FlyerTalk Forums

Points stolen/ transferred (https://www.flyertalk.com/forum/chase-ultimate-rewards/2186258-points-stolen-transferred.html)

ajinlondon Feb 12, 2025 10:35 am


Originally Posted by mhdena (Post 36889462)
Do you have 2fa and the telephone password?

I added the telephone password just now (also have a combined business login); the telephone password is only for when calling into Chase, yes?

I do not have 2fa for Chase yet. I use the Chase app on my phone almost daily; will the 2fa need to be input each app login?

Seems the only thing that would stop this is the phone password being set up. 2FA wouldn't stop it. If you use the Chase app and Face ID, 2fa doesn't slow down your current interaction, so you may as well turn it on.

mia Feb 12, 2025 11:08 am


Originally Posted by mhdena (Post 36889462)
Do you have 2fa and the telephone password?

Chase enabled 2FA on my accounts sometime last year. I seldom use the smartphone app, but 2FA is not used when accessing the app, only the website. I created a telephone password yesterday while working on this thread. I seldom contact any card issuer by telephone, but my understanding is that the password is "only" used when calling.



gef100 Feb 12, 2025 3:11 pm


Originally Posted by ajinlondon (Post 36889822)
Seems the only thing that would stop this is the phone password being set up. 2FA wouldn't stop it. If you use the Chase app and Face ID, 2fa doesn't slow down your current interaction, so you may as well turn it on.


Even if CS gave a new password, 2FA is required to be authenticated on a new device. So do you have 2FA on or not?

ajinlondon Feb 13, 2025 9:58 am

Yes, I have 2fa and your assumption isn't correct. 2fa is not required for this scam/ theft etc.
As above, I in essence went through the same steps on the phone call with Chase. "Here is the new password" and once they are into your account they update the personal details section. All very basic.

gef100 Feb 13, 2025 10:50 am


Originally Posted by ajinlondon (Post 36892298)
Yes, I have 2fa and your assumption isn't correct. 2fa is not required for this scam/ theft etc.
As above, I in essence went through the same steps on the phone call with Chase. "Here is the new password" and once they are into your account they update the personal details section. All very basic.

2FA is required when logging into your Chase account on a new device. Your device already has the cookies. Delete your cookies and you will see you are prompted for 2FA again.

ajinlondon Feb 13, 2025 4:00 pm


Originally Posted by gef100 (Post 36892443)
2FA is required when logging into your Chase account on a new device. Your device already has the cookies. Delete your cookies and you will see you are prompted for 2FA again.

OK, so how is it so in my app I can see the Windows device scammer accessed my account and iPhone 11 - access my account. Neither device exists within my home. And I repeat, 2fa existed on my devices for a considerable time.

gef100 Feb 13, 2025 4:20 pm


Originally Posted by ajinlondon (Post 36893096)
OK, so how is it so in my app I can see the Windows device scammer accessed my account and iPhone 11 - access my account. Neither device exists within my home. And I repeat, 2fa existed on my devices for a considerable time.

I am simply pointing out that the process you have described is not empirical proof that 2FA was not triggered. You should remove any devices which are not associated with you. Additionally, in your Chase account under 2FA, is email enabled?

ajinlondon Feb 13, 2025 4:31 pm

Appreciate the trying to be helpful. But you don't need to question the validity of what I am saying, been around / smart enough to know what's on and off. Yes, I do get for some folks this may be a valid query. Not applicable here.
I have said numerous times 2fa is on / was on / still on. The only security feature that Chase has added since is the phone password, which I feel the implementation is poor. Other banks "please hold whilst I transfer to the auto system and enter your secure password" vs Chase "please tell me your password" like that's real secure...

Yes - obviously removed the scammer's devices. Chase folks did it, all a bit late. And again points to failures - multiple attempts to access over phone + access on brand new device + add a new phone number to my account = absolutely nothing from Chase.

I wish others well - I will be closing my account, as clearly the scamster downloaded some recent transaction details and I now have to deal with them trying to access those accounts as they obviously now garnered more info from Chase to help with my identity "picture". And Chase bank 'sorry' means nothing with 3 days of BS scam calls (also common as the scammer dumps your info to try and overwhelm your emails/ phone to divert your attention) along with trying to second guess what else they are trying to do.

notquiteaff Feb 13, 2025 5:59 pm


Originally Posted by ajinlondon (Post 36893157)
Appreciate the trying to be helpful. But you don't need to question the validity of what I am saying, been around / smart enough to know what's on and off. Yes, I do get for some folks this may be a valid query. Not applicable here.
I have said numerous times 2fa is on / was on / still on. The only security feature that Chase has added since is the phone password, which I feel the implementation is poor. Other banks "please hold whilst I transfer to the auto system and enter your secure password" vs Chase "please tell me your password" like that's real secure...

So just to confirm (I admit I am a bit confused), what you are saying is that with 2FA enabled, your Chase account can be (and was) accessed on new devices with a new password that was set by Chase customer service? That would seem to be a major bug in the 2FA implementation.

I just recently used a new iPad that, to the best of my knowledge, had never accessed my Chase account with the Chase app. And the app/site sent me a text code to my phone number.

ajinlondon Feb 13, 2025 9:05 pm


Originally Posted by notquiteaff (Post 36893298)
So just to confirm (I admit I am a bit confused), what you are saying is that with 2FA enabled, your Chase account can be (and was) accessed on new devices with a new password that was set by Chase customer service? That would seem to be a major bug in the 2FA implementation.

I just recently used a new iPad that, to the best of my knowledge, had never accessed my Chase account with the Chase app. And the app/site sent me a text code to my phone number.

YES, and if you have a look at Reddit / other forums you will see it happened to others. Also just did a test to see if Chase understands the difference between iPhone Safari version vs the app and it does. The history in the Chase app shows "iPhone 11 Chase app" which was the scammer along with a Windows machine a few minutes before the app was logged in. Lastly, to highlight the stupidity, so they "merged" my points to another Chase account, but isn't that only possible to family members/ household/ etc.? If they get a class action/ audit of the procedures will be an F.


All times are GMT -6.