Oh, great, e-mail notifications

| Comments (7) |
My United Mileage Plus Visa has just been taken over by Chase. In order to let me use their online site they want me to agree to the usual onerous terms, including:
1. Scope of Communications to Be Provided in Electronic Form. When you use a product or service to which this Disclosure applies, you agree that we may provide you with any Communications in electronic format, and that we may discontinue sending paper Communications to you, unless and until you withdraw your consent as described below. Your consent to receive electronic communications and transactions includes, but is not limited to:

* All legal and regulatory disclosures and communications associated with the product or service available through the Online Service for your Account
* Notices or disclosures about a change in the terms of your Account or associated payment feature and responses to claims
* Privacy policies and notices

2. Method of Providing Communications to You in Electronic Form. All Communications that we provide to you in electronic form will be provided either (1) via e-mail, (2) by access to a web site that we will designate in an e-mail notice we send to you at the time the information is available, or (3) to the extent permissible by law, by access to a web site that we will generally designate in advance for such purpose.

Now, this seems extraordinarily undesirable. Like many other people, I have heavy-duty spam filtering, which is why I prefer my notifications in paper form. That way I'm sure I get it. Unfortunately, Chase doesn't seem to want to give me that option.

Also, did you catch that clever bit about "a web site that we will designate in an e-mail notice we send to you at the time the information is available". So, basically, I'm just to read some e-mail that's supposedly from Chase and then go to a Web site where I key in my login information to get access to this alleged communication? Outstanding!

UPDATE: I just spoke to Susan ***** from Chase on the phone, and indeed there's no way to opt out of this feature. If you want to use the site you need to agree to these terms. I mentioned the phishing concern and she says "phishing e-mails are easy to spot" because they ask you to type in your information--not at all like what happens when I dereference the link that Chase gives me in their e-mail. When I do that they only ask for my username and password.


It sounds like a great tool for a phisher!

"This isn't phishing, we only ask for your username and password" :)

Yeah, a little more work as now you have to have your bot go access the account, but hey...

It's worse than that: (3) to the extent permissible by law, by access to a web site that we will generally designate in advance for such purpose.

Which means they won't send you notices at all, you have to go every day, or several times a day, to look at their website to see if your card now carries a $100-per-transaction "consumer convenience fee." That's assuming you can get to their site through your employer's nanny filter or that you reach their site instead of some DNS-cache-poisoner's phishing site when you use a cybercafe.


I am so glad in my heart that my little credit union is allowing me to bank by the secure US Postal Service, protected by the brave postal people.


Chase is not the only company that has this problem. I've gotten messages from places like
Consumer Reports and m-w.com that looked for all the world like real phishing attempts. These were a couple I was bored enough to investigate, anyway. The CR message redirected to a link asking for information (incl. cc) to renew a subscription. In both cases, the link url domains and whois information did not "match." I was eventually told by someone at the respective companies that the messages were "the real thing."

You may find the following presentation entertaining and/or depressing:


This talk, given last year at the APWG meeting in San Jose, displays a series of actual customer communications from legitimate financial institutions, shows how well they impersonate phishing messages, and makes some observations on how this is training consumers to be susceptible to phishing. Powerpoint on Windows may be required to hear the audio narration.

In general, for consumers to distinguish between legitimate communications and phishing, they actually have to be different. All too often under current practices, the differences are too subtle for a typical consumer to discern.

Well, given the most recent guidance by the OCC - simple social engineering attacks like phishing will get much more difficult to perform successfully.

Anecdotally, large financial institutions are claiming that phishing is less of an issue as crime committed by the "trusted agent" - a family member or such...

Finally, I do agree that banks tend to mix marketing and business way too much. Phone calls, emails, and even letters from my bank asking me to buy something else is annoying and intruding.

Hey, they just emailed me: http://pi1.informatik.uni-mannheim.de/phleisch/pmails/show/33

And their Website at http://www.jangup.com/scv_board/BANNER/index.html looks sooo nice. Only username and passwort. So it can't be phishing, can it?

Leave a comment