Chase Bank - Worst And Seemingly Most Insecure Telephone Interface Ever!
Posted July 21, 2008 at 11:07 AM by Ben Nadel
I just got off the phone with Chase Bank. I haven't called them in a long time because overall my service has been really good. I don't know when they updated their telephone service, but this was so ridiculous that I needed to say something.
First of all, they want you to SAY all of your commands. I don't know if the number of people in this world who own rotary phones or who don't have fingers just sky-rocketed, but I can't imagine that a voice-recognition system is ever going to be as good, as fast, or as error-free as simply typing on a keypad. But that's not even the most ridiculous part. They then threw this at me:
"In order for our telephone representatives to know who you are, please SAY your account number or debit card number"
... I say my debit card number because I have it in front of me.
"Please SAY your debit pin number"
... WTF? You want me to say BOTH my debit card number AND my PIN out loud? Are you insane? Do you want me to say my social security number out loud as well while I'm at it? (Which they did, in fact, have me do later on in the process.) Am I going crazy, or is this like an insanely huge security risk? Is there something I am totally missing? Is it more secure to say things out loud than to type them in on the keypad?
What am I missing here?!?
Good points, Ben. As you noted, the fact that they ask you for your account number AGAIN once a rep comes on the line gives listeners-in a chance to confirm they heard you right the first time ... oh, and thanks for the PIN too.
Unfortunately, in the bank's effort to make sure you are who you claim to be, anyone else within earshot can now do the same.
Word up! I might as well wear a shirt that says "Mug Me and Take My Debit Card" :)
I feel paranoid entering my personal information on the keypad, let alone speaking it ... so this system freaks me out! On a side note, I wonder if the system sends you directly to a CSR if you swear at it. I've heard of that happening in newer systems elsewhere, and this seems like a perfectly legitimate cause to swear at something.
When they asked, I actually said "Are you kidding me?" To which it said something like:
I'm sorry, your entry was not understood. Please say your debit card PIN number
At that point, I tried just hitting "0" (zero) on my keypad. This actually worked and took me to another line for waiting to talk to someone. Of course, this was not given as an option, but I have been told that when-in-doubt, hit zero.
Totally inexcusable, I agree. Even while working for a very small company for many years, we worked either in large rooms with a few cubes or in nice offices with no ceilings = shared airspace. And it's worse in the larger corporate cubefarms. Since most folks do most of their 'business hours' errands during work hours, WTF? When faced with these types of situations, I often resort to finding an empty conference room to place a call, but then everyone assumes I'm on a phone interview.
Sadly, this is the same state of affairs for using online customer service websites too. I had a bad experience with National Grid AND Verizon a few months ago. :(
You'd think these major corporations would actually hire web programmers with a little more intelligence than a college drop-out?? What is this, the dot-com bubble all over again!?!
I wouldn't be surprised if they found out that asking people to say their numbers out loud reduced the number of mistakes. It might be easier to make a mistake typing in a long number like an account number than it is if you're reading it off a bill or something.
These decisions are usually bottom-line based, so probably they found out that it saves money to do it this way.
Perhaps... but I wonder if there is a long-term cost of theft? Or maybe I am just overreacting.
Ugh, banks are some of the worst offenders, but that's by far and away the most inexcusable security mistake I've ever seen.
I'm yet to find a bank whose online banking site conforms to web standards - even remotely, or works consistently (or at all) in different major browsers.
If they can't build a site that meets web standards, how can I trust them to meet security standards?
Also, I have heard there are banks out there who implement two-tiered security (you know, you're issued with a key generator, so you need your password AND the key gen that only you have), but I haven't come across any.
It's kinda scary how little they seem to think about/value these things really.
Ben, good story. One quick thing though, you meant to say unsecure, not insecure. Believe me, Chase doesn't have emotional problems tied to low self-esteem.
By the way, for some reason, some linguists refuse to accept unsecure as a real word. But then you need to use vulnerable, which, interestingly enough, CAN be used to describe a network and a human interchangeably whereas insecure can not.
There's a website that purports to show you how to get past the automated system and actually get a live person, with data on over 100 companies. I watched a news report last night and it was really interesting. The reporter spent over 5 minutes trying to get through the "press 1" system, and in her next attempt she kept hitting the pound key until she got a live person. Unfortunately, I can't remember the URL right now, but I'm sure it would be in the top 10 results if one did a Google search for this site.
Yeah, I just keep hitting zero until I get someone.
On the subject of security... when are the "security experts" going to learn that forcing everyone to use ridiculous security schemes will actually cause more security problems than they help because the normal idiot at home ends up writing things on post-its and sticking them to the monitor?
At citicard.com, things start out easily enough. You have to enter personal information and your card information to open an online account for your card. But then it gets very weird. They ask you to enter a username and password. Normally, the username would be your accountNum or email. Then they tell you your username can't have your name or accountNum in it. Unfortunately, all my emails and memorized usernames have one of my names in it.
Now, did I mention it's a shared CC? so my wife needs to have access as well... So now we can't have a common username like we always use, so now I have to write it down somewhere. Then I go to enter in the password we always use for financial stuff, which is about 12 characters, and a mix of letters, special characters and a number.
Unfortunately the site says the password must be > 6 letters and contain 2 numbers. So now even the back up password we have doesn't work because that only has 1 number as well. So now I need to use a new password I've never used before. So, once again, I write it down.
Then we come to the security questions. Apparently, mother's maiden name/1st school, etc aren't good enough anymore. Now we have things like what is your favorite movie/song or Name your favorite pet. In other words, things that can change over time. So guess what... I have to write it down... and there was no ability to write in your own questions because apparently that's bad too.
So I think it's ridiculous that all these sites expect you to keep unique username/passwords for every site, because then you end up with 12 combinations. I can't remember all of that, let alone coordinate with my wife on anything. I have about 4 passwords I use all the time. One for personal banking, one for my server logins, one for e-commerce type sites like Amazon, and a BS one for when a MsgBrd site makes you put one in and I don't care if someone else knows it. That's it. I don't have to write stuff down usually.
But now everything is written down and stored somewhere.
If it goes on my hard drive, then if I'm average Joe and my computer crashes, I have to take it to Best Buy, and now the A+ certified, 10 dollar/hour guy has access to everything important to you, because you know damn well average Joe does not know how to encrypt something.
Option B is to hide it in your house or in a safe. This way, if you're ever robbed, in addition to your valuables, your thieves can now go to your bank and everywhere else and wipe you out completely. And your insurance will not cover it because you were "dumb enough" to write your password down.
Online banking sites and their ilk need to use a universal strength tester like MSFT has for their passwords in WinServer. And if I have to answer a security question, maybe they could make it one that will have the same answer tomorrow as today. These people suck at anticipating how a user will actually use the system.
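As an added illustration (not code from the post, the commenter, or Citi), here are the two kinds of policy the comment contrasts side by side: a composition rule reconstructed from the commenter's paraphrase ("more than 6 characters, at least 2 numbers") next to a simple length-and-pool strength estimate. The sample passwords are constructed to match the shapes described (long and mixed with a single digit, versus short and rule-compliant).

```python
import math
import string

# Constructed sample passwords (not from the post). The first two have the
# shape the commenter describes: long and mixed, but with only one digit.
SAMPLES = {
    "long_mixed_one_digit": "Tr@velling-Sky7",
    "backup_one_digit": "Horse!Battery9",
    "short_two_digits": "summer12",
}

def composition_policy_ok(pw: str) -> bool:
    """Composition rule as paraphrased in the comment: longer than 6
    characters and at least two digits. Reconstructed from the comment,
    not from any published Citi policy."""
    digits = sum(ch.isdigit() for ch in pw)
    return len(pw) > 6 and digits >= 2

def estimate_bits(pw: str) -> float:
    """Rough strength estimate: assume the attacker knows which character
    classes are in use and must search len(pw) positions over that pool.
    Deliberately simple; it ignores dictionary words and keyboard patterns."""
    pool = 0
    if any(ch.islower() for ch in pw):
        pool += 26
    if any(ch.isupper() for ch in pw):
        pool += 26
    if any(ch.isdigit() for ch in pw):
        pool += 10
    if any(ch in string.punctuation for ch in pw):
        pool += len(string.punctuation)  # 32 printable ASCII symbols
    return len(pw) * math.log2(pool) if pool else 0.0

def strength_policy_ok(pw: str, min_bits: float = 60.0) -> bool:
    """Length/pool-based alternative: accept anything above a bit threshold
    regardless of how many digits it happens to contain."""
    return estimate_bits(pw) >= min_bits

def compare(pw: str) -> dict:
    """Show where the two policies disagree on the same password."""
    return {
        "bits": round(estimate_bits(pw), 1),
        "composition_rule": composition_policy_ok(pw),
        "strength_rule": strength_policy_ok(pw),
    }

if __name__ == "__main__":
    for label, pw in SAMPLES.items():
        print(f"{label:22s} {compare(pw)}")
```

The long mixed password fails the composition rule with roughly 98 bits of estimated strength, while the short rule-compliant one passes at about 41 bits; that inversion is the complaint the comment makes.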
Instead of post it notes I use KeePass to track my websites that require authentication and security questions.
Nice comment. I think we are simply getting to the point where people cannot / are not supposed to remember all of their passwords. I guess that's why things like RoboForms and what CoolJJ calls KeePass (I assume it's along the same lines) are getting more popular.
I just hate to put my faith in a password-protected application that stores passwords. What if I forget that password - then I'm really screwed.
Hopefully one day, everything will just be fingerprint.
Sadly, Play-Doh and gummi bears can both be used to fake out fingerprint scanners. Here's an example with Thinking Putty: http://www.puttyworld.com/thinputdeffi.html. Apparently Silly Putty won't work as well, but it's pretty funny that gummi bears work LOL
Just Google "silly putty fingerprint scanner" and click a few links if you have a moment for a few chuckles.
That's bananas! So what are we left with? Retinal scanners?
I guess. Or those hand-print scanners seem to work all right. Our servers were behind those at a Level(3) facility for years and it seemed pretty secure. A swipe card to activate and then a full hand-scan to match the swipe card before the door would open to the rack room. Don't know how easy it is to spoof those, but at least I'm pretty sure that silly putty and squishy candy wouldn't be sufficient to bypass them!
Retinal scanners??? That's crazy! The day I bend over for some machine just to get through some door is the day...
oh wait... retinal... you mean the eye thing... got it.
nevermind, cancel that last message.
Needless to say, the biggest security threat is, and always will be, the guy who leaves post-it notes on his monitor... I actually just encrypt an excel file with truecrypt which I trust more than any off the shelf program.
But my point was that all the citicard "security experts" can do is force people with a normally good security practice to form a bad habit by writing down a password or something along those lines. Anybody using ANY security system to encrypt passwords doesn't need to be told to make a password stronger.
Ha ha... retinal :)
OMG, this is hilarious! When I run across crap phone systems like that, I hit 0# 0# 0# or whatever their system will respond to and usually they'll send you to a rep after that.
I almost spilled out my drink. I thought you said rectal scanner.
Not for nothing Steve, but that's one of the two reasons why you shouldn't drink and code at the same time.
The other reason, of course, is because in an impaired state you may accidentally choose php over ColdFusion.
So, despite all these hoops that financial institutions are making us jump through, Ben's Chase experience is certainly not the only way they find to keep our data insecure:
Note the average loss per intrusion of $30,000; that's putting a price on over-engineering (or under-engineering, in some cases).
Yea man, I had the same thing happen to me when I called in to Dell. I never talk into the phone; it might be cute but it's lame. Usually you can dial the number corresponding to the options. Oh, and of course hitting 0 10 times will send you to a person. I liked your comment about the number of people without fingers. HA!
Yeah, I hate any phone system that wants me to talk to it. I'm Southern, with a fair (not horrible) drawl. If you'll notice, those systems NEVER talk with a Southern accent, so how's it going to understand ANYthing I say? Yankees can't understand me (or I them), how's a computer going to?
I had a similar run in with PayPal's idea of "security". My account got hacked and I got locked out. To verify I was who I said I was, I had to call them - On a Land Line. Cell phones were not allowed! Excuse me, but I don't OWN a land line. And I couldn't use some one else's phone because the address wouldn't have been mine. I wrote them a nasty letter and asked them why they didn't ask how many horses I had hitched to my buggy outside. You'd think somebody like PayPal would know enough to be able to keep up with the times.
Yeah, owning a land line?? I don't own one either. You'd think in this day and age, they would expect that many people have a cell phone and cell phone only.
I was also victimized at Chase. I would agree that they are THE worst bank to do business with. I tried to pay off my loan and they returned the money back to me after they sent me the title. They then charged me an extensive interest rate along with fee after fee after fee, adding up daily interest and 5-6 fees, including late fees, transaction fees, title fees, early payment fees, etc. Without any notice that they returned my payment I got slammed, and possibly had my credit hurt, by all of this. I promptly called them and they started accusing me of not having sufficient funds for the transaction, and that I would need to pay all of the amount including the fees. After many customer service agents, who were rude and kept telling me it was all my fault, I finally got someone who said I needed to send them a verification of funds for the original transaction. Which, by the way, I had, and it also showed their reversing, or giving back, my payment. I then sent this to them via fax, which they quickly lost and then had no record of this happening. I called and spoke for over an hour with 3 more representatives that still accused me of making this mistake. I then got another person who said that there was no record of anyone asking for verification of funds, but rather tried to make me pay the new amount that totaled well over the amount that I have. She then gave me a routing number and account number to make payment. Of course the number given to me did not belong to my Chase account, or even the routing number. But she kept saying this account is where we send payment. I quickly saw this as fraud. I also would pay any amount to any account other than my own. She was adamant that I was wrong and that I didn't know anything about banking. Unfortunately Chase is still ignoring me and has yet to respond to this problem. I have called many times since then, and I have to repeat the story at least 5 times for anyone to say anything.
Which of course leads to me being at fault and them being the almighty, unmoving, ignorant ones. My warning to anyone: DO NOT DO BUSINESS WITH CHASE. THEY ARE THE WORST. You would probably have better business with an obscure, 3rd world, hole in the wall bank than with Chase.
Sorry to hear of your troubles. I would recommend that you immediately send notification with full details to your state's Attorney General office. Not necessarily asking them to take action, but simply alerting them to the issue. I've done this before and it helped relieve the pressure a bit knowing I had got the right people involved. Clearly Chase has crossed your account with someone else's or something and isn't taking responsibility for it. I contacted the Ohio Attorney General years ago when MCI pulled similar crap with a long distance account. Turned out to be about 5 months before they went belly up (as WorldCom then, right around that whole ugly Enron thing). At any rate, I at least had a response / communication from the highest legal level in the state to indicate they were aware of the dispute. In Ohio at least, I was able to simply fill out a form with lots of detail right on the state website, so it was easy.
The Russian bank, Alfa Bank, is on the brink of bankruptcy, the daily Financial Times Russia reported in an advance copy of its Monday edition. Private Russian banks have been trying "feverishly" to find a way to rescue the institution, which was already hit hard by the US subprime loan crisis that began in August 2007, the WBD said.
Is this yet another bank to fall due to the economic crisis?
It's scary to think that a bank has a telephone interface that is so insecure. Asking just for your debit card number is bad, but your PIN as well? That to me screams SCAM!! Thanks for the post.