‘Some’ security just doesn’t cut it

JPMorgan Chase is big on security. If you try to access your online account from another computer, you first get an email verifying the request. But for those who have ever selected the “remember my user ID” check box (shown below), there is a huge security threat.

Chase - Remember my user ID

Once this has been selected, entering the wrong password takes you to an inner page where password confirmation is performed. Here are the 2 steps.

Entering wrong password:

Chase bank wrong password

Notice in the image above I entered a 4-digit password (which is incorrect).

For some reason the inner page automatically populates the password with the ‘correct’ password. Shown below is the 8-digit correct password:

Chase - forgot user id

All you (or anyone else trying to hack your account) need to do now is press ‘Log on’.

The truth is that I don’t know why the confirmation page auto-populates the password. And I don’t know how to turn it off, short of clearing the cache, which will remove all stored forms from all websites (I do not want this).

I bring this up because if a regulation/security-intensive organization like Chase can make this error, it is only fair to assume many, many retailers must be making the same usability mistakes.
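
The post does not establish whether the server or the browser's stored form data fills the confirmation field. The sketch below, an added example that is not from the original post or from Chase, audits a page's HTML for both possibilities; the sample markup, field names and finding labels are constructed for illustration.

```python
from html.parser import HTMLParser

# Constructed sample of a password-confirmation page (not Chase's markup).
SAMPLE_PAGE = """
<form action="/logon" method="post">
  <input type="text" name="userid" value="jdoe" autocomplete="username">
  <input type="password" name="pw" value="hunter22">
  <input type="PASSWORD" name="pw_confirm" autocomplete="off">
  <input type="submit" value="Log on">
</form>
"""


class PasswordFieldAudit(HTMLParser):
    """Collect findings for every <input type="password"> in a page."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag != "input" or a.get("type", "").lower() != "password":
            return
        name = a.get("name", "<unnamed>")
        # The server itself sent a password back in the markup.
        if a.get("value"):
            self.findings.append((name, "server-prefilled"))
        # No autocomplete hint: the browser may fill stored form data.
        # "off" is only a hint; browsers may ignore it for credentials.
        if a.get("autocomplete", "").lower() not in ("off", "new-password"):
            self.findings.append((name, "autofill-eligible"))


def audit(html):
    """Return a list of (field name, issue) tuples for the given HTML."""
    parser = PasswordFieldAudit()
    parser.feed(html)
    parser.close()
    return parser.findings


if __name__ == "__main__":
    for field, issue in audit(SAMPLE_PAGE):
        print(f"{field}: {issue}")
```

A "server-prefilled" finding points at the back end, while "autofill-eligible" alone points at data stored in the browser.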

2 thoughts on “‘Some’ security just doesn’t cut it”

  1. I’m amazed – that is a real security breach! Seems like a programmatic oversight on the back end. Kudos to you for finding it - I hope they’ve fixed it by now.
