FlyerTalk Forums

Points stolen/ transferred (https://www.flyertalk.com/forum/chase-ultimate-rewards/2186258-points-stolen-transferred.html)

ajinlondon Feb 11, 2025 3:14 pm

Chase UR Points stolen. A little too easy.
 
Scammer knew a few details to call and get past security on the phone, seems they tried a few times before being successful.
Onto the kicker and stupidity of Chase, point of post.
- after passing security

Scammer: “I have lost my password and can’t get into my account”
Agent: “OK, let me help you, here is a new password 1234scam”
Scammer: “Excellent, thanks for your help, can you hang on the line whilst I make sure it works”
Agent: “Sounds good”

Scammer then gets access to the account and updates the profile to allow his cell and address etc. to be the primary, and seems like added the app to his Google phone.
Then “transfers” my points to another Chase account and off they go.
I also see in the history of access in the app / I was likely on hold to “security / fraud” whilst the points disappear.

Absolutely pathetic from Chase to just have such a total lapse of effective measures / we aren’t talking 100 points here.
Reddit and likely here has similar examples. My pain is also now “go change all your cards and passwords”,
and FYI, 2FA and all the bs is bypassed by the phone call.

When I went thru all this I was like “is that really it. Couldn’t be simpler?” Pathetic.

mia Feb 11, 2025 3:34 pm

Previous reports:

2022: https://www.flyertalk.com/forum/chas...ts-stolen.html

2019: https://www.flyertalk.com/forum/chas...-password.html


Caspavio Feb 11, 2025 3:37 pm


Originally Posted by ajinlondon (Post 36887782)
Scammer knew a few details to call and get past security on the phone, seems they tried a few times before being successful.
To the kicker and stupidity of Chase
- after passing security

Scammer: “I have lost my password and can’t get into my account”
Agent: “OK, let me help you, here is a new password 1234scam”
Scammer: “Excellent, thanks for your help, can you hang on the line whilst I make sure it works”
Agent: “Sounds good”
Scammer then gets access to the account and updates the profile to allow his cell and address etc. to be the primary,
then “transfers” my points to another Chase account and off they go.
I also see in the history of access in the app / I was likely on hold to “security / fraud” whilst the points disappear.

Absolutely pathetic from Chase to just have such a total lapse on effective measure / we aren’t talking 100 points here.
Reddit and likely here has similar. My pain is also now “go change all your cards and passwords”,
and FYI, 2FA and all the bs is bypassed by the phone call.

When I went thru all this I was like “is that really it. Couldn’t be simpler?” Pathetic.

There is no OTP or something to reset the password, or when he tries to sign into the account, or when he changes something so important as the primary phone no.? Sounds wrong that is all bypassed by the phone call.

ajinlondon Feb 11, 2025 4:20 pm

That was my point to post this / the only notice you get is
 

Originally Posted by Caspavio (Post 36887822)
There is no OTP or something to reset the password, or when he tries to sign into the account, or when he changes something so important as the primary phone no.? Sounds wrong that is all bypassed by the phone call.

You just get an email “you signed on with a new device” and that was it, no other notices. Given the amount of points I would think they have some extra security, let alone basically no communication that someone accessed my account and changed everything.
Would love to know who their security lead is so I know to avoid that company when I move my accounts.

mia Feb 11, 2025 5:03 pm


Originally Posted by ajinlondon (Post 36887923)
.... I would think they have some extra security ....

The suggestion in the 2019 thread is to add a telephone password to your Chase account.

This can be done online: https://secure.chase.com/web/auth/da...rityandprivacy > Set up a security code...


Tell us a security code using these guidelines:

It must be 6 to 10 characters and can include only letters and numbers.
It must include at least 1 number and 1 letter.
It can't be the same as your username.

Caspavio Feb 11, 2025 5:04 pm


Originally Posted by ajinlondon (Post 36887923)
You just get an email “you signed on with a new device” and that was it, no other notices. Given the amount of points I would think they have some extra security, let alone basically no communication that someone accessed my account and changed everything.
Would love to know who their security lead is so I know to avoid that company when I move my accounts.

Redeeming points is 1 thing, but giving access while failing to properly verify the caller's ID is another. Also very alarming that you can change key details like your phone number without more checks, especially since your phone number is the 2nd FA. Scammer is logging in with a new device, just reset the password and wants to change the phone number. How does that not raise any red flag?

ajinlondon Feb 11, 2025 7:47 pm


Originally Posted by ajinlondon (Post 36887923)
You just get an email “you signed on with a new device” and that was it, no other notices. Given the amount of points I would think they have some extra security, let alone basically no communication that someone accessed my account and changed everything.
Would love to know who their security lead is so I know to avoid that company when I move my accounts.


Originally Posted by Caspavio (Post 36888014)
Redeeming points is 1 thing, but giving access while failing to properly verify the caller's ID is another. Also very alarming that you can change key details like your phone number without more checks, especially since your phone number is the 2nd FA. Scammer is logging in with a new device, just reset the password and wants to change the phone number. How does that not raise any red flag?

Exactly my point! Seems Chase is inept at this point. Seems all a little too loose and easy. But the next day I transfer cash (an actual lesser value) and the fraud team calls - I am like, maybe you should have done this yesterday.
Folks shouldn't have to set up multiple passwords (point of MFA). Chase should have a simple protocol - oh, you lost your phone and you forgot your passwords? Hmm, we can help you out for up to $200 or whatever, but if you want more we need more, like DL verification and screen verify etc. etc. Not difficult.

Zorak Feb 11, 2025 8:10 pm


Originally Posted by mia (Post 36888011)
The suggestion in the 2019 thread is to add a telephone password to your Chase account.

This can be done online: https://secure.chase.com/web/auth/da...rityandprivacy > Set up a security code...

Has this perhaps changed? I don't see this option in the Security & Privacy dashboard -- under the heading "Ways you can be more secure" the options are
  • Update your profile so we can contact you.
  • Activate alerts to help keep your finances safe.
  • Use 2-Step verification for extra security at sign in.
  • Update your username and password.
None of which seem to pertain to call-in security codes.

Posts in the 2022 thread seem to indicate you can (only?) change your verbal security code (defaults to mother's maiden name) by calling in.

mia Feb 11, 2025 8:19 pm


Originally Posted by Zorak (Post 36888283)
Has this perhaps changed?

I tested and copied that text just before making the post earlier today.

https://cimg0.ibsrv.net/gimg/www.fly...853e27d9b9.png

Notes:

1. I used the Chase website, not the app.
2. I have combined business and personal accounts, which means I use the business site.
3. I have Two Factor Authentication enabled.



ajinlondon Feb 11, 2025 8:25 pm

The password you have to ask to give them over the phone and they add it - security protocol would say this secure password should actually be entered directly via a cloud computer vs. an agent who could do whatever they wish with the most secret of passwords.
In short, you have been warned - my issue is who knows what other info they screenshotted / downloaded etc. which can help them hack my other bank accounts etc. When asked, Chase also said they didn’t know what was accessed - again pathetic.

Zorak Feb 11, 2025 8:26 pm


Originally Posted by mia (Post 36888295)
I tested and copied that text just before making the post earlier today.

Notes:

1. I used the Chase website, not the app.
2. I have combined business and personal accounts, which means I use the business site.
3. I have Two Factor Authentication enabled.

I don't have the last item in the security menu.

Your points (1) and (3) are also true for me, but I do not have any business accounts so that may be the difference.

mia Feb 11, 2025 8:42 pm


Originally Posted by ajinlondon (Post 36888310)
The password you have to ask to give them over the phone and they add it -

Even though the website says "tell us", the password is created online while logged into your Chase account, not by telephone, and they do send a 2FA code before it can be entered.

ajinlondon Feb 11, 2025 9:02 pm


Originally Posted by mia (Post 36888345)
Even though the website says "tell us", the password is created online while logged into your Chase account, not by telephone, and they do send a 2FA code before it can be entered.

I did it / so this is not some hearsay.
When I reset / fixed everything I in essence went thru the same steps as the scammer.

“Here is your new password” and he reads it to me,
then “tell me a secret word or whatever for phone use” and he adds it. Maybe online is possible, never seen the option and didn’t feel
I need to given all the other security seemingly in place. Thought we were moving away from secret words.
It's laughably bad.

mia Feb 12, 2025 3:21 am


Originally Posted by ajinlondon (Post 36888389)
I did it ....

I also did it yesterday, and I entered the Telephone password online.

mhdena Feb 12, 2025 8:24 am


Originally Posted by mia (Post 36888878)
I also did it yesterday, and I entered the Telephone password online.

Do you have 2FA and the telephone password?

I added the telephone password just now (also have a combined business login). The telephone password is only for when calling into Chase, yes?

I do not have 2FA for Chase yet. I use the Chase app on my phone almost daily; will the 2FA need to be input at each app login?


All times are GMT -6.