COMMAND
Chase Online Banking
SYSTEMS AFFECTED
Systems running Chase Online Banking (version 3.00, 11/14/97)
PROBLEM
Dorqus Maximus discovered a large security flaw in the Chase
Online Banking software. When you install the software, you can
select an offline password to run the program, so that
unauthorized people cannot look at your balances, number of
accounts, etc. (The software allows you to work offline, then
connect via modem when you want to initiate transfers, etc.)
Chase does not even encrypt the offline password, but rather
leaves it in plain text. For each user that uses the software,
there is a directory created with that username under the main
directory (i.e. C:\Chase\USERNAME).
If you have local access to the PC of a person who has this software
installed, you can get their offline password (which, odds are, is
their online password as well). Here's how to do it:
CD C:\WINDOWS (or wherever windows is installed on the machine)
EDIT COB.INI
and look for the following section (the file is pretty small):
[User List]
User1=USERNAME
User1DataPath=C:\Chase\USERNAME\
User1CustID=593845860683304858
LastUser=USERNAME
next,
CD C:\Chase\USERNAME
EDIT BANKSYS.DAT
and look for the User1CustID string (593845860683304858 in this
case); the word right next to it is the user's offline password.
You can now run C:\Chase\cob.exe and log in as the user with their
offline password. There's a good chance that the offline password is
the same as their online password. Once you are connected, you can
see their current balance information, make transfers, even make
payments.
SOLUTION
The Bank password was issued by Chase and changed by you the first
time you used Chase Online Banking. This password is only known
to you and is encrypted. The offline PC password is optional and
is designed to limit access to the Chase Online Banking Software.
If you choose to use the offline password, you should use a
password different from your Bank password. You can change your
passwords at any time by selecting "Password" or "Security" from
the file menu. However, Chase made an update of the offline
password feature in the software and we will distribute this new
version to all customers shortly.