Chase’s completely insecure and broken “secure” document exchange system (aka securedx, secure-dx)

A few days ago, I got a call from my girlfriend, Olivia. I was so deep in working on my startup, Parse.ly, that I hadn’t checked my bank account statements in several weeks. We just went into private beta last Thursday, after DreamIt Demo Day. She noticed some suspicious charges, and so I looked into them. Indeed, it looked like I had been a victim of fraud: there were three charges that clearly were not mine.

I immediately called Chase Customer Service. In order to confirm the details about my account, the representative needed me to identify the fraudulent charges, but also identify charges that were actually valid. For this latter bit, I needed to identify the time/place of a specific transaction. This card was mostly used for online auto bill payments, so this turned out to be impossible for any of my last 20 valid payments. Yet the customer service rep insisted that I name a time and place. I told her, “The time and place was whenever the server for this system decided to automatically bill my account. I don’t know where their server is, I don’t know what time their cron jobs run.”

“Cron jobs?” she said.

Right, I had been hanging around techies at DreamIt Ventures for too long. “Listen, the transaction didn’t take place physically, it took place digitally. I can identify one transaction, which is about a month old, where I actually used the card in-person to buy something.” She finally understood and let me move on.

Burak from Trendsta said he felt bad for me, for how patient I had to be with this person. But that was the least of it. This little technical misunderstanding was nothing compared to what followed.

I was told that in order to get a credit back from my account, they had to collect from me a signed affidavit indicating the charges were fraudulent. This affidavit would be “securely shared” with me via e-mail. “OK, sounds good,” I said. I waited around for the e-mail to come in.

Finally, two e-mails arrived in my inbox. The important bits are in red. First:

Message from Chase Customer Claims Secure Document Exchange

From: [email protected]

Welcome to the Chase Customer Claims Secure Document Exchange. You recently contacted Chase regarding your claim number XXXX. Your documents are available for your review.

Per our telephone conversation, you will need to register to our secure website.


Your initial password is: password

Your initial user name has been sent to you in a separate email.

On your first log in, you will be required to select a new password.

Thank you for using Chase Customer Claims Secure Document Exchange.

To contact Chase for claim related questions or to withdraw your claim, please call 1-866-564-2262.

Any geek reading this will immediately identify some key things wrong with this e-mail that make it look like a total phishing expedition. Namely:

  1. The e-mail address, rather than being from a chase.com domain, was from a strange domain named “secure-dx.com”.
  2. Rather than sending a cryptographically secure, expiring activation link, a default password was sent in plain text.
  3. To make matters worse, the password is the same for all users, and thus anyone who can guess my e-mail address can easily impersonate me on this “secure document” website.
  4. The default password is “password”. WTF?! I mean, c’mon?
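For contrast with the shared default password, here is a sketch of the "cryptographically secure, expiring activation link" from point 2. It is an added example, not code from Chase or the vendor; the endpoint URL, the 24-hour lifetime and the in-memory store are assumptions made for illustration.

```python
import hashlib
import secrets
import time
from urllib.parse import urlencode

# Assumptions for illustration: the endpoint URL and the 24-hour lifetime.
ACTIVATION_BASE = "https://documents.bank.example/activate"
TOKEN_TTL_SECONDS = 24 * 3600


def _digest(token):
    """Hash the token so the server never stores the secret itself."""
    return hashlib.sha256(token.encode("utf-8")).hexdigest()


class ActivationStore:
    """In-memory stand-in for the server-side table of pending activations."""

    def __init__(self, clock=time.time):
        self._pending = {}  # sha256(token) -> (user_id, expires_at)
        self._clock = clock

    def issue(self, user_id):
        """Create a per-user random token; a leaked table reveals only hashes."""
        token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
        self._pending[_digest(token)] = (
            user_id,
            self._clock() + TOKEN_TTL_SECONDS,
        )
        return token

    def redeem(self, token):
        """Return the user_id exactly once for a valid, unexpired token."""
        entry = self._pending.pop(_digest(token), None)  # pop makes it single-use
        if entry is None:
            return None  # unknown, guessed, or already used
        user_id, expires_at = entry
        if self._clock() > expires_at:
            return None  # expired tokens are discarded, never honoured
        return user_id


def activation_link(store, user_id, base=ACTIVATION_BASE):
    """Build the one-time link that would be e-mailed instead of a password."""
    return base + "?" + urlencode({"token": store.issue(user_id)})


if __name__ == "__main__":
    store = ActivationStore()
    link = activation_link(store, "claim-holder-1")  # constructed user id
    token = link.split("token=", 1)[1]
    print("link:", link)
    print("first use :", store.redeem(token))
    print("second use:", store.redeem(token))
    print("guess     :", store.redeem("password"))
```

Knowing a user's e-mail address is no longer enough: the link is different for every recipient, works once, and stops working after the lifetime passes.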

I didn’t quite understand why I needed a “second e-mail” now, but I opened it up. Here it is, excerpted:

Your Chase Customer Claims Secure Document Exchange Electronic Package is available online

From: [email protected]

ANDREW MONTALENTI,

Welcome to the Chase Customer Claims Secure Document Exchange. You recently contacted Chase regarding your claim number XXXX. Your documents are available for your review.

Per our telephone conversation, you will need to register to our secure website by clicking on the link below or copy and paste the link into your browser’s address bar.

https://chase.secure-dx.com/consumerdcx-chase_atm

Your user name is [email protected]

Your initial password has been sent to you in a separate email

On your first log in, you will be required to select a new password. NOTE: This site is different from Chase.com and passwords are not related. Updating your password on Chase Customer Claims Secure Document Exchange will have no impact on established Chase.com passwords.

Once registered, you will be able to access your customer correspondence on our secure website. You may be offered the option to complete and sign the form online if you wish to do so. […]

To say I was confused would be a major understatement. I was downright depressed.

My guess is that the engineers at Chase thought that by separating the “password e-mail” from the “user e-mail”, that somehow made the whole communication more secure. Two e-mails are better than one, right?

The most important thing to point to is the link. The link where this secure communication will happen is not at the chase.com domain. Instead, it is at https://chase.secure-dx.com/consumerdcx-chase_atm. There is no way, NO WAY this is a real Chase site, I think.

I click on the link and in Firefox, I see this:

[Image: chase_forgery]

At this point, my paranoid self turns on. Curious, I click through the link anyway. And I see this:

[Image: chase_sdx]

Now I’m really paranoid. Links off secure-dx.com pointing back to chase.com’s privacy policy. A username and password box and a sort of hokey imitation of the Chase.com web design. I realize, holy shit, I’m being duped! Not just small-time credit card fraud, but someone has managed to really take over my life!

Why am I freaking out? The customer service person I talked to, I realize what must have happened. That wasn’t Chase. Someone stole my credit card information and then set up a call forwarding on my cell phone, somehow, to point Chase’s customer service number to some fraudulent interceptor. This person then diligently took my claim only to send me an e-mail that would get yet more information out of me and take me for even more money. I freaked!

Immediately, I double-checked my call logs and compared them to Chase.com customer service numbers. I made sure to change my DNS server to OpenDNS to make sure no one was somehow intercepting that. Finally, I realized I could look at the number written on the back of my Chase credit cards. It all checked out — the number was good. So I switched phones. I called Chase customer service on both my phone and Olivia’s. I made sure the messages were exactly the same. From Olivia’s phone, I called back Chase again to speak to someone there about this. But then I got even more paranoid — how big could this be? — so I decided to hang up. Instead, I called my local Chase branch in my neighborhood.

With my local branch’s help, I got transferred via a branch office line to the actual Chase customer service. Finally on a secure line, I thought to myself. When they picked up, I was expecting to uncover the scam of the century. I felt like an investigative journalist right on the tail of something truly big.

But then I spoke to the Chase representative, on the secure line, and she explained to me that this is just the normal procedure. secure-dx.com is the website they use for “securely” sharing documents.

I was livid. I explained everything wrong with this setup. I demanded to speak to a supervisor. I spoke to a supervisor. He said he did not know why the system was the way it was. He wasn’t a software guy. He just knew that “with the way the business is changing lately, a lot of systems are in flux.” I said this flux was unacceptable. “I’m a software engineer,” I said. “How can I possibly trust Chase to manage my financial accounts if something as simple as sharing a PDF document is done in the least secure way possible?” What other skeletons might they have in the closet?

I wanted to be forwarded to the department responsible for that. After my explanation to him of what was wrong, he fully understood the problem. To his credit, he admitted it was wrong the way it was set up. He actually tried to track down a supervisor. But there was none that could field IT and software requests.

They promised to call me once they could track someone down to talk about this. No call yet.

My excitement came down a couple of notches. I was not the investigative journalist uncovering an elaborate scam any longer. Instead, I was a software engineer. And some members of my profession have let me down. Big time.

In the meanwhile, I did the research and found the vendor who provided this service to Chase. They are Wolters Kluwer, a “financial services and banking compliance solutions provider”. The product page for “SDX”, Secure Document Exchange, is completely ludicrous. They claim this product includes “industry-leading security, including PKI encryption and multi-level user authentication, to keep communications safe at every step of the process.”

Right, so the password was sent in plain text. The default password is “password”. And, rather than having a chase.com subdomain which points at Wolters Kluwer’s server (e.g. secure-dx.chase.com) and sharing a secure chase.com certificate with them, they decide to host the whole thing outside of the chase.com domain, so that as a user, I have no way of confirming this actually is an e-mail or system originating from Chase. Users are so confused by this that they have already reported it as a phishing scam, even though it is not one.
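The check a recipient or mail filter can actually perform is on the link's host, and it shows why a leading "chase" label proves nothing. This is an added example, not part of the original post or any Chase tooling; the two secure-dx.com / sdx.chase.com URLs come from this page, and the other sample links are constructed.

```python
from urllib.parse import urlsplit


def host_within(url, org_domain):
    """True only if url is https and its host is org_domain or a subdomain.

    Labels are compared right to left, because ownership of a DNS name is
    decided by its rightmost labels, not by whatever appears first.
    """
    try:
        parts = urlsplit(url)
        host = parts.hostname  # strips any userinfo ("user@") and the port
    except ValueError:
        return False
    if parts.scheme != "https" or not host:
        return False
    labels = host.rstrip(".").lower().split(".")
    org = org_domain.lower().split(".")
    return len(labels) >= len(org) and labels[-len(org):] == org


def audit_links(urls, org_domain):
    """Map each link to whether it really lives under org_domain."""
    return {url: host_within(url, org_domain) for url in urls}


SAMPLE_LINKS = [
    # From the page: the link in the e-mail, and the later chase.com host.
    "https://chase.secure-dx.com/consumerdcx-chase_atm",
    "https://sdx.chase.com/consumerdcx-chase_atm/private/main.jsp",
    # The subdomain arrangement the post suggests.
    "https://secure-dx.chase.com/",
    # Constructed lookalikes that a naive substring or prefix test accepts.
    "https://chase.com.login.example/",
    "https://notchase.com/",
    "https://chase.com@login.example/",
    "http://sdx.chase.com/",
]

if __name__ == "__main__":
    for url, ok in audit_links(SAMPLE_LINKS, "chase.com").items():
        print("under chase.com" if ok else "NOT chase.com  ", url)
```

Only the two hosts that end in chase.com pass; the vendor-hosted link fails for the same structural reason as the constructed lookalikes, which is exactly what a careful recipient sees.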

That’s industry-leading? That’s “safe communication”?

No, that’s a joke. Chase should be ashamed.


Jan 5, 2013 Update: Hi, unexpected /r/programming visitors! Yes, this article is over three years old. Yes, this process has not changed much in the past three years. No, I did not expect a customer support representative to really know what a cron job was.

Many reddit commenters took the position that I was being “overly paranoid” and that I took this whole thing way too seriously. Well, I strongly disagree. As many other commenters rightly pointed out, many individuals share usernames / passwords across systems. It was not paranoid for me to think this was actually a phishing scheme. Why would a phishing scheme send me a password, only to have me reset it when I log in? Answer: out of the hope that some percentage of users would “reset” their password with their actual bank password, of course. Phishing schemes are most effective when they spoon feed users a little trust, and then betray it. I admit that thinking that my cell phone had been hacked was perhaps a leap of true paranoia, but I tried to convey how I actually felt.

Chase did finally introduce their own domain (https://sdx.chase.com) for their “secure” document exchange service, the lack of which was, by far, the major sore spot in this whole setup. The rest of the silly process remains. For me, the greatest damage this process does is in conditioning novice Internet users that systems like this are trustworthy. In other words, I’m not upset about the hundreds of people who, like me, questioned the legitimacy of this system. I’m upset about the thousands, or possibly millions, who used it without questioning it at all.

For those of you who enjoyed the article and feel as a programmer you would never make the same mistakes, you can take a look at the job opportunities available over at my startup, Parse.ly. A tad opportunistic, but hey, it’s not every day thousands of programmers flock to my blog.

212 thoughts on “Chase’s completely insecure and broken “secure” document exchange system (aka securedx, secure-dx)”

  1. Nice… from mail1.secure-dx.com ([178.32.180.61]) by imta26.westchester.pa.mail.comcast.net with comcast id QAMi1h00L1Ksfjm0SAMice; Wed, 24 Aug 2011 10:21:42 +0000

    I thought someone had stolen my identity, and was phishing passwords…

  3. This is still happening at Oct 2011 – these guys haven’t learned a damn thing. Still sending pwds in clear text, and still asking for patently ridiculous “validation”.

    Very frustrating….

  4. November 2011 — they are still doing it. Password is now in the same email, and looks like a randomly-generated one, but they then proceed to ask “security” questions, one of which is “pet’s name”, that isn’t really the real pet’s name, but a made-up one they email in a separate message. I think they deserve a medal for the worst e-doc process out there!

  5. I just went through the same experience. Even knowing that I just submitted a claim through my banker I was still skeptical of this email. At least if the email address said @chase.com it would be believable. Why not post the response (pdf) on my online bank profile and they can send me an email saying, “you have a notice.”

    In addition to having multiple financial advisers leave the company and fraudulent activity for several family members, all who just happen to be Chase customers, I’m excited for the new year and a fresh start with Chase.

  6. This is an interesting blog. I have done a fair amount of work on network security systems. I am amazed at the number of Software Engineers on this blog that are complaining. Please read “Not Phishing’s” entries on this blog. This is very normal for banks, law firms, hospitals, etc. etc. etc. to outsource services (such as secure document transfer) to third party providers (such as secure-dx). It is the organization’s responsibility to vet the provider for compliance to their security standards. It seems a lot of posters here are concerned about the fact that the username and password are sent over unsecured email. If you notice your email, the password has a time deadline on it and you are forced to change it on first logon. If someone else gets to the account before you, they would have to change the password. You would know that my account was compromised (password would be changed) and could immediately contact Chase to disable access. Although issuing of a password over unsecured email is questionable, the security mechanism is designed for you to change the password as soon as possible, thus rendering the emailed password ineffective. Not sure what the complaint is here as long as you respond as soon as you get the email.
    This blog sounds to me like a bunch of IT folks (or non-IT folks who have watched too many conspiracy movies) airing out their opinions on things they have overthought.

  7. Ugh! Thank you for this post. I just got this email a few minutes ago after talking with someone about fraudulent charges and was starting to freak out a little bit… but I used the website and it seemed legit. As the previous commenter said, they are now using the domain sdx.chase.com, so that is a bit more comforting…

  8. I can’t believe they’re still doing this. It is UNACCEPTABLE. It’s such a blatant failure. I refuse to use the site. This is what happens when the GOVERNMENT starts to meddle in the internet and create random requirements.

  9. I had my card used fraudulently to withdraw money from an ATM in my own city. This means they needed my PIN. There had been suspicious people INSIDE my local ATM vestibule over the past week (always at night) and even before my card had been used fraudulently I thought they might be skimming. So when my card was used the day after I had used that ATM with the suspicious person there at the time, it was clear what had happened. I had about 6 different data points over the course of a week that pointed to two people skimming at that ATM.

    The people on the customer service line didn’t care about me reporting that at all. The (obviously non-US based) person in the fraud department said Chase was only concerned with dealing with the effects of fraud, not stopping it (WTF!?) She said if I wanted to find the person who was responsible I should go to the police. I tried to explain I didn’t want to find the person, I just thought Chase should know about it, and she offered to write it down in my customer notes, which of course is useless, so I just hung up.

    So I went to the branch itself the next morning, figuring at least they would check the ATM video footage to see if the person was skimming or not. I mean, if someone was essentially robbing your bank over the course of a week, you’d want to stop it, right? Nope. I explained everything very clearly, the guy completely understood. He said skimmers are always coming up with new ways of getting PIN numbers and stealing info, explained it like it was a cat-and-mouse game. Except in this case there is no cat because he made it clear he had no interest in investigating or reporting it to anyone, it’s just not something they did.

    Oh, and the kicker? When I Googled for skimming at Chase, I found out there had been a skimming ring that had stolen $300,000 from ATMs in 3 days a few months back. In the EXACT SAME AREA, including this EXACT SAME ATM. You’d think there would be a security team at Chase that would be all over these types of reports, checking security footage and the like. Nope. I guess when you make tens of billions of dollars per year having to refund a few hundred dollars at a time doesn’t bother you.

  10. 3 years after your original post and very little to NOTHING has changed… Thank you for pointing out the painfully obvious and documenting it so clearly! Same old plain text, but at least it’s random numbers and digits now instead of stupid “password”… I have clicked on similar e-mails before and knew those were phishing sites… Did these idiots use an actual phishing site as their template?!?! No wonder they are being hacked and taken left and right… If this is just one aspect of their security, I can only imagine the rest… Were they always this bad or just since they acquired Washington Mutual? My branch is an ex-WaMu. I am seriously considering closing my account and going with another bank…

    Cheers!

  11. Just went through this whole thing myself. Very glad to find this post. In my case, I cancelled my ATM card when first contacted by customer service. After speaking to the fraud claims department, my paranoia was in high gear, so I called the number on the back of my card and verified that the card had indeed been cancelled. That put my fears to rest. I figured even if someone just confirmed my address, the card number they stole is now useless. Then I received the aforementioned email from the claims department. I entered the site, created a new completely random password and printed out the form.

    Here’s where it got strange again. The website states that if the disputed charges listed on the form are correct, you should mail or fax it back by following the instructions in the form. However, there were no instructions about returning the form. I called the claims department and asked them if they needed the form or not. The woman I spoke to told me that Chase hadn’t sent me an email about my claim, except what she called a verification email (however, this was the only email I had received regarding my claim) and that I probably shouldn’t click through the link and I didn’t need any sort of form.

    So, not only does Chase have a completely screwed process for managing fraud claims, the people manning the phones at their claims department don’t know what that process is. Shame on them.

  12. Unreal – just got a similar message today after my purse was stolen last weekend. And the process is still the same except now the password and login are in the same email. Which almost makes it creepier. Plus the user interface on the secure site is so sketchy – the PDF on the site is labeled “correspondence” and has basically no useful information. All of this screams fraud/ phishing / virus.

    Total disappointment in Chase – can’t believe they use this crap for their FRAUD claims!

  13. I came across this after talking on the phone for about 30 minutes with a Chase representative this morning. I woke up to a text message saying I had a strange $100.00 fuel charge that I needed to verify or deny. And then 2 phone calls and a voice mail saying I needed to verify account activity. I immediately called the Chase contact number from their website and got this figured out. It was not a number of theirs that had called me and they stopped my debit card and are sending a new one. There was no fuel charge on my card, but there was a charge from another state that was not me….it was all very confusing and after all that I received this same email! Talk about even more confused! The email does not look real, and led me to believe the whole thing was not over! Thank you for this post as it has calmed my nerves. To say the least, I am not thrilled with them….what a headache.

  14. Thanks for the great blog. They made a few improvements to the site and their approach. Was skeptical after reading this, but went through the process and was okay. Got my pdf stating that a charge did not post to my account. Hope all is well with everyone and that your issues with Chase get resolved. Again, as many have stated…if you are still suspicious and concerned just pay a visit to your local branch.

  15. I received this email after making my dispute yesterday. I’m still sketchy about it and I refuse to make this account. lol. Even though you all confirmed it’s real there’s something inside of me that will not let me make an acct on this website. It definitely looked very fake… I googled the e-mail as soon as I saw it. And there are actually other websites about this email saying it’s a fake and not to even click the link.

  16. It seems to be a valid site as now it’s hosted via a subdomain of chase at https://sdx.chase.com/. Still – amazing that a bank would send out something that looks almost exactly like a phishing email. They even still send the password in plain text – I just hope they capture it before hashing and storing it. If they’re storing un-hashed passwords I’d be even more concerned.

  17. While reading Not Phishing’s comments my first thought was “this is one butthurt programmer”, later realizing he also left a link to isentry.com, which clearly is the firm behind this abomination of a system – makes me want to pat my back.

  18. I have recently had the pleasure of working as a software engineer for a major bank in the United States, and let me tell you… When I was made aware of how many open exploits they had, it gave me nightmares. We’re talking 6 digits worth and ETAs to resolve all of them stretched out to several decades.

    Yeah…

  19. If you think this is frustrating, try working at a bank. I had conversations like this as an employee. The worst part was that I seriously damaged my career at the bank by trying to track things like this back to the responsible party and tell them what they were doing wrong. I made a lot of enemies by discreetly letting managers know how insecure their systems were. My favorite was the time I told the manager of a tech team that her database admins had never changed the password on a database containing about $10B of account and customer information. It took 9 months to fix the problem and I had to go way over her head to get anyone to listen. Again, it took 9 months to get a technology team to change the default password on a database containing $10B of account and customer data.

    tl;dr: smart programmers don’t work in finance.

  20. “The default password is “password”. WTF?! I mean, c’mon?”

    Heh, I assumed you’d altered it for security reasons before getting to this sentence.

  21. Great read! I agree fully with every point you made in the article and the edit yesterday after the reddit flock arrived. I appreciate the opportunistic drop looking for programmers, too.

    Keep doing right!

  22. This JUST happened to me. I landed on this post after geugling for secure-dx.com.

    lol, good read. Felt relieved knowing we’re not alone in this. Didn’t feel so relieved knowing not much has really changed…

  23. This purported letter from Chase is a phishing scam. The same letter with exactly the same “claim” number has been sent to numerous people whose accounts have been hacked and the money returned to them. I got one too. The one I received is nearly identical to the examples given online, down to the claim number. Before I found that out, I’d checked with Chase and found they did not send it.

  24. Well, I need to correct something I posted here on April 14, 2013: And Chase really DOES have a broken system. After being told by a Chase representative that the email was not sent by Chase, I later inquired as to why the money had not yet been returned to my account. Turns out, the email and strange-looking site really ARE part of Chase’s Security system. So I filled out and returned the form. (But I had to call security and ask for help to answer an oddly/awkwardly-worded question on the form.) The money has been temporarily returned, pending completion of the investigation. When calling, I made sure to make the point to the representative that the identical letter is all over the internet with exactly the same claim number, so it appears to be a phishing scam. (Why even put the same claim number in the email?) She said she would make a note of that. OK… :-\

  25. Just adding to the comment just above: To let readers know, I had already returned one brief form earlier, and so I questioned the second strange form because I was told I’d only needed to return one form. When the second email showed up, a representative told me I had already done everything I’d needed to do. I was done, and to ignore the email and/or send it to “abuse” at Chase. I’ve been on the phone over this incident a bunch of times. Chase’s right hand REALLY has no idea what the other hand is doing.

  26. While I am not a programmer, I too spotted the problems with this email. I first checked the IP address and DNS information. Surprise, nothing points to Chase! I then went to Chase site and went into their secure message center thinking there would be the same message for me..NOT!

    Now I too am paranoid and start checking the web for information on this mail when I came across this message. Thank you for clarifying what is going on here. I too will be contacting them with a complaint. Passwords in the clear? Really? Log in and change my password on a site that does not link to Chase? What a joke!

  27. Looks like Regions Bank has joined in on the sanity.
    All I can say is that the sales people at secure-dx must be awesome!

  28. Let me add something new – just got a text from “Chase” saying I was getting a temporary credit and for questions to call. Here’s the deal – I don’t have a Chase account and I have never had one. I deal only with PNC. Now what?? I googled the phone number is how I got to this site. Very interesting.

  29. Wow, I also rcvd. the same notification (literally, it is exactly the same as author’s) but mine was spammed. This is interesting as all other chase notifications make it to my inbox. Why would this occur? I immediately suspected it was a phishing scam and thus researched the net for more info. I look at it this way; I am leaving it in spam and trashing it, if it is that important Chase will find a secure, legitimate way to reach me and/or change practices as was requested 3 years ago!

  30. I can’t believe this article is already four years old and Chase has done almost nothing about this horrible “secure” banking method.
    Same story, filed a dispute about a month ago, notice the dispute was reversed today, checked e-mail to find this “secure-dx” BS. Needless to say, I’m not dealing with this website and I’m just going to Chase in person to deal with this.
    I just don’t understand why the higher-ups (or not so higher-ups) who make the decisions to keep these suspicious domain names/outside companies think it’s a good idea. Is the gap between them and the modern “tech-savvy” client that large? Even 10 year olds these days know about phishing. I’m hoping within the next decade every large company will realize they have to stream-line these things. Why can’t this message center be integrated into the main banking website? It already has an inbox feature (which I checked to find zero messages regarding this recent dispute), surely they can add an extra layer of security to accommodate these types of messages, instead of relying on suspicious e-mails like this crap.

  31. Same thing here.

    This is crazy and set off alarms in my head right away. We should all just forward this page to chase and show them how many people think this is insane.

  32. And in December 2013, Chase is still using this method. I couldn’t believe how fake the emails appeared, and it still leaves me wondering if I’m not part of a huge scam.

  33. Just wanted to add my thanks for writing this article. I got the same email and if I had not read this page I would have deleted the emails!

  34. These emails allegedly from Chase are phishing expeditions. Chase does not send messages to your personal email account and require you to reply. Any messages are sent via their secure system requiring you to log on with your account name and password, never a password they send you. Willing to bet every person here reported an erroneous charge on their account to Chase the day before getting this email. Same thing happened to my wife. She reported some invalid uses of her bank card to Chase, and this message popped up the next day. Problem is Chase doesn’t have her email address, but whoever used her debit information did.

  35. @Bill Gore — check out this interesting new development. The old Secure-DX site is still online at https://chase.secure-dx.com/consumerdcx-chase_atm/private/main.jsp. As you can see, the domain is “secure-dx.com” with the “chase” subdomain, which makes it seem like a phishing scam, as my original blog post indicated. However, the same application is also running at https://sdx.chase.com/consumerdcx-chase_atm/private/main.jsp — notice the chase.com domain with the “sdx” subdomain. The fact that the same application is now running hosted at Chase’s owned-and-operated chase.com domain confirms, once and for all, that this was not a phishing expedition. This was, in fact, just a poorly implemented computer system that *looked* like a phishing expedition. It’s sad, but true.

  36. Thank you for posting this. In 2014, they’re still sending the weird e-mail from chase (@secure-dx.com) with instructions to change the password then asking for a phone number when you do so. I ignored it the first couple of times assuming it was a phishing scam.

  37. I have recently had this problem. The “kids” I spoke to on the phone were horrible, unprofessional, could not understand basic layman’s terms, etc. I had a month’s worth of fraud on my account. I just got the sdx chase link and it won’t even let me log on. Once I put the password in they provided me with in the box it just refreshes and replaces my email address with “?i?z&ufr|4???” . I am beyond irritated with chase at this point and am planning on going back to BOFA.

  38. Four days ago someone got ahold of my debit card info, and spent > $400 on online shopping! I immediately called Chase and cancelled the card.

    Then I got this email today, similar to what others have described (sdx.chase.com). Although for me I got #1 ‘enter first, last name’ and the ’emailed password’. #2 ‘enter OLD Password’, then ‘New Password’, and then ‘Confirm Password’.

    The email, and the site link identified me by my email, and not my Chase ID (all Chase emails I’ve ever seen identify me ‘Chase Online Customer’, never by either email or ID).

    The identification and password-reset must surely be a scam. I’ll be contacting Chase in the morning. No way in hell I’m entering my info here. @Pixelmonkey, I’m right inline with your thinking.

  39. So I have verified, through someone who has worked at Chase for 5 years, that “Secure DX” site is legit. Keep in mind, this site doesn’t seem to ask for any of your personal information and is separate from your Chase.com log in. Further more, I have banked with Chase for 5 years myself and compared to other big banks, Chase is the best when it comes to fraud prevention; however most people are not proactive when it comes to protecting their information. Read up and use your resources before claiming a site is a scam. They have a lot of resources to read and help educate:

    https://www.chase.com/resources/fraud-prevention

    https://www.chase.com/resources/report-fraud

    https://www.chase.com/resources/personal-banking-contact

    https://www.chase.com/content/dam/chasecom/en/checking/documents/chase_by_phone_09_10_13.pdf

  40. That e-mail is a phishing scam. It’s not Chase. I don’t know whether this topic is part of the scam or someone unwittingly affected by it, but let me boldly state that under no circumstance is Chase sending out this e-mail. If you’re confused, call the number on your debit card, ask for the fraud department, and they’ll tell you themselves. Any information you provide to this Chase secure DX scam will be used to further target you.

  41. John,
    Actually, it’s a Chase site. I got this email and thought it was a scam. I mean are you kidding me it had both a username AND password in the same email?

    I called Chase and then went through the links and found the document they sent me and indeed it is a reply to a response I had initiated. Unbelievable!

    How many years have they been sending this garbage email and still have not fixed their problem. It’s 2015! If this is how they protect my information I’ll be switching banks.

    I have NO FAITH in their ability to keep my information private.

  42. August 2016 and they are still sending this email out although the password isn’t password anymore. I’m not following the link, feels like total bs other than yahoo put it in my inbox rather than my junk folder.

  43. Yep. I got this email today and it looked suspicious as heck. I have been banking with Chase for almost 10 years, have never received this before. I have reported fraudulent activity on my card at least 6 times in that span. Doesn’t make sense that NOW I would receive this type of claim follow-up email. Especially since judging by this page it seems that it has been going on since at least 2009. I don’t trust it. I had just received a new card, and everything on my account looks fine. I wouldn’t even need this service at this point anyway. I’d advise others to avoid the site link they provide also.

  45. I got the email today, a few days after I had called Chase because my card was being used by someone else. I was immediately worried if it was a scam or not and did a lot of research online. After reading many websites, I decided that it would be best for me to simply get a phone number from the back of my card to call Chase and ask them myself. I called Chase using the number on my debit card and I put in my information (card # and PIN) into the phone and to my satisfaction the operator tells me that the card has been closed, and if I would like to continue forward with a representative to discuss my closed card, to press “0”. So I press 0 and am talking to a real person, and I tell them about the email and its fishy contents and they told me that yes, the email is from “Chase customer claims” and that there is no need to be worried. Still skeptical (because of what I’ve researched), I told the representative that I was worried because I looked up the email online and lots of people think it’s a scam. The representative assured me that it’s not a scam. So I click the link on the email and logged in with the password given, and it then asks for your name (first/last) and asks you to change your password. I changed my password to something that is not the same as any of my accounts just to be safe. The site then took me to a PDF which was genuine and it just wanted to let me know the following:

    “We appreciate your business and we’re temporarily crediting your account ($xxx.xx amount — I removed for sake of privacy) while we
    research your claim. We’ve included a list of your credited transactions.
    If the amount we refund would earn you interest, you’ll receive that as part of your regular interest
    payment or as a separate credit. We will also refund any applicable fees.
    You can use the temporary funds while we do our research. If we decide the charges were correct, we’ll
    let you know before we reverse the credit.
    If you have questions, please call us anytime at 1-866-564-2262.
    Thank you for choosing Chase.
    Sincerely,
    Customer Claims Department”

    So to sum everything up, I was extremely worried that this was a scam email and I was thinking to myself “how the hell would the scammers know I contacted Chase anyway?” That’s what scared me the most. But after calling Chase on my own, by using the phone number on the back of my debit card, I assured that I was talking to a valid Chase representative and the automatic operator confirmed my card was closed before continuing. The live Chase representative assured me more than once that the email is legit and the domain is for Chase customer claims. I logged into the website, again changed my password to one that I do not use for anything else (just to be safe), and found that they simply wanted to update me on the status of the fraud prevention. Pretty much they just wanted to let me know that they were crediting my account for the lost funds due to the fraudulent charges, and the PDF also showed a listing of the disputed charges and how much each one was for. When you log into the website to view the PDFs, you will see that the domain actually IS from Chase.com (sdx.chase.com).

    In short, after being extremely worried about the email after suffering fraudulent charges on my card, I found the website to be safe after contacting Chase live support via the phone number on my card and actually going through with the process. If you have any questions, feel free to respond to my comment. I have nothing to gain from posting this except for maybe it’ll help someone out there who was worried like I was. Cheers to all.

    John
