” it asks you to change your password to something you want from the one they give you in the email and it says in the PDF that the fraudulent charges on my account were credited and when I checked the chase website they had been credited. It all seems like a scam a first but it is real (but stupid how it is all done).

  23. I really don’t know why people call this website a “SCAM”, it is not, call Chase customer service from the number on your debit card and ask them if the site is real and they will tell you “YES” and they will tell you that because the website is “REAL” and not a “SCAM”

  24. I had my debit card cloned or something and got charges in California that depelted my account. I am going through the same thing. The SDX site looks very fishy/cheap/amateurish/fake to me also. They did have an accurate listing of the charges so I went on with it. I went back and forth in the site, and then got a ‘command failure’ message. I could no longer access the site at all. Chase had me delete my cookies and try again. Did I mention cheap/amateurish? I was able to submit it finally.

    Now I can’t log on because the password seems to have changed and the account is “locked”.

    I mentioned to Chase that it is odd that a couple of years ago their fraud detection system denied my attempted $5 purchase at a store I go to three times per week, for 20 years, and let this new stuff happen.

  25. I just had 4 unauthorized charges reversed on my Chase account, I did go to this website as well and give an ‘e-signature’ verifying my report. As it was explained to me by the Chase fraud department I could choose to e-verify or I could go down to a local branch and file the report or do a mail filing. As I wanted this taken care of immediately I chose to do the e-verification. They also sent me the email with a one-time only password, stated in the email was that it was a random # generated and would not work after I changed the password. I submitted all of this on Tuesday 08/24/10 (also had to wait to go from pending to transaction), and while waiting for VISA to do its investigation they temporarily refunded all monies removed from my account. I got a phone call from Chase today stating that their findings were that my account was charged without my authorization and that all monies including the 3 over drafts it caused were all going to stay reversed.

    * I hate Chase, I hate all the fees and issues associated with them, this is the first time I’ve ever had a problem resolved so quickly and easily.

  26. I am really confused. After reading all of the other commits, I am more confused than ever. How am I to know that this website is what it says it is? I want to get my money back but am afraid to go on not knowing that is will be secured the way that Chase explains that it will be.

  27. Just another recipient of the two emails….
    Like everyone else, I’ve seen enough of the phishers to know better than to trust these. So, I googled it to see what comes up… this site is first….

    I’m going to write Chase and send them this site.

  28. Chase is making it confusing for their customers to determine if they are being scammed. If they do not follow the key indicators that help customers determine that they are who they represent, scammers will have a field day.

    That being said, my username and password was sent in the same email and that kind of made redundant any security they intended with the secure-dx site (which is weak because the website SCREAMS out phishing even though it might not be).

  29. The debit and credit cards that’s how chase get you, a lady went into my account said chase and deposit 250 dollars, this was over the weekend, I did not know about any deposit, the deposit slip looked like someone just put anything on it, it had my account number, now you know you have to show ID , well chase tried to use the excuse I used 85,000 dollars on my debit card, look out when they choose your pen number, and refuse to let you choose your own pen. they send you what they want you to have.

  30. This about the Dish Network that was charged to my checking account on 9/24/10
    for 180.00 dallars. That I didn’t know anything about.I don’t know anyone that has
    Dish Network. I have Time Warner.

  31. this is the second time my chase account has been used without my consent but I didnt have to do any of this the frist time! they did every thing over the phone and refunded all the disputed charges Im not doing this but I will be calling the bank back and telling them what I think

  32. I love “Not phishing “. He/She is very detailed and is a wide thinker. ALso, I work for Chase and I know how these things worked, so it’s really legit as to what I can say. All these things on this website are clearly and perfectly just moans and cries of people who had been defrauded and lost all their money because of a fraudster, and not Chase. You guys should think more about it, you try not to use your card online frequently or maybe, just even the thought of ALL banks having the same issue. Why not do this. Type in to Google, “WAMU complaints” or “Wells Fargo bank complaints”. See guys, you’re not alone. The bank is here to protect your money, and even if you guys complain about it, All is in the REg E, and the government’s federal law that what these banks are doing (such as Chase) are all legit.

  33. it’s december 2010 + this crap is still happening! omg! MONKEY, thanks for your post + investigation + suggestion. I’m just an end user, but with above average tech savy + this thing reads SCAM like crazy. + it’s not…that’s mind blowing. weirder–the call center in the phillipines that handles fraud charges were a disaster–didn’t know 11 was november, not october, sent me to regular customer service for someone to “read me my transactions” even with a fax from me on their screen already showing all the fraud charges, and even the manager who was generally good, omitted over $100 in charges until I insisted several times that his numbers were wrong. DISASTER!!! NIGHTMARE!!! + now they are adding all these rules to keep “free checking” —-I’M OUTTA THERE.

  34. OH, and the password isn’t “password” anymore….but, it’s still right there in the e-mail even if it is 43igsowtisf or something like that.

  35. WTF. Just received a similar email regarding our mortgage refi – not a minor transaction! And boy o boy, this makes me feel better:

    http://secure-dx.com/

    broken page, running IIS. nice. Oh, they forgot to program for non-www. nice. IT kings! Yeah, this system is ridiculous. OK, with the www, it redirects to isentry.com – which is who the domain is registered to.

    They refer me to this site to explain how this is a top-level state of the art security system (that happens to reek of phishing)…

    http://www.wolterskluwerfs.com/Content/Products/ProductDetail/Secure_Document_Exchange.aspx

    “SDX Secure Document Exchange (SDX) provides a powerful, secure, and simple way for financial institutions to electronically transmit information and documents over the Internet. SDX employs industry-leading security, including PKI encryption and multi-level user authentication, to keep communications safe at every step of the process.”

    Ya. “industry-leading security” like animated gifs are the cutting edge of graphic design.

  36. Another huge thank you for this post. Started to get really freaked out because we got a streamline re-fi offer from Chase Mortgage. I realized that I had no idea that the phone number I called was legit. Then the secure link comes from this dumb address and I really started to get worried, because this is rinky dink.

    I never gave my social on the phone, and they seemed to know all the information they should have known, but still, let’s make people feel better, not worse with our secure communications.

    I would have felt better if they’d just sent the pdf’s as an e-mail attachment.

  37. Thanks for posting this. I found your article when I looked up an 866 phone number calling my phone. I recently had unauthorized activity on my card, and went through a claims process identical to the one you described. Besides being disconcerted that my card was somehow being used without my knowledge (despite the fact that it was still on my person), I wasn’t tech-savvy enough (or didn’t have enough common sense, even) to be alarmed at the process for filing my claim verification online. I’m not sure what Chase was calling me about just now, but I’m relieved that I found your post and now feel enlightened about the oddness of their process, and also relieved of fears that this is a phishing scam. Again, thanks!

  38. ROFL!!! Amazing! I am currently in the state of paranoia doing whois lookups on secure-dx.com and emailing the fraud center to tell them someone outside the US is trying to scam their customers. This is absurd! Thanks for the post.

  39. Incredible. My wife just went through the same bizarre process after unauthorized charges appeared on her card. Exactly the same as what is described here. Like everyone else, I googled secure.dx to try to get a fix on what sort of lame scam we had stumbled into.

  40. Chase are complete idiots when it comes to the web. I’m a web designer, and I can’t tell you how many times I’ve complained to them about how much their online interface SUCKS. I got these dumb emails too (thing is, I have not contacted Chase about any fraudulent purchases … ???) and reported them to [email protected] figuring they were phishing. lol Hopefully they get the point. Looks like lots of other knowledgeable folks have done similar things. I have BofA, in fact switched accounts to Chase in 2009 after 15 years of banking with them cuz they were suddenly tacking all kinds of fees to my accounts. Well, Chase is not only doing the same exact thing now (despite claiming that they’d “never do this to their clients!” two years ago) but they suck big time when it comes to the online environment. Which is why I’m switching over to Schwab momentarily …

  41. Also got Chase’s streamlined re-fi offer in the mail and called the number given; also got concerned at the point they asked for birthplace etc. for security questions. Stopped at that point and did a double-check by looking at the Web page the rep suggested (www.chase.com/newlowerrate); unfortunately, it DOESN’T show any phone numbers! Probably because they have different call centers for different batches of offers; still, it just shows how easily a scammer COULD piggy-back on this legit process.

    Anticipating that some scammer will try to do so eventually (the issues in this blog have hardly changed since mid-2009, right?), I recommend that everyone complete a little due diligence along the way — check the phone number, check that the link in the email goes to where it says it does, etc. In my case, calling the Chase Mortgage number and talking with a re-fi specialist did confirm that the offer and the rep was legit.

    For the re-fi process, it appears (in)secure-dx.com is only being used to deliver loan documents for review, instead of snail-mailing printouts. Responses (incl. signatures) are via fax or email. So, not a big deal once you make peace with the preceding steps.

    Apparently Chase trusts their automated document delivery to secure-dx.com more than via email. They did verify my identity every time I called, so they would be sure of the email address that I gave them to send the ID/password for secure-dx.com access to the documents they could have sent to that email address… but they sent the Authorization to Disclose Information form to that email address!

    HELL, why not just post the documents in my online Chase mortgage account?!?

    With decades in the field of systems design and development, I certainly agree this is the sloppiest process I’ve seen for a provider in a “trust” industry. (With a nod to the recursively weird World Wide Web, see the post by “motty” on Nov 25, 2009 about trust at http://www.metafilter.com/86980/Banks-are-too-big-to-fail-at-social-media which is in turn commenting on THIS page…)

  42. thanks for the post Andrew, kudos for the write up.. ther two Chase sdx emails look completley like a phishing scheme, and my paranoia ratcheted up just as yours did.. so glad I found your post. nice work.
    -not a software engineer but knows enough IT to recognize a bad design..

  43. Thanks for the initial post and detail on this. The fact that this is not a big phishing scheme baffles me. The website is totally legit and I still cannot believe it. At least it is now a sub-domain of Chase.com. Sheer Madness!!

  44. Glad that this post is as trafficked as it is. As a heads up to your readers, Fifth Third Bank just started using secure-dx, and like many others my reaction was the same. Thankfully I checked with my bank, and stumbled across your blog. Appreciate the work!

  45. Pingback: pligg.com

Leave a Reply