Transterrestrial Musings  


Biting Commentary about Infinity, and Beyond!


Insecure

American Express has an insecure login. When you enter the URL http://www.americanexpress.com (a natural enough place to go take care of your accounts, and the address that comes on the bill), you're redirected to this page. Note that it's an "http" site, not an "https."

You can get a secure login by adding an "s" to the URL and reloading the page, but most people wouldn't know to do that, and you shouldn't have to. There's no link to a secure option, and they shouldn't even allow a non-secured login. This is kind of amazing for a company with the reputation of AmEx.

Posted by Rand Simberg at March 23, 2005 06:29 AM

Listed below are links to weblogs that reference this post from Transterrestrial Musings.
Insecure Credit Card Site
Excerpt:

AmericanExpress.com apparently has a security issue with its login window.
If you use that website to manage a credit card account, click that link up above to see what the problem is, and what you need to do to protect yourself.


Weblog: Yippee-Ki-Yay!
Tracked: March 23, 2005 06:48 AM
Comments

Another reason to drop my AmEx card when it comes up for renewal.

Posted by Barbara Skolaut at March 23, 2005 10:39 AM

If you take apart the HTML source you see that this is a JavaScript application that handles your name/passwd. This is then sent to a HTTPS server.
https://qwww48.americanexpress.com/en/intl?request_type=intl_CardsListHandler&Face=en_gb" name=ssosystem

The average user is supposed to "know" to check the certificates on any secure web site he/she accesses. In reality, I doubt anyone "knows" this, or knows how to do it in their browser. Your point is well taken because the user can't check the certificate until a secure connection is made.

The typical system of "informing" the user that she/he is communicating securely with "who they think they are communicating with" is not terribly effective. And, yes, I do do this for a living.


Posted by Fred K at March 23, 2005 03:53 PM

