COMMAND

    Chase Online Banking

SYSTEMS AFFECTED

    Systems running Chase Online Banking (version 3.00, 11/14/97)

PROBLEM

    Dorqus  Maximus  discovered  a  large  security  flaw in the Chase
    Online Banking software.  When  you install the software, you  can
    select  an  offline   password  to  run   the  program,  so   that
    unauthorized  people  cannot  look  at  your  balances,  number of
    accounts,  etc.  (The  software  allows  you to work offline, then
    connect via modem when you want to initiate transfers, etc.)

    Chase  does  not  even  encrypt  the  offline password, but rather
    leaves it in plain  text.  For each  user that uses the  software,
    there is  a directory  created with  that username  under the main
    directory (i.e. C:\Chase\USERNAME).

    If you have local access to the PC of a person who has this software
    installed, you can get their offline password (which, odds are, is
    their online password as well).  Here's how to do it:

        CD C:\WINDOWS (or wherever windows is installed on the machine)
        EDIT COB.INI

    and look for the following section (the file is pretty small):

        [User List]
        User1=USERNAME
        User1DataPath=C:\Chase\USERNAME\
        User1CustID=593845860683304858
        LastUser=USERNAME

    next,

        CD C:\Chase\USERNAME
        EDIT BANKSYS.DAT

    and look for the User1CustID string (593845860683304858 in this
    case); the word right next to it is the user's offline password.

    You can  now run  C:\Chase\cob.exe, and  login as  the user  using
    their offline password.   There's a good  chance that the  offline
    password  is  the  same  as  their  online password.  Once you are
    connected, you can see their current balance information, make
    transfers, even make payments.
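    The storage weakness described above, shown beside a hardened form
    (an added Python example, not code from the advisory or from Chase;
    the password value and the record layout are constructed, the CustID
    is the one quoted above):

```python
import hashlib
import hmac
import os

ITERATIONS = 200_000  # PBKDF2 work factor; slows offline guessing


def store_plaintext(cust_id: str, password: str) -> str:
    """Weak form (what the advisory describes for BANKSYS.DAT):
    the password is written in clear text right next to the CustID,
    so anyone who can open the file can read it back."""
    return f"{cust_id} {password}"


def make_verifier(password: str, salt: bytes = b"") -> str:
    """Hardened form: write a random salt and a slow salted hash instead
    of the password. Reading the file no longer yields the password, and
    guessing is rate-limited by the PBKDF2 iteration count."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 salt, ITERATIONS)
    return f"pbkdf2-sha256${ITERATIONS}${salt.hex()}${digest.hex()}"


def check_password(verifier: str, candidate: str) -> bool:
    """Recompute the hash with the stored salt and compare in constant
    time, so timing does not leak how many bytes matched."""
    algo, iters, salt_hex, digest_hex = verifier.split("$")
    if algo != "pbkdf2-sha256":
        return False
    digest = hashlib.pbkdf2_hmac("sha256", candidate.encode("utf-8"),
                                 bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(digest, bytes.fromhex(digest_hex))


if __name__ == "__main__":
    # Constructed values: the CustID is the one quoted in the advisory,
    # the password is made up for this example.
    cust_id, password = "593845860683304858", "hunter2"
    weak = store_plaintext(cust_id, password)
    print("password readable from weak record:", password in weak)    # True
    strong = make_verifier(password)
    print("password readable from verifier:   ", password in strong)  # False
    print("correct password accepted:", check_password(strong, password))
    print("wrong password rejected:  ", not check_password(strong, "Hunter2"))
```

    A verifier only gates the program; the offline account data kept
    under C:\Chase\USERNAME would still need to be encrypted with a key
    derived from the password, or anyone with file access reads the
    balances directly.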

SOLUTION

    The Bank password was issued by Chase and changed by you the first
    time you used Chase Online  Banking.  This password is  only known
    to you and is encrypted.  The offline PC password is optional  and
    is designed to limit access to the Chase Online Banking  Software.
    If you choose to  use the offline password,  you should use a
    password different from  your Bank password.  You can change  your
    passwords at any time  by selecting "Password" or  "Security" from
    the  file  menu.   However,  Chase  made  an update of the offline
    password feature in the software  and we will distribute this  new
    version to all customers shortly.