An open community 
of Macintosh users,
for Macintosh users.

FineTunedMac Dashboard widget now available! Download Here

Topic Options
#30151 - 05/24/14 10:21 PM chase.com security advisories
artie505 Online


Registered: 08/04/09
Two security advisories regarding chase.com:

1. Chase has finally gotten its act together and (silently) updated its user password policy to bring it more into line with the real world:

Your new Password:
  • Must be 7-32 characters long
  • Must include at least one letter and one number
  • May include some special characters or punctuation
  • Must not match your User ID or your previous five Passwords
So, if, as I have, you've been living with a password that's not as strong as you'd like, you can now strengthen it.

2. I was appalled to learn that the options to receive security alerts when
  • "My password has changed"
  • "My user ID has changed"
  • "My device has been approved"
are not set in stone, but are user option prefs located at Customer Center > Manage Account Alerts > Alerts available for (Dropdown) > Online Security.

Further, the first time I navigated to that location I found that all three prefs were turned off...that I had been at risk for quite some time.

Now, it's possible that I reeeally spaced out and turned those prefs off on my own, but it's also possible that Chase has them turned off by default; I therefore suggest that all chase.com users check theirs. (I'll appreciate feedback about their default state.)

I can't imagine why Chase thinks *anybody* would want to run without those prefs and has left them as user options?
_________________________
The new Great Equalizer is the SEND button.

Top
#30168 - 05/27/14 09:15 AM Re: chase.com security advisories [Re: artie505]
Ira L Offline


Registered: 08/13/09
Loc: California
So I checked my Chase.com alert settings, and the three security alerts you mentioned above were by default set to e-mail me if there were changes. Additionally I could choose to receive the notifications by text or by push through the Chase mobile app.
_________________________
On a Mac since 1984.
Currently: 27" iMacs, Macbook Air, macOS 10.14.x,; iPhones, iPods and iPads galore!

Top
#30170 - 05/27/14 11:14 PM Re: chase.com security advisories [Re: Ira L]
artie505 Online


Registered: 08/04/09
Thanks for that info, Ira.

I can't imagine having turned those prefs off - I haven't even got the slightest recollection of having ever visited their location - but...
_________________________
The new Great Equalizer is the SEND button.

Top
#30172 - 05/28/14 05:19 AM Re: chase.com security advisories [Re: artie505]
Pendragon Offline


Registered: 08/04/09
Loc: Georgetown, Texas, USA
Clearly, I'm looking in the wrong place...

I too have a Chase account, but am unable to find the settings mentioned. Where might those critters reside? confused
_________________________
Harv
27" i7 iMac (10.13.6), iPhone Xs Max (12.1)

Those who can make you believe absurdities can make you commit atrocities. ~Voltaire

Top
#30175 - 05/28/14 09:06 AM Re: chase.com security advisories [Re: Pendragon]
Ira L Offline


Registered: 08/13/09
Loc: California
Log in, then Customer Center>Manage Alerts. The resulting page has a pop-up menu that follows the phrase "Manage Alerts for…". The fact that you can change that menu to "Credit Cards" is not too terribly obvious, but once you do, you will see the alerts being discussed here.

The alerts under discussion seem to be available only if you have a credit card. Other alerts apply to bank accounts.
_________________________
On a Mac since 1984.
Currently: 27" iMacs, Macbook Air, macOS 10.14.x,; iPhones, iPods and iPads galore!

Top
#30178 - 05/28/14 12:04 PM Re: chase.com security advisories [Re: Ira L]
Pendragon Offline


Registered: 08/04/09
Loc: Georgetown, Texas, USA
Thanks, Ira. As you suspected, I was looking on the wrong place. Though I fail to understand why the default setting was as it was, and why the option to "fix" the issue is not readily apparent.

<Sigh>
_________________________
Harv
27" i7 iMac (10.13.6), iPhone Xs Max (12.1)

Those who can make you believe absurdities can make you commit atrocities. ~Voltaire

Top
#30180 - 05/28/14 12:08 PM Re: chase.com security advisories [Re: Pendragon]
artie505 Online


Registered: 08/04/09
What was the default setting that you don't understand, Harv?
_________________________
The new Great Equalizer is the SEND button.

Top
#30182 - 05/28/14 12:12 PM Re: chase.com security advisories [Re: artie505]
Pendragon Offline


Registered: 08/04/09
Loc: Georgetown, Texas, USA
Originally Posted By: artie505
What was the default setting that you don't understand, Harv?


I would have expected the default to automatically notify the customer when any of the following are changed; much as Apple does (I think).

"My password has changed"
"My user ID has changed"
"My device has been approved"
_________________________
Harv
27" i7 iMac (10.13.6), iPhone Xs Max (12.1)

Those who can make you believe absurdities can make you commit atrocities. ~Voltaire

Top
#30183 - 05/28/14 12:56 PM Re: chase.com security advisories [Re: Pendragon]
artie505 Online


Registered: 08/04/09
So your prefs were turned off! (Thanks for the clarification.)

I'm not certain what Chase's default is, because the first time (that I'm aware of, anyhow) I saw those prefs, mine were turned off, but Ira has reported that his were turned on, so I guess we're still up in the air.

But we're now at 2 to 1 on the turned off by default side. Booo!!!

Aside: I went through minor hell with Chase over this issue and the fact that user p/w's could not include non-standard characters; we exchanged a bunch of e-mails in which they repeatedly assured me how much Chase cared about customer security but never even acknowledged my points, that I had made them, or that they were being kicked upstairs for further consideration, and they finally told me that any further e-mails would be ignored.

I guess that I, although probably not alone, did make my points...points that should *never* have had to be made in the first place.
_________________________
The new Great Equalizer is the SEND button.

Top
#30185 - 05/28/14 01:13 PM Re: chase.com security advisories [Re: artie505]
joemikeb Offline
Moderator

Registered: 08/04/09
Loc: Fort Worth, Texas
Sounds as if you should consider changing banks.
_________________________
joemikeb • moderator

Top
#30186 - 05/28/14 01:45 PM Re: chase.com security advisories [Re: joemikeb]
artie505 Online


Registered: 08/04/09
Originally Posted By: joemikeb
Sounds as if you should consider changing banks.

Me, and a significant portion of the rest of America, but why? Despite its protestations, Chase has cleaned up its act in the areas I complained about...even gone beyond what I suggested!

My solution has been to "sandbox" Chase; I keep next to no money in my accounts there, and there are no connections (from inside chase.com) between them and my accounts with other institutions.

You sound smug; is it because you've explored every security option at every financial Website with which you deal and satisfied yourself that you're not at risk from weaknesses in any of them, or, more particularly, that you're totally happy with the security with which they provide you?
_________________________
The new Great Equalizer is the SEND button.

Top
#30194 - 05/29/14 08:09 AM Re: chase.com security advisories [Re: artie505]
joemikeb Offline
Moderator

Registered: 08/04/09
Loc: Fort Worth, Texas
Originally Posted By: artie505
You sound smug; is it because you've explored every security option at every financial Website with which you deal and satisfied yourself that you're not at risk from weaknesses in any of them, or, more particularly, that you're totally happy with the security with which they provide you?

I don't think it is possible to be totally happy with security in today's internet environment, but I am satisfied my financial institution (bank, broker, insurance) is doing their dead level best to stay on the cutting edge of security. They have been on the forefront of new security measures often months or even years ahead of the big nationals. The fact my major financial institution is run entirely by retired military, who are by training and nature very security conscious, probably helps. It also helps that as a mutual benefit association, they are answerable only to their customers and not beholding to Wallstreet or stockholders for costs or profits.

But any financial institution is potentially vulnerable, and the bigger they are the more tempting a target for exploitation they present. So it behooves the individual to be vigilant. In fact my financial institution stays on the member's case about security options they should be using not only with them but in general on the internet.
_________________________
joemikeb • moderator

Top
#30203 - 05/30/14 11:08 PM Re: chase.com security advisories [Re: joemikeb]
artie505 Online


Registered: 08/04/09
> ...I am satisfied my financial institution (bank, broker, insurance) is doing their dead level best to stay on the cutting edge of security.

Just like Chase, that couldn't be bothered to alert its customers that they could upgrade to safer passwords...even thinks they might not care to be notified if their user name, password, or registered computer has been changed. tongue

Sounds like you're in a more secure situation than most, though. cool

> So it behooves the individual to be vigilant.

Only to have that vigilance subverted by institutional negligence! frown

The Internet sure makes life easy, but in the balance, it makes us vulnerable to so many avenues of attack that I sometimes think it would have been nice if Al Gore hadn't invented it.
_________________________
The new Great Equalizer is the SEND button.

Top
#30205 - 05/31/14 02:39 AM Re: chase.com security advisories [Re: artie505]
ryck Offline


Registered: 08/04/09
Loc: Okanagan Valley
Originally Posted By: artie505
> So it behooves the individual to be vigilant.

Only to have that vigilance subverted by institutional negligence! frown

Yes, and sometimes you are exposed when, "shakey" from the point of their ability to be secure, vendors retain information without your knowledge.

The example I always think about was a few years back when I shopped at a local store that sold small appliance parts and paid with VISA. A couple of years later I returned to buy a refrigerator part and they had my VISA number on file.

Given the ability of hackers to get into major "secure" sites, I figured it wouldn't take too much to steal information from a local parts shop. I demanded they immediately remove the number.


Edited by ryck (05/31/14 02:39 AM)
_________________________
ryck

iMac (Retina 5K, 27", 2017), 3.4 GHz Intel Core i5, 8GB RAM, 2400 MHz DDR4
OS High Sierra 10.13.6
Canon MX712 Printer
Epson Perfection V500 Photo Scanner
Time Machine on 320GB OWC Mercury OTG Pro
Super Duper on 500GB OWC Mercury OTG Pro

Top
#30206 - 05/31/14 10:32 AM Re: chase.com security advisories [Re: ryck]
artie505 Online


Registered: 08/04/09
I've never run into a situation like that, but any time I enter my card number on-line I visit the site after my transaction has been completed and either determine that my number has been deleted or delete it myself. (Amazon is a major offender in that area.)
_________________________
The new Great Equalizer is the SEND button.

Top
#30207 - 05/31/14 03:44 PM Re: chase.com security advisories [Re: artie505]
ryck Offline


Registered: 08/04/09
Loc: Okanagan Valley
Originally Posted By: artie505
….any time I enter my card number on-line I visit the site after my transaction has been completed and either determine that my number has been deleted or delete it myself.

That's a great idea. Is it easy to do?
_________________________
ryck

iMac (Retina 5K, 27", 2017), 3.4 GHz Intel Core i5, 8GB RAM, 2400 MHz DDR4
OS High Sierra 10.13.6
Canon MX712 Printer
Epson Perfection V500 Photo Scanner
Time Machine on 320GB OWC Mercury OTG Pro
Super Duper on 500GB OWC Mercury OTG Pro

Top
#30208 - 05/31/14 04:11 PM Re: chase.com security advisories [Re: ryck]
artie505 Online


Registered: 08/04/09
You can generally manage your payment options through your account; that's how it works with Amazon (the only site from which I purchase that retains my number).

Many (most?) sites, Apple included, delete your card number immediately after your transaction has been completed.

And Amazon must know that their policy is offensive, because when you go to delete your card number they tell you straight-out that the deletion won't affect transactions, even uncompleted ones, for which it's already been used.

I very much prefer to buy from sites that accept PayPal, and I'm seeing more and more sites biting the bullet and doing that. (Edit: Small Dog and Jet Blue come to mind.)

Man, what a database that must be!

Edit: On occasion, I've actually paid a coupl'a bucks more for items purchased with PayPal rather than give up my card number.


Edited by artie505 (05/31/14 04:18 PM)
_________________________
The new Great Equalizer is the SEND button.

Top
#30209 - 06/01/14 08:25 AM Re: chase.com security advisories [Re: artie505]
ryck Offline


Registered: 08/04/09
Loc: Okanagan Valley
Originally Posted By: artie505
You can generally manage your payment options through your account; that's how it works with Amazon

Thanks. I'll be going to the site today to do that.

Originally Posted By: artie505
Many (most?) sites, Apple included, delete your card number immediately after your transaction has been completed.

I don't think that's the case with iTunes or the App Store. I've had cases where I made a purchase, but there were insufficient funds remaining in the account, and the difference showed up as a small extra charge on my VISA. Maybe that also needs to be dealt with in the account.

Originally Posted By: artie505
I very much prefer to buy from sites that accept PayPal...

I'm with you on that one. PayPal is always my first choice.
_________________________
ryck

iMac (Retina 5K, 27", 2017), 3.4 GHz Intel Core i5, 8GB RAM, 2400 MHz DDR4
OS High Sierra 10.13.6
Canon MX712 Printer
Epson Perfection V500 Photo Scanner
Time Machine on 320GB OWC Mercury OTG Pro
Super Duper on 500GB OWC Mercury OTG Pro

Top
#30211 - 06/01/14 05:05 PM Re: chase.com security advisories [Re: ryck]
artie505 Online


Registered: 08/04/09
I think you're correct about the iTunes and App Stores retaining card numbers, and I don't know if you can delete them. (I've never dealt with either and just plain forgot they exist.)

The Apple Store does not retain card numbers.
_________________________
The new Great Equalizer is the SEND button.

Top

Moderator:  alternaut, dianne, MacManiac