Who Has Bad Security Practices? Chase Does!

Chase/BankOne/FirstUSA follow bad security practices. They send notification emails to credit cardholders using domains other than the obvious ones. (It’s bad enough that they do business under those three different URLs to begin with. A merger should either retain distinct brand identities and URLs or merge them, not expect consumers to remember which companies are parts of which other companies.)

The email comes from an address at cardmemberservices.com and directs the cardholder to log in there, as well. This is a bad idea, because this is exactly what phishers do. Financial institutions shouldn’t use other domains because doing so makes it harder to tell phish from real correspondence. It’s not sufficient that the email contains the cardholder’s name—in this epoch of internet scams, it’s not implausible that the scammers could have email addresses paired to names (or even to partial credit card numbers). An institution that doesn’t understand why it should have clear, unforgeable lines of identity in its communications signals that it doesn’t really understand IT security.
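As an added illustration (not code from the original post or from the bank), here is a small Python checker that applies the rule the post argues for: a notification is trusted only when both the sender address and every link in the body resolve to a known institutional domain, and the cardholder’s name in the greeting is deliberately ignored as evidence. The allowlist of chase.com, bankone.com and firstusa.com and the two sample messages are constructed assumptions for the example.

```python
import re
from email import policy
from email.parser import BytesParser
from email.utils import parseaddr
from urllib.parse import urlparse

# Hypothetical allowlist: the domains a cardholder would reasonably expect
# from these three brands (an assumption for this example, not from the bank).
TRUSTED_DOMAINS = {"chase.com", "bankone.com", "firstusa.com"}

URL_RE = re.compile(r"https?://[^\s\"'<>]+")


def registered_domain(host: str) -> str:
    """Reduce a hostname to its last two labels (naive; a real deployment
    would consult the Public Suffix List so that e.g. co.uk is handled)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def sender_domain(msg) -> str:
    """Domain part of the From: header, or '' if it cannot be parsed."""
    addr = parseaddr(msg.get("From", ""))[1]
    return addr.rsplit("@", 1)[1].lower() if "@" in addr else ""


def link_hosts(text: str) -> set:
    """Hostnames of every http(s) URL found in the message body."""
    hosts = set()
    for url in URL_RE.findall(text):
        host = urlparse(url).hostname
        if host:
            hosts.add(host.lower())
    return hosts


def check_message(raw: bytes, trusted=TRUSTED_DOMAINS) -> list:
    """Return a list of findings; an empty list means every identity signal
    (sender domain and all link hosts) resolves to a trusted domain.
    The cardholder's name in the greeting is intentionally not consulted:
    as the post notes, a correct name is not evidence of authenticity."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    body = msg.get_body(preferencelist=("plain", "html"))
    text = body.get_content() if body is not None else ""
    findings = []
    sd = sender_domain(msg)
    if registered_domain(sd) not in trusted:
        findings.append(f"sender domain '{sd}' is not a known institutional domain")
    for host in sorted(link_hosts(text)):
        if registered_domain(host) not in trusted:
            findings.append(f"link host '{host}' is not a known institutional domain")
    return findings


# Constructed sample messages (not real correspondence).
OFF_DOMAIN_NOTICE = (
    b"From: Cardmember Services <alerts@cardmemberservices.com>\r\n"
    b"To: jane.doe@example.net\r\n"
    b"Subject: Your statement is ready\r\n"
    b"Content-Type: text/plain; charset=us-ascii\r\n"
    b"\r\n"
    b"Dear Jane Doe,\r\n"
    b"Your statement is available. Log in at\r\n"
    b"https://www.cardmemberservices.com/login to view it.\r\n"
)

ON_DOMAIN_NOTICE = (
    b"From: Chase <alerts@chase.com>\r\n"
    b"To: jane.doe@example.net\r\n"
    b"Subject: Your statement is ready\r\n"
    b"Content-Type: text/plain; charset=us-ascii\r\n"
    b"\r\n"
    b"Dear Jane Doe,\r\n"
    b"Your statement is available. Log in at\r\n"
    b"https://www.chase.com/login to view it.\r\n"
)

if __name__ == "__main__":
    for label, raw in (("off-domain", OFF_DOMAIN_NOTICE), ("on-domain", ON_DOMAIN_NOTICE)):
        findings = check_message(raw)
        print(f"{label}: {'OK' if not findings else 'SUSPECT'}")
        for finding in findings:
            print("  -", finding)
```

Both sample messages greet the cardholder by name and say the same thing; the only difference the checker can act on is where the mail comes from and where it sends the reader, which is exactly why a bank that uses an unrelated domain for real notices leaves its customers with no usable signal.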

This lapse in judgment doesn’t necessarily mean that Chase/BankOne/FirstUSA can’t be trusted. It’s just not a good sign.