As many people here are aware, one of my least favorite banks, especially in terms of system security, is Chase.
Today I received an email message from Chase informing me that I'd gotten a brand new hotel rewards program branded Visa card from them, and inviting me to click on various links to set up my internet access to the account, and inviting me to call a particular phone number to activate the account. Unfortunately, I had never applied for such an account. The name in the email was also not my name, and the email was also sent to an account I never give out to anyone. A detailed examination of the email made it appear genuine, though of course one can never know.

(Chase's credit card operations send similar emails to customers all the time, including links to click on, training their customers to become victims of phishing while carefully explaining to them that they should be very careful about phishing. Chase also has the bad habit of sending their security critical emails through third party providers -- in this case "bigfootinteractive.com" was in the path the mail took, though past experience tells me this alone does not mean the mail is fraudulent. Thank you, Chase, for making it so easy for people.)

It was possible that the mail in question was purely fraudulent, but one couldn't really know. I suspected it was more likely that Chase had either sent the email to the wrong place or that a particularly stupid person had given the wrong email address to Chase when applying for the card and that it happened to be one of mine by accident.

(Note to banks: 1) Always require round trip confirmations before accepting an email address for an account holder. 2) Never send anyone email inviting them to click on things, period. In fact, you probably shouldn't be sending people email. 3) Study what Chase does carefully and send out reports internally saying "don't let this happen to us.")

Now, here I am, either the subject of phishing, the victim of some sort of identity theft (possible but not likely) or in possession of important information that would allow me to commit credit card fraud. As an honest person, my reaction is to call the bank.

Unsurprisingly, Chase's "confirm that you have gotten your credit card" number has a small bug. It really doesn't want to allow you to report that something is wrong, it only wants to let you report that everything is okay. One wonders at a "confirm you got your card" phone number where you can't easily report a problem but only success -- it certainly isn't brilliant security design.

By pretending to not have a touch tone phone (I'm sure that trick to get to a person will end when they put voice recognition on the line) I managed to eventually get through to a live sentient being, but sadly the human in question was not really well equipped to speak with other humans -- in particular, beyond the fact that this person was remarkably unintelligent, he was also remarkably unintelligible. By the accent, I don't think he was in an offshore call center, but he might as well have been. First, he asked me what I expected him to do about the situation. Now, generally speaking, one imagines that a bank would want to know about such a situation, but this being Chase I suppose I should not have been surprised at the quality of personnel training involved. When I explained that I thought that perhaps the bank would be interested in preventing fraud, he then asked that I give him all my personal information, even though I explained that not only was I suspicious enough under the circumstances that I didn't want him to have my social security number, but also that I thought it was unlikely that the card in question had my social security number attached to it.

After a few passes back and forth, I asked to speak to his supervisor, which after a number of minutes on hold didn't happen. Then finally he transferred me to an anti-fraud department. The anti-fraud group seemed to be at least slightly more on the ball, but kept insisting on things like knowing my zip code when I was pretty sure my zip code would not be attached to the card in question. After I carefully guided the phone agent through doing the database query, she finally located the card in question, which may or may not be legitimate but which (we established by checking a couple of digits) was not associated with my address, name or social security number. I suggested to her that she might want to have the account frozen, but she declined, and said that someone would simply contact the card holder. "Not my problem any more", I said, and we ended the call.

I suppose the lesson of all of this is that security is hard, and a security system that depends on large numbers of telephone center representatives to function is probably a bad idea. There are several ways that this could have been avoided, and that the entire problem could, in fact, have been avoided -- Chase could have avoided attaching an unconfirmed email address to a new account, Chase could have provided a way for people to unconfirm rather than confirm cards on their 800 number, etc. However, all that is secondary. The real problem is that Chase, as well as many other banks, doesn't appear to make security a high priority in their operations. It is perhaps wrong of me to constantly pick on Chase, but since I constantly get new reminders, often unbidden as in the current instance, of how badly they operate, I think they make an excellent example of how not to run things. "Don't let this happen to you."

Perry

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]
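The "round trip confirmation" the post asks banks for, as an added illustration that is not part of Perry's message: an address is attached to an account only as pending, the confirmation mail carries a one-time code rather than a link, and account notices are refused until the round trip completes. The `Account`, `Mailer` and `TOKEN_TTL` names are assumptions for the example.

```python
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass
from typing import List, Optional, Tuple

TOKEN_TTL = 24 * 3600  # assumed lifetime of a confirmation code, in seconds


@dataclass
class PendingEmail:
    address: str
    token_hash: str   # only a hash is stored; the code itself goes to the user
    expires_at: float


@dataclass
class Account:
    holder: str
    confirmed_email: Optional[str] = None
    pending: Optional[PendingEmail] = None


class Mailer:
    """Stand-in for an outbound mail system; records what would be sent."""
    def __init__(self) -> None:
        self.sent: List[Tuple[str, str, str]] = []

    def send(self, to: str, subject: str, body: str) -> None:
        self.sent.append((to, subject, body))


def _hash(token: str) -> str:
    return hashlib.sha256(token.encode()).hexdigest()


def request_email(acct: Account, address: str, mailer: Mailer, now: Optional[float] = None) -> str:
    """Attach `address` as pending only. The single mail sent carries a code to type in
    on the site, no clickable link and no account details."""
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(32)
    acct.pending = PendingEmail(address, _hash(token), now + TOKEN_TTL)
    mailer.send(address, "Confirm your address", f"Confirmation code: {token}")
    return token


def confirm_email(acct: Account, token: str, now: Optional[float] = None) -> bool:
    """Promote the pending address only on an unexpired, exactly matching code."""
    now = time.time() if now is None else now
    p = acct.pending
    if p is None or now > p.expires_at:
        return False
    if not hmac.compare_digest(p.token_hash, _hash(token)):
        return False
    acct.confirmed_email, acct.pending = p.address, None
    return True


def notify_account(acct: Account, mailer: Mailer, body: str) -> bool:
    """Account notices go only to a confirmed address; an unconfirmed account gets nothing."""
    if acct.confirmed_email is None:
        return False
    mailer.send(acct.confirmed_email, "Account notice", body)
    return True
```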