
American Express fails miserably at basic security - ice799
http://timetobleed.com/warning-american-express-fails-miserably-at-basic-security/
======
edj
This sounds scarier than it really is. Why? Because credit card companies
focus on identifying fraudulent transactions rather than verifying your id.

From Bruce Schneier's blog[1]:

"But once you understand that the problem is fraudulent transactions, you
quickly realize that authenticating the transaction, not the person, is the
way to proceed.

"Again, think about credit cards. Store clerks barely verify signatures when
people use cards. People can use credit cards to buy things by mail, phone or
Internet, where no one verifies the signature or even that you have possession
of the card.

"Even worse, no credit card company mandates secure storage requirements for
credit cards. They don't demand that cardholders secure their wallets in any
particular way. Credit card companies simply don't worry about verifying the
cardholder or putting requirements on what he does. They concentrate on
verifying the transaction."

[1]: <http://www.schneier.com/essay-153.html>

~~~
tptacek
Strong disagree. In reality, and especially for small-ish transactions, card
companies are terrible at detecting fraud and customers are terrible at
noticing it. Criminals can make second-order money off innocuous transactions
through affiliate scams.

The only reason this isn't a big deal is that it remains incredibly easy for
attackers to get CC#'s without capturing packets off the wire.

~~~
DrJokepu
Don't know, obviously you know a lot more about this than me, but in my
experience as a consumer, at least my bank (HSBC UK) has been pretty good at
identifying fraudulent transactions on my account. They actually spot them
before I do and call me right away.

~~~
patio11
My credit card companies are so good at identifying fraud they've caught 17 of
my last 0 fraudulent transactions.

(OK, I sympathize: buying a thousand bucks of stuff in four transactions from
central Japan at 2 in the morning is not exactly typical behavior for a Bank
of America customer.)

~~~
lanstein
btw, as a fellow B of A customer who has had to deal with their crappy fraud
algorithm as recently as last week, apparently you can go into the branch and
have the 'fraud protection' removed.

------
pkulak
That's pretty terrible, but I'd say it's still more secure than most of the
ways I transfer my credit card number. Twice I've needed a tow truck, and both
times would you like to know how they charged my card? By picking up their
radio and reading off all my info to the main office. All I'd need is a
scanner to get dozens of valid credit card numbers a day.

~~~
mynameishere
I once gave my card to a waiter.

~~~
hugh3
A waiter stealing credit card numbers has a good chance of being caught
eventually. I assume the credit card companies do some basic data mining on
their stolen card database, and if card numbers start getting stolen shortly
after dining at a particular establishment then they'll track this down.

I googled "waiter stealing credit card numbers" and here's an example from
today's news of some folks who got caught:

<http://www.wjla.com/news/stories/0510/739156.html>

On the other hand if you have a radio scanner and are picking up numbers going
over the air from tow truck companies there's no traceable link between you
and anything in the database.

~~~
mseebach
No, but there'd be a link to tow-truck companies in your area, and perhaps
their not-exactly-PCI-compliant handling of credit-card numbers would be
exposed.

~~~
spohlenz
Who says it would be in your area though? You could travel the country and
probably find hundreds of instances of this sort of thing happening.

------
jrockway
Maybe. But their fraud detection is pretty good. I've seen some unauthorized
charges before, and Amex has called me before I had any idea. I've also had
unauthorized charges show up on a Citi card -- their customer support didn't
care and refused to help me. I just paid the $60 (for some scam software,
apparently) and canceled the card. So Citi may protect their numbers better,
but Amex actually helps you when someone gets your number.

(I also had a Paypal debit card canceled for authorized charges. Needless to
say, I just buy everything with the Amex. Good customer service, good interest
rate, cash back.)

------
InclinedPlane
American Express also limits passwords for their online banking functions to
less than 8 purely alphanumeric characters (no spaces, no special characters).
If this alone wasn't bad enough, this almost certainly means that somewhere
deep in the bowels of AmEx's software stack there's an ancient system where
the password field is in plain-text.

~~~
bradgessler
AMEX isn't the only one with arcane password restrictions. Most banks limit
the characters to an alphanumeric subset of ASCII with a few characters like
_, and -. It makes no sense.

If that wasn't bad enough, look at how services like Mint have to interface
with these institutions? When will something like OAuth come into play at
banks?

I'd love to charter a bank on the premise of superior online service.

~~~
gry
I wonder about this, same for my bank. My theory is alphanumeric plus one,
maybe two symbols means there is a lower probability of some sort of SQL
injection. Perhaps a greater risk for exposing one account, but lower risk for
exposing many.

It's the only explanation I can come up with.

~~~
natrius
It's a good explanation, but it can only be valid if they store passwords in
plain text. No financial institution would do that, right?

~~~
jlangenauer
I'd dare say that if a financial institution ever had a situation where an
attacker could see any part of their database, they'd have far bigger problems
to deal with.

------
tptacek
It wouldn't matter at all if the handler was HTTPS. If the form is delivered
over HTTP, a man in the middle can make it go wherever they want.
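The point above is the one a practitioner would audit for: a form page fetched over plain HTTP is rewritable on the wire no matter where its action points. This added example (not code from the linked article or from American Express) classifies each form on a page by page scheme versus resolved action scheme; the sample page and URLs are constructed.

```python
# Added example (not code from the article or from American Express): flag
# forms that rely on an HTTPS *action* while the page itself came over HTTP.
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit


class _FormCollector(HTMLParser):
    """Collect the action attribute of every <form> on the page."""

    def __init__(self):
        super().__init__()
        self.actions = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "form":
            self.actions.append(dict(attrs).get("action") or "")


def classify_forms(page_url, html):
    """Return [(resolved_action_url, verdict), ...] for each form in `html`.

    "ok":               page and action both HTTPS
    "mitm-rewritable":  page over HTTP, action HTTPS; an on-path attacker can
                        rewrite the action before the browser renders it
    "plaintext-submit": action over HTTP, so the submission itself is readable
    """
    collector = _FormCollector()
    collector.feed(html)
    page_scheme = urlsplit(page_url).scheme.lower()
    results = []
    for action in collector.actions:
        # Relative actions inherit the page's scheme, so resolve them first.
        target = urljoin(page_url, action)
        if urlsplit(target).scheme.lower() != "https":
            verdict = "plaintext-submit"
        elif page_scheme != "https":
            verdict = "mitm-rewritable"
        else:
            verdict = "ok"
        results.append((target, verdict))
    return results


# Constructed sample: an HTTP page whose card-number form posts to HTTPS.
SAMPLE_PAGE_URL = "http://shop.example/enroll"
SAMPLE_HTML = """<p>This page is secure.</p>
<form action="https://secure.example/submit" method="post">
  <input name="card_number"><input name="cvv"><input type="submit"></form>
<form action="/feedback" method="post"><input name="msg"></form>"""
```

Calling `classify_forms(SAMPLE_PAGE_URL, SAMPLE_HTML)` labels the card form "mitm-rewritable" even though its action is HTTPS; only fetching the same page over HTTPS turns that verdict into "ok".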

------
jeff18
Just out of curiosity, what is the actual penalty to American Express for
saying their page is secure while transmitting credit card numbers in
plaintext?

~~~
eli
If someone steals my card number, they're the ones on the hook.

Edit: mkull is probably right in the vast majority of cases

~~~
mkull
Wrong. If someone steals the card number, the merchant who accepts the
fraudulent transaction is on the hook. Not AMEX.

~~~
xenophanes
That sounds awful. Credit card fraud is mostly paid for by merchants??

~~~
jacquesm
The card issuer has two parties they can stick the charge to, one is the
merchant, the other their customer.

The merchant is the easy way out: they're not going to cancel their connection
with the card issuer, because that's their bottom line. Sticking the charge to
the customer is harder because the customer will cancel.

Follow the path of the least resistance: stick it to the merchant.

Now if they did the right thing, they'd fix their acceptance rules and a bunch
of security issues and eat the remainder of the charges.

Fat chance of that happening any day soon.

~~~
hugh3
This is actually sensible, since it shifts the responsibility for verifying
the customer's identity onto the merchant, and lets merchants figure out
exactly how much trouble they want to go to in order to do this. Some places
will demand a photo ID to go along with your credit card transaction. On the
other hand, some places like Starbucks don't even make you sign the receipt --
they figure the small number of coffees which get charged to stolen credit
cards are well worth the ability to keep the line moving.

~~~
ptomato
Per the merchant agreements, they _cannot_ deny you the sale if you don't want
to show your ID. Also, the credit card companies no longer require signatures
for purchases under $20 (possibly $25?) which is why Starbucks doesn't require
you to sign any more.

------
jacquesm
That's just an ad for 'homerun'.

Find insecurity in competitors service, make loud blog noises, drop payload.

~~~
recampbell
Really, just an ad?

Amex's lack of security is no less interesting if it's discovered by a
competitor. It's a pretty serious mistake by an organization you would expect
to be more careful and knowledgeable about these things.

~~~
JoachimSchipper
True, but read the comments. The organization reporting this is little better.
("Encrypted on the client" - which means they would be horribly exposed to
man-in-the-middle attacks...)

------
dalore
In the old mail order days my dad used to write the cc number on the order
form, in plain text!

------
ams6110
The F-bombs really don't add anything to an otherwise decent write-up. Use
some more creative vocabulary.

~~~
ice799
sorry bro i write the way i talk. also: "shit, piss, fuck, cunt, cocksucker,
motherfucker, and tits."

------
kaddar
"This page is secure"?

This comment is complimenting American Express.

------
hans
I canceled Identity Protect service at AMX after it routinely lagged
(sometimes months) in notifying me of credit changes to my fico or whatever.
It is sad to see people pay $14/month for that service which, best case
scenario, notifies you after somebody jacked your card and has long since
moved away to a foreign country. Then I canceled my card too!

Really identity thievery is an issue b/c of the banks + loan companies.
They're perfectly willing to roll accounts with very little scrutiny and I
don't understand why there are not class action lawsuits etc. to nail the
lender, not the jacked identity. Search for "credit freeze" if you want the
real solution.

------
henrikschroder
Why would you even need the entire credit card number to sign up for a service
like this? That's what boggles my mind the most. Amex really only needs enough
data to identify one of their cardholders in such a way that no one can sign
up for someone else.

Name + billing address + last four digits should be enough? Or last eight. Or
last four + CVC. Asking for everything that's required for a purchase is
beyond dumb. To me, it's like giving out your password while talking to
customer representatives; that's also something you don't do.

------
DeusExMachina
Reading the discussion about credit card number security reminded me of this,
which is worse than having some money stolen:

<http://news.ycombinator.com/item?id=1129797>

------
someone_here
Unfortunately, most of today's "security" with regard to credit cards is
merely there to deter the easy grabs. Any determined person could easily get
anyone's details through a number of means.

~~~
amdev
Sure, but why not grab low hanging fruit?

------
treblig
I would be inclined to take this more seriously if there wasn't an enormous
distorted AMEX logo at the top of the post.

~~~
ice799
i don't do graphics bro sorry

------
kadhinn
Eye opener... it's hard to believe, but then you have proved it. Merchants need
to take this up with banks.

------
c00p3r
The issue is as old as the internet itself - do not use your primary card.
Open a special one for electronic use only, with a separate account, instead.

