chase.com not secure, but prompts for login

Discussion in 'other security issues & news' started by mbeiley2011, Sep 26, 2011.

Thread Status:
Not open for further replies.
  1. mbeiley2011

    mbeiley2011 Registered Member

    Joined:
    Sep 26, 2011
    Posts:
    4
    The website www.chase.com is not fully secure, yet they ask their customers to enter their login username and password on this page. This is very bad security policy, and subjects all the Chase customers to having their login credentials stolen.

    If you go to:

    https://www.chase.com

    it should be showing all secure content, and most web browsers will show you this with a lock symbol. If you check in IE9 or Chrome they both indicate the problem. Most likely they have some image on their home page not secure, but the end user cannot easily tell what is secure and what is not, so they can't be sure their login credentials are safe. I notified Chase of this on Saturday when I first noticed it, and yet still today it is broken. It seems crazy in this day and age that a large bank would be so lax with security. Please see the attached screen shots showing the problem.

    chase_with_ie9.jpg

    chase_with_chrome.jpg
     
  2. ronjor

    ronjor Global Moderator

    Joined:
    Jul 21, 2003
    Posts:
    57,779
    Location:
    Texas
    Enter an incorrect password, hit enter and see if it takes you to the secure page.
     
  3. mbeiley2011

    mbeiley2011 Registered Member

    Joined:
    Sep 26, 2011
    Posts:
    4
    Hi ronjor,

    Yes, their re-directed logon page is fully secure, and that is what I've been using. I was just trying to point out the problem. If a bank can't demonstrate better security than this on their homepage, it is scary to imagine how safely they treat confidential data internally.
     
  4. ronjor

    ronjor Global Moderator

    Joined:
    Jul 21, 2003
    Posts:
    57,779
    Location:
    Texas
    It is sloppy. There are many sites that are like this.
     
  5. dawkholiday

    dawkholiday Registered Member

    Joined:
    Oct 6, 2011
    Posts:
    3
    When you visit the site do you look up Chase.com through a search engine or use a bookmark/favorite? This information should have been given to you if you asked them. They explained that to me last night. Did you talk to customer service about it? What did the CS say?
     
  6. mbeiley2011

    mbeiley2011 Registered Member

    Joined:
    Sep 26, 2011
    Posts:
    4
    Hi dawkholiday,

    The problem is the same no matter how you visit their site (bookmark, type it in the address bar, follow a link...). Their home page is providing both encrypted and non-encrypted content, thus the full page is not encrypted. It isn't obvious to the end user what is and isn't encrypted, so this is a bad practice, and doesn't give the user confidence their login credentials will be transmitted encrypted. Different browsers show this problem to the end user in different ways. In IE, the lock is not present. In Chrome the lock icon changes to have a warning sign on it, which you can click on, and they'll explain the problem.

    I did send them an email through my account, but the answer was basically to call them. I view this as their problem, and wasn't going to spend more of my time trying to explain what they should already know. It baffles me that a bank as large as Chase can't figure out these basic security issues.

    The work-around is to enter a bogus password, and you'll be re-directed to a dedicated login page that is fully encrypted.
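
Added example, not part of any post in this thread: a small audit of the condition described above, where an HTTPS page pulls in non-encrypted subresources and the browser withdraws the lock. It lists every `http://` subresource and reports separately whether the login form itself posts over HTTPS, since an insecure script can alter the form even when its target is encrypted. The `bank.example` hosts and the sample page are constructed placeholders, not Chase's markup.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit
# Tag -> attribute that makes the browser fetch a subresource.
FETCH_ATTR = {"img": "src", "script": "src", "iframe": "src", "link": "href"}
# Content that can rewrite the page (including its login form) if tampered with.
ACTIVE = {"script", "iframe", "link"}

class MixedContentAudit(HTMLParser):
    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.insecure = []  # (tag, absolute URL, "active" | "passive")
        self.forms = []     # (absolute action URL, posts over HTTPS?)

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "form":  # an empty or missing action posts back to the page
            target = urljoin(self.page_url, attrs.get("action") or "")
            self.forms.append((target, urlsplit(target).scheme == "https"))
            return
        name = FETCH_ATTR.get(tag)
        if name is None or not attrs.get(name):
            return
        if tag == "link" and "stylesheet" not in (attrs.get("rel") or "").lower():
            return  # only stylesheets are audited among <link> elements here
        url = urljoin(self.page_url, attrs[name])  # resolves "/x" and "//host/x"
        if urlsplit(url).scheme == "http":
            self.insecure.append((tag, url, "active" if tag in ACTIVE else "passive"))

def audit(html, page_url):
    parser = MixedContentAudit(page_url)
    parser.feed(html)
    return parser

# Constructed sample page; bank.example hosts are placeholders.
SAMPLE = """<html><head>
<link rel="stylesheet" href="/css/site.css">
</head><body>
<img src="http://images.bank.example/banner.jpg">
<img src="//cdn.bank.example/logo.png">
<form action="https://login.bank.example/auth" method="post">
<input name="user"><input name="password" type="password"></form>
<script src="http://stats.bank.example/track.js"></script>
</body></html>"""

if __name__ == "__main__":
    report = audit(SAMPLE, "https://www.bank.example/")
    print(report.insecure, report.forms, sep="\n")
```

On the sample, the form target is HTTPS, yet the page still carries one passive (image) and one active (script) insecure fetch, which is enough for a browser to stop showing the page as fully secure.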
     
  7. dawkholiday

    dawkholiday Registered Member

    Joined:
    Oct 6, 2011
    Posts:
    3
    Could it be IE 9? I'm running IE 8 and get my lock. I spoke with Chase and they mentioned that they are not fully operational when running on IE 9. Not exact words but it's how I phrase it lol. Idk. Just trying to offer a different view. I mainly use Firefox though and have had no problems. Just booted up IE 8 to test it out and refuse to bump up to 9 just because I hate Microsoft.
     
  8. wat0114

    wat0114 Guest

    I believe you are right. When I enter credentials (randomly typed fake) I get two IP addresses logged. One secure and one unsecure:

    port 443: 159.53.60.105

    port 80: 199.16.83.72

    This was with IE9 so dawkholiday may have a point about the browser used.
     
  9. CloneRanger

    CloneRanger Registered Member

    Joined:
    Jan 4, 2006
    Posts:
    4,833
  10. wat0114

    wat0114 Guest

    I just tried royalbank login using IE9 (the one I deal with) and it's all secure connections. As ronjor pointed out, Chase appears to be sloppy so no excuses imo not to be ready for IE9.

    EDIT

    Try a search on "Chase login" and go with the first result. You should get -https://chaseonline.chase.com/
     

    Last edited by a moderator: Oct 6, 2011
  11. CloneRanger

    CloneRanger Registered Member

    Joined:
    Jan 4, 2006
    Posts:
    4,833
    @ wat0114

    Don't know about IE, but with FF the padlock showed solid gold on both those "supposedly" secure www's

    pad.gif

    So on its own it might be a true indication of FULL security! That's why I love Calomel :)
     
  12. wat0114

    wat0114 Guest

    I got redirected like you, CloneRanger, but no padlock showed until after I attempted to sign in. It's gold when I hover over it, and same thing with royalbank.

    Did you try: -https://chaseonline.chase.com/ ?
     
  13. CloneRanger

    CloneRanger Registered Member

    Joined:
    Jan 4, 2006
    Posts:
    4,833
    Just tried https://chaseonline.chase.com for you EXACTLY as before. The padlock showed solid gold, even though neither were 100% secure via Calomel?
     