Plaintext passwords in Chase Online Banking

dorqus maximus (dorqus@FREEK.COM)
Sun, 08 Mar 1998 02:15:57 -0500

I discovered a large security flaw in the Chase Online Banking software.
(version 3.00, 11/14/97)

When you install the software, you can select an offline password to run
the program, so that unauthorized people cannot look at your balances,
number of accounts, etc. (The software allows you to work offline, then
connect via modem when you want to initiate transfers, etc.)

Chase does not even encrypt the offline password, but rather leaves it
in plain text.

For each user that uses the software, there is a directory created with that
username under the main directory (i.e. C:\Chase\USERNAME).

If you have local access to a persons PC who has this software installed
on their computer, you can get their offline password (which odds are is
their online password is well)

Here's how to do it.

CD C:\WINDOWS (or wherever windows is installed on the machine)
EDIT COB.INI, and look for the following section (the file is pretty
small)

[User List]
User1=USERNAME
User1DataPath=C:\Chase\USERNAME\
User1CustID=593845860683304858
LastUser=USERNAME

next,
CD C:\Chase\USERNAME
EDIT BANKSYS.DAT and look for the User1CustID string (593845860683304858
in this case), the word right next to it is the users offline password.

you can now run C:\Chase\cob.exe, and login as the user using their
offline password. There's a good chance that the offline password is
the same as their online password. Once you are connected, you can
make see their current balance information, make transfers, even make
payments.

I have not yet brought this to the attention of Chase, as I figured
I'd post it here first, then let them know that I have publicly disclosed
this information, so it will be in their best interest to fix it.

Dorqus Maximus