Dave Burke : Online Community and Social Business Specialist

A Geek's Rationale for Closing a Credit Card Account

For the last several years I've had 3 credit cards.  One of them was a Chase MasterCard I opened to use with Circuit City's Rewards program. 5% of each purchase accumulates to use with future purchases.  I thought it was a smart program, so I started buying at Circuit City.

Last week I read somewhere how a number of banks and financial institutions have security design flaws on their websites putting their users at risk.  I hadn't checked on my Circuit City and Chase accounts for a while (cause I hadn't bought anything electronic for ages), so I thought I'd pay a visit.

I went to log in and saw the URL

http://www.chase.com/ccp/index.jsp?blah-blah

You're kidding me.  I'm going to send my username and password on an open wire when logging into my credit card account?  Unbelievable.  This tells me that Chase doesn't care about my business, and neither does Circuit City, another reason why the company is heading into the toilet.

Interestingly, here's a forums thread started on 8/20/2008 on DSLReports.com titled "Chase Bank responds to Website Security Design Flaws."  Apparently Chase "is again using SSL for its main webpage and login from that page," but that doesn't apply to its credit card services.

So I called Chase then and there to close my credit card account.  I mentioned the online security problems with the friendly rep responding, "I can explain how the online system works..." "No, you don't understand," I told him.  "No secure login to either my Chase Rewards account or Chase credit card account. That's just way too incompetent for me to trust my business with you."

Sometimes you have to listen to your inner-geek.  Down to two credit cards.


Posted on 9/5/2008 8:56:32 PM by Dave Burke
Categories: Everyday

Comments (6)

9/6/2008 1:46:11 AM

It's no better here in the UK.  My bank only allows alphanumeric passwords (no symbols).  Once you've entered your password you have to give the xth, yth and zth characters of your "memorable information", but they refuse to allow you to give yourself any kind of "hint" for your memorable information.  Because I infrequently used the online banking, every time I did I had to call up and reset my "memorable" information.  I did not go down the Post-it note route, but many others would.

The stupid thing here is they fail on both security and usability - yes allowing a memorable information "hint" does reduce security slightly, but it considerably increases usability, and considering they don't allow symbols in their passwords, the security argument doesn't wash with me.

Unfortunately I'm stuck with them for various geographical reasons, but I have canceled my online banking account as I don't trust it, especially since my first phishing email in three months was "MY BANK Online Security Notification".  It's too much of a coincidence for me to believe it is coincidental.

Alex, United Kingdom

9/6/2008 5:07:40 AM

Thanks for sharing that, Alex.  Actually--and I probably should have mentioned this--one of the reasons I went back to check out Chase's security with my account is that I received a similar phishing email...from Chase!  So I felt the same as you on the coincidental nature of the email and Chase's lack of security.

Dave Burke, United States

9/6/2008 11:40:19 AM

Hey Dave, I went to the Chase site and it has auto-redirection to https, in fact it won't let you use http at all.  I do see remnants that this was not always so, as the "Log On" box does submit to an https site, which does mean that the login is secure.  Even if this home page was http, the login information would not be sent from your browser to the server until an https connection had been established.

Bill Bosacker, United States

9/6/2008 2:10:25 PM

Oh, Bill, you're always such a smartie pants!  I went back to the Chase login and verified what you're saying, but I'll have to think through your claim of the login being secure. What about the initial transmission of the login info to the HTTPS redirect page?  Thanks for sharing your thoughts on this.

Dave Burke, United States

9/6/2008 3:23:59 PM

Hey Dave, np.  Most people haven't bothered to really find out what is going on behind the scenes, but if the form action is an https page the browser will initiate the SSL communication before sending the request to the server.  Only after the SSL connection is open will the page request be sent.  The actual page request is encrypted into a single BLOB of data that can only be decrypted by the SSL certificate on the server.  There is no plain text URL available, no cookies, nothing but the BLOB (which has all these objects inside of it) and the TCP packet headers.

Bill Bosacker, United States

9/6/2008 3:37:04 PM

You always know the most extreme geeky stuff.  That's why I like having you around so much!  "will initiate the SSL communication before sending the request to the server...then the page request occurs."  Hm, you've never steered me wrong before and this makes sense to me.  I won't worry about trying to http:// login after getting that phishing email from Chase then.  Thanks!

Dave Burke, United States


Copyright © 2013 Dave Burke.  All Rights reserved.