Insecure
American Express has an insecure login. When you enter the URL http://www.americanexpress.com (a natural enough place to go take care of your accounts, and the address that comes on the bill), you're redirected to this page. Note that it's an "http" site, not an "https."
You can get a secure login by adding an "s" to the URL and reloading the page, but most people wouldn't know to do that, and you shouldn't have to. There's no link to a secure option, and they shouldn't even allow a non-secured login. This is kind of amazing for a company with the reputation of AmEx.
Posted by Rand Simberg at March 23, 2005 06:29 AM
Listed below are links to weblogs that reference this post from Transterrestrial Musings.
Insecure Credit Card Site
Excerpt: AmericanExpress.com apparently has a security issue with its login window.
If you use that website to manage a credit card account, click that link up above to see what the problem is, and what you need to do to protect yourself.
Weblog: Yippee-Ki-Yay!
Tracked: March 23, 2005 06:48 AM
Comments
Another reason to drop my AmEx card when it comes up for renewal.
Posted by Barbara Skolaut at March 23, 2005 10:39 AM
If you take apart the HTML source you see that this is a JavaScript application that handles your name/passwd. This is then sent to an HTTPS server.
https://qwww48.americanexpress.com/en/intl?request_type=intl_CardsListHandler&Face=en_gb" name=ssosystem
The average user is supposed to "know" to check the certificates on any secure web site he/she accesses. In reality, I doubt anyone "knows" this, or knows how to do it in their browser. Your point is well taken because the user can't check the certificate until a secure connection is made.
The typical system of "informing" the user that she/he is communicating securely with "who they think they are communicating with" is not terribly effective. And, yes, I do do this for a living.
Posted by Fred K at March 23, 2005 03:53 PM