Re: Plaintext passwords in Chase Online Banking

dorqusFREEK.COM

• Messages sorted by: [ date ][ thread ][ subject ][ author ]
• Next message: Chip Salzenberg: "Re: Perl bugs (was Re: another /tmp race: `perl -e')"
• Previous message: Theo de Raadt: "Re: another /tmp race: `perl -e' opens temp file not safely"
• In reply to: dorqus maximus: "Plaintext passwords in Chase Online Banking"

This is the text of an email that I sent to Chase Customer Service with
regards to this problem:

 Date: 3/8/98
 Subject: Security flaw in the software

 Hi.  I have discovered that the users offline password is kept in plain
 text in a file on the PC.  This is pretty bad, as I am sure that a lot of
 times the users offline password is the same as their online password, so
 all someone needs to get access to someone elses accounts is a few
 minutes alone wiht someone's PC who has the software on it.  It is a trivial
 matter to get the plaintext offline password, and it requires no special
 tools or programs.  I have exact details on how to do this, and I have
 already posted the directions to a full-disclosure security list.

 Please let me know what you are planning to do about this, as this is
 obviously a major problem.  If the PC side of the software is insecure,
 how can I be guaranteed that the server side is secure as well?

We'll see what reply I get from them (if any)

Dorqus Maximus

• Next message: Chip Salzenberg: "Re: Perl bugs (was Re: another /tmp race: `perl -e')"
• Previous message: Theo de Raadt: "Re: another /tmp race: `perl -e' opens temp file not safely"
• In reply to: dorqus maximus: "Plaintext passwords in Chase Online Banking"