39 thoughts on “Chase ‘Glitch’ Exposed Customer Accounts”

  1. Dave Horsfall

    Perhaps it’s just me (being an apostrophe freak) but I parsed “one of their writers’ spouse” as “one of their writer’s spouses”…

  2. Mark

    No. But “the spouse of one of their writers” would have worked.

  3. ted

    It would be more reassuring if they used 2FA for every login.

    1. Stephen Harris

      2FA wouldn’t have helped; it was a backend issue. “Fred logs in; we know it’s Fred. But we’re showing Harry’s data”. 2FA would not stop that.

      1. ron

        Agree. I work in the financial software biz; this was a session-state loss. I’ve seen it happen before. It’s big news when it happens to a Chase.

  4. Dennis

    It’s interesting. Did I misread it, Brian, the only affected people were the ones using their mobile app, right? And whoever used the desktop web browser did not experience the bug? If so, there’s a bigger issue at play there. A caching server glitch would not explain why it wouldn’t propagate the same bug to the desktop site. What may be the cause here is that all processing of customer logins was done on the client side by the mobile app. Which is REALLY REALLY bad if that is the case. But hey, that has been done before, right 🙂

      1. Stephen Harris

        This really sounds like some session ID cache re-use issue. Chase is one of the biggest consumer banks in the US and they revamped their backend a few years back to be more API driven. All it would require is some b0rken memcached or similar layer to cause this type of issue.

        1. Alex

          I work for a middleware software company and have been to no less than 5 different financial institutions in the last 18 years that were affected by users seeing other users’ data. A couple of the cases were due to the session id cache entry not being properly cleared before reuse (one was an internally app-managed session id cache, the other was the middleware product); the other 3+ cases were all due to session id mishandling by the application, where they did not understand multi-threaded programming (which is a complex topic) and thus introduced a bug into the app. The latter problem always occurred after a new version of the application was deployed, and the failback was to revert to the previous version of the application.

          These problems are difficult to troubleshoot and reproduce in test as it only affects a very small part of the user population (being a timing issue, the timing had to be just right to hit the bug). More sophisticated middleware application servers have automated session crossover detection now, so I’m a bit surprised that as many users detected the bug, because running on a modern app server they should have seen the bug in the logs and immediately failed back to the previous app version. So maybe they moved to some open source platform, as they tend to not have such robust capabilities as session crossover detection.

          1. Bruce Hobbs

            Shouldn’t the session id cache entry have a large enough id number (2^64) that any given id number would not be reused for at least a thousand years? That sounds like basic programming to me!

            1. Alex

              The session id may be different but the block of memory it is using is what is corrupt (containing someone else’s info). So the id may not be reused in thousands of years but the same block of memory gets reused over and over. Thus the “cache”.

              1. Dave Horsfall

                So the block of memory (that contained some sensitive information) wasn’t cleared before being freed? Now *that* is a basic programming blunder.

          2. CodeReader

            Exactly what I suspected. One can put all the authentication and security on transport, but if the session handling is shoddy, it’s the end!

      2. Beth

        I just received a letter from Chase stating that they were sorry for giving incorrect information on my 1098 and would be sending an updated and correct 1098 by March 15th. The next paragraph stated, in the same nonchalant wording, that they were also sorry to have mailed a copy of my previous 1098 to another individual, with my name and account information on it. The letter stated that the information release was not concerning. Basically, stating that it wasn’t serious because it didn’t include my social security number. Strangely similar to the current online issues, huh? Also, last week I received a letter from Chase with my address but another person’s name. I thought it was strange, but put it back in the mailbox, return to sender, no person by that name at this address.
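The mechanism Alex and Dave Horsfall describe above (a pooled session record handed out again without being scrubbed, so a correctly authenticated user is shown the previous user’s data) and the “session crossover detection” Alex mentions, as an added example. This is illustrative code written for this page, not Chase’s code and not anything from the comments; the account records, the pool, the handler names and the owner check are all constructed.

```python
"""Session crossover from an uncleared pooled session record, and the check
that catches it.  Added example: the pool, the handlers and the account data
are all constructed for illustration."""
from typing import Any, Dict, List

# Constructed sample data standing in for two customers' backend records.
ACCOUNTS: Dict[str, Dict[str, Any]] = {
    "fred":  {"owner": "fred",  "balance": 1200,  "card_last4": "4242"},
    "harry": {"owner": "harry", "balance": 16000, "card_last4": "9999"},
}


class RecordPool:
    """A fixed pool of reusable dicts, modelling a pooled session-cache slot.

    With clear_on_release=False the dict keeps whatever the previous session
    stored in it: the "same block of memory reused over and over" problem.
    """

    def __init__(self, size: int, clear_on_release: bool) -> None:
        self._free: List[Dict[str, Any]] = [dict() for _ in range(size)]
        self._clear = clear_on_release

    def acquire(self) -> Dict[str, Any]:
        return self._free.pop()

    def release(self, rec: Dict[str, Any]) -> None:
        if self._clear:
            rec.clear()            # scrub before the slot can be handed out again
        self._free.append(rec)


def render_dashboard_vulnerable(pool: RecordPool, authed_user: str) -> Dict[str, Any]:
    """Request handler that trusts a warm pooled record.

    Authentication is correct (authed_user really is the caller), but any data
    already sitting in the slot is treated as a cache hit for this user.  If
    the slot was not cleared, the previous user's accounts are rendered.
    """
    rec = pool.acquire()
    try:
        if "accounts" not in rec:                       # BUG: keyed on slot, not user
            rec["accounts"] = dict(ACCOUNTS[authed_user])
        return {"logged_in_as": authed_user, "data": rec["accounts"]}
    finally:
        pool.release(rec)


def crossover_detected(rec: Dict[str, Any], authed_user: str) -> bool:
    """Crossover check: the owner stored in the record must be the authenticated user."""
    accounts = rec.get("accounts")
    return accounts is not None and accounts.get("owner") != authed_user


def render_dashboard_hardened(pool: RecordPool, authed_user: str,
                              audit_log: List[str]) -> Dict[str, Any]:
    """Same handler with a crossover guard: a stale slot is logged and discarded
    instead of displayed, whether or not the pool scrubs on release."""
    rec = pool.acquire()
    try:
        if crossover_detected(rec, authed_user):
            audit_log.append(f"crossover: slot held {rec['accounts']['owner']!r}, "
                             f"request authenticated as {authed_user!r}")
            rec.clear()                                 # fail closed: never serve stale data
        if "accounts" not in rec:
            rec["accounts"] = dict(ACCOUNTS[authed_user])
        return {"logged_in_as": authed_user, "data": rec["accounts"]}
    finally:
        pool.release(rec)


def demo() -> Dict[str, Any]:
    """Fred logs in, then Harry is handed Fred's slot; compare both handlers."""
    leaky = RecordPool(size=1, clear_on_release=False)
    render_dashboard_vulnerable(leaky, "fred")
    harry_sees = render_dashboard_vulnerable(leaky, "harry")

    log: List[str] = []
    leaky_guarded = RecordPool(size=1, clear_on_release=False)
    render_dashboard_hardened(leaky_guarded, "fred", log)
    harry_guarded = render_dashboard_hardened(leaky_guarded, "harry", log)

    return {
        "vulnerable_shows": harry_sees["data"]["owner"],    # "fred": crossover
        "hardened_shows": harry_guarded["data"]["owner"],   # "harry"
        "audit_entries": len(log),                           # 1
    }


if __name__ == "__main__":
    print(demo())
```

Scrubbing the slot on release (`clear_on_release=True`) fixes the vulnerable handler on its own; the owner check is the belt-and-braces layer that turns a repeat of the bug into a log entry and a fail-closed response rather than a customer seeing someone else’s balance.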

  5. Sudhakar

    “Weller urged customers to ‘practice good security hygiene’ by regularly reviewing their account statements, and promptly reporting any discrepancies.”

    Classic company response… push the responsibility onto the customer even if the company makes the mistake.

    1. Artis

      Sudhakar, your bank can’t verify 100% of all your transactions or decide on your behalf which are fraudulent and which aren’t, so if you wish to have a better user experience, work with your bank as a team. In case of fraud or any other financial loss, they are still liable.

      1. Rafael

        Have you ever worked with a bank on fraudulent transactions?
        There are fraudulent transactions caused by the bank itself, including random fees, but the bank won’t reimburse you if you don’t notice those within a certain timeframe.

        With respect to the customer having to work with a bank on a UI, do you know the difference between a UI and the functionality? This is not an interface issue. This screw-up is the direct result of the bank constantly cutting costs. Many software teams within Chase don’t have a separate QA. The developer has to develop, and the same person tests, deploys, validates with the end user, and supports the code.
        Chase is not a mom-and-pop operation, it’s a $95 billion a year company, but they cut costs every year. Many App Dev Mgrs have to decide every year which servers to decommission (just for cost cutting, not for technical upgrades). There are not a lot of lower-level environments. The developer is at the bottom of the food chain at Chase. Even the people doing deployment with zero technical skillset take advantage of developers’ misery, even though they can’t even open a registry or a shared folder on their own, and the developer has to sit through the whole deployment and validation to instruct each action.

        Chase’s way of development is to squeeze developers and then keep squeezing, make the developer do everything including testing, and if there is an issue, blame the developer.

        While this is a tricky issue, if you have proper application-level testing, then integration testing, and then performance testing, each by a different team, it most certainly would have been caught before the release.

        The problem is their constant need for shoring up the bottom line by cost cutting even in a climate of healthy top-line growth; many developers who could leave Chase have done so, and the talented people remaining have to play multiple roles to compensate for others who don’t know how to do their jobs and for the constant cost cutting from the bank.

        1. Jay M.

          Agree. During the time I spent with them, the managerial changes were almost always coup-styled. Someone from an unrelated industry will “impress” a top-level manager like a CTO and he will be given control of that unit; all managers in the whole lineup would be forced out (including those with decades of experience) and the new guy will bring in his people, who usually don’t know anything technically. Those people then hire developers and others, and you can imagine how that’d go. There is no due process at such a large bank. An entire unit is treated like someone’s property. If you don’t or can’t get involved in cutthroat office politics, you can’t move up.

  6. Charles

    This is interesting. Just this a.m. I received one of those spam emails from what is supposed to be Chase Bank to verify my account info. The URL of the site attached has no Chase name, and I have no relationship with them. Just saying, coincidence???

    1. zboot

      Not a coincidence. Think about it. If you’re a scammer, this is the perfect time. Same reason you get an influx of spam mail selling official looking services when you buy a new house, get a new credit card, etc. You are temporarily primed to expect such communication and so, will be less likely to notice something amiss.

  7. knower

    The Titanic ship was built by Chase Manhattan bankers, to get rid of the… opposite!! So it’s the same team… trotsies
    Who knows what I’m talking about, they know, it’s all good in da hood

    1. CK

      This isn’t Facebook…why bother commenting with nonsense?

      Seriously if you have nothing to add to the discussion, don’t you have anything better to do?

      1. offcourse

        I’ve got nothing better to do, but I always like to add something 😀
        I’m like an internet troll, I like trolling and making others nervous :D I enjoy trolling a lot :)

  8. Susan Suid

    My husband’s account and my account (two different account numbers) were both hacked by Venmo transactions totaling over $5000 on 2/20 – 2/21. No one at Chase mentioned this issue when we called security regarding the hacks, and no one mentioned this at the branch when we went in to freeze our accounts. So guess what – Chase loses the money involved, and they also lose long-time (over 25 years) customers.

    1. CK

      How is Chase responsible if your Venmo accounts were hacked?

      Venmo is owned by PayPal

      Did you have the Chase accounts linked to Venmo?

      1. Bruce Hobbs

        No, the account was likely linked by the scammer. Chase wouldn’t have known it was fraud until Susan notified them. It appears she expected them to be clairvoyant.

      1. Stephanie

        I wouldn’t be so sure. I also had many Venmo transactions on my fairly NEW Chase account this morning. They were definitely fraudulent. I found this article while Googling the problem.

  9. Don Clifford

    Users can check what systems have accessed their accounts in their “Manage Account Security” portion of their security settings. It tracks which devices accessed your accounts, and keep an eye out for any you don’t recognize. You can see any activity from the last 90 days. You can also turn on alerts to text you for account activity.

    1. vb

      That would not help in the case of this “glitch”. I think the setting you reference only shows “devices that logged in to your account,” not “devices that accessed your account”.

      The glitch described here was logging into one account and accessing another account.

      1. CB

        The “Device Access History” specifically states: “Track which devices accessed your accounts, and keep an eye out for any you don’t recognize. You can see any activity from the last 90 days.”

        That said, I don’t hold any hope that this screen will tell me if someone else accessed my account under these circumstances.

        I would like to see an update from Chase letting us know if /when they determine which accounts may have been accessed and that they are notifying individual customers.

        Additionally, I would like to see them specifically notify ALL of their customers about this “glitch.” It’s great to read about it through other online sources, but Chase needs to do this for all their customers to increase awareness.

        1. Alex

          You are probably correct that the device access history probably will not contain any entry related to the other user’s data. Thus the compromised user won’t know. I would guess device access history is only logged when the user logs into their account and it would have been the other user’s login instead of the one they are actually seeing on screen.

  10. Wolf

    Chase blocked my credit card 3 times last week for so called “suspicious activity”. 1st time for doing business with a new to me merchant. 2nd and 3rd time for shopping at a grocery store where I had been using my credit card for over 30 years. Bottom line, Chase security is a joke! They have no clue as to what they are doing!

      1. Wolf

        No, good security is not a joke, but Chase security IS. Blocking my personal transactions 3 times in 5 days is NOT good security! It is a JOKE! In over 40 years I’ve never experienced fraud on my cards because I practice “good security”. So feel free to practice your sarcasm elsewhere!

  11. DA

    I have a feeling I know whose account that was, that $16K in credit card balances..

  12. RC

    Found a security vulnerability in the verification process :-). After failing twice to self identify you get prompted with the option of trying again in 72 hours. But if you back out to the page where it mentioned you failed the verification, click the “opt-in in person” and then at the bottom of the page click “verify online”. You get to try again for a third time. I cannot confirm, but maybe you have an unlimited number of tries…
