Chase’s completely insecure and broken “secure” document exchange system (aka securedx, secure-dx)
A few days ago, I got a call from my girlfriend, Olivia. I was so deep in working on my startup, Parse.ly, that I hadn’t checked my bank account statements in several weeks. We just went into private beta last Thursday, after DreamIt Demo Day. She noticed some suspicious charges, and so I looked into them. Indeed, it looked like I had been a victim of fraud: there were three charges that clearly was not me.
I immediately called Chase Customer Service. In order to confirm the details about my account, the representative needed me to identify the fraudulent charges, but also identify charges that were actually valid. For this latter bit, I needed to identify the time/place of a specific transaction. This card was mostly used for online auto bill payments, so this turned out to be impossible for any of my last 20 valid payments. Yet the customer service rep insisted that I name a time and place. I told her, “The time and place was whenever the server for this system decided to automatically bill my account. I don’t know where their server is, I don’t know what time their cron jobs run.”
“Cron jobs?” she said.
Right, I had been hanging around techies at DreamIt Ventures for too long. “Listen, the transaction didn’t take place physically, it took place digitally. I can identify one transaction, which is about a month old, where I actually used the card in-person to buy something.” She finally understood and let me move on.
Burak from Trendsta said he felt bad for me, for how patient I had to be with this person. But that was the least of it. This little technical misunderstanding was nothing compared to what followed.
I was told that in order to get a credit back from my account, they had to collect from me a signed affidavit indicating the charges were fraudulent. This affadavit would be “securely shared” with me via e-mail. OK, “sounds good” I said. I waited around for the e-mail to come in.
Finally, two e-mails arrived in my inbox. The important bits are in red. First:
Message from Chase Customer Claims Secure Document Exchange
From: chase_customer_claims@secure-dx.com
Welcome to the Chase Customer Claims Secure Document Exchange. You recently contacted Chase regarding your claim number XXXX. Your documents are available for your review.
Per our telephone conversation, you will need to register to our secure website.
Your initial password is: passwordYour initial user name has been sent to you in a separate email.
On your first log in, you will be required to select a new password.
Thank you for using Chase Customer Claims Secure Document Exchange.
To contact Chase for claim related questions or to withdraw your claim, please call 1-866-564-2262.
Any geek reading this will immediately identify some key things wrong with this e-mail that make it look like a total phishing expedition. Namely:
- The e-mail address, rather than being from a chase.com domain, was from a strange domain named “secure-dx.com”.
- Rather than sending a cryptographically secure, expiring activation link, a default password was sent in plain text.
- To make matters worse, the password is the same for all users, and thus anyone who can guess my e-mail address can easily impersonate me on this “secure document” website.
- The default password is “password”. WTF?! I mean, c’mon?
I didn’t quite understand why I needed a “second e-mail” now, but I opened it up. Here it is, excerpted:
Your Chase Customer Claims Secure Document Exchange Electronic Package is available online
From: chase_customer_claims@secure-dx.com
ANDREW MONTALENTI,
Welcome to the Chase Customer Claims Secure Document Exchange.You recently contacted Chase regarding your claim number XXXX. Your documents are available for your review.
Per our telephone conversation, you will need to register to our secure website by clicking on the link below or copy and paste the link into your browser’s address bar.
https://chase.secure-dx.com/consumerdcx-chase_atm
Your user name is my.email@hidden.com
Your initial password has been sent to you in a separate email
On your first log in, you will be required to select a new password. NOTE: This site is different from Chase.com and passwords are not related. Updating your password on Chase Customer Claims Secure Document Exchange will have no impact on established Chase.com passwords.
Once registered, you will be able to access your customer correspondence on our secure website. You may be offered the option to complete and sign the form online if you wish to do so. [...]
To say I was confused would be a major understatement. I was downright depressed.
My guess is that the engineers at Chase thought that by separating the “password e-mail” from the “user e-mail”, that somehow made the whole communication more secure. Two e-mails are better than one, right?
The most important thing to point to is the link. The link where this secure communication will happen is not at the chase.com domain Instead, it is at https://chase.secure-dx.com/consumerdcx-chase_atm. There is no way, NO WAY this is a real Chase site, I think.
I click on the link and in Firefox, I see this:
At this point, my paranoid self turns on. Curious, I click through the link anyway. And I see this:
Now I’m really paranoid. Links off secure-dx.com pointing back to chase.com’s privacy policy. A username and password box and a sort of hokey imitation of the Chase.com web design. I realize, holy shit, I’m being duped! Not just small-time credit card fraud, but someone has managed to really take over my life!
Why am I freaking out? The customer service person I talked to, I realize what must have happened. That wasn’t Chase. Someone stole my credit card information and then set up a call forwarding on my cell phone, somehow, to point Chase’s customer service number to some fraudulent interceptor. This person then diligently took my claim only to send me an e-mail that would get yet more information out of me and take me for even more money. I freaked!
Immediately, I double-checked my call logs and compared them to Chase.com customer service numbers. I made sure to change my DNS server to OpenDNS to make sure no one was somehow intercepting that. Finally, I realized I could look at the number written on the back of my Chase credit cards. It all checked out — the number was good. So I switched phone. I called Chase customer service on both my phone and Olivia’s. I made sure the messages were exactly the same. From Olivia’s phone, I called back Chase again to speak to someone there about this. But then I got even more paranoid — how big could this be? — so I decided to hang up. Instead, I called my local Chase branch in my neighborhood.
With my local branch’s help, I got transferred via a branch office line to the actual Chase customer service. Finally on a secure line, I thought to myself. When they picked up, I was expecting to uncover the scam of the century. I felt like an investigative journalist right on the tail of something truly big.
But then I spoke to the Chase representative, on the secure line, and she explained to me that this is just the normal procedure. secure-dx.com is the website they use for “securely” sharing documents.
I was livid. I explained everything wrong with this setup. I demanded to speak to a supervisor. I spoke to a supervisor. He said he did not know why the system was the way it was. He wasn’t a software guy. He just knew that “with the way the business is changing lately, a lot of systems are in flux.” I said this flux was unacceptable. “I’m a software engineer,” I said. “How can I possibly trust Chase to manage my financial accounts if something as simple as sharing a PDF document is done in the least secure way possible?” What other skeletons might they have in the closet?
I wanted to be forwarded to the department responsible for that. After my explanation to him of what was wrong, he fully understood the problem. To his credit, he admitted it was wrong the way it was set up. He actually tried to track down a supervisor. But there was none that could field IT and software requests.
They promised to call me once they could track someone down to talk about this. No call yet.
My excitement came down a couple of notches. I was not the investigative journalist undercovering an elaborate scam any longer. Instead, I was a software engineer. And some members of my profession have let me down. Big time.
In the meanwhile, I did the research and found the vendor who provided this service to Chase. They are Wolters Kluwer, a “financial services and banking compliance solutions provider”. The product page for “SDX”, Secure Document Exchange, is completely ludicrous. They claim this product includes “industry-leading security, including PKI encryption and multi-level user authentication, to keep communications safe at every step of the process.”
Right, so the password was sent in plain text. The default password is “password”. And, rather than having a chase.com subdomain which points at Wolters Kluwer’s server (e.g. secure-dx.chase.com) and sharing a secure chase.com certificate with them, they decide to host the whole thing outside of the chase.com domain, so that as a user, I have no way of confirming this actually is an e-mail or system originating from Chase. Users are so confused by this that they have already reported it as a phishing scam, even though it is not one.
That’s industry-leading? That’s “safe communication”?
No, that’s a joke. Chase should be ashamed.
August 29th, 2009 at 5:45 pm
I found this post when I searched for ’secure-dx’ after having the same emails from Chase (after talking to the claims department). I am not even a software engineer, and I can tell that they are idiots for setting it up this way. Did you ever actually log in and get your documents? I’m not sure I even want to try.
September 1st, 2009 at 9:50 am
Thanks for this post – found it after making the same call about a compromised account and finding the same messages in my account. Who thought this was a good idea? Now I’m left with a creepy paranoid feeling and a complete distaste for Chase.
September 1st, 2009 at 12:24 pm
I found this post the same way. So far I am still waiting for a response from Chase regarding the incredible timing that a phisher would have to have in order to send me these emails after I actually did file a claim with the claims department. I did the same thing-clicked on the link anyway-but didnt actually log in. Has anyone (you or anyone reading this) actually logged in? I am with you. Paranoia galore. Thinking back to the information I had to give the claims guy was certainly enough info to steal everything in my banking life. I started thinking maybe the number I was transferred to (via Chase) was an inside job and I have just been swindled. I guess it makes me feel better knowing that someone else (on almost the same day) has had the same experience. I am also left with a serious distaste for Chase because whether it turned out to be an inside scam job or that they would seriously be this stupid, how is this secure banking any which way? And why didnt the guy from the claims department tell me to expect this email and that I would need to log-in to view these documents a few days later? WAMU had some great customer service, but that has obviously died with the re-org. Any recommendations on better banks to use after these shenanigans?
September 1st, 2009 at 4:33 pm
holy crap, thank God i stumbled onto this site. it’s not a scam, that is a real website. i called chase today to dispute a charge and i saw this site so i actually logged in. it’s actually a real chase site with my dispute claim form. chase is such a joke. i can’t believe they would actually make a site/email process like that. unbelievable.
September 2nd, 2009 at 4:38 pm
Did chase lose a brunch of their customer data? I had few unauthorized transactions on my chase debitcard too. So far, I only use my debitcard as my ATM card. Here is my story.
Last thursday when I logged in my online account, I noticed there was one pending unauthorized transaction($5xx) on my account. I contacted chase the next morning and the customer service person told me they can not do anything at that moment. I have to wait until the transaction is posted.
On the weekend, I had a road-trip to Spokane which is 300 miles away from my home. When I arrived home, I found there were another two pending unauthorized charges($17xx and $6xx) shown up.
On 9/1, I went to chase, they told me the same story blah blah blah… they can not do anything. AND THEN, FINALLY, I REMEMBERED. AT LEAST THEY CAN DO ONE THING FOR ME. which is to close my card and cut my loss.
Now, I am on the same boat with you guys. Having 3000 dollars fraudulent charges on my account, and received few suspicious emails.
September 16th, 2009 at 8:52 am
Man, I just had this happen to me as well. I missed a call, and they left a voicemail. The guy told me it was from fraud prevention and what-not and to call him back and HAVE MY DEBIT CARD NUMBER READY and left a 866 derp derp derp number. So I was ready to call shenanigans and pulled out my card and called the number, and the person on the line asked for my card number as well! I thought someone did something to my phone, so I told her I didn’t have it with me, then she asked for my social security number, I played dumb and said I couldn’t remember it. She finally suggested she could ask the security questions, which were so darn easy, I mean they asked “do you own property in, A) Montana; B) Oklahoma; C) Washington; or none of the above.” I was thinking this was a big scam, but eventually I got transfered to the Claims department. What did I get? Some guy asking me if I bought x on x day, and then he mentioned sites I never even heard of. He reacted with a “lol u got to many u didnt maek, let’s just cancel.” That gave me a sigh of relief, but then I remembered I didn’t know this guy’s name! When I asked for it I got “Ryan” “…Ryan…Ryan what?” small pause, “Smith.” Ryan Smith! How generic! So the next day (I get off of work late) I go to the bank thinking it was a scam and I fell into it, I got to the teller and she wasn’t a US native, so I struggled with her broken english and she told me the card was still active. I ran to the Customer Service area and spoke with a rep who made a call, right off the bat she gave them my debit card number, I was scared, but she assured me later that it was legit. Turns out Ryan just but a block on my card or something, but it got completely canceled, filled out some paperwork that was faxed over and my money was returned a few days later. Though, I had some pending charges with did go through and I received the email you mentioned, and I have to say the form the website requires you to fill is the same one that was faxed over to the bank I go to. I have confidences that this site isn’t a scam, but it desperately needs to be fixed asap.
September 18th, 2009 at 7:17 pm
Wow! Same exact story here. Just got off the phone with Chase customer service, and found this post when I googled the secure dx link in the email!
Someone could create a clever scam by imitating Chase’s procedure here. Maybe they’d even create a blog post and some fake comments from upset “customers” to convince people that while this seems like a total scam, this is actually the Chase procedure for dealing with fraud. *looks around suspiciously*
Seriously, though, thanks for the post!
September 23rd, 2009 at 4:11 pm
Thanks for the post, same thing just happened to me. A fraudulent charge was made on my account, I got a phone call and they ended up sending me these emails. SO SKETCHY LOOKING! I went through with it, though. It works, and the website doesn’t ask for any real important information such as your normal Chase.com username, social, account number, nothing.
September 24th, 2009 at 11:51 am
Exact same thing just happened to me as well. The customer service people seemed totally clueless when I called them and questioned why the emails and link were from a non-Chase site, and had no idea why I might think that the plain-text default password of “password” was about as insecure a way to share “secure” documents I could think of. The fact that both people I spoke to on the phone were only marginally capable of speaking English may have added to their confusion.
Ironically, the website doesn’t appear to work anyway, as I was caught in some sort of system error loop.
Chase has lost me as a customer because of this. I doubt they particularly care, as consumer banking is a bit of a loss leader for the big guys anyway, but fuck them.
September 24th, 2009 at 12:22 pm
I didn’t recieve my user name.
September 25th, 2009 at 11:45 pm
Like everybody else said: thanks for writing this post, I too found it through Google when my alarm bells were set off, and I too am annoyed that this is the process Chase has set up for people. Sigh. I’ll be writing them a physical letter about this.
October 17th, 2009 at 8:50 pm
Another thanks for this post. After almost an hour on the phone with Chase customer service, I was finally told to just disregard the warning about the phishing site from Firefox. Told by an extremely unhelpful representative of the bank. Amazing that halfway through October, there is still no change to this system. I used to be a WaMu customer, and this is the first time I’ve had to deal with Chase since the merger. I am definitely going to another bank, as I have no faith in a bank who’s fraud and claims departments can’t even create a basic level of security in their own systems.
October 22nd, 2009 at 4:32 pm
Yes this is shady. Though the forgery alert from Firefox is only on the Mac. Firefox on PC (3.5.3) doesn’t show the alert and Internet Explorer 8 doesn’t identify it as a threat when checked with the SmartScreen check.
So while yes, this is shady, whatever mechanism Firefox and Safari on the mac are using to notify users of fraudulent websites is actually reporting a false positive, making the situation seem worse that it really is.
October 22nd, 2009 at 11:36 pm
Thank you for taking the time to find this one out. I was in the same boat as you, freaking out thinking someone was about to steal all of my money. I want as far to bail out my extra cash from my Chase account into one of my other banks and ran a credit report to see if anything else was going on.
@WildcatTofu: I was having this same thought too. My claim was with my ATM card through Chase that I have never used, not even swiped it once. Yet some how someone was able to get my number and make a charge online?
I am going to write a letter and I strongly considering dropping Chase altogether.
Thanks again monkey. (First time reader but I think Ill have to follow now, looks like some good reads!)
October 23rd, 2009 at 2:05 am
I had a hiccup with Xbox live charging my card while my account was low, putting me into the negatives with a friendly insufficient funds charge. I started to report the fraud after Microsoft clearly stated 3 times the charge was never made by them.
I got the same scenario. I even have the fraud alert in Google Chrome for the website!
Though, I did some work for Chase when they converted from WaMU. We were going to install several PC’s and printers, we had a pamphlet that made it all seem professional with special screws for different devices. They changed the location of the training session without notifying those who were already scheduled, and we went without training. We got there, and half of the peripherals weren’t even going to be installed by us. We just swapped out the card scanners and printers! It was rediculous what we went through to do something so simple. I don’t understand how Chase can be so successful.
Imagine it, there were 5 people in my team to replace three scanners and one printer (and the lead reformatted the drivers, but we had to sit around ’cause its a bank and we can’t just walk outside after it’s closed). We were there for SIX HOURS, although we finished in less than 30 minutes. Still got paid for training that we didn’t do, mileage that we didn’t drive, and 8 hours of work, all at $18.00/hr. One person could have done ALL of this in that 6 hours with no training, just that pamphlet. Instead, five people with 8hours, plus 4hr’s training time and 120 miles @ $0.55/mi.
I wouldn’t complain with the $250 check for 6 hours of work, but WaMu was my bank before, now thats Chase! Chase is so terrible at everything… so unorganized… they have other companies do everything for them. It’s scary that they manage so much money…
October 24th, 2009 at 10:31 am
I got completely paranoid too – thinking that my phone was being redirected to the scam center. I told them to just mail me the docs. I think that this blog is also part of the scam so that when you google “chase phishing secure-dx” this comes up for reassurance
October 25th, 2009 at 5:01 pm
Thanks for the post. Same story here. Some phishers do a better job than this… which leads me to ask: Is this post part of the scam?? Now that’s intricate!
October 25th, 2009 at 8:04 pm
same thing happened to me, but when opened page anyway, after putting username and password, the page wouldn’t load or go anywhere.
i don’t understand why so many people have this problem, everything starts on september, that’s when they took my money when i never use my debit card for anything.
am definitely closing my account
October 26th, 2009 at 1:35 pm
Thanks for posting your story!!! I experienced the same thing – When I received the emails, they were suspicious so I did a search on the link and looks like I have a lot of company in dealing with this:(
October 28th, 2009 at 7:28 am
Same story, different user. Not only has my paranoia about the emails and site gone into over drive but the automated phone system kicked it off. When I called this morning to dispute 3 charges made yesterday I was prompted to enter my card number when I pressed *0 to speak to a cust service rep. This is not my favorite thing, I’d rather they did this another way, but I entered it. Then I was informed by the happy automated attendant that their new procedure is for me to enter my PIN number for this card as well. SERIOUSLY?!?! Then I get the nice people in India who are very apologetic for my troubles but not very reassuring telling me they’ll email me a link with documents to file the fraud claim. FF of course blows up on the secure-dx.com domain, got the plain text email with password as the password… this is a joke. And of course, it happens within 2 weeks of my WAMU account being “finalized” at chase.
October 28th, 2009 at 12:36 pm
I am truly in awe with this whole situation right now. First I get a fraudulent charge on my card and then I was told to go to my email and end up reading everyone is having a problem and has gotten the phiser warning. I think I’ll just go into my local branch to solve this problem. I’m also sick of dealing with people who don’t speak good english, it is very frustrating to keep explaining the same thing over and over again. It’ bad enough to have to deal with it in the first place! Warning everyone it was expedia that charged my card without my permission and has caused all these problems! Do they consider the time it takes out of our lives to fix this? I was on the phone 4 hours with expedia getting the charge to my card reversed because I never wanted their service and chase was nice enough to conference call and help me with that, but now expedia has given my card number to book a room @ the quality inn hotel without my permission and here I am hours later still dealing with it and now this!
October 30th, 2009 at 9:27 pm
I continue to be amazed at how:
1. Chase has not contacted me about this issue, even though I have repeatedly contacted them about it by phone and e-mail over the last couple months.
2. 21 people have posted comments here, and the number seems to be accelerating slowly.
Thanks for stopping by. If you are interested in more JPMorgan Chase shenanigans, check out my latest post on their assessing $39 overlimit fees on my account:
http://www.pixelmonkey.org/2009/10/30/jpmorgan-chase-valid-fees-and-humanity
November 4th, 2009 at 1:21 pm
same thing just happened to me. i’m a web programmer, too. i still find it hard to believe.
November 7th, 2009 at 3:27 pm
im in the same boat as everybody here, i get 2 fradulent charges on my account at the end of october…….i call chase, speak with some guy named “gil” in the claims department, he says they’re gonna shut my card down and send me a new one and also send me an afterdafit in my email so i can sign electronically……..
i get the email with “password” being my password smh…….and i click on the link and BOOOMMMM!!!! fraud alert goes off on my firefox……..even on my google chrome…..thank god i found this blog, props to the starter and shaking my head at chase……..why get another company to do the job your suppose to do…..hopefully my claim gets resolved smoother then this
November 10th, 2009 at 12:24 pm
Same happenings. Same thoughts exactly. Ludicrous. F
November 12th, 2009 at 3:43 pm
going through saaame exact thing.
planning on taking time out of my busy schedule to go to a local branch, make my claim from them there, withdraw all my funds from my accounts and get the hell out of chase.
i was charged $100.. i better get it back! i’m a college student for christ’s sake..
November 13th, 2009 at 11:00 pm
Same exact thing happened to me. Thank you for posting your story!
I am on win 7 and the red screen of impending identity theft and permanent financial failure showed up on both chrome and firefox. Someone above posted it was Mac only. Chase is retarded but I want my money back. I hope 5 years from now I hear about a class-action lawsuit involving this and can happily add my signature to split $6.49 with the rest of yous
November 17th, 2009 at 12:22 pm
I am the newest this this scam. We had an ex-employee who somehow is still managing to withdraw money even though his card is shut down! Apparently he is going to the teller window and even with all the warnings put on the account he managed to withdraw another $700!!!! So again on the phone with Chase and I too get this baloney email indicating a claim number and message inbox. Since I received a message from Firefox I was hesitant to go further, so I did a little research and ended up here. Bottom line…is this for real from Chase or is it a scam?
November 17th, 2009 at 4:51 pm
Hi , I had three pending charges on my account this pass weekend that I did not make, one posted and they sent me the form, and i sent back they did credit the account but the other account I have to wait unitl it post. What is happening I have never had this problem when I was a WAMU. Im very afraid I have cancelled my card.
November 18th, 2009 at 5:13 am
Well I’m in pretty much the same boat as a lot of people here… only to make matters worse, I’m currently deployed to Iraq with the military. I received an e-mail from my family back in the States, saying that chase called about some fraudulent charges. My mother did some investigation for me, and said the call was legit, and my had my card shut down on me. I did some calling around from over here, which has been a headache as well because I can only make calls back to the US for 15 minutes at a time. My debit card was indeed closed (even tried to make a purchase with it just to confirm), and their claims department said they would e-mail me with information to get my money back. So I waited… and nothing. I called again several times, and finally when I got a hold of who I needed to they said they would send the stuff again, and finally it came through. I open the link, and the fraud warning came up on firefox, like most other people here. So that scares me to death. I go ahead to the site but don’t log in, and the address looks fishy to me, so I try to find some link to the site from chase’s main page. Can’t find anything from there… so I’ll definitely be calling Chase before I proceed with anything.
Does anyone know of any links through Chase’s main page? If so, please share. I don’t like this one bit, and it doesn’t help being several thousand miles from home when I’ve got enough to worry about on top of all this…
November 18th, 2009 at 1:07 pm
Wow. I got the same emails after disputing two back-to-back $503 ATM withdrawals. The website set alarms off like crazy, in Firefox, and in my head. Thanks for posting this.
November 20th, 2009 at 12:12 am
found this post when i searched for “secure-dx.com chase” … obviously feeling the same worry and suspicion as everyone else.
this is such a broken process on chase’s end. I can’t believe someone on the “web” side of Chase actually thought using a non chase.com URL for a security site would be acceptable.
sidenote:
the very first and only time i used my debit card (at a chase ATM), it was showing fraud charges within 24 hours. That’s not a fun experience.. and now i’m dealing with this broken process to try and retrieve the money that was stolen. I think i’m done with chase… I miss Wamu.
November 20th, 2009 at 10:46 am
Secure-dx.com is a VALID system. It is used by hundreds of thousands of people every month for a whole variety of document delivery reasons. Do you question a postal delivery from FedEX even though the content inside the package was sent by a bank!
Some Firefox (and Chrome) browsers may fire off a phishing alert but that is because the people running their anti-phishing systems never follow up on false alarms even when told about them. Microsoft, AOL, Yahoo and the rest know secure-dx.com is legit because they bother to verify anti-phishing alerts.
November 23rd, 2009 at 2:07 pm
I want to add my thanks for the info and affirmations here.
I went through the same thing three days ago when I discovered a fraudulent charge on my account. My call to the 800 number that used to announce that you had reached WAMU now said welcome to Chase. I proceeded with the same concern and was told I would be sent the necessary forms via email which I would have to sign and return before my account could be adjusted.
Since the fraudulent activity had already taken a good chunk of change from my account, and worried about the fallout if checks started bouncing, I deciding it was better to hurry to the nearest branch.
As it turned out, one of two fraudulent checks had already been “cleared” and a copy of the check was available:
Well, I guess the good news is that I don’t have to bother filling out and signing an affidavit?
Why? Because although the phony check displayed my bank’s routing number and account number at the bottom, it was imprinted with another branch’s address, with a different person’s name, address and had a signature that didn’t remotely resemble mine.
I’m not sure the naively constructed internet security at this bank concerns me as much as the “security” within the bank itself? The bogus check stood out like a sore thumb when compared with every check I have written on that account for the past 12 years. Since other banks can now offer you photocopies of your atm deposits as part of your receipt, it seems in theory at least, that the bank could minimally recognize a blatant forged signature, electronically, if not by personal observation.
November 24th, 2009 at 2:59 am
I do find it funny reading some of the posts on here. Beth, you show a concern that when you phone WAMU it now says Chase, have you been asleep for the last year. WAMU went bust because of their own practices and stupid lending. Chase saved them! And you mention “naively constructed internet security” but you didn’t actually use the product as you went straight to your branch!
November 24th, 2009 at 10:54 am
Ok, I understand your amusement! May I clarify?
First, (lol), of course I am aware of the Wamu-Chase transition. Hello, I’ve watched the cute new little outfits appear on the tellers, seen the new deposit slips appear and watched the construction crew erecting the CHASE logo to the branch just down the street – over many months. (Not to mention, more to the point I guess, the ongoing failure of the link that was supposed to transition me from WAMU online banking to the CHASE credit card site.)
Whatever. The point I failed to make was that I called the number I had long ago memorized from my dealings with WAMU, so I was reasonably certain that I was talking to someone legitimately connected with Wamu-Chase. It was a telephone banker there that directed me to retrieve the affidavit from my email and return it electronically. It was only when the warnings popped up that I looked further. Finding the fake looking Chase logo at the next step, I closed my browser and headed to the branch.
My statement that Chase’ internet security is “naive” was in response to the many stories posted here, which if true, support that Chase’ vulnerability is not just obvious to IT professionals or internet forensics specialists, but also to average yahoos like me.
One more thing: Rather than “blatant forged signature” I should have written “blatant forgery.” There was nothing about that check that resembled my own. You could see from ten feet away that it wasn’t mine.
November 25th, 2009 at 9:42 pm
Wow, months later and this system is still in place _and_ they’ve contributed nothing to this conversation among dozens of angry customers.
Total social media failure, on top of total IT failure. I’m floored.
November 25th, 2009 at 11:33 pm
I had the same thing happen to me with a fraudulent charge on my Chase debit card. The fraud department sent me e-mails that looked like phishing e-mails, so I forwarded the e-mails to abuse@chase.com. I never got the automated receipt reply they promised on the website. I went into the branch and explained the scenario. They were able to get the fraud dept to fax the claim to them. I signed it and was reimbursed two days later. I explained to them that the mails from Chase fraud are being intercepted as well as the phone calls. Its their business to follow up on it. Who looks into the fraud happening in the fraud department?
November 26th, 2009 at 12:52 am
Love it. This hasn’t happened to me (I saw this linked from Metafilter), but you can be certain that I’ll never, _never_, bank with Chase for anything.
The sad part, though, is that I was going to interview with them for a Java Architect position after one of their recruiters contacted me, but this is making me question that…
November 30th, 2009 at 10:31 pm
Just happened to me as well and Firefox kept blocking the site. About the same time, I got another email from Wells Fargo to “update my information.” Have never banked with WF and the Chase “insecure” emails were obnoxiously phishy. Card has never left my wallet, wallet has never left my side – how does someone in San Bernardino, CA withdraw $100 from my account at an ATM with NO CARD when I live in TX?
The banks get bailed out for billions and they can’t keep $100 straight?? About time to buy a safe and a gun.
December 3rd, 2009 at 3:32 pm
Same thing just happened to me, which is how I stumbled upon this site. I can’t believe that a publicly traded company could be so incompetent about a security issue like this for such an extended period of time. Do they not care how horrible this makes them look during a time where they should be working their hardest to attract customers and appear like a solid company that can be trusted with handling client’s money securely. You would think that they have gotten many, many calls and e-mails about this issue considering what pops up when you Google the web address “https://chase.secure-dx.com/consumerdcx-chase_atm”. This has been going on for months, seemingly without any improvement!
I am surprised that at this point they don’t at least warn you that this website will pop up as fraudulent when you are speaking with the fraud department and they explain to you that they are sending you a PDF doc to fill out. Clearly they don’t care all that much about appearing like they are a highly secure and competent company, but can’t they at the very least let customers know that they are aware of an issue ahead of time? It would probably save them quite a bit of customer service rep hours spent listening to people complaining about what is happening when they try to go to the site. It would at least have saved me from having the slight heart attack I had when I saw what was popping up when I tried to go to the site.
Ideally, they would just fix the problem in a timely manner. But maybe security isn’t at the top of the list of priorities for Chase.
December 4th, 2009 at 6:43 pm
OMG WTF. You guys, isn’t this so fucking weird? This just happened to me. Same google. A few years back, I fell for a Paypal email a few years back and have been suspicious ever since. I’m missing $1000, they called me. I remember the multiple choice questions and feel that that would’ve been tough to invent. I remembered how the claims people I was connected to didn’t have as much info as I expected (typical though for a bank).
IN FACT I AM SO PARANOID that I am reading all these comments to be sure they are real.
Shit, they’ve made an un-trusting lot out of us all, haven’t they. (They being, you know, the smooth criminals). I feel like being paranoid about my significant other cheating because the last one did, or something like that.
December 4th, 2009 at 8:04 pm
LOL.
Went through the exact same thing yesterday. I only received one email though with the login info. The other email with the initial password never arrived. I didn’t consider trying something as stupid as “password” though. Haha. At this point, I’m only surprised the inital login wasn’t “admin”. Freakin’ amateurs.
Software Engineer here also.
I’ve heard a lot about people getting fraudulent charges on their checking accounts here in California lately. The people that I know that I’ve talked to were all Wamu-Chase customers I’m starting to wonder if all these other people being affected by fraudulent charges are also Wamu->Chase customers.
Something very wrong going on here…
December 5th, 2009 at 11:03 am
@John,
“I’ve heard a lot about people getting fraudulent charges on their checking accounts here in California lately. The people that I know that I’ve talked to were all Wamu-Chase customers I’m starting to wonder if all these other people being affected by fraudulent charges are also Wamu->Chase customers.”
This is very intriguing to me. A few other people on this thread have indicated that they have no idea how these fraudulent charges might have come about. In my case, the card that Chase claims was “stolen” was still in my wallet when the fraudulent charges occurred, and I never leave my wallet anywhere except by my bed or in my pocket. So it seemed strange to me.
I wouldn’t be surprised if Chase lost a whole lot of customer information, and rather than make an announcement about it (and further tarnish their brand) they figured they would just handle it on a case-by-case basis.
December 5th, 2009 at 11:17 pm
The card is in my wallet too. I tried going through the emails they sent me even despite the warnings, and couldn’t get into the site, Firefox just would not let me in. I guess I will try and call again tomorrow and have them mail them to me. As much as I am paranoid, the phone calls were Chase, there’s no way it could’ve been a scam, and they didn’t get any information from me, they didn’t ask for my social or anything, just confirmation of info they already had.
I’m unemployed and this is literally almost all the money I have that is gone now, allegedly withdrawn from an ATM in the Bronx, nowhere near where I or anyone I know lives.
December 5th, 2009 at 11:18 pm
oh also I have been with Chase since 2004, not WaMu ever.
December 8th, 2009 at 3:18 pm
I just went through all this crap but the website is real and I got my money back the next day. It was a huge hassle but I feel good now knowing that I have my money back.
December 9th, 2009 at 12:06 am
Just got this as well, about the only difference is the password isn’t “password” – everything else appears to be the same!
December 9th, 2009 at 2:30 am
Holy Cow…what is the deal with Chase…i just hit with over $900 in fradulent charges at a 3 Walmarts in NH/MA. Have yet to call claims, but this is making me nervous.
December 9th, 2009 at 2:44 pm
This just happened to me also and I’m in California. I freaked out too, everything looked so suspicious. After reading these posts though, I figured I would give it a try. I did manage to get to the webpage, put in my username and password and then it brought me back to the Reported Web Forgery page. It just kept going in a loop. I finally gave up and called them. They are faxing the form over to me at this very moment. Why couldn’t they have done this in the first place?
I think the thing that really bothered me was when I first contacted them about my fraudulent charges, the person I spoke with told me there were other charges besides the $150 that had actually been declined, like an $1800 for arline tickets and $20 for railway tickets. She told me to call back the next day as she could not do anything until the $150 actually posted. So, I call the next day and come to find out that she didn’t even bother to cancel the card and then this new rep asked me a bunch of questions with the most important one being did I contact the merchant to try to get them to reverse the charge. I said no and was told that this is their policy for the customer to try and do that first. I asked how in the world could I call them when I don’t know who they are or have contact info (plus would they even reverse it just because I said so). He also asked if I had authorized this charge or if I had allowed someone else to use my card. Well if I did wouldn’t I have hunted down the person and water tortured them until they confessed. The Rep also asked me if I would know how my credit card info was stolen if I still had my card in my position? Uh…if I knew that wouldn’t I have started off my conversation with that instead of going through all these other questions. I think their process is absolutely ridiculous! I also bank with Bank of America and they have their own problems, but this is something they are actually great at. They would have automatically closed that card, sent me a new one, and handled all of the dealings with the fraud charges. As it shoudl be!
Anyways I totally miss it being WAMU, even walking into the branches now bugs the hell out of me. It seems so cold and impersonal, the tellers don’t even smile they always look like they rather be somewhere else or that you are bothering them. Even their attempts at small talk is painful. They should also stop asking me if I would like to replace my WAMU card with a Chase one. Heck no, I can’t stand Chase!!! Thanks so much for your blog!
December 9th, 2009 at 6:36 pm
Thanks for your blog!!! I am going through the exact same thing you describe.
All this happened to me just recently
I raised my eyebrow when I saw the secure-dx.com domain I thought “Unreal! Can they be that incompetent?” “They really thought their customers weren’t going to know better?” or “Is there is some coordination going on between the bank and criminals?” hence the timing of the email…
Eventually, proceeded to feel like this was some huge scam, just like you describe and it didn’t help that the Chase Rep sounded Under-Intelligent and pompous. My instincts went crazy.
I was going to call chase to verify this email but all the lines “were busier than usual”
So I googled: chase secure dx, and found this blog. Even so, I still felt this was part of a scam for a second. Sweet Jesus! I’m paranoid!
After Reading this relatively recent story and reading the blogs I calmed down a little bit.
I’m a Wamu-Chase customer, Perhaps Chase is trying to cover something up in relation to California customers. I would not be surprised.
Instinctively, I’ve Felt there is something off putting about Chase even before all this happened. “Feel the Force That Surrounds You” Like Yoda said …I’m serious
I too miss sweet, friendly Wamu… RIP Wamu
I am grateful you put this up thanks again
December 10th, 2009 at 12:45 pm
I finally got a hold of the claims department the day after the fraudulent charges and they could “do nothing until the transactions posted”. They also suggested that I call the stores the transactions were done at and the number they gave me was for another unrelated store when i finally tracked those numbers down, the merchants said they could do nothing and to call my bank (to be fair I think if the store is an online store you might be able to do this), but if someone has cloned your card and uses it at a physical store that store isn;t going to say ok let me reverse the transaction and I’ll be out the inventory…yeah right. Anyway once the transactions posted, I went to the website discussed here and was able to do everything online (with a temporary password) took about 5 minutes and then about 2 hours later they “temporarily” credited the money back to my account until they could “further research” the incident. Just means no true finality to this, but at least I have my money back for groceries (a la Kate Goeslin hahaha). They also asked my if I still had my card…yes..and if I let anyone use it…uh no…btw i am not a california customer, so conspiracy theorists can take a rest. I think there are just a bunch of sophisticated people out there taking CC numbers with “blink” technology or that have hacked into computers to steal the CC info. be interesting to know if everyone here has blink/speedpay, or the last couple of dozen stores you were at.
December 10th, 2009 at 7:07 pm
Dear Sir;
I have been recently contacted chase customers claims secure department, and also I have gotten my claim number . now I want to review my documents for me to getting claims on my account.
Thank you very much for your helping!
Faithfully
Kaiman Leung
December 11th, 2009 at 12:33 pm
I found this site after getting my emails from Chase – I needed proof of payment since Chase seems to have screwed up a couple of my auto payments (I was a Wamu customer). Got really worried about that phishing warning. Why can’t they just make these documents available on the Chase website? Isn’t that site secure enough to handle copies of checks? I’m no techie, but that seems weird to me.
And can I just say that the Chase customer service rep really annoyed me when she said it was MY responsibility to make sure all address and account numbers for my automatic payments were correct after the Wamu changeover. I mean, isn’t that THEIR job? Maybe it’s time to go back to Wells Fargo.
December 11th, 2009 at 4:42 pm
I have been a victim of the new Chase dsyfunctional business model. In fact the latest was 2 days ago with five charges 2 of which was to purchase anti-virus and fruad protection software (ironic). The only reason the account is still open is transitioning automatic payments into my new account. The initial contact with Chase involved being told that I should attempt to contact the companies submitting the charges and have them reversed, and the rep would give me the contact numbers. With WAMU the company name and phone number was listed on the statement. After several attempts to contact one company (Microsoft Xbox, a whole different nightmare) I called Chase back. Got the same rep as the day before who promptly asked if I had tried to contact the company. Then her next question was why is this an, illegal charge. The rep should have said it would be much more efficient and easier if you can resolve this with the company that is charging you, our policies make it difficult at best and frustrating at worst. So here I sit trying to figure out if I even care to pursue this endeavor or call it a loss and move on with my life. Chase makes a great case for why monopolies where broken up and it is my opion banking should be locally controlled. If you are standing across the counter from your neighbor or person who will see you in the grocery store maybe you will not be made to feel like a crook!
This may be the information age but some companies are still getting it all wrong. Taking my business someplace else. BTW I was a WAMU to WAMU-Chase customer.
December 11th, 2009 at 10:28 pm
Same problem here. How can i trust banks any more… 5th institution i bank with and the 4th to fuck up…(also a Wamu to Chase customer and never had problems until the switch fuck Chase).
December 12th, 2009 at 1:35 pm
Same problem as above. Think I’ll pack up and head for a smaller Credit Union.
December 13th, 2009 at 8:57 am
[...] of years ago I grumbled about companies’ clueless use of domains and email and, judging by this horrendous example from Chase, things aren’t getting much better. Meanwhile, the ludicrous design of the Verified By [...]
December 15th, 2009 at 1:12 pm
I cannot believe this has happened to so many people. Seems we all have the same story! I went from wamu-> chase and I had gotten a fraudulent charge of about 400 dollars and filled out a claim and everything. Now I get these emails from them and follow the link and warnings start popping up SUSPECTED PHISHING SITE!!. So I’m thinking oh myyyy gooodness what have I gotten myself into? Freaking out so I search google like everyone else for secure dx chase and that led me here. Glad to know now it’s a real site. Thanks
December 17th, 2009 at 8:44 pm
Thanks, dude. You’re the man.
December 20th, 2009 at 6:01 am
i just ran in to this problem today i just had a bunch of viruses attack my computer so i am really cautious of what i open, but i tried to go on the link and the same message popped up either way the installed software on the computer wont let me open it thank goodness. knowing my luck i would have probably done something real bad for myself i think I’ll go to my branch and fill out a form in person thanks for the advice and help.
December 25th, 2009 at 4:50 pm
Just opened a Chase account, never received my debit card– it was apparently stolen out of the mail by somebody who bought gas and a burrito.
My spider-sense was tingling with the weird emails and addresses, then I got a fraud warning in Chrome which sealed the deal for me. So I went to the branch and was amazed to find out that this is actually how Chase does business.
Since I haven’t ordered checks yet, I’m going to close this account and find somebody else. Lotsa fish in the sea and I’m not going to trust my money to these ass clowns
December 26th, 2009 at 5:28 pm
Same thing just happened to me and I’m SHOCKED at Chase’s stupidity. I just sent an email to David Pogue, a tech writer with the NY Times. I’m hoping he’ll pick up on this and cast the shame on Chase that they deserve for this.
December 26th, 2009 at 6:33 pm
There ARE phishing versions. When I got the first Warning screen for the secure dx site – I called Chase and Rep said yes, we heard of that, ignore and enter the site. I did, entering user and Chase generated password. Next page was supposed to be changing password to private one. Instead another Warning screen came up. Rep said proceed anyway and the next page required real name (not user name) and phone number. Chase Rep said Stop! It’s a phishing site. Go to your local branch and we’ll fax fraud affidavit there, or we can mail to you.
You cannot be too careful.
December 27th, 2009 at 10:31 pm
This happen to me last week. Bad charges on my debit card. After talking to customer service I got the two emails with the username and password. I called chase about the emails but they transfered me around until they hung up on me. I am fucking done with chase, I am cancelling my accounts and moving my money to another bank.
December 27th, 2009 at 10:33 pm
FUCK CHASE
December 28th, 2009 at 4:56 pm
@carl, can you tell us what the URL was for the phishing version of this site?
Overall, I discourage anyone who reads my article to use the insecure secure-dx system. Instead, file a complaint with your Chase branch/rep, and even point them to this article.
The last thing I want to have happen is someone uses it because my article confirms it is Chase’s actual procedure, and then it ends up there is a real phish that is masquerading as their real procedure, anyway! Agh…
December 29th, 2009 at 4:23 pm
ditto, ditto, ditto. same thing happened to me. What a joke of a bank. Great way to get blog traffic though Pixelmonkey!
December 30th, 2009 at 1:34 am
Christmas Eve some one started using my account. I called immediately freaking out, I still had some shopping to do. They also deposited fake deposits into my account. And Chase let them continue to use my account.
I am so pissed that I didn’t pull as much money as I could out, I have no credit cards and all my money is tied up in this account. Everyone I spoke to was not concerned and I was getting no where. Until I finally got the right person and now this stupid email shit is happening. My computer will not let me go through. What a joke. This statement they emailed me is the only way to get my account credited.
My branch manager told me they found scanners on the atms that morning. This all happened after I made a deposit a few nights before to deposit my bonus check. They finally upgraded their atms and I was so excited to use it. I will never ever use my atm card as a debit and expose my pin #.
The women on the phone had the nerve to ask me like 4 times how this could of happened?
I am so disappointed!!!
December 30th, 2009 at 12:43 pm
Someone got my debit card number (not actual card or pin) last week and cleaned my account out this weekend at grocery stores and gas stations here in town. After filing my claim with Chase I got this same email with the secure-dx link. Firefox and Chrome gave the warnings and that’s when I did a search and found this site. At least now, though, the password is an actual number instead of just the word “password”.
I called Chase claims again and had the representative read the entire link back to me to ensure that it was legitimate and it was. I voiced my concerns about security but you know these kids that man customer service lines either don’t care or are too scared to say anything.
If you have concerns then call Chase claims and MAKE them read this link to you. Also, tell them how this weird link makes a worried customer even more worried.
December 30th, 2009 at 12:44 pm
PS, in the end I had to use Internet Explorer because Firefox wouldn’t let me complete the form even though I told it the site was ok.
December 30th, 2009 at 6:30 pm
@Kimberly, this issue has certainly sent a lot of traffic to my blog, but I honestly would prefer if Chase didn’t utterly fail at this and actually resolved the issue.
January 1st, 2010 at 1:56 pm
It is unbelievable that this has gone on for over 3 months and the situation sucks. Based on the loss reports I am seeing, it seems unsafe to have much balance on a Chase account that has debit-card access.
I really miss WaMu checking and how well everything worked. While the JP Morgan Chase take-over solved a problem WaMu had, but I didn’t, I feel like I have been teleported into some sort of parallel green-eyeshade universe with 19th-century steam-powered ATMs and banking computers that shuttle transactions and cash on conveyors. My first clue was ATM deposit envelopes that ask for more information than if I’d walked in and used the teller and that don’t fit the ATM hopper for fresh envelopes. My second was bank statements that list check clearances in two places so I can’t reconcile in Money so easily any more.
This now makes what prompted me to defect from Wells Fargo to WaMu a few years back seem like trivialities compared with the cluelessness I am now experiencing.
January 5th, 2010 at 3:10 pm
same here!!!! not sure whether to sign in to the website or not……
January 6th, 2010 at 4:29 am
REPEAT POST!
Secure-dx.com is a VALID system. It is used by hundreds of thousands of people every month for a whole variety of document delivery reasons by well over 100 institutions around the world. Do you question a delivery from FedEX even though the content inside the package was sent by a bank!
Some Firefox (and Chrome) browsers may fire off a phishing alert but that is because the people running their anti-phishing systems never follow up on false alarms even when told about them. Microsoft, AOL, Yahoo and the rest know secure-dx.com is legit because they bother to verify anti-phishing alerts.
The “false positives” on the anti-phishing are Firefox/Chrome related, try telling them they are wrong and see what you get as a response….in the meantime use a different browser, like IE!
January 6th, 2010 at 2:07 pm
@Not phishing,
It may be a “valid” system, but as I explained in my article, it’s also utterly broken and insecure. Not because of the false positive phishing messages, but because of the fundamental design of the system.
Just because thousands of people are using a broken, insecure system every month does not make it any less broken or any more secure. It just makes it a bigger disaster than if no one used it.
You wrote, “The ‘false positives’ on the anti-phishing are Firefox/Chrome related, try telling them they are wrong and see what you get as a response….in the meantime use a different browser, like IE!”
LOL — are you honestly suggesting that informed web users who have chosen the better browsers in this world should switch over to IE, which has myriad documented — but unfixed — security bugs? Wow!
January 6th, 2010 at 10:36 pm
Just got an e-mail like this. This is the second time today Chase disappointed me. I usually deposit money in $100 bundles, and was depositing money at an ATM, which failed and “stole” my money. I filed a claim, which passed. Then, I deposited another $100 at a different branch, but it was a check. A few days later, I get a notice saying my claim, which passed, was reversed! Apparently someone at Chase misread my account statements and saw the check entry as the missing cash entry, and reversed the ACTUAL cash entry. First that, now this. Chase never fails to disappoint.
January 7th, 2010 at 2:10 am
Look how many of us have had charges against our accounts.
Anyone else think they might need a MORE SECURE BANK ?
January 7th, 2010 at 6:25 pm
So funny, you post very paranoid articles (about loads of things) and yet refuse to read the content of the responses. Most of the moaning on this thread is about bankdand fraud, all banks suffer from this. At least this one is trying to speed things up!! And hundreds of thousands of people have had this bank (and many others) sort their fraud through this system.
And you IGNORE the fact that IE and YAHOO and AOL and most others know about secure-dx.com, as do literally millions of people in the USA who have used it succesfully.
Heres a suggestion, why don’t you try and call Google/Firefox/Mozilla and ask them about the site….would love to know if you get a reply.
January 7th, 2010 at 10:13 pm
@Not phishing,
In what way is my article (or others) “paranoid”?
You say I “refuse to read the content of the responses” — no, I have read every single response on this thread. I have even followed up with some by e-mail.
“And you IGNORE the fact that IE and YAHOO and AOL and most others know about secure-dx.com, as do literally millions of people in the USA who have used it succesfully.”
Wrong. Read my post and comment again. The fact that the site was marked as a phishing site by Firefox is nothing more than a symptom of the fact that the site has a completely insecure design. I outlined numerous things that this system could have done better. From being hosted at a chase.com subdomain, to using a secure certificate with a proper signature, to not sending plain text passwords via e-mail, to not choosing a default password of “password”.
Nothing I wrote relies upon that phishing message as proof of my case that secure-dx.com’s design for handling “secure documents” is a complete joke. It’s just the thing that made my ears perk up, and those of many others.
I’ll repeat what I wrote above:
Just because thousands of people are using a broken, insecure system every month does not make it any less broken or any more secure. It just makes it a bigger disaster than if no one used it.
The damage caused by the insecurity of this system may be minimal, since it is just used to push PDFs around. I would have been fine being e-mailed the PDF I had to “securely sign”. But, the pomposity and pretense that goes along with this “secure document exchange” system is what makes it open for ridicule. It purports to be this super-secure, ultra-convenient website for Chase customers; in reality, it is designed in an amateurish, security-ignorant way, and as a result, Chase’s customers (many of whom are much brighter than the engineers who implemented this system) are left confused and annoyed. For those who end up using the system despite the warning indicators, its insecure design simply reinforces bad habits that cause phishing and other crimes in other corners of the web.
Here’s a good habit many informed Chase customers have: if ANY website gives me a login screen that looks like Chase, but is hosted off the chase.com domain, I should NOT USE THAT SITE. It’s probably a phishing attack.
That good habit is just destroyed by secure-dx.com.
That people are confused by the phishing message is just a small problem. The MUCH BIGGER PROBLEM is that secure-dx.com is totally insecure in every single way, as described in my post. If there were no phishing message, I would have written the same post, minus one screenshot.
January 11th, 2010 at 3:09 pm
Ok…something is going on with Walmart. Last week I got hit with, yes, about $900 in charges at a Walmart in PA. Chase blocked my card and didn’t process the charges. They issues me a new card. But, I had noticed an errant charge, also in PA, and went through the same secure-dx nonsense as everyone else above.
I am nervous about all this enough to totally change my accounts.
January 13th, 2010 at 8:24 am
I’ll glad I found your site – I went down the exact same path and even had the Chrome phishing warning that I ignored and then search the secure-dx.com domain to find your article. Then I logged into it – just to see a PDF. Ridiculous.
January 14th, 2010 at 1:19 am
On Jan. 8, 2010 I was also hit with a fraudulent purchase at a K-Mart for $ 325.00 and then a subsequent attempt at a Wall-mart the same day for $700 in Riverside, CA. Fortunately, Chase did put a stop on the second attempt and I have since cancelled my debit card- but for Chase to credit back my account on the first purchase, I had to go through the same process all of you have been subject to. The result is- my web browser blocks access to the site. Now I am greatly disturbed and concerned by what I have discovered about Chase and secure dx.com reading the testimonials on this site.
We are in deep trouble if we as a country can’t create an online banking system that solves problems safely and efficiently- this is fundamental !
January 14th, 2010 at 4:39 pm
Add me to the list. I contacted Chase about a charge on my debit card. They said I would get a temporary credit, which I did. Then a few hours later these emails arrived from chase_customer_claims@secure-dx.com. I work at company that is very security conscious, so this email address immediately raised red flags. It’s not from Chase.com and it directs me to a non-Chase website that triggers a security alert for phishing in firefox. Then it asks you to create an account on that site. I called Chase expecting them to tell me this was not legit. I was surprised when the rep told me this was a 3rd party they use for this service. She was not very nice and seemed annoyed with my questions. I got the feeling they are asked about this all the time. I forwarded the email to abuse@Chase.com and told them I refuse to go to this site. I asked for something to be sent from Chase.com or for them to mail whatever it is they want to send. If the person who I talked to when I called in the dispute told me to expect this email and told me it would come from this non-Chase address I may have gone along. I would expect a bank of all places to be more concerned with security and avoiding the appearance of a scam!
January 15th, 2010 at 1:41 pm
Fuck Chase Fuck Chase Fuck Chase Fuck Chase Fuck Chase Fuck Chase Fuck Chase Fuck Chase Fuck Chase Fuck Chase Fuck Chase Fuck Chase Fuck Chase Fuck Chase Fuck Chase Fuck Chase Fuck Chase Fuck Chase Fuck Chase Fuck Chase Fuck Chase Fuck Chase Fuck Chase Fuck Chase Fuck Chase Fuck Chase Fuck Chase Fuck Chase Fuck Chase Fuck Chase Fuck Chase Fuck Chase Fuck Chase Fuck Chase Fuck Chase Fuck Chase Fuck Chase Fuck Chase Fuck Chase Fuck Chase Fuck Chase Fuck Chase Fuck Chase Fuck Chase Fuck Chase Fuck Chase Fuck Chase Fuck Chase Fuck Chase Fuck Chase Fuck Chase Fuck Chase Fuck Chase Fuck Chase Fuck Chase Fuck Chase Fuck Chase Fuck Chase Fuck Chase Fuck Chase Fuck Chase Fuck Chase Fuck Chase
January 15th, 2010 at 1:43 pm
One last Fuck Chase
January 16th, 2010 at 10:04 pm
I hate Chase as much as anybody, they can go to hell, but you are being paranoid. The forms they send are blank. Once you fill any information on them you have already changed the password.
Big banks SUCK!! They don’t care about you unless you are a multi-millionaire. Join a local credit union.
January 16th, 2010 at 11:14 pm
Thanks for the information. I just had two Wal-Mart charges to my account for $100 each in Urbana, IL. I called Chase to make a claim and had the same problems as everyone above. I too was a WAMU customer for many years and never had any problems. As soon as Chase took over, I have had nothing but problems. I was disappointed with Chase before this happened and now I am really upset. How can this have been going on for so long. I am closing my account as soon as I get my money back. I don’t feel that anything with Chase is secure.
January 18th, 2010 at 5:27 pm
Thanks for the information. I wasn’t going to sign in, but I’m glad I did.
Everything is OK with this site, not really it should be linked to chase.com.
WOOOOOOOO disputed a charge, and got the 87 dollar charge back and 3 over draft fees.
Total of 186.00 added to my account, oh yeah.
January 19th, 2010 at 6:40 pm
Same story here!… I’m in Cali and a former WaMu clinet. Called chase from the 800 number on the back of my debit card after my debit card was coming up declined. Found out some yahoo in IL charge 600 bucks at the local Pilot gas station. Called and talked with chase they said I had to wait for the transaction to post to my account and they would cancel my card and send me a new one. I called back after the charge posted to my account and now I was faced with the untrusted sited thanks to firefox. I googled the 800 number in the email and this site came up. After reading up on the issue I went ahead and logged into the chase.secure-dx.com. (I got my two emails form chase, however they no longer use password”) I went ahead and logged in and I did not used my real phone number when prompted for my for it. I got my form with my disputed transaction already on it, printed it out finish filling it out and faxed it in.
I got to say I am REALLY unhappy about this and I will be switching back over to my credit union. I miss WAMU and do not trust chase one bit.
January 19th, 2010 at 6:50 pm
I wanted to add… I did have Pay Pass on my card and it never leaves my pocket and is really only used at my local gas station and grocery stores. However I did use my card at the local pumpkin patch this year when (I am wondering if that is when they got my number?) I needed a few extra bucks for the kiddie rides for my kid…. hum???
January 19th, 2010 at 8:02 pm
I have tto be very careful because these days people will get a hold to your credit cards debit cards ues it without a care in the world so now im aware that your id can get stolen at anygivin time so now im careful about were im using my card and were im keeping my card
January 19th, 2010 at 9:39 pm
Wow/wow. this chase really stink,I’m going through the damn idiotic scam of chase bank.
I previously had my runs down with chase,but this the ultimate of a consumate and fool
thieves they are.not way thats why banks are going through these hard times.it is an
institution create to rob your money legally and with not much to do abour it.lets hope this
gives them an awareness of they jointly scam with the other company involved.
January 20th, 2010 at 3:50 pm
THANKS CHASE
January 20th, 2010 at 4:01 pm
CHASE
January 20th, 2010 at 8:06 pm
FF wouldn’t let me to the site.
IE let me right it.
Whaddya know…
January 21st, 2010 at 10:21 pm
It actually is a scam.
January 22nd, 2010 at 2:44 am
I got these emails as well, but I went into a branch just to tell them I hadn’t received any money from an ATM. No suspicious charges. In fact, the $20 I never got is already in my account hours later. But Firefox wanting to block this site is a little strange and led me here. I guess it’s legit, but I sure as hell searched for it before logging in. They didn’t tell me I had to do anything, so I’m just going to delete the emails.
Oh, and my password did seem to be a random character generation, so at least they “fixed” that.
January 22nd, 2010 at 10:00 am
I have worked 2 hours trying to reset my password with chase. if you ask them for a print out they send you something that does not identify the charges, if you call customer service you get and endless loop message, if you go on line you get a help desk that is no help. I use this site for unemployment debit card. No one seems to know what is going on. Why does the stae of texas use this shitty company
January 22nd, 2010 at 12:24 pm
I also freaked out over the secure-DX domain, and thought I was being scammed. Thanks for the blog post – there isn’t a lot of other info on this out there. Shame on Chase for using such a poor security system – if they really need to outsource this, they should arrange for them to use a chase.com subdomain.
January 22nd, 2010 at 4:07 pm
I had the same debit card fraud. Someone has used the debit card in California, nearly $1000.0 in motorcycle sport store.
We have never used this card physically.
Another point is the 1866 claim dept phone number hardly worked, once we entered the debit card and pin number, it always hang up and cannot connect through. While, this maybe a way the information can be stolen.
For those of you have trouble to get through, send your claim letter to,
P.O. Box 620002
Internal Mail TX1-2551
Dallas, Texas 75262-9802
Customer Claim Department
Phone: (866)564-2262 Fax: (866)701-9886
But Chase database must have been compromised somehow. This is the conclusion.
January 25th, 2010 at 7:39 pm
How do I know this isnt a fraud cover for the warning I reached when investigating my atm problems…….????
January 25th, 2010 at 7:41 pm
Telling me the website is that of Chase and is safe, in fact I am opening myself to further fraud.
January 27th, 2010 at 12:43 am
I had the exact same thing. Fraud on card, called, was told about secure document sharing and the whole deal smelled fishy. I got the same paranoia, wondering how big could this be? But, you’ve put my fears to rest. Good grief Chase! My plan is to never use my debit card ever again.
January 28th, 2010 at 11:06 am
My story’s no different.
It’s pretty pathetic that Chase’s procedure initially appears to be blatant fraud, but turns out to be legit. An actual fraud would undoubtedly be more clever.
February 1st, 2010 at 12:39 pm
My story is no different .
I was pretty amazed that someone got a hold of my credit card number in a different country
I reported the fraud with chase, and they are taking care of the problem.
February 3rd, 2010 at 4:14 pm
lost my card sometime during last week got my card back today when i went to put gas in the car the card was declined called up chase to see what the problem was come to find out there was a negative balance of $130 someone had used my card to purchase things chase was nice enough to help me out on the phone now hopefully they can rectify the negative balance that someone made on my account.
February 4th, 2010 at 12:35 am
Damn, I too found this site via Google search of secure-dx. Google favors you :p
Anyways, my story is similar to yours. I even went to my local branch in Miami and one of the bank specialist actually told me that secure-dx is in no way related to Chase and that the claim number in the e-mail was not even under my name. I told him that I was going to go to my local police station and file a report, so that they could track whoever owned secure-dx and gang rape them with the FBI.
After reading this, I’m even more disappointed that it is not a real scam, but just an embarrassing security flaw. A very big one. In fact, Chase should fire its IT guys and security advisers. Out of a cannon. And into the sun!
February 4th, 2010 at 12:38 pm
click on the sdx chase URL in the email they send. click on “forgot my password”. when that comes up click on request new password. The new password they send will be the same as the old password but it will work. at least it did for me.
February 8th, 2010 at 11:22 am
I just received a package from a company called DHL, and when I opened it I found a letter from a bank. Should I be paranoid and ignore the letter…lol…never read so much paranoid drivel as on this thread!
February 15th, 2010 at 12:34 pm
@Paranoid People
I think the analogy would be that you received a letter from a company you’ve never heard of, delivered by a company you’ve never heard of. The scenario you stated would be correct if the email contained a link to your bank. The real question for me is whether this site asks for sensitive info or just displays documents to the user.
February 21st, 2010 at 2:38 pm
Also WaMu-to-Chase, here. Going through this right now, with added annoyances.
After logging into sdx.chase.com, I get the screen that contains the pdf link. The screen says “If the list of transactions contains all the items you wish to dispute, you can fax or mail back the form, simply print the pdf attachment and follow the instructions within the document.”
Well. There are no instructions within the document. None. Which strikes *me* as a clever way to minimize the number of claims that are actually completed by consumers. I call Chase and have a mostly unhelpful session in which I am repeatedly told “What you have received is a blahblahblah form, notifying you of blahblahblah.” I keep trying to explain that I have received two messages from Chase: one of which is the pdf the CSR refers to, the other which tells me that I am supposed to return the pdf and that the pdf itself is supposed to contain instructions for doing so.
Ultimately, she told me that because my claim was for less than $100, I do not need to return an affidavit. I see that tidbit nowhere in the information I’ve received.
Bonus rounds:
The fraudulent charge was paid to brzsupport.com which is some porn subscription service. Exactly a week earlier I found a pending charge from the same site — brzsupport.com — and immediately emailed Chase. The next morning it was gone. The CSR told me the charge appeared because someone somewhere *mistakenly* provided my card number and that there hadn’t been an actual case of fraud. That they had taken care of it before it went through. And yet, here I am. (For more on brzsupport.com: http://www.complaintsboard.com/complaints/brazzers-support-servces-brzsupportcom-c309068.html )
Plus, Chase apparently double charged a vast number of people who made purchases on a particular day in January, me included. See: http://www.yelp.com/topic/west-hollywood-if-you-bank-with-chase-please-check-to-make-sure-that-you-werent-double-charged-last-night.
Aaaaaawesome.