Banking Follies

Perry E. Metzger perry at
Fri Jan 12 15:06:22 EST 2007

As many people here are aware, one of my least favorite banks,
especially in terms of system security, is Chase.

Today I received an email message from Chase informing me that I'd
gotten a brand new hotel rewards program branded Visa card from them,
and inviting me to click on various links to set up my internet access
to the account, and inviting me to call a particular phone number to
activate the account.

Unfortunately, I had never applied for such an account. The name in
the email was also not my name, and the email was also sent to an
account I never give out to anyone.

A detailed examination of the email made it appear genuine, though of
course one can never know. (Chase's credit card operations send
similar emails to customers all the time, including links to click
on, training their customers to become victims of phishing while
carefully explaining to them that they should be very careful about
phishing. Chase also has the bad habit of sending their security
critical emails through third party providers -- in this case
"" was in the path the mail took, though past
experience tells me this alone does not mean the mail is
fraudulent. Thank you, Chase, for making it so easy for people.)

It was possible that the mail in question was purely fraudulent, but
one couldn't really know. I suspected it was more likely that Chase
had either sent the email to the wrong place or that a particularly
stupid person had given the wrong email address to Chase when applying
for the card and that it happened to be one of mine by accident.

(Note to banks: 1) Always require round trip confirmations before
accepting an email address for an account holder. 2) Never send anyone
email inviting them to click on things, period. In fact, you probably
shouldn't be sending people email. 3) Study what Chase does carefully
and send out reports internally saying "don't let this happen to us.")

Now, here I am, either the subject of phishing, the victim of some
sort of identity theft (possible but not likely) or in possession of
important information that would allow me to commit credit card
fraud. As an honest person, my reaction is to call the bank.

Unsurprisingly, Chase's "confirm that you have gotten your credit
card" number has a small bug. It really doesn't want to allow you to
report that something is wrong, it only wants to let you report that
everything is okay. One wonders at a "confirm you got your card" phone
number where you can't easily report a problem but only success -- it
certainly isn't brilliant security design.

By pretending to not have a touch tone phone (I'm sure that trick to
get to a person will end when they put voice recognition on the line) I
managed to eventually get through to a live sentient being, but sadly
the human in question was not really well equipped to speak with other
humans -- in particular, beyond the fact that this person was
remarkably unintelligent, he was also remarkably unintelligible. By
the accent, I don't think he was in an offshore call center, but he
might as well have been.

First, he asked me what I expected him to do about the situation. Now,
generally speaking, one imagines that a bank would want to know about
such a situation, but this being Chase I suppose I should not have
been surprised at the quality of personnel training involved.

When I explained that I thought that perhaps the bank would be
interested in preventing fraud, he then asked that I give him all my
personal information, even though I explained that not only was I
suspicious enough under the circumstances that I didn't want him to
have my social security number, but also that I thought it was
unlikely that the card in question had my social security number
attached to it. After a few passes back and forth, I asked to speak to
his supervisor, which after a number of minutes on hold didn't
happen. Then finally he transferred me to an anti-fraud department.

The anti-fraud group seemed to be at least slightly more on the ball,
but kept insisting on things like knowing my zip code when I was
pretty sure my zip code would not be attached to the card in
question. After I carefully guided the phone agent through doing
the database query, she finally located the card in question, which
may or may not be legitimate but which (we established by checking a
couple of digits) was not associated with my address, name or social
security number. I suggested to her that she might want to have the
account frozen, but she declined, and said that someone would simply
contact the card holder. "Not my problem any more", I said, and we
ended the call.

I suppose the lesson of all of this is that security is hard, and a
security system that depends on large numbers of telephone center
representatives to function is probably a bad idea. There are several
ways that this could have been avoided, and that the entire problem
could, in fact, have been avoided -- Chase could have avoided
attaching an unconfirmed email address to a new account, Chase could
have provided a way for people to unconfirm rather than confirm cards
on their 800 number, etc.

However, all that is secondary. The real problem is that Chase, as
well as many other banks, doesn't appear to make security a high
priority in their operations. It is perhaps wrong of me to constantly
pick on Chase, but since I constantly get new reminders, often
unbidden as in the current instance, of how badly they operate, I
think they make an excellent example of how not to run things.

"Don't let this happen to you."
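
The round trip confirmation and the "unconfirm" path the post asks for can be sketched as follows. This is an added example, not part of the original message and not any bank's code; the names `Account`, `issue_codes`, `redeem` and `may_send_account_mail` are hypothetical, and the codes are meant to be typed into the bank's own site or phone line rather than delivered as links.

```python
import hashlib, hmac, secrets, time

SERVER_KEY = secrets.token_bytes(32)   # constructed here; a managed secret in practice
TTL = 24 * 3600                        # assumed lifetime of a code, in seconds
ACTIONS = ("confirm", "reject")

class Account:
    def __init__(self, account_id, email):
        self.account_id = account_id
        self.pending_email = email     # supplied at application time, untrusted
        self.verified_email = None     # set only after the round trip completes
        self.flagged = False           # set when the recipient disowns the account

def _mac(account_id, email, action, expires):
    # Bind the code to account, address, action and expiry so it cannot be reused elsewhere.
    msg = f"{account_id}|{email.lower()}|{action}|{expires}".encode()
    return hmac.new(SERVER_KEY, msg, hashlib.sha256).hexdigest()

def issue_codes(acct, now=None):
    """Return one code for 'this is my account' and one for 'this is not mine'."""
    expires = int(time.time() if now is None else now) + TTL
    return {a: f"{expires}.{_mac(acct.account_id, acct.pending_email, a, expires)}"
            for a in ACTIONS}

def redeem(acct, action, code, now=None):
    now = int(time.time() if now is None else now)
    try:
        exp_s, tag = code.split(".", 1)
        expires = int(exp_s)
    except ValueError:
        return "invalid"
    if action not in ACTIONS or acct.pending_email is None:
        return "invalid"
    expected = _mac(acct.account_id, acct.pending_email, action, expires)
    if not hmac.compare_digest(tag.encode(), expected.encode()):
        return "invalid"
    if now > expires:
        return "expired"
    address, acct.pending_email = acct.pending_email, None   # codes are single use
    if action == "confirm":
        acct.verified_email = address
        return "verified"
    acct.flagged = True                # wrong recipient: drop the address, review the account
    return "rejected"

def may_send_account_mail(acct):
    # Nothing account-related goes to an address that has not completed the round trip.
    return acct.verified_email is not None
```
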


The Cryptography Mailing List