Date: Thu, 06 May 1999 12:40:08 GMT
From: Daniel@DanielNorton.net (Daniel Norton)
Subject: Security/privacy hole in Chase Online Banking

Here's an excerpt from a letter I faxed to Chase Online Banking (www.chase.com) the other day. Not only have they not fixed the problem, they apparently didn't consider it a big enough risk to reply to my letter. It was particularly difficult to find someone at Chase who knew what I was talking about (I'm not convinced I ever did):

=====

CHASE ONLINE BANKING
Attn: Yvonne Woods
Attn: Daryl Stimley

Dear Sir and Madam,

I am writing to report a serious security problem with your Chase Online Banking web service. The problem is best described by example:

1) A customer signs onto the service, giving an account and password.
2) The customer accesses information on the service.
3) The customer signs off.
4) The system reports that the session has exited.
5) A different person can now fully access the account.

It has been difficult to get in touch with the right person that understands this. I was referred to Abdul Gbabamosi, but he clearly has no understanding of the problem at all and he point-blank denied that I actually saw the above scenario occur.

You can review a test I just made. It shows I signed on today at "6:03 pm ET" and signed off at "6:07 pm ET". I then accessed my account without entering my account number and password and signed off again. The log should show that I signed off again at "6:09 pm ET". The COB account number for my business is [deleted-DAN].

This problem raises the greatest risk for people who access the service from public terminals, but can also pose a problem even for people who access the service at home who might not want other family members having full access to the account.

I hope you are more effective at addressing the problem than you are at allowing me to report it.

Sincerely,

/ss Daniel A. Norton/
President

[ from Risks Digest 20.38 ]
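The five-step scenario in the letter is what happens when sign-off tells the user the session has exited without revoking it on the server. The following added example (not from the RISKS post or from Chase; the session store, the "correct-horse" password check and the account name are constructed placeholders) models both a flawed sign-off that only reports success and a fixed one that deletes the server-side record, then replays the letter's steps against each.

```python
"""Added example (not from the RISKS post): a server-side session store that
reproduces the sign-on / sign-off scenario from the letter, with a flawed
sign-off that only reports success and a fixed one that revokes the session."""
import secrets
import time


class SessionStore:
    """Minimal server-side session table keyed by an opaque token."""

    def __init__(self, revoke_on_signoff: bool, ttl_seconds: int = 600):
        self.revoke_on_signoff = revoke_on_signoff
        self.ttl = ttl_seconds
        self.sessions = {}  # token -> {"account": str, "expires": float}

    def sign_on(self, account: str, password: str) -> str:
        # Hypothetical credential check; real code verifies a password hash.
        if password != "correct-horse":
            raise PermissionError("bad credentials")
        token = secrets.token_urlsafe(32)  # unguessable, but that alone is not enough
        self.sessions[token] = {"account": account, "expires": time.time() + self.ttl}
        return token

    def access(self, token: str):
        """Return the account for a live session, or None if the token is not valid."""
        s = self.sessions.get(token)
        if s is None or s["expires"] < time.time():
            self.sessions.pop(token, None)
            return None
        return s["account"]

    def sign_off(self, token: str) -> str:
        """Flawed variant: reports that the session has exited but leaves the
        token live, so the next person at the same terminal (or anyone replaying
        the token) is still fully signed on until the TTL lapses.
        Fixed variant: deletes the server-side record so the token is dead."""
        if self.revoke_on_signoff:
            self.sessions.pop(token, None)
        return "Your session has exited."


def replay_after_signoff(revoke_on_signoff: bool):
    """Run the letter's five steps and report whether a second person using the
    same terminal (i.e. the same token) can still reach the account."""
    store = SessionStore(revoke_on_signoff)
    token = store.sign_on("business-account", "correct-horse")  # step 1
    assert store.access(token) == "business-account"            # step 2
    message = store.sign_off(token)                             # steps 3-4
    return message, store.access(token) is not None             # step 5
```

The check a defender wants is the second element of the tuple: after sign-off it must be False, and a sign-off that returns a success message while it is still True is exactly the defect the letter reports.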