Comments on: Chase’s completely insecure and broken “secure” document exchange system (aka securedx, secure-dx)

By: greens survive only when reds die online games

greens survive only when reds die online games — Wed, 18 Jan 2012 21:43:59 +0000

greens survive only when reds die online games…

[...]» Chase’s completely insecure and broken “secure” document exchange system (aka securedx, secure-dx) | pixelmonkey.org – alter or abolish?[...]…

By: Depannage Informatique

Depannage Informatique — Wed, 18 Jan 2012 06:39:08 +0000

Depannage Informatique…

[...]» Chase’s completely insecure and broken “secure” document exchange system (aka securedx, secure-dx) | pixelmonkey.org – alter or abolish?[...]…

By: fake credit card, fake scan credit card

fake credit card, fake scan credit card — Mon, 02 Jan 2012 06:49:16 +0000

fake credit card, fake scan credit card…

[...]» Chase’s completely insecure and broken “secure” document exchange system (aka securedx, secure-dx) | pixelmonkey.org – alter or abolish?[...]…

By: Chase’s dubious offer | Fairweather Zealot

Chase’s dubious offer | Fairweather Zealot — Thu, 29 Dec 2011 17:40:25 +0000

[...] me, that looks like a spoof URL. In reality, I was able to find out¹ it belongs to a company specializing in secure document transfer. Sounds good but why not have it [...]

By: how to make hair grow faster

how to make hair grow faster — Sat, 17 Dec 2011 17:02:22 +0000

how to make hair grow faster…

[...]» Chase’s completely insecure and broken “secure” document exchange system (aka securedx, secure-dx) | pixelmonkey.org – alter or abolish?[...]…

By: Boston Red Sox

Boston Red Sox — Sat, 17 Dec 2011 01:24:40 +0000

This is an interesting blog. I have done a fair amount of work on network security systems. I am amazed at the number of Software Engineers on this blog that are complaining. Please read “Not Phishing’s” entries on this blog. This is very normal for banks, law firms, hospitals, etc. etc. etc. to outsource services (such as secure document transfer) to third party providers (such as secure-dx). It is the organization’s responsibility to vet the provider for compliance to their security standards. It seems alot of posters here are concerned about the fact that the username and password are sent over unsecured email. If you notice your email, the password has a time deadline on it and you are forced to change it on first logon. If someone else gets to the account before you, they would have to change the password. You would know that my account was compromised (password would be changed) and could immediately contact Chase to disable access. Although issuing of a password over unsecured email is questionable, the security mechanism is designed for you change the password as soon as possible, thus rendering the emailed password ineffective. Not sure what the complaint is here as long as you respond as soon as you get the email.
This blog sounds to me like a bunch of IT folks (or non-IT folks who have watched too many conspiracy movies) airing out their opinions on things they have overthought.

By: The Chase Madness

The Chase Madness — Tue, 13 Dec 2011 21:54:50 +0000

I just went through the same experience. Even knowing that I just submitted a claim through my banker I was still skeptical of this email. At least if the email address said @chase.com it would be believable. Why not post the response (pdf) on my online bank profile and they can send me an email saying, “you have a notice.”

In addition to having multiple financial advisers leave the company and fraudulent activity for several family members, all who just happen to be Chase customers, I’m excited for the new year and a fresh start with Chase.

By: alexey

alexey — Tue, 15 Nov 2011 00:01:58 +0000

November 2011 — they are still doing it. Password is now in the same email, and looks like a randomly-generated one, but they then proceed to ask “security” questions, one of which is “pet’s name”, that isn’t really the real pet’s name, but a made-up one they email in a separate message. I think they deserve a medal for the worst e-doc process out there!

By: pixelmonkey

pixelmonkey — Sun, 30 Oct 2011 03:00:06 +0000

@Mentatchris sad to hear

By: Mentatchris

Mentatchris — Fri, 28 Oct 2011 14:01:21 +0000

This is still happening at Oct 2011 – these guys haven’t learned a damn thing. Still sending pwds in clear text, and still asking for patently ridiculous “validation”.

Very frustrating….

By: Borse Gucci

Borse Gucci — Thu, 27 Oct 2011 06:15:49 +0000

Borse Gucci…

[...]» Chase’s completely insecure and broken “secure” document exchange system (aka securedx, secure-dx) | pixelmonkey.org – alter or abolish?[...]…

By: Chris

Chris — Thu, 25 Aug 2011 02:37:50 +0000

Nice… from mail1.secure-dx.com ([178.32.180.61]) by imta26.westchester.pa.mail.comcast.net with comcast id QAMi1h00L1Ksfjm0SAMice; Wed, 24 Aug 2011 10:21:42 +0000

I thought someone had stole my identity, and was phishing passwords…

By: pligg.com

pligg.com — Sat, 20 Aug 2011 11:46:25 +0000

secure-dx) | pixelmonkey.org – alter or abolish?…

» Chase’s completely insecure and broken “secure” document exchange system (aka securedx, secure-dx) | pixelmonkey.org – alter or abolish?…

By: Dustin

Dustin — Wed, 06 Jul 2011 14:12:43 +0000

Glad that this post is as trafficked as it is. As a heads up to your readers, Fifth Third Bank just started using secure-dx, and like many others my reaction was the same. Thankfully I checked with my bank, and stumbled across your blog. Appreciate the work!

By: Khris

Khris — Fri, 01 Apr 2011 19:52:19 +0000

Thanks for the initial post and detail on this. The fact that this is not a big phishing scheme baffles me. The website is totally legit and I still cannot believe it. At least it is now a sub-domain of Chase.com. Sheer Madness!!

By: pixelmonkey

pixelmonkey — Wed, 30 Mar 2011 02:42:00 +0000

@Heggie thanks, glad you found the post to be helpful

By: Heggie

Heggie — Tue, 29 Mar 2011 03:49:37 +0000

thanks for the post Andrew, kudos for the write up.. ther two Chase sdx emails look completley like a phishing scheme, and my paranoia ratcheted up just as yours did.. so glad I found your post. nice work.
-not a software engineer but knows enough IT to recognize a bad design..

By: Michael

Michael — Mon, 28 Mar 2011 01:14:55 +0000

Also got Chase’s streamlined re-fi offer in the mail and called the number given; also got concerned at the point they asked for birthplace etc. for security questions. Stopped at that point and did a double-check by looking at the Web page the rep suggested (www.chase.com/newlowerrate); unfortunately, it DOESN’T show any phone numbers! Probably because they have different call centers for different batches of offers; still, it just shows how easily a scammer COULD piggy-back on this legit process.

Anticipating that some scammer will try to do so eventually (the issues in this blog have hardly changed since mid-2009, right?), I recommend that everyone complete a little due diligence along the way — check the phone number, check that the link in the email goes to where it says it does, etc. In my case, calling the Chase Mortgage number and talking with a re-fi specialist did confirm that the offer and the rep was legit.

For the re-fi process, it appears (in)secure-dx.com is only being used to deliver loan documents for review, instead of snail-mailing printouts. Responses (incl. signatures) are via fax or email. So, not a big deal once you make peace with the preceding steps.

Apparently Chase trusts their automated document delivery to secure-dx.com more than via email. They did verify my identity every time I called, so they would be sure of the email address that I gave them to send the ID/password for secure-dx.com access to the documents they could have sent to that email address… but they sent the Authorization to Disclose Information form to that email address!

HELL, why not just post the documents in my online Chase mortgage account?!?

With decades in the field of systems design and development, I certainly agree this is the sloppiest process I’ve seen for a provider in a “trust” industry. (With a nod to the recursively weird World Wide Web, see the post by “motty” on Nov 25, 2009 about trust at http://www.metafilter.com/86980/Banks-are-too-big-to-fail-at-social-media which is in turn commenting on THIS page…)

By: barbara o

barbara o — Tue, 01 Feb 2011 20:08:27 +0000

Oops, that is, I HAD BofA accounts …

By: barbara o

barbara o — Tue, 01 Feb 2011 20:07:43 +0000

Chase are complete idiots when it comes to the web. I’m a web designer, and I can’t tell you how many times I’ve complained to them about how much their online interface SUCKS. I got these dumb emails too (thing is, I have not contacted Chase about any fraudulent purchases … ???) and reported them to abuse@chase.com figuring they were phishing. lol Hopefully they get the point. Looks like lots of other knowledgeable folks have done similar things. I have BofA, in fact switched accounts to Chase in 2009 after 15 years of banking with them cuz they were suddenly tacking all kinds of fees to my accounts. Well, Chase is not only doing the same exact thing now (despite claiming that they’d “never do this to their clients!” two years ago) but they suck big time when it comes to the online environment. Which is why I’m switching over to Schwab momentarily …

By: Rufus

Rufus — Fri, 28 Jan 2011 08:32:26 +0000

Incredible. My wife just went through the same bizarre process after unauthorized charges appeared on her card. Exactly the same as what is described here. Like everyone else, I googled secure.dx to try to get a fix on what sort of lame scam we had stumbled into.

By: Jeff

Jeff — Tue, 18 Jan 2011 15:41:15 +0000

ROFL!!! Amazing! I am currently in the state of paranoia doing whois lookups on secure-dx.com and emailing the fraud center to tell them someone outside the US is trying to scam their customers. This is absurd! Thanks for the post.

By: Brandon

Brandon — Mon, 03 Jan 2011 19:25:09 +0000

Thanks for posting this. I found your article when I looked up an 866 phone number calling my phone. I recently had unauthorized activity on my card, and went through a claims process identical to the one you described. Besides being disconcerted that my card was somehow being used without my knowledge (despite the fact that it was still on my person), I wasn’t tech-savvy enough (or didn’t have enough common sense, even) to be alarmed at the process for filing my claim verification online. I’m not sure what Chase was calling me about just now, but I’m relieved that I found your post and now feel enlightened about the oddness of their process, and also relieved of fears that this is a phishing scam. Again, thanks!

By: Tim

Tim — Mon, 03 Jan 2011 14:52:23 +0000

Another huge thank you for this post. Started to get really freaked out because we got a streamline re-fi offer from Chase Mortgage. I realized that I had no idea that the phone number I called was legit. Then the secure link comes from this dumb address and I really started to get worried, because this is rinky dink.

I never gave my social on the phone, and they seemed to know all the information they should have known, but still, let’s make people feel better, not worse with our secure communications.

I would have felt better if they’d just sent the pdf’s as an e-mail attachment.

By: Jim

Jim — Thu, 30 Dec 2010 14:34:10 +0000

WTF. Just received a similar email regarding our mortgage refi – not a minor transaction! And boy o boy, this makes me feel better:

http://secure-dx.com/

broken page, running IIS. nice. Oh, they forgot to program for non-www. nice. IT kings! Yeah, this system is ridiculous. OK, with the www, it redirects to isentry.com – which is who the domain is registered to.

They refer me to this site to explain how this is a top-level state of the art security system (that happens to reek of phishing)…

http://www.wolterskluwerfs.com/Content/Products/ProductDetail/Secure_Document_Exchange.aspx

“SDX Secure Document Exchange (SDX) provides a powerful, secure, and simple way for financial institutions to electronically transmit information and documents over the Internet. SDX employs industry-leading security, including PKI encryption and multi-level user authentication, to keep communications safe at every step of the process.”

Ya. “industry-leading security” like animated gifs are the cutting edge of graphic design.

By: Kate

Kate — Thu, 23 Dec 2010 08:47:57 +0000

OH, and the password isn’t “password” anymore….but, it’s still right there in the e-mail even if it is 43igsowtisf or something like that.

By: Kate

Kate — Thu, 23 Dec 2010 08:44:17 +0000

it’s december 2010 + this crap is still happening! omg! MONKEY, thanks for your post + investigation + suggestion. I’m just an end user, but with above average tech savy + this thing reads SCAM like crazy. + it’s not…that’s mind blowing. weirder–the call center in the phillipines that handles fraud charges were a disaster–didn’t know 11 was november, not october, sent me to regular customer service for someone to “read me my transactions” even with a fax from me on their screen already showing all the fraud charges, and even the manager who was generally good, omitted over $100 in charges until I insisted several times that his numbers were wrong. DISASTER!!! NIGHTMARE!!! + now they are adding all these rules to keep “free checking” —-I’M OUTTA THERE.

By: Evelyn

Evelyn — Thu, 09 Dec 2010 20:05:39 +0000

I love “Not phishing “. He/She is very detailed and is a wide thinker. ALso, I work for Chase and I know how these things worked, so it’s really legit as to what I can say. All these things on this website are clearly and perfectly just moans and cries of people who had been defrauded and lost all their money because of a fraudster, and not Chase. You guys should think more about it, you try not to use your card online frequently or maybe, just even the thought of ALL banks having the same issue. Why not do this. Type in to Google, “WAMU complaints” or “Wells Fargo bank complaints”. See guys, you’re not alone. The bank is here to protect your money, and even if you guys complain about it, All is in the REg E, and the government’s federal law that what these banks are doing (such as Chase) are all legit.

By: sue

sue — Tue, 02 Nov 2010 19:02:32 +0000

this is the second time my chase account has been used without my consent but I didnt have to do any of this the frist time! they did every thing over the phone and refunded all the disputed charges Im not doing this but I will be calling the bank back and telling them what I think

By: Nathaniel Jones Jr

Nathaniel Jones Jr — Sat, 25 Sep 2010 13:36:23 +0000

This about the Dish Network that was charged to my checking account on 9/24/10
for 180.00 dallars. That I didn’t know anything about.I don’t know anyone that has
Dish Network. I have Time Warner.