6 new protections against the Chase mystery breach

How to guard your bank accounts and money when you have incomplete information about the threat

Published: October 07, 2014 06:30 PM

The security breach at JPMorgan Chase, which compromised the names, addresses, phone numbers, and e-mail addresses of 76 million households and seven million small businesses, remains something of a mystery, and that means consumers should take precautions even though the nation's largest bank has said it has seen no signs of fraudulant activity.

For example, Chase said that "there is no evidence that account information was compromised," not account numbers, passwords, user ID's, dates of birth, or Social Security numbers. But a subsequent report in The New York Times said that the cyberattackers had deep access to 90 Chase computer servers from June to July.

Because burglars don't normally leave your cash and credit cards on your kitchen table and instead steal your address book, security experts are suspicious that something bigger is afoot, even though they say they only know what they read in The Times, including a follow-up report that said nine other unnamed banks were similarly infiltrated.

"Did we get the full story from Chase?" said Jeff Williams, chief technology officer with Contrast Security, a California-based vendor of security monitoring technology. "I don’t think so."

"I think they're still scrambling to find what's the extent of the problem," said Barry Thompson, managing partner of Thompson Consulting Group, which provides risk assessment and advisory services to financial institutions. 

And the bank's disclosures to consumers have been carefully worded. "Here's what we know to date," is what the bank says on its home page. It's update says, "There is no evidence" that account numbers, passwords, user IDs, dates of birth, or Social Security numbers were compromised. 

A spokeswoman for Chase told Consumer Reports that she couldn't comment on the nature of the cyberattack, because of the criminal investigation in progress. But she denied the account of the attack given by unnamed newspaper sources. "The New York Times was not correct," said Patricia Wexler, the Chase spokeswoman, and she did not elaborate.

Thanks to federal regulations and consumer protections, account holders are not liable for fraud losses if they detect and report them to the bank promptly.

Without complete information, what should you do to protect yourself? Assume that there's more to guard against than you've been told, and take reasonable extra precautions.

1. Start with our advice from last week to hold down the fort from the breach of 1,000 other retailers hit by the same malware used against Home Depot—but not yet known—according to estimates by the U.S. Department of Homeland Security and the Secret Service.

2. Immediately change your Chase Mobile and online banking username and password. Chase said, "We don't believe that's necessary," but that's ridiculous. Passwords should be changed regularly, and after a breach is a great time to do it. We recommend you also change your Chase online and mobile account username while you're at it. Use strong passwords that are harder for hackers to crack. 

Data security breaches are a fact of life, so guarding your personally identifying information, financial data, and privacy is an everyday chore. Learn how to do it with Consumer Reports' Internet security guide.

3. Monitor your Chase (and other bank) accounts online for fraud activity now and in the future. We still recommend online and mobile banking, because it allows you to watch your account in real time from almost anywhere. Yes, it's now clear that Internet banking is not impervious to hacking, but "the convenience you get from banking digitally greatly supercedes any security risk," said Al Pascual, head of fraud and security research at Javelin Strategy and Research, a California-based financial services industry consulting firm. As part of your monitoring, watch out for changes to your debit card PIN.

4. Be suspicious of e-mails and phone calls from frauds who may masquerade as Chase. As we've previously reported, 22.5 percent of consumers who received notice of a security breach subsequently became victims of identity theft, according to a Javelin survey of 5,000 consumers. That's almost eight times the 2.9 percent ID fraud rate for consumers who hadn't received a breach notice.

If the Chase hackers only got your name, address, e-mail, and phone number, they don't have enough to commit financial fraud, so they will probably send you official-looking e-mails or call on the phone posing as Chase customer service to try to trick you into giving up the missing pieces, including your mother's maiden name, account username and password, date of birth, and Social Security number. Never give out any of that personal financial information online or over the phone when a stranger initiates contact with you, and learn to identify these so-called "phishing" attempts by following our advice.

These messages can look especialy authentic in the case of this breach, because the hackers also stole information about which lines of business you have with JPMorgan Chase, so they can refer to your checking, mortgage, private banking, credit card, or other account when attempting to persuade you that the fraud is genuine. 

Never click on any links in an e-mail or respond to pop-up windows that might suddenly open up requesting username and password. If you think the mesage is legitimate, independently find a Chase customer service phone number from your own research and call that, or visit your nearest branch.

If you're offered free credit monitoring or identity theft protection services by Chase or anyone else because of the Chase breach, do not click on any links or sign up. Chase is not offering those services, and such a deal could be a phishing attempt to get you to give up your Social Security number and other information.

5. Use Chase account alerts. Daily monitoring can be tedious, so automate some of the chore with account alerts that will send an e-mail or text message to your cell phone when specific potentially fraudulent activities occur. On checking, for example, you can set alerts to be sent if your balance falls below a specific amount, an outgoing wire transfer occurs, a new payee has been added to online bill pay, and an ATM withdrawal over a set amount happens.

Chase credit card alerts can set off alarm bells if an international charge is authorized, your available credit falls below what you expect, or a single charge to your card exceeds a set threshhold amount.  

6. If you find fraud, report it immediately. Chase and other financial institutions that lose your personal and financial data or give your money or credit to crooks will typically not hold you liable for the fraud losses, if you promptly report the theft. But there is also the hassle factor. How long will you have to get by with a drained bank account? By law banks have 10 days to straighten out your accounts and give you your money back, but most do so almost immediately, Pascual says. So get the clock running as soon as you discover a fraud.

—Jeff Blyskal (@JeffBlyskal on Twitter)


This report was updated on October 7, 2014 to include Chase's response to questions from Consumer Reports.

E-mail Newsletters

FREE e-mail Newsletters! Choose from cars, safety, health, and more!
Already signed-up?
Manage your newsletters here too.

Money News


Cars Build & Buy Car Buying Service
Save thousands off MSRP with upfront dealer pricing information and a transparent car buying experience.

See your savings


Mobile Get Ratings on the go and compare
while you shop

Learn more