Saturday, May 05, 2007 11:44 AM/EST

Is It Really Chase.com?

I got a new Chase credit card the other day and I decided to sign up for online access, mostly so I can see my charges as they happen. The link I followed from the home page for the particular card branding sent me to a page with the title "Chase OnlineSM - Sign Up" and a URL of "http://cardsonline.chase.com/cgi-bin/nph-s.[junk]/1/[more junk]/https/chaseonline.chase.com/chaseonline/signup/sso_signup_filter.jsp"

I was less than impressed with the fact that they ask for important sensitive information on a non-SSL page:

[Screenshot: chase-signup1.JPG]

And those red asterisks mean you can't hold back:

[Screenshot: chase-signup2.JPG]

Look back at the URL again:

http://cardsonline.chase.com/cgi-bin/nph-s.[junk]/1/[more junk]/https/chaseonline.chase.com/chaseonline/signup/sso_signup_filter.jsp
(I've removed some codes that I didn't understand, but might have had something personally identifiable in them.) It's a real head-scratcher. There's another URL there at the end, what looks like an SSL version of the same thing with characters removed that would be illegal in the middle of the URL. It's not the form action; I can see what that is in the source. But I can take this second URL and just browse it:

https://chaseonline.chase.com/chaseonline/signup/sso_signup_filter.jsp

and I appear to be on the same initial sign-up form, but with SSL! And it looks like it's real:

[Screenshot: chase-signup3.JPG]

So why are they sending people to a non-SSL page to upload very sensitive information?

And does this really matter? I have a very high degree of confidence from how I got there that that http site is real. But it doesn't matter. This is really sloppy on Chase's part. They are one of the top phishing targets out there and they should be scrupulous about using every measure available to help users authenticate their web pages.
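As an added illustration (not code from the original post or from Chase), here is a small Python audit that does what the post does by hand: it flags a page served over plain HTTP, flags forms whose sensitive-looking fields post to a non-HTTPS action, and recovers the https target embedded in a rewriter-style URL like the one quoted above. The sample HTML, the field names and the keyword list are constructed assumptions.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Assumed keywords marking a field as sensitive (constructed, not from the post).
SENSITIVE = {"ssn", "account", "password", "card", "pin"}


class FormAuditor(HTMLParser):
    """Collect each <form>'s resolved action URL and its input names."""

    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.forms = []
        self._cur = None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            # Resolve relative actions against the page URL, as a browser would.
            self._cur = {"action": urljoin(self.page_url, a.get("action") or ""), "fields": []}
            self.forms.append(self._cur)
        elif tag == "input" and self._cur is not None:
            self._cur["fields"].append(a.get("name") or "")

    def handle_endtag(self, tag):
        if tag == "form":
            self._cur = None


def audit(page_url, html):
    """Return a list of finding strings; an empty list means nothing was flagged."""
    findings = []
    if urlsplit(page_url).scheme != "https":
        findings.append(f"page served without TLS: {page_url}")
    parser = FormAuditor(page_url)
    parser.feed(html)
    for form in parser.forms:
        sens = [n for n in form["fields"] if any(k in n.lower() for k in SENSITIVE)]
        if sens and urlsplit(form["action"]).scheme != "https":
            findings.append(f"sensitive fields {sens} posted to non-TLS action {form['action']}")
    return findings


def embedded_https_url(url):
    """Recover the target carried after '/https/' in a rewriter-style URL path,
    as in the post's cardsonline URL; assumes the marker occurs once. None if absent."""
    marker = "/https/"
    i = url.find(marker)
    return None if i < 0 else "https://" + url[i + len(marker):]


# Constructed sample: a sign-up form on an http page with a relative action.
SAMPLE_HTML = """<form action="/chaseonline/signup/sso_signup_filter.jsp" method="post">
<input name="accountNumber"><input name="ssn"><input name="email"></form>"""
```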


Comments (3)

COMALite J :

You missed one of the best parts! Quote:

"Note: if your account number includes letters, please be sure to capitalize them."

What, did the developers really not know how to convert lower-case to upper-case (most Web server and client-side scripting languages have built-in methods for doing so [e.g. ASP.NET's "stringVar.ToUpper"] -- heck, typing that "Note:..." text was much more typing than that!), or to use a LIKE instead of = comparison in the SQL SELECT ... WHERE clause!? Why put such a repeated burden on thousands or perhaps even millions of customers, instead of a one-time minor inconvenience to the developer!?

Caroline Zink :

Where is the page that asks for my id & password?
Can you what type of game we are playing?

Mike Roy :

Did you ever find out if this was legit? I got the same thing right after opening a new account and unfortunately didn't suspect until I'd entered my SSN!

Still waiting on a response from abuse@chase.com
