twofactorauth
Update Chase
Site name
Chase
Site URL
https://www.chase.com/
Update reason
The methods of 2FA that it supports have changed.
Additional information
While your listing is correct based on what their web site states:
> When you sign in for the first time or with a device we don't recognize, we'll ask you for your username, password and a temporary identification code, which we'll send you by phone, email or text message....

*https://www.chase.com/digital/resources/privacy-security/security/how-we-protect-you

I can definitively make the claim that is no longer the case based on my experience that changed last month, continuing today, along with my recorded call to them where they said the text/phone number for VOIP was removed, and they never even notified the customers that it was happening.
Before leaving them, I left them a message that included that link and line.
Issue Eligibility
- [X] The issue I'm creating is not a duplicate of an existing issue.
- [X] The issue I'm creating is not a duplicate of an existing pull request
I don't understand what you're trying to convey here @vindicatorr. Are you saying that someone social engineered Chase to remove 2FA on your account?
2fa.directory lists if a service provides 2FA to their customers, not how well customer service agents from that service respond to social engineering attacks. So if that indeed is the reason for your ticket I suggest you contact someone like Joseph Cox as they would be better suited to bring attention to such issues.
No no. There was no social engineering. The agent stated:
> that feature has been recently removed for the security of the account. So chase wouldn't allow you to use other numbers like Google numbers or Skype numbers.
When I asked when customers would be notified of such change, they said:
> You wouldn't be notified for this. We also remove the feature of you choosing your email as part of the authentication process. We only allow cellphone numbers as an option to receive the code.
This was all recorded, and I typed it out as I was listening to it again.
Now with all that said, I did post on Reddit about this, and a user mentioned they use VOIP (we are both using GV) and that it is still working for them: https://www.reddit.com/r/CreditCards/comments/tzcnts/alternative_to_chase_regarding_one_time/ so I can't explain why the agent is explicitly stating they only allow cellphone numbers, yet it still (presumably) works for that commenter. You'll see another user mention that it still works for them as well, but that other user that said VOIP didn't work for Citi, yet it does for that user.
It's all very strange. I had searched on Twitter and Reddit and saw other instances of codes no longer being sent to customers, so this is all very new indeed, as I stated about it having worked before last month.
What I can definitively say, from my own personal experience, "email" is no longer an option. On the login verification code page, you are given 2 (really 3) options: Text/SMS, Voice call (receive code by automated system), and technically the 3rd option is for you to call them to get the code.
Okay, so you'd like the email 2FA option removed and some note that SMS/calls to VOIP services aren't supported?
Correct, regarding "email 2FA". As for the VOIP aspect, I would say "yes" as well, but maybe hold off for a bit...
When Chase replied to my message, they stated:
> The phone number we have on file is listed as a home phone number, and we would be unable to send a text. The ability to receive codes to your email address is no longer available, which is for security.
Yet, I've been doing 2FA for the longest time without issue and only had the voice option left recently which finally went away altogether.
I'm giving them ONE chance, if it is related to their system having my phone number labeled as "Home" being the issue. The "one chance" is to have them change that "label" to "Mobile" so I can test if that will make it still work.
I'll keep you apprised about the outcome.
EDIT0: 2 days later, not looking good. As they only just today managed to switch the "label" to "Mobile" (which won't take effect for a few days according to them), the user I was corresponding with in that thread made an update today stating it's now failing for them. I figure I'll be able to definitively state the outcome in a few days.
So for an update, email is definitely not an option, verified again by an agent via their "secure messages". Yet a previous agent said the code could be emailed. No one there knows what they're doing.
Like I said, they changed the label from "Home" to "Home, Mobile" (I only asked for "Mobile"), and I managed to get the 2FA code via the "voice call" option just now. The Text/SMS option still won't send the code to my number.
We'll see how long this lasts, but I won't hold my breath, given how things had played out.
Just for shiggles, since I was looking for a comment I made before and was reminded of this, I DID manage to get a text/SMS from Chase just now. So I don't know if that relates to the "Home,Mobile" I mentioned before or what.