The Chase Online Activation Codes have less than 8 digits of entropy

Trishank Karthik Kuppusamy
Trishank on Cybersecurity
2 min read · Feb 19, 2023
Figure 1: The Chase Online Activation Codes (aka MFA) use 8 digits, but note that the first digit seems to be fixed at 4 (left), hence reducing the (desired?) entropy to at most 7 digits (right).

This blog post is self-explanatory from both the title and Figure 1: the Chase Online Activation Codes (i.e., MFA) use 8 digits, but the effective entropy may be lower by at least an order of magnitude because the first digit appears to be constant. This observation was derived from 63 codes delivered via email over more than a year (between Nov 25th 2021 and Feb 19th 2023). The experiment was conducted after I suspected that the leading constant could not possibly be an accident.
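As an added example (not code from the original post), here is the kind of check one can run over a sample of one's own received codes to find positions with no variation and to compute the resulting guessing space; the 63 codes below are constructed with a fixed leading 4 to mirror Figure 1 and are not Chase data.

```python
import math
import random
from collections import Counter


def position_entropy_bits(codes: list[str]) -> list[float]:
    """Shannon entropy (bits) of the digit observed at each position across the sample."""
    width = len(codes[0])
    if not all(len(c) == width and c.isdigit() for c in codes):
        raise ValueError("all codes must be numeric and of equal width")
    n = len(codes)
    bits = []
    for i in range(width):
        counts = Counter(c[i] for c in codes)
        bits.append(-sum((k / n) * math.log2(k / n) for k in counts.values()))
    return bits


def fixed_positions(codes: list[str]) -> list[int]:
    """Positions whose digit never varied in the sample.

    Caveat: zero sample entropy is evidence, not proof, that the generator fixes
    the digit; with 63 codes a uniformly random digit repeating every time is
    vanishingly unlikely (10 * 10**-63), but a small sample says little about
    positions that are merely biased rather than constant.
    """
    return [i for i, h in enumerate(position_entropy_bits(codes)) if h == 0.0]


def effective_search_space(codes: list[str]) -> tuple[int, float]:
    """(number of candidate codes, bits of entropy) an outside guesser faces,
    assuming every non-fixed position is uniform over 0-9."""
    free = len(codes[0]) - len(fixed_positions(codes))
    return 10 ** free, free * math.log2(10)


# Constructed sample: 63 eight-digit codes whose first digit is always 4.
_rng = random.Random(2023)
SAMPLE_CODES = [
    "4" + "".join(_rng.choice("0123456789") for _ in range(7)) for _ in range(63)
]

if __name__ == "__main__":
    nominal = len(SAMPLE_CODES[0])
    space, bits = effective_search_space(SAMPLE_CODES)
    print(f"fixed positions: {fixed_positions(SAMPLE_CODES)}")
    print(f"nominal: {nominal} digits; effective: {space} candidates ({bits:.1f} bits)")
```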

“Once is happenstance. Twice is coincidence. Three times is enemy action.”
— Ian Fleming

Okay, but who cares? Depends. Even if Chase intended at most 7 digits of entropy (which is fair if you assume other defences such as rate-limiting — something Meta forgot — the iPhone still uses 6-digit passcodes by default), the fact remains that an attacker outside of Chase infrastructure (who nevertheless knows your username and password, but has no access to your email or phone number) could always correctly guess the first digit of the entire code, so they might as well just reduce its size to what they are looking for. Of course, it remains to be seen whether anyone else is vulnerable to this problem; hence, this blog post. If so, one does wonder how this managed to slip past their cybersecurity organisation (if any): don’t they use their own products?

All this is to say that, at the end of the day, one (especially big banks like Chase) should move MFA away from SMS (weakest) and TOTP (unusable) to hardware (especially security keys). Better yet — just get rid of passwords (what a bad idea in retrospect for both security and usability) altogether in favour of Passkeys (wherever possible). Someone tell Mr. Musk that he could have saved millions of dollars this way (and Twitter users so that they stop complaining unnecessarily, cybersecurity experts notwithstanding: there ain’t no such thing as a free lunch).

P.S. Dear JPMC: I tried to follow responsible disclosure, but could not find anything on your convoluted website that would put me directly in touch with your cybersecurity organisation. Please don’t close my bank accounts or sue me, thanks.
