Chase Bank Helped A Hacker Gain Access to Steal My Identity & Money

Michael Morgenstern, MD
May 11, 2020

“Someone hacked into your bank account. Your identity was stolen and your Chase account has been compromised.”

That was the message I received on Friday morning on 5/8/20 at 10:06 AM, after picking up what was the second phone call from a number I didn’t recognize.

I had a secure password. It turns out that wasn’t enough. What happened, my analysis and recommendations to secure your account are documented below in this article.

A Secure Password Wasn’t Enough

How did I get hacked? I have two-step verification, a secure password — I mean I don’t have short, easy to guess passwords using my name like password123. My password is long, annoying to type in, with characters that are difficult to name like: ~ — Is that Tesla? Hilda? Maybe tilde?

Why am I the Target?

I’m a physician, investigating Corona-Virus. I don’t have time to spend my days dealing with a cyber-virus. It turns out that was what I would be doing this Friday morning. Let’s back this up a little.

8:00 AM: I’ve started my day reviewing academic articles on viral correlations related to epidemiological causation analysis. But this is not a story about my Coronavirus research or Medwiser, a nonprofit working with volunteers on, among other things, a big data project to project and prevent future coronavirus infections; it’s a story about what transpires after Chase Bank calls me to let me know I’m a victim of identity theft. It’s a story I’m writing to get answers from Chase management and to let you know about steps you can take to make sure the same doesn’t happen to you.

9:54 AM: Caller ID from 888–373–1969 (that’s the actual number). I ignore.

10:06 AM: Same number calling again. OK. I’ll bite. Indulge me, hopefully the caller speaks English.

“Dr. Morgenstern this is John from Chase. You have been a victim of identity theft.” I sigh deeply. I have a feeling that this is going to consume the rest of my day.

How did this happen? What do you mean?

“Someone hacked into your bank account.”

Is this guy for real? I have a flashback. A day earlier, I had difficulty logging in to my Chase account, and I changed my password. At the time, I thought maybe it was some glitch. Now I’m thinking there’s more to it.

As the representative is looking through my account to answer questions, I quickly attempt to login to my account to see if it is still accessible, if money is missing? I can’t get in. Now the account is locked.

The representative says “It isn’t clear what happened, but, I can look into it. Can you confirm your address?”

I’m about to answer but I pause. What if this is the hacker? “How do I know you are from Chase?”

He provides me details about my account and says “if you feel more comfortable you can call back a Chase number.”

I need to be careful. John seems trustworthy. On the other hand, a good Con-Artist would too. I check my caller ID and enter John’s number into Google. John is dialing from a Robodialer number that is classified as “Severe” Robocaller. The website says I shouldn’t answer. Sounding suspicious, I tell John I will call back Chase.

First Denial. Then Some Anxiety

I’m not going to lie. Finding out you have been hacked or your account has been broken into is not fun. A lot of questions were going through my mind. What has this person stolen? Has he transferred money out of my bank account — money I need to live? Does he have access to other credit cards, other bank accounts? How did he/she/they get in? Is he currently logged into the same computer as I am? Could he be watching me through my video camera? How long is it going to take to get some of these questions answered? Too long.

Investigating Hacking is Time Consuming

I call Chase, but it took a while to get through to the right person. A “while” is an understatement. It took several hours and I still don’t have the complete story. Due to Coronavirus, it appears there are even fewer representatives available to speak. I get transferred from one department to the next, disconnected and each time, it seems like I have just lost at least another 20 minutes.

11:00 Representative 1: voice is muffled by wind artifact. Transferred back into queue.

11:26: Representative 2: Get disconnected.

11:58: Representative 3: “You called the Fraud department, you need the Consumer Protection Unit.”

12:24: Representative 4: About an hour later, I finally speak to the first representative with information for me:

  1. The perpetrator stole points, which will be restored, not money.
  2. They aren’t sure how they got into my account. They will investigate internally (I’m not so sure they will)
  3. Probably “your fault.” Of course. It’s always the consumer’s fault. At least 2/3rds of the time, I am told, it is from first hacking into your email (they know this because? think it’s made up). This implies that it’s only their fault 33% of the time (still that seems way too high to reassure me about a bank’s online security).
  4. I ask if the attacker called them by phone to gain access. I’m told “that attack was done online” (turned out: not exactly true)
  5. Do they have the IP address of the attacker? Yes — but that information can’t be shared.

Ask for a Supervisor

1:10 PM: Perhaps a supervisor could share additional details such as the IP address of the perpetrator? Turned out they had some useful information including:

  1. The hack was more extensive. More than one card was affected. They stole points from several credit cards so every card had to be replaced
  2. They did call Chase (either Online Technical Support or number from back of card) on 5/5/20 at 5:40 PM EST and asked to add an email address to the account — and with little verification — Chase added an email account.
  3. The account note records that all the hacker was asked to provide was a credit card number, security code and a zip code. After that weak link exchange, they added an email to the account that could be used to change the password.
  4. I can only get the IP address of the hacker, if I file a police report and have a police investigator call their law enforcement number (at least Chase was protecting someone’s information).

Inadequate Account Security

Probably sensing the information provided made it look like Chase had a flawed process, that would make it easy to break into any bank account, a process that was wholly inadequate, the supervisor offered, “it was possible” they may have asked for further information but that the note on file didn’t reflect it. Why would they record only some of the provided details and omit important ones?

Internal Audit & Investigation

Instead of staying idle during all the wasted time spent on hold (about 2 hours in total) I decided to conduct my own investigation:

  1. A Deep Virus Scan that took over 1 hour: found no virus on my computer.
  2. I changed linked bank email passwords
  3. Checked User logs from Chase, my linked email, and my computer.
  4. Chase User log shows — my perpetrator (Perp) logged in on Chase.com with a computer using a Mac Operating System (OS X 10_14_4).
  5. Hacker added 2 emails to my Chase account without logging into my primary email account
  6. Computer & Email User log review: Showed only one unique user. Same with email user log. No one accessed my email except from my unique device, my computer. This can be checked for every major email provider.
  7. Online Research — credit card numbers can be purchased on the dark web along with security cards and other information about users. All the information needed to conduct these hacks on anyone is available online (assuming the information Chase reps provided me from their logs was accurate)
  8. The weak link is often the representatives from different organizations that are vulnerable to being attacked as is shown in this CNN article and accompanying video below.
  9. A review of other accounts shows someone attempted to gain access to my wife’s Amazon account also but was denied access.
  10. Spoke to a friend who is a cybersecurity manager at a mid-size bank to share the story and gather his opinion.

Every major email system allows you to audit unique users on your account

Summarizing the Hacker’s Steps to Break in to My Chase Account

On 5/5/20 at 5:40 PM EST a hacker with my credit card number, security code and zip code obtained on the dark web, called Chase bank and convinced them to add an email to my bank account (let’s call it EZ2@BreakIn2Chase.com).

On May 7th at 6:51 AM ET, he logged in to chase.com online or called in to say he forgot the password. He requested a password reset, and a reset link was sent from Chase to his email EZ2@BreakIn2Chase.com. Using that email, he changed the password and then logged in to Chase online using a Mac OS. The user was able to access other linked credit card information and transferred points (with a cash value) from several credit card accounts, to his own account. Thankfully, this raised a flag inside of Chase resulting in my accounts being locked and the phone call I received from John from a “Robocaller” number.
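The sequence above can be written as a detection rule over account events. The following Python example is added here and is not from the original article or from Chase; the event fields, factor names, seven-day window and sample events are constructed assumptions modeled on the timeline described.

```python
from datetime import datetime, timedelta

STATIC_FACTORS = {"card_number", "cvv", "zip"}  # knowledge a card thief also holds
WINDOW = timedelta(days=7)                      # assumed watch period for new contacts

# Constructed sample events; minute-level times after the reset are invented.
EVENTS = [
    {"ts": "2020-05-05T17:40", "acct": "A1", "type": "contact_added",
     "value": "new@example.test", "verified_by": ["card_number", "cvv", "zip"]},
    {"ts": "2020-05-07T06:51", "acct": "A1", "type": "password_reset_sent",
     "to": "new@example.test"},
    {"ts": "2020-05-07T06:55", "acct": "A1", "type": "login", "known_device": False},
    {"ts": "2020-05-07T07:05", "acct": "A1", "type": "points_transfer"},
    # Benign account: contact added after an OTP to an existing phone number.
    {"ts": "2020-05-01T09:00", "acct": "B2", "type": "contact_added",
     "value": "b@example.test", "verified_by": ["password", "otp_existing_phone"]},
    {"ts": "2020-05-02T09:00", "acct": "B2", "type": "password_reset_sent",
     "to": "b@example.test"},
]

def detect_takeover(events):
    """Return {acct: [findings]} for resets sent to weakly verified new contacts."""
    weak = {}      # (acct, contact) -> time the contact was added
    tainted = {}   # acct -> time of the suspicious password reset
    findings = {}
    for e in sorted(events, key=lambda e: e["ts"]):
        ts, acct = datetime.fromisoformat(e["ts"]), e["acct"]
        if e["type"] == "contact_added":
            # Weak if every factor presented was static card data (or none at all).
            if set(e["verified_by"]) <= STATIC_FACTORS:
                weak[(acct, e["value"])] = ts
        elif e["type"] == "password_reset_sent":
            added = weak.get((acct, e["to"]))
            if added and ts - added <= WINDOW:
                tainted[acct] = ts
                findings.setdefault(acct, []).append("reset_to_weak_contact")
        elif acct in tainted and ts - tainted[acct] <= WINDOW:
            # Follow-on activity after the suspicious reset raises confidence.
            if e["type"] == "login" and not e["known_device"]:
                findings[acct].append("new_device_login")
            elif e["type"] == "points_transfer":
                findings[acct].append("points_transfer")
    return findings

if __name__ == "__main__":
    print(detect_takeover(EVENTS))
```

The first finding fires at the reset itself, before any login or transfer, which is the point at which the account could have been held for verification through an existing contact.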

Analysis of Hacking & Chase Flaws

1. The hacker transferred points rather than cash to remain under the radar. This is apparently a common tactic since individuals and banks more commonly notice cash balances changing than points. In general, I am told it takes 90 to 180 days for most individuals to realize they are missing points.

2. Chase facilitated the hacking. It appears that this hack was either facilitated by a Chase representative violating security protocols or a protocol that is extremely insecure. Why is this insecure? Think about how often you give out your credit card information, including zip code and security code. How many online vendors and stores have you done this with in just the past year? Some of those places have been hacked (of course they have). If that is the only information needed to gain access to a bank account, then it is very insecure.

3. Weakness in Chase’s two-step verification process. Chase’s two-step verification process does not allow you to restrict communication to only one medium such as a text message. It includes an email and a text number. It should allow users to take steps to limit access to a phone or email.

4. Adding an email should require two-step verification with an existing email or phone number (this might be the protocol that was violated in step 2).

5. Chase did a few things well: They flagged the account, called me, said they would replace the points, they replaced all credit cards and said they would ship them overnight.

6. Chase did more things poorly: It was not made clear by the first rep that the points from multiple credit cards were stolen or that they would be sending me multiple cards. I’m not sure if they knew this? The representative also omitted any information about the hacker calling to gain access to the account.

7. Chase should share more information about the hack: While Chase may claim that this article is inaccurate, it is based on the accuracy of the limited information I have been provided by their representatives. I requested additional information that was not shared with me (more on this below).

To Protect Clients Chase Should Share Information About Hack

Chase should help me identify the perpetrator by sharing an audio log (they “record your call for quality assurance”) and they should share the IP address of the hacker.

They have told me that they have the IP address but can’t share it with me. I wasn’t even going to ask about the audio recording, which I was sure they would not share. However, to ensure that I can take additional steps to protect myself and my contacts adequately, I need this information. Their reluctance concerns me. Is Chase concerned that providing these details would expose them to liability related to a lack of security? Is Chase concerned more about protecting the perpetrator than they are about protecting the integrity of their clients?

Chase — If I’m Right. Fix it & Reward me. Seriously.

While I anticipate some individuals in your organization might feel as though I am wrong or have avoided conventional routes by writing about this problem, I believe I am doing a public service, and, really by exposing this potential flaw, helping your organization and clients. Organizations like Facebook actually pay individuals to expose security flaws. While, operating with limited information, and while I could be incorrect, if I’m right and this article has exposed a security flaw, then you should seriously do the same by donating to a coronavirus charity, whose work has been delayed because of this distraction.

Keeping Your Account Safe

In addition to having secure, randomly generated, long passwords, stored in encrypted vaults and changing them routinely:

1) Add a verbal password to your account that needs to be provided when individuals call in and speak to a representative.

2) Use actual passwords for security questions or verbal passwords: Instead of using the name of your first pet, use an actual password and change it routinely. Your childhood best friend’s name, first car or pet’s name might be X*W&D#JDi instead of “Clifford”.

3) Use 2 step online verification and, if possible, try to limit this to only one phone number to receive a text. Avoid using emails or verification that can be checked/hacked into online.

4) Protect your phone with antivirus software and require a login for access.

Conclusions

In 2020, Hackers are everywhere. Banks should also take steps to eliminate human error contributing to security flaws. However, nothing is completely secure. Taking steps to secure weak links, especially for your financial accounts, can save you time and ensure that you are the only one with the flexibility to spend your hard-earned money.

Michael Morgenstern, MD

2x Board Certified Neurologist & CEO, Medwiser, COVID-19 truth teller, Researcher. Inventor. Investor. On Twitter @drmikeny