Domain: chase.com
Stories and comments across the archive that link to chase.com.
Comments · 48
-
Re:Type-in vs. inbound link traffic
There is a fourth one - phishing. You might call it a variant of typo-squatting, but actually it is not.
Phishing is similar to typosquatting in that the user is being redirected to the wrong domain. I agree that an organization-validated cert protects against this, especially among novice users who can't be trusted to stick to bookmarks. But a domain-validated cert might be enough if credentials aren't valuable enough to allow rapid irreparable damage before blocking the account, such as a forum or wiki account compared to a bank account.
There is a fifth attack vector - though none of the business of website owners or visitors. But EFF has made it their business to complain about it. It is the dragnet surveillance by TLAs. HTTPS prevents that too. "Let's Encrypt" sounds like an attack on that attack.
This counts as passive sniffing and occasionally MITM.
both - banks' padlock icon and Joe Sixpack's website's padlock icon look the same to me.
On Pin Eight, which uses a domain-validated certificate, Firefox shows me only a green lock. On Chase, which uses an organization-validated certificate with EV extensions, Firefox shows me a green lock plus "JPMorgan Chase & Co." in green.
-
Re:Which begs the question...
It raises the question. Stop it.
For fucks sake it doesn't do that, either. That's not the question. There is no suggestion that the attackers simply lumbered across the data by going to http://www.chase.com./ They probably (based on the patterns of most recent attacks) used spear phishing across a huge section of the employee population, then individually targeted each mark that fell into the trap for maximum leverage on gaining external access.
-
Re:$200MM
My balls it is. The only place I've ever seen it as such is on slashdot, and here twice.
Want to see it in action? Look no further than the home page of the world's sixth largest bank:
https://locator.chase.com/
Hover over "Business" and "Commercial" and you will note that their definition of those two classes relies on the MM suffix. I don't blame you for never having even imagined a context where millions of dollars was relevant, but you will find that it's a big world out there.
-
Re:Ahhh ...
I was just using https://www.ssllabs.com/ to check out some financial sites:
amhfcu.org - F, supports insecure SSL 2.0
tdbank.com - A-
republictt.com - not the local bank.. apparently uses java.. ugh..
republicbank.com - powered/provided by intuit - A-
sjfcu.online-cu.com - B - due to not supporting TLS 1.2 (used by likely a few CUs)
bankofamerica.com - inconsistent - B, A-
wellsfargo.com - B - due to not supporting TLS 1.2
paypal.com - A- uses mixed content on home page.. really?
secure.ally.com - B - TLS 1.2 capped
https://www.chase.com/ - A-
hsbc.com - asks for login name on insecure website.. otherwise a B
I'm not impressed. My ~$10 a month Dreamhost account can get me a B rating (with SSL kindly provided by https://www.startssl.com/ for free). And if they were running a newer version of Debian, I think it would be an A.
-
Re:Games and check deposit
What is this?
-
Re:Oh, yeah
And which relative path do you suggest they might use in their master page / global header so that it works in all cases:
from http://chase.com/
from https://chase.com/mortgages
from https://chase.com/banking
from https://chase.com/creditcards
from http://sub.chase.com/
from http://www.chase.com/external/something/yourpagehere.aspx
Yes, it is easier to anonymously give out random useless answers than to actually think about the question.
-
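An added illustration, not code from any comment above, of how each way of writing a shared asset reference resolves from the page URLs the comment lists, using Python's urllib.parse (RFC 3986 resolution). The asset path assets/site.css and the host www.chase.com as the asset host are assumptions for the example:

```python
"""Added example, not code from any comment above: how each way of writing a
shared asset reference resolves from the page URLs the comment lists.
The asset path is invented for illustration."""
from urllib.parse import urljoin, urlsplit

# The page URLs exactly as listed in the comment.
PAGE_URLS = [
    "http://chase.com/",
    "https://chase.com/mortgages",
    "https://chase.com/banking",
    "https://chase.com/creditcards",
    "http://sub.chase.com/",
    "http://www.chase.com/external/something/yourpagehere.aspx",
]

ASSET = "assets/site.css"  # hypothetical shared stylesheet path

# Four ways a master page / global header could reference it.
CANDIDATES = {
    "document-relative": ASSET,                          # depends on the page's directory
    "root-relative": "/" + ASSET,                        # same host as the page, any directory
    "scheme-relative": "//www.chase.com/" + ASSET,       # fixed host, inherits the page's scheme
    "absolute-https": "https://www.chase.com/" + ASSET,  # fixed host, always TLS
}


def resolve_all(reference: str) -> list:
    """Resolve one reference against every page URL using RFC 3986 rules."""
    return [urljoin(page, reference) for page in PAGE_URLS]


def always_same_https_origin(reference: str) -> bool:
    """True only if the reference lands on https://www.chase.com from every page,
    i.e. it never causes a plaintext fetch and never depends on the page's host."""
    origins = {(urlsplit(u).scheme, urlsplit(u).netloc) for u in resolve_all(reference)}
    return origins == {("https", "www.chase.com")}


if __name__ == "__main__":
    for name, ref in CANDIDATES.items():
        print(f"{name}: same https origin everywhere = {always_same_https_origin(ref)}")
        for url in resolve_all(ref):
            print("   ", url)
```

The scheme-relative form is the one that "works in all cases" as far as finding the file goes, but from the http pages it fetches the stylesheet (and any script referenced the same way) in the clear, which is exactly where an on-path attacker would rewrite it. Only the absolute https form avoids that; once every page is served over https the two behave identically.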
Re:No Surprise There
Really? Bankrate.com lists the national average mortgage rate at 3.87% w/ a 30 year fixed, conforming loan. Patelco's current rate is 3.75% (3.822% APR) w/ no points. Chase is listing a 3.75% fixed, 30 year loan w/ 1.125 points at a 3.842% APR. NYU Credit Union is offering a 30 year, fixed, no points loan at 3.625% (3.650% APR).
So, yeah, credit unions can still be competitive... that's the reason why banks have fought tooth and nail to ensure that there are as many restrictions on membership as possible.
-
Re:How to deposit?
Also, you probably don't need to keep "a couple thousand" in the local bank. Many banks (especially credit unions) have very low balance requirements (mine is $5 for a savings account, $300 for a checking account).
Chase requires $1,500 minimum according to this page. If I go below that for even one day in a given month, Chase charges me $12. Or should I drop Chase in favor of a credit union already?
-
Chase Mobile App is not in APK
With Windows, you can search the internet and download what you need. As it is with Android.
Unless your bank won't make its check deposit application available as a downloadable .apk file. I visit Chase's page about its Quick Deposit application on my device, but all it says is "Get the Chase Mobile App from the App Store or Android Market." Specifically, "Chase Mobile App" is not clickable.
-
My bank's app appears to be Market-exclusive
So if I learn of an Android application that I want to use, but it isn't on Amazon, AppsLib, SlideME, or direct APK download, how exactly should I word a request to the developer to make it available other than on Android Market? For example, my bank offers quick deposit of checks through a device's camera and makes an application to do this available through Android Market. But it appears to be exclusive to Android Market; searching for chase on Amazon, AppsLib, and SlideME doesn't list Chase's official application among any of the three sets of results. Nor does Chase.com provide a direct APK download; users are expected to scan a QR barcode that expands to a URL beginning with market://, which works only on devices with Android Market.
-
Re:Perhaps we need to validate the CAs?
I just closed an account late last year with a bank I had done business with for 35 years, through mergers and acquisitions and all. They had no branch within 500 miles - I had moved away from them. How would you like to run over and pick up my cert for me?
A QR code would be fine, but how is it delivered? From their website? Which one? The fake one that presents me a cert from a CA in Uzbekistan? Beijing? Singapore? Do I trust the CA from East LA any more? Why?
For a decent attempt at multi-factor security, I need to be able to choose how I find the bank. So if I go to https://www.chase.com/ can I be certain it is the real, legitimate Chase site? How can I tell if it was falsified in DNS, with a cert from a compromised CA, and is just a passthrough to the 'real' Chase site...? When I get a call from the bank? when I read about it on CNN?
Can it be bulletproof any more?
-
Re:URL Bar
That inconsistency is part of the trouble with the awesome bar. I don't go to Accuweather too often, but I've been there in the last couple of weeks. If I type in 'ac' or 'www.ac', my options are, in order:
http://ubuntuforums.org/showthread.php?t=662909&page=2
http://www.bluesnews.com/cgi-bin/board.pl?action=userinfo&user=
http://www.neatorama.com/2010/10/07/new-software-adjusts-actors-body-shapes-automatically/?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+Neatorama+(Neatorama)
https://chaseonline.chase.com/MyAccounts.aspx
http://www.accuweather.com/
http://www.lenovo.com/us/en/#ss
I find this asinine, but some people like it. That's fine. Give me the option to have something sane and consistent. As someone else mentioned elsewhere, if they would just put the items with exact matches at the beginning of the domain first on the list (or give the option for it), it would help a lot. Then they'd just have to work on how slow it is.
-
Re:Not everyone has a bank account
I had an account in my name like this one when I was 11
Thai prawn curry? You must have made a copy-paste mistake. I had a savings account when I was young, but it had my own name and my (adoptive) father's name on it. But a lot of parents are technophobes who keep their kids unbanked so that they can control their kids' spending and keep them from buying or using anything that is "not sold in stores".
Person-to-person transfers can be done electronically either online
I saw that Chase Bank recently added this service as well, and it's free between any Chase checking account and any U.S. bank account. It wasn't there before.
by telephone
What kind of fee does your bank charge for that?
-
Tell Chase what you think
I used their on-line service feed-back page to say I would do on-line banking with them unless they supported Chrome. I bet if enough people do that they will change their minds. Chase feedback link: https://www.chase.com/ccp/index.jsp?pg_name=ccpmapp/shared/assets/page/email#
-
Are text scans sufficient to mark a site insecure?
From the research paper:
We used wget to recursively download the financial institution websites during November and December of 2006. We chose to download the sites so that we had uninterrupted access and had a consistent, static view of each website. The websites may have fixed the design flaws mentioned in this paper after our initial download. Once we downloaded each website, we used scripts to recursively traverse and analyze the HTML pages for certain patterns and identify the security design flaws.
...
4.3 Contact Information/Security Advice on Insecure Pages: We searched each web page for the string "contact", "information", or "FAQ". If those strings were found, we checked whether the page was protected with SSL. If not, then we considered it to contain the design flaw.
By this logic, even this page would cause Chase's site to fail. Also:
We searched each web page for the string "login". If the string was found, we searched the same page for the strings "username" or "user id" or "password". If the string "login" and "username" or "user id" or "password" were found on the same page, we then verified whether the page was displayed using the http protocol. If this was the case, we assumed this site contained the design flaw.
But my bank (which is not Chase) uses the phrase "sign in" instead of "login". Does this mean it is more secure?
-
The Chase Bank website
Chase.com: They have the most annoying system where you have to call them and authorize whenever you try to login from a new IP address, and yet they send your password in cleartext! (The login page is on the homepage and is not https. Every other credit card company I use has a https homepage...) I complained about it years ago but they still haven't done anything about it, except for adding the way overdone IP authorization feature!
In a related note, how come none of the credit card companies let you use special characters in your password? Do they want hackers to guess it?
-
banks.
The not so funny thing about man in the middle attacks is that most non https sites are vulnerable to them.
Take the Chase.com homepage. It's got a login form right there (it doesn't matter if it's secure or not). If you were a victim of a man in the middle attack, the attacker could have rewritten the page to link to a different secure login server. Or, for example, could put in a different phone number to contact them.
Luckily some banks are FINALLY switching to all https, bankofamerica.com for example.
-
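An added example, written for this page and not taken from the paper or from any commenter, that implements the two text-pattern heuristics quoted from the paper above over constructed HTML, beside a structural check that looks at the login form itself (is the page https, and does the form post to https), which is the property the comments about the http homepage login form and man-in-the-middle rewriting are actually worried about. The host bank.example and the three sample pages are made up for the example:

```python
"""Added example (not from the paper or the thread): the paper's text-pattern
heuristics reimplemented over constructed HTML, beside a structural check on
the password form itself."""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit


def paper_login_flaw(url: str, html: str) -> bool:
    """Paper heuristic: 'login' plus 'username'/'user id'/'password' in the
    page text, and the page served over plain http."""
    text = html.lower()
    has_login = "login" in text
    has_cred = any(w in text for w in ("username", "user id", "password"))
    return has_login and has_cred and urlsplit(url).scheme == "http"


def paper_contact_flaw(url: str, html: str) -> bool:
    """Paper section 4.3: 'contact', 'information' or 'FAQ' on a non-SSL page."""
    text = html.lower()
    hit = any(w in text for w in ("contact", "information", "faq"))
    return hit and urlsplit(url).scheme == "http"


class _FormCollector(HTMLParser):
    """Record every <form>, its action, and whether it holds a password field."""

    def __init__(self):
        super().__init__()
        self.forms = []
        self._current = None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self._current = {"action": a.get("action") or "", "has_password": False}
            self.forms.append(self._current)
        elif tag == "input" and self._current is not None:
            if (a.get("type") or "").lower() == "password":
                self._current["has_password"] = True

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None


def insecure_password_forms(page_url: str, html: str) -> list:
    """Resolved action URLs of password forms that are unsafe: the page itself
    is not https (so an on-path attacker can rewrite the form before the user
    sees it) or the form posts its fields to a non-https action."""
    parser = _FormCollector()
    parser.feed(html)
    bad = []
    for form in parser.forms:
        if not form["has_password"]:
            continue
        action = urljoin(page_url, form["action"])
        if urlsplit(page_url).scheme != "https" or urlsplit(action).scheme != "https":
            bad.append(action)
    return bad


# Constructed sample pages for the example.
SIGN_IN_HTTP = """<html><body><h1>Sign in</h1>
<form action="https://bank.example/auth" method="post">
User ID <input name="uid"> Passcode <input type="password" name="pw">
</form></body></html>"""

CONTACT_HTTP = """<html><body><p>Contact us at 1-800-000-0000.</p></body></html>"""

LOGIN_HTTPS_OK = """<html><body><h2>Login</h2>
<form action="/auth" method="post">
Username <input name="u"> Password <input type="password" name="p">
</form></body></html>"""

if __name__ == "__main__":
    for url, page in (("http://bank.example/", SIGN_IN_HTTP),
                      ("http://bank.example/contact", CONTACT_HTTP),
                      ("https://bank.example/", LOGIN_HTTPS_OK)):
        print(url, "paper-login:", paper_login_flaw(url, page),
              "paper-contact:", paper_contact_flaw(url, page),
              "structural:", insecure_password_forms(url, page))
```

Run it and the first page shows the commenter's point: a "Sign in" form on an http page never contains the word "login", so the paper's string match reports nothing, while the structural check flags it because the page carrying the password field was delivered in the clear. The contact page trips the section 4.3 heuristic but contains no form at all.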
DNS hijacking does allow defeat of SSL
> To have a man-in-the-middle, all you need is a certificate signed by an authority that your computer trusts. The ISP can surely get that.
Give this man a cookie, or at least a mod point.
Once they manage to get your browser loaded up with a CA they control it is game over. Imagine, you type www.chase.com into your browser. Remember, THEY also operate your DNS. They resolve www.chase.com to an address they control and generate a certificate linking www.chase.com to that IP. Meanwhile their proxy server connects to the real https://www.chase.com/ and retrieves the homepage. Then their faked out server reencrypts the content and their inserted ad and sends it on to your browser which displays it with the lock intact.
This is what the various secure DNS proposals are intended to address. DNS hijacking allows almost any abuse in the higher layers.
-
Re:Um...
Thus the problem with SSL, anyone can insert themselves and spoof as an endpoint. If I spoof as VeriSign and man in the middle attack you with the bank, there is no good way to protect against this.
Your web browser comes with a collection of public keys from registrars including Verisign. But your browser can't include every public key for every secure website. It would be too big a download and it would be hard to update. So the bank gets Verisign to put Verisign's digital signature on the bank's public key. When you connect to your bank, your bank sends you its public key and your web browser uses its copy of Verisign's public key to verify Verisign's signature on the bank's key, thereby confirming that you have your bank's genuine public key. Because of the way public key cryptography works, nobody can forge Verisign's signature, and once you have your bank's public key, nobody can impersonate your bank.
One of the big problems with this system is that Verisign will put its signature on the public keys of criminals too. So for example a crook could maybe buy the domain bankofamericacardsite.com and ask Verisign to put a signature on the public key for that site. If Verisign isn't watching, and sometimes registrars process these things automatically, then the crook can get a genuine certificate that won't raise any red flags in your browser. So when you connect to Bank of America, you not only have to look for the s in httpS, you also have to make sure the domain is one owned by BofA, like bankofamerica.com and not bankofamericasneakylittlechange.com. There are a lot of little misspellings and minor variations of bank names, so you have to look for exactly the most common spelling of the organization's name in the domain name. If you're lucky your bank will own the common typos and variations of its name, but maybe it won't.
Unfortunately the banks don't make it easy for you. Some banks will use domains like accountaccess.com. How are you supposed to tell by looking that accountaccess.com is owned by your bank and not by some crook? You can't. (in fact accountaccess.com is owned by spammers, don't go there)
Another problem is that people don't know how to pick the domain name out of the URL. I'm not sure if this is a good enough way to describe it, but if you see a URL like
http://www.chasecriminal.com/ccpmapp/commercial/home/https://chasebank.com
the domain name is the word and the .com right before the third slash. In this case chasecriminal.com. Notice the fake https://chasebank.com/ at the end. The stuff over on the right hand side of the URL is just stuff that is internal to the computer that you are connecting to. A criminal can put nearly anything over there.
By the way, Chase seems to be one of the banks that doesn't allow secure logins. Even if you manually change http://chase.com/ to https://chase.com/ it automatically redirects you to the insecure page. It boggles the mind.
Also note that this doesn't just apply to banks. Any site where you enter a password or secure information ought not to use an insecure page for login. And don't forget that Slashdot doesn't use any encryption at all on its logins. Don't use the same password for your bank as you do for Slashdot.
Watch for the s in https at the beginning. And don't login to sites with domains like paypalsecurity.com or chaseusers.com or anything but the most obvious domain name.
-
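An added example, not from the comment above, of picking the host out of a URL the way the browser does (Python's urllib.parse follows RFC 3986: the host is what sits between the scheme's // and the next /, and anything after that is just a path the remote server interprets) and then matching it against a trusted list on label boundaries rather than by substring. The trusted set and the lookalike URLs are constructed for the example; the chasecriminal.com URL is the one from the comment:

```python
"""Added example (not from the thread): extract the host a browser would
actually connect to, then check it against an allowlist on label boundaries."""
from typing import Optional
from urllib.parse import urlsplit

# Hypothetical allowlist for one bank, constructed for this example.
TRUSTED = {"chase.com", "chaseonline.chase.com"}


def real_hostname(url: str) -> Optional[str]:
    """Host the browser connects to, lowercased, or None for non-web schemes.

    urlsplit stops the authority at the first '/', '?' or '#', so a second
    'https://chasebank.com' buried in the path is inert text, and any
    userinfo before '@' (chase.com@evil.example) is dropped as well.
    """
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        return None
    return parts.hostname


def is_trusted(url: str) -> bool:
    """True only if the host is a trusted name or a subdomain of one.

    A substring or startswith test would accept chase.com.evil.example and
    chasecriminal.com; matching on a leading '.' boundary does not.
    """
    host = real_hostname(url)
    if host is None:
        return False
    return any(host == d or host.endswith("." + d) for d in TRUSTED)


if __name__ == "__main__":
    for u in (
        "http://www.chasecriminal.com/ccpmapp/commercial/home/https://chasebank.com",
        "http://chase.com@evil.example/login",
        "https://chase.com.evil.example/",
        "https://chaseonline.chase.com/chaseonline/logon/sso_logon.jsp",
    ):
        print(f"{real_hostname(u)!s:32} trusted={is_trusted(u)}  {u}")
```

Two things the comment's "third slash" rule does not cover are handled here: the userinfo trick, where the bank's name appears before an @ sign and the real host after it, and a trusted name used as a prefix of a longer hostname.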
Re:What me worry
for jp morgan chase use https://chaseonline.chase.com/ and not their half assed http://www.chase.com/ which has a partially secured page. Their info security officials should be fired for pinching pennies in this process.
-
Re:We'll see about that.
I found the following logon URL within the Chase site, and bookmarked it. I now use it as my exclusive means of signing on:
https://chaseonline.chase.com/chaseonline/logon/sso_logon.jsp
[Warning, Slashcode inserts whitespace within long URLs, though not in the href]
I don't trust their unsecured frontpage worth a damn.
Thanks,
--kirby
-
Re:We'll see about that.
Chase is truly screwed up. https://chase.com/ just gives you a cert for www.chase.com and then forwards you to their main unencrypted page. However, you can bookmark https://chaseonline.chase.com/ which redirects to https://chaseonline.chase.com/online/home/sso_co_home.jsp
Still, there's no reason why anyone should have to make an extra effort to get a secure log-on form to access a bank account.
-
Re:Tracability?
But surely the huge gif with the padlock image makes it secure
;)
Seriously, it's because the home page isn't requested over https. If you type some false details in the username/password fields and hit return the page comes back over https. Or you can go straight to https://chaseonline.chase.com/colappmgr/colportal/prospect?_nfpb=true&_pageLabel=page_logonform
-
Re:True, but why is it *my* problem to solve?
...if you can do something to prevent a problem and you don't, you're just as responsible as anyone else involved.
This may be true if someone throws out/recycles whole applications. However, in the case of the Chase bank in the original article, their own guide to protecting your identity recommended that "If you receive financial solicitations that you're not interested in, tear them up before throwing them away, so thieves can't use them to assume your identity." So they shouldn't be accepting torn-up applications anyway, as they have stated that ripped up applications are not valid.
But say that every person who receives a pre-approved credit card application that they don't want shreds it with a good cross-cut shredder before they throw it out/recycle it. If identity thieves don't have any problems dumpster diving, what's to stop them from the simple act of stealing from outdoor mailboxes? Sure, everyone could invest in a postal box or a secure mail slot, but the mail is still not secure before it gets to the mailbox. Identity thieves will always find a way to get at these applications. Your average Joe won't know that their mail has been stolen, either, because the offers were unsolicited, so they weren't expecting them!
Why should we suffer from potential identity theft over what is essentially an unsolicited marketing scheme?
-
Phisher caught in the act
I don't mind spam so much, but I really hate phishers. Lately I've been getting Chase Bank phishing scams daily in my hotmail account, which I find humorous, considering I don't even have a Chase Bank account. Today I decided to actually take a look at the message and see where it was coming from.
Here is a text copy of one of the emails, I removed my own email address for privacy:
From :
Sent : February 26, 2006 11:52:48 PM
To:
Subject : Account ID 439177 IMPORTANT: Client's Details Confirmation
MIME-Version: 1.0
Received: from bloc17.suceava.rdsnet.ro ([194.153.243.213]) by bay0-mc8-f9.bay0.hotmail.com with Microsoft SMTPSVC(6.0.3790.211); Mon, 27 Feb 2006 08:52:55 -0800
Received: (qmail 4552 by uid 632); Mon, 27 Feb 2006 06:52:48 +0200
X-Message-Info: JGTYoYF78jHr5WWiNnUXMgz/vJOoFSADkfg3/Ey0XGE=
Return-Path:
X-OriginalArrivalTime: 27 Feb 2006 16:52:55.0944 (UTC) FILETIME=[41BE1880:01C63BBE]
Chase sent this message to member of Chase.
Your registered name is included to show this message originated from Chase. Learn more.
CHASE ACCOUNT PROTECTION SERVICE NOTIFICATION
Dear Chase member,
For the User Agreement, Section 9,
We may immediately issue a warning, temporarily suspend, indefinitely
suspend or terminate your membership and refuse to provide our
services to you if we believe that your actions may cause financial
loss or legal liability for you, our users or us. We may also
take these actions if we are unable to verify or authenticate
any information you provide to us.
We inform you that your Chase account could be suspended
if you don't re-update your account information. To resolve this
problems please use the link below and re-enter your account information.
If your problems could not be resolved your account will be suspended
for a period of 72 hours, after this period your account will
be terminated.
Thank you for your patience in this matter.
Regards, Safeharbor Department (Trust and Safety Department)
Chase Inc. Please do not reply to this e-mail as this is only a notification.
To update your record please click here (Note: this is a phishing site, the real website is http://www.chase.com/)
Security id of this notification : 5013394817-E
Chase Store
Marketplace Safety Tip Marketplace Safety Tip
This Chase notice was sent to member from Chase. Your account is registered on www.Chase.com. As outlined in our User Agreement, Chase will send you required notifications about the site and your transactions. If you would like to receive this email in text format, change your notification preferences.
See our Privacy Policy and User Agreement if you have questions about Chase's communication policies.
Privacy Policy: http://pages.chase.com/help/policies/privacy-policy.html
User Agreement: http://pages.chase.com/help/policies/user-agreement.html
Copyright © 2006 Chase, Inc. All Rights Reserved.
Designated trademarks and brands are the property of their respective owners.
Chase and the Chase logo are registered trademarks or trademarks of Chase, Inc.
Chase is located at 2145 Hamilton Avenue, San Jose, CA 95125.
The email originated from bloc17.suceava.rdsnet.ro which is a Romanian domain. I did a domain lookup of www.chase-all.com and got some interesting info:
Registrant:
Steve Rudway marrrk559@ya
-
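An added example, not part of the post above, that walks the Received: chain of the quoted message with Python's email module to find the hop where it entered the mail system and to compare the hop timestamps. The header block is the one quoted in the post (the From, To and Return-Path lines the poster blanked are left out); the brand domain chase.com is the example's assumption for what a genuine Chase notice would have to originate from:

```python
"""Added example (not part of the original post): trace the Received: chain of
the quoted phishing message to its first hop and compare the hop timestamps."""
import re
from email import message_from_string
from email.utils import parsedate_to_datetime

# Header block as quoted in the post above; blanked From/To/Return-Path omitted.
RAW_HEADERS = """\
MIME-Version: 1.0
Received: from bloc17.suceava.rdsnet.ro ([194.153.243.213]) by bay0-mc8-f9.bay0.hotmail.com with Microsoft SMTPSVC(6.0.3790.211); Mon, 27 Feb 2006 08:52:55 -0800
Received: (qmail 4552 by uid 632); Mon, 27 Feb 2006 06:52:48 +0200
X-OriginalArrivalTime: 27 Feb 2006 16:52:55.0944 (UTC) FILETIME=[41BE1880:01C63BBE]
Subject: Account ID 439177 IMPORTANT: Client's Details Confirmation

"""

# 'from HOST ([IP])' as written by the receiving MTA; the bracket forms vary.
_FROM_RE = re.compile(r"from\s+(?P<host>\S+)\s+\(\[?(?P<ip>[0-9.]+)\]?\)", re.IGNORECASE)


def received_chain(raw: str) -> list:
    """One dict per Received: header, in header order (latest hop first,
    origin last), with the claimed sending host/IP and the hop's timestamp."""
    msg = message_from_string(raw)
    hops = []
    for value in msg.get_all("Received", []):
        value = " ".join(value.split())              # unfold continuation lines
        m = _FROM_RE.search(value)
        stamp = value.rsplit(";", 1)[-1].strip()     # date follows the last ';'
        hops.append({
            "host": m.group("host") if m else None,  # None for local handoffs
            "ip": m.group("ip") if m else None,
            "time": parsedate_to_datetime(stamp),
        })
    return hops


def handoff_hours(raw: str) -> float:
    """Hours between the earliest and latest hop stamps. Two hops twelve hours
    apart means a queued message or a badly skewed clock on the sending box."""
    times = [h["time"] for h in received_chain(raw)]
    return (max(times) - min(times)).total_seconds() / 3600


def origin_matches_brand(raw: str, brand_domain: str) -> bool:
    """Did the first hop that names a sending host come from the brand's domain?"""
    external = [h for h in received_chain(raw) if h["host"]]
    if not external:
        return False
    host = external[-1]["host"].lower()
    return host == brand_domain or host.endswith("." + brand_domain)


if __name__ == "__main__":
    for hop in received_chain(RAW_HEADERS):
        print(hop["host"], hop["ip"], hop["time"].isoformat())
    print("gap between hops (h):", round(handoff_hours(RAW_HEADERS), 2))
    print("first hop is chase.com:", origin_matches_brand(RAW_HEADERS, "chase.com"))
```

Only the hotmail.com hop is trustworthy here, since the poster's provider wrote it; the qmail line was written by the sending machine and can say anything. That is also why the origin check reads the host from the last hop that names a sender, not from the From: line.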
Phisher caught in the actI don't mind spam so much, but I really hate phishers. Lately I've been getting Chase Bank phishing scams daily in my hotmail account, which I find humourous, considering I don't even have a Chase Bank account. Today I decided to actually take a look at the message and see where it was coming from.
Here is a text copy of one of the emails, I removed my own email address for privacy:
From :
Sent : February 26, 2006 11:52:48 PM
To:
Subject : Account ID 439177 IMPORTANT: Client's Details Confirmation
Go to previous message | Go to next message | Trash Can | Inbox
MIME-Version: 1.0
Received: from bloc17.suceava.rdsnet.ro ([194.153.243.213]) by bay0-mc8-f9.bay0.hotmail.com with Microsoft SMTPSVC(6.0.3790.211); Mon, 27 Feb 2006 08:52:55 -0800
Received: (qmail 4552 by uid 632); Mon, 27 Feb 2006 06:52:48 +0200
X-Message-Info: JGTYoYF78jHr5WWiNnUXMgz/vJOoFSADkfg3/Ey0XGE=
Return-Path:
X-OriginalArrivalTime: 27 Feb 2006 16:52:55.0944 (UTC) FILETIME=[41BE1880:01C63BBE]
Chase sent this message to member of Chase.
Your registered name is included to show this message originated from Chase. Learn more.
CHASE ACCOUNT PROTECTION SERVICE NOTIFICATION
Dear Chase member,
For the User Agreement, Section 9,
We may immediately issue a warning, temporarily suspend, indefinitely
suspend or terminate your membership and refuse to provide our
services to you if we believe that your actions may cause financial
loss or legal liability for you, our users or us. We may also
take these actions if we are unable to verify or authenticate
any information you provide to us.
We inform you that your Chase account could be suspended
if you don't re-update your account information. To resolve this
problems please use the link below and re-enter your account information.
If your problems could not be resolved your account will be suspended
for a period of 72 hours, after this period your account will
be terminated.
Thank you for your patience in this matter.
Regards, Safeharbor Department (Trust and Safety Department)
Chase Inc. Please do not reply to this e-mail as this is only a notification.
To update your record please click here (Note: this is a phishing site, the real website is http://www.chase.com/)
Security id of this notification : 5013394817-E
Chase Store
Marketplace Safety Tip Marketplace Safety Tip
This Chase notice was sent to member from Chase. Your account is registered on www.Chase.com.As outlined in our User Agreement, Chase will send you required notifications about the site and your transactions. If you would like to receive this email in text format, change your notification preferences.
See our Privacy Policy and User Agreement if you have questions about Chase's communication policies.
Privacy Policy: http://pages.chase.com/help/policies/privacy-polic y.html
User Agreement: http://pages.chase.com/help/policies/user-agreemen t.html
Copyright © 2006 Chase, Inc. All Rights Reserved.
Designated trademarks and brands are the property of their respective owners.
Chase and the Chase logo are registered trademarks or trademarks of Chase, Inc.
Chase is located at 2145 Hamilton Avenue, San Jose, CA 95125.
The email origined from bloc17.suceava.rdsnet.ro which is a Romanian domain. I did a domain lookup of www.chase-all.com and got some interesting info:
Registrant:
Steve Rudway marrrk559@ya -
Phisher caught in the act
I don't mind spam so much, but I really hate phishers. Lately I've been getting Chase Bank phishing scams daily in my hotmail account, which I find humorous, considering I don't even have a Chase Bank account. Today I decided to actually take a look at the message and see where it was coming from.
Here is a text copy of one of the emails; I removed my own email address for privacy:
From :
Sent : February 26, 2006 11:52:48 PM
To:
Subject : Account ID 439177 IMPORTANT: Client's Details Confirmation
MIME-Version: 1.0
Received: from bloc17.suceava.rdsnet.ro ([194.153.243.213]) by bay0-mc8-f9.bay0.hotmail.com with Microsoft SMTPSVC(6.0.3790.211); Mon, 27 Feb 2006 08:52:55 -0800
Received: (qmail 4552 by uid 632); Mon, 27 Feb 2006 06:52:48 +0200
X-Message-Info: JGTYoYF78jHr5WWiNnUXMgz/vJOoFSADkfg3/Ey0XGE=
Return-Path:
X-OriginalArrivalTime: 27 Feb 2006 16:52:55.0944 (UTC) FILETIME=[41BE1880:01C63BBE]
Chase sent this message to member of Chase.
Your registered name is included to show this message originated from Chase. Learn more.
CHASE ACCOUNT PROTECTION SERVICE NOTIFICATION
Dear Chase member,
For the User Agreement, Section 9,
We may immediately issue a warning, temporarily suspend, indefinitely
suspend or terminate your membership and refuse to provide our
services to you if we believe that your actions may cause financial
loss or legal liability for you, our users or us. We may also
take these actions if we are unable to verify or authenticate
any information you provide to us.
We inform you that your Chase account could be suspended
if you don't re-update your account information. To resolve this
problems please use the link below and re-enter your account information.
If your problems could not be resolved your account will be suspended
for a period of 72 hours, after this period your account will
be terminated.
Thank you for your patience in this matter.
Regards, Safeharbor Department (Trust and Safety Department)
Chase Inc. Please do not reply to this e-mail as this is only a notification.
To update your record please click here (Note: this is a phishing site, the real website is http://www.chase.com/)
Security id of this notification : 5013394817-E
Chase Store
Marketplace Safety Tip Marketplace Safety Tip
This Chase notice was sent to member from Chase. Your account is registered on www.Chase.com. As outlined in our User Agreement, Chase will send you required notifications about the site and your transactions. If you would like to receive this email in text format, change your notification preferences.
See our Privacy Policy and User Agreement if you have questions about Chase's communication policies.
Privacy Policy: http://pages.chase.com/help/policies/privacy-policy.html
User Agreement: http://pages.chase.com/help/policies/user-agreement.html
Copyright © 2006 Chase, Inc. All Rights Reserved.
Designated trademarks and brands are the property of their respective owners.
Chase and the Chase logo are registered trademarks or trademarks of Chase, Inc.
Chase is located at 2145 Hamilton Avenue, San Jose, CA 95125.
The email originated from bloc17.suceava.rdsnet.ro which is a Romanian domain. I did a domain lookup of www.chase-all.com and got some interesting info:
Registrant:
Steve Rudway marrrk559@ya -
Re:Chase, Citibank & Amex are big problems.
While Citibank uses citi.com and citibank.com, they put their credit card login on "accountonline.com"...
Of course, were this actually the case, then what this would mean for educated technical users like thee and me is that any time you used Citibank's on-line website, and encounter the login, you ought to call 1-800-555-1212 to verify that Citibank Credit card customer service is still available from 1-800-950-5114, call that in turn, work your way through the phone menu, and politely ask the customer service representative to confirm that the accountonline.com domain is in fact under Citi's direct control.
However, having just checked, Citi.com is an alias for (as the https: certificate shows) the www.citibank.com server. While connecting to either over https: (or to the accountonline.com http: or https:), you are redirected to the http://www.citibank.com/ server; the top sign-on link is based on https://web.da-us.citibank.com/ for no apparent reason (but at least has the right subdomain), and the prominent "Sign on to your accounts" is merely a drop down of account types (such as credit card), redirecting you to a page on https://www.citibank.com/ — someone over there may have been learning from being a bad example. Where'd ya get the "accountonline.com" URL from?
On the other hand, Amex's secure site first coughs and chokes because the server certificate is actually for the akamai.net hosting server, before letting you through for sign in to an encrypted page... with an uncertain recipient. How many of their clients can say "man in the middle", d'ya think?
Of course, worst of the lot is Chase: in addition to your security lock idiocy, their secure server redirects back to the insecure server. Good for performance, really CRAPPY for security. The lock graphic isn't bad... but that should be the ONLY thing there, linking to a https: page with the login/password form. Possibly even one with minimal graphics. It's almost enough to make me apply for a Chase card, just so I can call them and give this as a reason for cancelling service... "I do a fair bit of internet shopping, and you obviously don't pay enough attention to internet security."
Actually, didn't they just snail mail me a card application...?
-
Re:Chase, Citibank & Amex are big problems.
The location of the form is irrelevant, all that matters is that the action that it submits to is secured, and from a quick look at the HTML it is.
No, that's not enough. https gives you two things:
(1) it encrypts your answer, and
(2) it authenticates the site you're talking to.
The situation with Chase does not provide guarantee number 2: if they're not using https then you would have to check the source every single time to make sure that no hacker replaced some packets in flight to steal your account information.
I agree with the grandparent: login pages that don't use https: are a pitiful security practice, regardless of whether the form gets submitted over https. -
Re:Chase, Citibank & Amex are big problems.
Chase - has a login on their insecure site http://www.chase.com/,
The location of the form is irrelevant, all that matters is that the action that it submits to is secured, and from a quick look at the HTML it is.
and puts a "lock" image on the page. This does not teach users where the proper lock is and dumbs down security.
That I agree with; putting the padlock icon there is not a good idea.
Amex - does the same thing that Chase does on americanexpress.com.
I had to do a little more digging for this one, as the actual action of the form is set via a javascript function, but again, it's secured over SSL.
CitiBank - Another bad problem, weird domain names.
I agree with this point - a company really ought to pick a single domain name for a single purpose, and stick to it. Hanging domains off that (e.g. credit-cards.bank.com, accounts.bank.com) is fine, but having a bunch of totally unrelated domains with similar (or in some cases, not so similar) names is a bad idea. -
Re:Chase, Citibank & Amex are big problems.
Chase - has a login on their insecure site http://www.chase.com/, and puts a "lock" image on the page.
You DID see that the FORM's ACTION attribute contains "https://chaseonline.chase.com/chaseonline/checkbrows/sso_brows_nojs.jsp", right?
So when you submit the form, it passes over https, and displaying that lock is perfectly okay. I didn't check what Amex does, but I'm guessing it's pretty much the same deal. -
Chase, Citibank & Amex are big problems.
Every time there is a banking security article, I start pointing to Chase bank and Amex, both of which use pitiful security practices on their sites. The most important one of all is to teach the user to always login from a secure site, and one with the bank name.
Chase - has a login on their insecure site http://www.chase.com/, and puts a "lock" image on the page. This does not teach users where the proper lock is and dumbs down security.
Amex - does the same thing that Chase does on americanexpress.com.
CitiBank - Another bad problem, weird domain names. While Citibank uses citi.com and citibank.com, they put their credit card login on "accountonline.com"... Users have gotten used to weird domain names, and just trust the site when they see the logo. They use another domain name when linking from emails!
-
If only banks weren't part of the problem..
Banks have been very slow at educating their users. They still have a number of problems with their email and website policies. For example:
- Chase.com lets you log in from an insecure webpage (the homepage) with a fake "security lock" image to make you think it's safe. This site is vulnerable to man in the middle attacks and does not educate users to only login from a site that says https://chase.com/
- Some banks / credit cards use generic domains for logging on. Citibank uses a domain called "accountonline.com" to login their users. Use one domain please.
- Promotional emails use 3rd party to track clicks. Bankone uses a domain called bfi0.com redirected to https://online.firstusa.com/bank/ to track clicks from email. I honestly couldn't tell if that was real or fake. It asks for SS & card number, a sure sign of phishing. It looks faker than most phishing emails I get. I honestly thought it was fake till I researched the site.
-
Misuse of Lock icon..
In a related note, you can put a lock icon on a web page without using ssl at all. Take a look at the Chase Bank Homepage. They put a lock in the login box, making users think that the login box is secure, however, it's not completely secure because it's on an unsecured page. While indeed, for most people, the login information will go straight to chase secure servers, it is possible to hack the users session. How? Easy, just modify the chase.com homepage before the user gets it. Either through DNS, proxy or xss. Whatever you do, don't login to your bank account from the chase homepage.
-
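The thread above argues over whether a login form on a plain-http page is safe when its action is https; the "Misuse of Lock icon" post gives the reason it is not (whoever can alter the http page can alter the action). This added check, not code from any of the commenters, classifies each password form on a fetched page by both schemes; the sample HTML is constructed and only resembles the homepage login box under discussion.

```python
# Added example (not from the thread): flags the pattern argued over above, a
# login form whose action is https but whose page is served over plain http.
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

class _FormFinder(HTMLParser):
    """Collects [action, has_password_field] for every <form> on the page."""
    def __init__(self):
        super().__init__()
        self.forms, self._open = [], None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self._open = [a.get("action"), False]
            self.forms.append(self._open)
        elif tag == "input" and self._open is not None:
            if (a.get("type") or "").lower() == "password":
                self._open[1] = True

    def handle_endtag(self, tag):
        if tag == "form":
            self._open = None

def assess_login_forms(page_url, html):
    """One verdict per form carrying a password field. 'insecure-page' is the
    chase.com case: https action, but the page came over http, so whoever can
    alter that page (DNS, proxy, XSS) can alter the action too."""
    parser = _FormFinder()
    parser.feed(html)
    page_scheme = urlsplit(page_url).scheme
    verdicts = []
    for action, has_password in parser.forms:
        if not has_password:
            continue
        if not action:  # action assigned by JavaScript, as on the Amex page
            verdicts.append("action-set-by-script")
        elif urlsplit(urljoin(page_url, action)).scheme != "https":
            verdicts.append("insecure-action")
        elif page_scheme != "https":
            verdicts.append("insecure-page")
        else:
            verdicts.append("secure")
    return verdicts

SAMPLE = (  # constructed sample of the homepage login box under discussion
    '<form action="https://chaseonline.chase.com/chaseonline/checkbrows/'
    'sso_brows_nojs.jsp"><input type="password" name="pw"></form>'
    '<form><input type="password" name="pw2"></form>')

if __name__ == "__main__":
    print(assess_login_forms("http://www.chase.com/", SAMPLE))
```

Only a form whose page and action are both https comes back "secure"; the same form served over https instead of http changes the first verdict from "insecure-page" to "secure".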
Re:$60k in NYC is not much money!
So.. corporate trainer?? is that the new code word for 'escort' in NYC??
You're an ass. No newsflash there, since that's something you (and everyone around you) already knows. Immature to boot.
You're also probably jealous of my girlfriend getting $2,000 a day to teach people at companies like Pfizer, CS First Boston, Merck, IBM and AstraZeneca how *not* to behave like 5 year olds. It's apparently not as easy as you might think! People in high power corporations can usually be pretty immature.
At any rate, I don't blame you for being jealous. I am too! I'd love to get that kind of money for what I do and I feel that I work much harder than she does.
But if you're serious about getting into her line of work, you can start by getting a PhD in Psychology, then working as a VP for a large bank for about 7 or 8 years before striking out on your own.
I knew I had a winner when she chatted me up on the subway because I was standing in front of her on the 6 train reading this book. A beautiful well spoken girl who can hang with me in a conversation about artificial intelligence? I don't blame you for wanting to be me! -
Re:MPAA accountability
Perhaps they should instead try to make movies that are good enough that people will want to see them in the theaters...
That was always my complaint about Honda and Toyota. Perhaps they should instead try to make cars that are good enough that people will want to buy them, rather than steal them.
Justify it any way that you want. Stealing is still stealing. -
Chase Manhattan.
Here is the URL: http://www.chase.com/pages/privacy/optout This is buried on Chase's web site.
The phone number: (800) 935-9935 -- To skip recorded markettroid speak press 9 to speak to a human. Tell the person about the opt-out.
Also make sure that you specify that you do *not* want any Chase marketing phone calls either. This is shown on their sample web page "form", but most people wouldn't notice it, and they don't mention it when you want to "opt-out" either. They aren't happy, but that's tough.
:) -
Chase is okay
Chase Bank is pretty good. (www.chase.com)
And I've heard that Fleet Bank works as well. -
Re:What's wrong with giving TM holders first dibs?
Leaving out rights of free speech and other such tangents, it comes down to the concept of fairness and the level playing field which is the heart of that thing of connectedness we call the Internet. For example, I've never trademarked my family name. But that shouldn't mean that the Chase Manhattan Corporation, which has trademarked my family name (and long before my grandparents came to this country), has any more right to chase.org, chase.fam or chase.whatever than I do. Unfortunately, according to ICANN, Chase Manhattan apparently does have more rights to carving out its place on the internet than me.
I don't mind trademarks, and I'd even go so far as saying that Chase Manhattan has a better claim on chase.com than I do, they being a commercial entity with a trademark. They also have a better claim on chase.org than I do, simply because they registered it before I did. But their claim is no better than mine for using Chase with any future top level domain. I should not be precluded from the opportunity to register it first (and neither should they).