RE: [Full-Disclosure] http://www.chase.com/ vulnerability

From: James Patterson Wicks (pwicks_at_oxygen.com)
Date: 05/29/04

  • Next message: Cory Donnelly: "[Full-Disclosure] Re: rsynd-too-open.c posted on fd is backdoored. Don't run it!!!" 
    To: gauntlet@nym.hush.com, "Perry E. Metzger" <perry@piermont.com>, full-disclosure@lists.netsys.com
Date: Sat, 29 May 2004 10:38:45 -0400

    The Chase home page has been like this for over a year. I was a bit
    worried after the change, so I just bypassed it. If you feel more
    secure logging in on an SSL page, just do the following:

    1. From the Chase home page, click on the lock icon next to the words
    "Access My Accounts"

    2. On the page that appears, click on the "Log On Now" box sitting in
    the left border.

    3. You will then arrive at the old login screen with the little golden
    lock icon. Log in and feel secure.

    Since Chase changed this page over a year ago, I'm sure we would have
    heard something if the Chase site was being exploited.

    -----Original Message-----
    From: full-disclosure-admin@lists.netsys.com
    [mailto:full-disclosure-admin@lists.netsys.com] On Behalf Of
    gauntlet@nym.hush.com
    Sent: Friday, May 28, 2004 3:24 PM
    To: 'Perry E. Metzger'; full-disclosure@lists.netsys.com
    Subject: RE: [Full-Disclosure] http://www.chase.com/ vulnerability

    Many financial institutions do the same thing.

    www.americanexpress.com:

    Security is important to everyone!

    Please be assured that, although the home page itself does not have an
    "https" URL, the login component of this page is secure. When you enter
    your
    User ID and password, your information is transmitted via a secure
    environment, and once the login is complete, you will be redirected to
    our
    secure area.

    If you wish to speak further with a technical specialist, please feel
    free
    to contact American Express Online Services at 1-800-297-1234, 24
    hours/7
    days. If you are outside the United States, please call collect at
    1-336-393-1111.

    ---------------

    Rob

    _______________________________________________
    Full-Disclosure - We believe in it.
    Charter: http://lists.netsys.com/full-disclosure-charter.html

    This e-mail is the property of Oxygen Media, LLC. It is intended only for the person or entity to which it is addressed and may contain information that is privileged, confidential, or otherwise protected from disclosure. Distribution or copying of this e-mail or the information contained herein by anyone other than the intended recipient is prohibited. If you have received this e-mail in error, please immediately notify us by sending an e-mail to postmaster@oxygen.com and destroy all electronic and paper copies of this e-mail.

    _______________________________________________
    Full-Disclosure - We believe in it.
    Charter: http://lists.netsys.com/full-disclosure-charter.html

  • Next message: Cory Donnelly: "[Full-Disclosure] Re: rsynd-too-open.c posted on fd is backdoored. Don't run it!!!"