Find A Massive Security Hole At American Express? If You're Not A Cardholder, It Doesn't Care

from the ouch dept

One of the general tenets of white hat security hackers is that when they find a vulnerability they alert the company first and allow it to fix things before they reveal the details. But what if it's impossible to reach anyone at the company? That Anonymous Coward points us to a recent case of someone discovering a serious zero-day vulnerability at American Express... and not only not being able to find anyone to contact, but also being told that the company would pay more attention to him if he were a cardholder:
To my great surprise American Express doesn’t allow anybody to contact them. Instead, you’re sent through their ten-year-old copyright noticed website’s first line support jungle to be attacked with questions ensuring that you’re a paying customer. If you’re not then you might as well not bother, unless you feel like speaking technical advanced 0day vulnerabilities with incompetent support personnel either through Twitter direct messages or phone. They will leave you no option of contacting them in a manner that circumvents any theoretical possibility they may have of boosting sales numbers.

The only acceptable contact methods that I found on their site were telephone, fax or physical mail to some typoed country called Swerige. I figured none of them were suitable for 0day reports and decided to turn to Twitter and ask for an e-mail address or some other modern protocol.
As TAC mentioned in his submission, perhaps black hat hackers are merely white hats who got tired of the muzak on hold...


Reader Comments

  1. Anonymous Coward, Oct 11th, 2011 @ 1:50pm

    Why tell a company they have a vulnerability? If they won't give you the time of day you have another, much more supportive group of people that know what your time is worth...

     

  2. PrometheeFeu (profile), Oct 11th, 2011 @ 1:59pm

    I remember finding a vulnerability in a couple of smallish websites. I dutifully tried to bring it to their attention. I never heard back from any of them and they never fixed it. I have come to the conclusion that security is just not something that most developers think or know anything about. As for the business people... well, let's not go there... They won't care until the PR guy shows up with newspaper articles of your database being broken into.

     

  3. :Lobo Santo (profile), Oct 11th, 2011 @ 2:14pm

    Re: Then again

    Mebbe it only seems that way 'cuz you don't hear about the guys who really know their shiznit on security stuff...

     

  4. That Anonymous Coward (profile), Oct 11th, 2011 @ 2:17pm

    You tell the company so that they can actually fix it. But this is in the fantasy land where corporations are actually held accountable for craptastic failures to not use the most basic tools to protect the customer information. (We call them SONY)

    And sadly you're right PrometheeFeu, until it is in the media no one cares, and by then as a customer you've already been screwed over for months/years.

    This is someone tinkering around on his own dime, finding something really wrong and then trying to do the right thing.
    We have all of these great stories about how hackers are evil blah blah blah blah blah.... The flipside of that coin is, until it is a bigger financial detriment to the company to pay out court awards, spend nothing to secure your systems. But the spin is always the evil hackers, never the corps who got an extra bonus for gutting their network security department.

    Hackers tinker with things, they like to understand how they work. Hackers are not an evil criminal force covering the planet trying to rob everyone.

    And muzak is the devil.

    Given the high profile Sony, BART, CIA, etc etc etc "hacks" recently you'd think the corps would set up a phone number or something for white hats to get the people they need to talk to to fix.... er wait... they have no IT security people... nevermind...

     

  5. Anonymous Coward, Oct 11th, 2011 @ 2:17pm

    Is it just me or did others see the "DM me" and the phone number provided? Taking the discussion to DM absolutely seems like the appropriate action here. Where's the dirt?

     

  6. BearGriz72 (profile), Oct 11th, 2011 @ 2:21pm

    Ha!

    "perhaps black hat hackers are merely white hats who got tired of the muzak on hold..."

    My hat must be getting grayer by the day...
    Oh wait that's just my hair.

     

  7. That Anonymous Coward (profile), Oct 11th, 2011 @ 2:22pm

    Re:

    Because someone hired to manage their twitter presence seems well versed in being able to understand vulnerabilities in their system. And she could have DM'd him... but do you really want Courtney deciding if a 0day is worth bumping up the line to her boss in PR?

    And the phone number... is customer service... once they figured out he was not a customer... yeah not so interested any more.

     

  8. Planespotter (profile), Oct 11th, 2011 @ 2:22pm

    Re:

    The dirt is that the twitter account is served by 1st line support staff at the very best... and he is trying to find a way to get straight thru the jungle of expert systems and tiered support lines to talk to someone that will actually understand what he has to say.

     

  9. David Liu (profile), Oct 11th, 2011 @ 2:24pm

    Re:

    The phone number looks like it just points to a customer service number.

    "DM me" is just another way of saying, "message me, a low customer service tech, about your intricate 0day exploit, and I'll pass it on to my manager, who will lose it in the shuffle."

    For a vulnerability relating to a financial institution like American Express itself, I would think that they should take this very seriously.

     

  10. Anonymous Coward, Oct 11th, 2011 @ 2:27pm

    Is this about not being able to contact someone, or just not getting the recognition from someone who can appreciate what was found?

    Kinda smells like the second...

    Otherwise, if you can't easily get to someone who can understand the problem, just look up a bunch of executive e-mail addresses, as well as generics, and blast the details to all of them. Someone will pay attention.

    Unless it was more about the recognition.

    ;)

     

  11. Anonymous Coward, Oct 11th, 2011 @ 2:29pm

    swerige means sweden

     

  12. :Lobo Santo (profile), Oct 11th, 2011 @ 2:29pm

    Re: Re: Devils Cartographer

    On the other hand:

    Should they lavish time/money on every crackpot (no offense meant) who calls and says "I can beat the system!"?

     

  13. That Anonymous Coward (profile), Oct 11th, 2011 @ 2:38pm

    Re: Re: Re: Devils Cartographer

    He had verifiable proof that was quickly and easily verifiable.
    And if these corps were smart they would have contact info already provided to the community he is a part of.
    You're talking about white hat hackers, who aren't likely to publicize a "white hat hacker" reporting line/email etc. They understand very well the trust they would be getting there, and would ensure it remaining viable.

    Not all "security professionals" are exactly suit and tie people, but if it came down to making sure my system was secure I don't care if the expert had dreads and a TPB t-shirt on. Knowledge and skill should trump appearances. Ask Aaron Barr.

     

  14. matics (profile), Oct 11th, 2011 @ 2:39pm

    Imagine the police had that sort of service?

    "Hello, 911? I'd like to report that I saw someone trying to break into a local bank through a wall."

    "OK sir, and are you a member of that bank?"

    "Well... No, but-"

    "I'm sorry, if you aren't a member, you need to call 912, our other support line. Thanks and good luck!"

    "..."

     

  15. Dan_Stephans (profile), Oct 11th, 2011 @ 2:40pm

    Once he exhausted the whole "use twitter to try to find the best person to talk to" this became news?

    I see nowhere in TFA where he tried any other reasonable avenues of communication. What I do see is that he decided that those avenues of communication were not appropriate (his decision) and that Twitter was, for some reason.

    Sorry, non-story.

     

  16. Anonymous Coward, Oct 11th, 2011 @ 2:41pm

    When did the telephone stop being a modern protocol? Even if you don't have a phone there are plenty of free ways to place phone calls through a computer connected to the internet.

     

  17. Jeff, Oct 11th, 2011 @ 2:43pm

    Since they won't listen...

    You might as well just do nothing further... or simply release the details of the exploit, and let American Express resolve it on their own after the damage is done.

     

  18. Anonymous Coward, Oct 11th, 2011 @ 2:44pm

    Did you try abuse? Security?

    Why didn't you email their abuse address? security@ is also commonly monitored by CERT teams.

    http://www.co.sisqjustice.ca.us/contact.htm

     

  19. That Anonymous Coward (profile), Oct 11th, 2011 @ 2:45pm

    Re:

    Not so much appreciate as understands.
    Do you think physicists enjoy being at parties and having to get out the coloring book version of physics 101 so that Bob from accounting can understand the conversation?

    If he wanted recognition and was that obsessed with it he would have hacked the site and done something to leave a mark.

    High end geeks tend to have little patience for people who demand to know how the technology works. They prefer talking to peers who know all of the basic concepts so you're not explaining how a communication protocol works, they have all the basics down already.

    These are the people who created the carrier pigeon protocol, and it only had packet loss in hunt season.

     

  20. bjupton (profile), Oct 11th, 2011 @ 2:46pm

    Re: Re: Re: Re: Devils Cartographer

    Not that this is at all your point...

    I'm amused at the thought of these big corps, especially the financials, not caring about appearances. :)

     

  21. bjupton (profile), Oct 11th, 2011 @ 2:51pm

    Re:

    yeah, not exactly.

     

  22. Anonymous Coward, Oct 11th, 2011 @ 2:53pm

    Why are you testing their security?

    Since you aren't a customer? So you can sell it to them? Slag them off? You seem either clueless or a bit of a dick.

     

  23. That Anonymous Coward (profile), Oct 11th, 2011 @ 2:56pm

    Re:

    because calling an 800 number from .se is cheap and easy to get routed to someone in a call center halfway around the world who will be the chosen one who will understand what the issue was.

     

  24. That Anonymous Coward (profile), Oct 11th, 2011 @ 2:59pm

    Re: Did you try abuse? Security?

    and this is common knowledge to people outside the US, just stuff an email to a couple addresses that may or may not be monitored and hope that the company who drew a freaking bullseye around the hole in the system will fix it?

    I was reading his twitter feed... very smart man.
    They tried to hide the tool by putting the address to it in robots.txt and telling them not to look there.
    Security through obscurity...

     

  25. Anonymous American, Oct 11th, 2011 @ 3:04pm

    Re: Re: Then again

    Or more likely, the cost of a breach is much less than the cost of fixing a potential breach.

    Until this math is changed through higher and more painful penalties, it's going to stay that way.

     

  26. Anonymous Coward, Oct 11th, 2011 @ 3:06pm

    Re:

    i thought it was Sverige

     

  27. Anonymous Coward, Oct 11th, 2011 @ 3:07pm

    Re: Re:

    I am sure two non-native English speakers speaking English to each other is a really fun conversation to be a part of too.

     

  28. Anonymous Coward, Oct 11th, 2011 @ 3:07pm

    Re:

    because they wouldn't talk to him anymore after he told them he wasn't a card holder, it's in the first paragraph

     

  29. Anonymous Coward, Oct 11th, 2011 @ 3:10pm

    Re: Why are you testing their security?

    yeah what a dick he took this hack and stole a bunch of peoples info then sold the 0day to a hacker ring for a cool half a million and is now on a beach fuc....oh wait no he attempted to tell the company, got sick of trying and publicly released it so they would hear about it, what a dick.

     

  30. Anonymous Coward, Oct 11th, 2011 @ 3:12pm

    Re: Re: Re:

    especially with something as non-technical as a 0day web exploit

     

  31. Anonymous Coward, Oct 11th, 2011 @ 3:12pm

    Re: Why are you testing their security?

    Are you an idiot? Serious question.

     

  32. Dan_Stephans (profile), Oct 11th, 2011 @ 3:14pm

    Re: Re:

    And he expected better results with twitter? I'm sorry, if you're intelligent enough to track down a 0day you can do better than this guy in attempting to find a fruitful avenue of communication.

     

  33. Simon, Oct 11th, 2011 @ 3:28pm

    It shouldn't be necessary, but I've resorted to this kind of technique to find someone to disclose to before now : http://lmgtfy.com/?q=inurl%3Alinkedin+american+express+security

     

  34. Jim_G, Oct 11th, 2011 @ 3:30pm

    Please notice that Mike has added a tremendous amount of information in how this story is presented and it is affecting everyone's opinions of the twitter dialog. Mike is the one who called this "a serious zero-day vulnerability" and a "massive security hole." It might be that serious, but Niklas just called it a "security vulnerability" and then seemed incapable of summarizing the threat. I don't know the details of the exploit, but he could have said "I have found a way to steal AmEx card numbers from another web site such as Amazon, and can demonstrate how this works." I think that would have gotten more attention.

     

  35. Anonymous Coward, Oct 11th, 2011 @ 3:36pm

    Re: Re: Why are you testing their security?

    No you are the idiot, fool.

     

  36. blaktron (profile), Oct 11th, 2011 @ 3:45pm

    Re:

    If you read about what exactly the exploit is from the guy himself, you'll see that there's no way to impart the seriousness of what he found to the average call centre monkey. He tried to follow the white hat security model to the fullest, but that model is a 2-way street, and Amex didn't do its part.

     

  37. Anonymous Coward, Oct 11th, 2011 @ 4:15pm

    Re:

    Honestly, as a developer (not a web developer, mind you), I find software to always be in some stage of advanced beta. We are always on a deadline and we never pick what we fix first. Bug reports come in, go into a database, and then 5 business people meet on Wednesday to figure out which ones get fixed. If it isn't gonna bring immediate sales, no one cares.

    Then you say, why don't you find your own problems? Most problems and bugs really require a second set of eyes, and my company definitely doesn't believe in agile practices. So really you just wait for someone to whine. And then you wait for the business people to decide how you spend your time.

     

  38. Anonymous Coward, Oct 11th, 2011 @ 4:16pm

    Executive Offices

    American Express Company
    World Financial Center
    New York, NY 10285
    212.640.2000

    not that hard to find the corporate contact information.

     

  39. That Anonymous Coward (profile), Oct 11th, 2011 @ 4:17pm

    All in all I am sure Mike is just happy it submitted something not copyright related for once. :)

    Speaking of which.... *runs off to submit*

     

  40. Anonymous Coward, Oct 11th, 2011 @ 4:27pm

    Re:

    No kidding, the person reporting the problem acted like an idiot and then blamed Amex.

     

  41. Jayce, Oct 11th, 2011 @ 4:36pm

    He's probably better off

    They'd just try to prosecute him for finding a hole, anyway.

     

  42. hmm (profile), Oct 11th, 2011 @ 4:43pm

    I KNOW WHY!

    If you don't tell them about the vulnerability they can claim later they have no knowledge of it, no-one's to blame and no one in management gets fired......

    If they KNOW about the vulnerability they have a duty to fix it or face class action lawsuits............

     

  43. hmm (profile), Oct 11th, 2011 @ 4:47pm

    Re: Why are you testing their security?

    because he wanted to HELP other human beings to NOT get ripped off?

    In your world I guess doing something for altruistic (that's a big new word..look it up) reasons makes someone a dick?

    interesting.

     

  44. ike, Oct 11th, 2011 @ 4:47pm

    Re: Re: Re:

    It's the second time you said that, but there is no basis for it. He balked at the suggestion of using twitter.

     

  45. That Anonymous Coward (profile), Oct 11th, 2011 @ 4:48pm

    Re:

    *boggle*
    You obviously have no understanding of how and what a 0day can do.
    In the time it would have taken for a letter to make it across the Atlantic, the amount of damage that could have been done is HUGE.
    And you expect someone on their own dime to shore up their services, and bear all of the burdens because they couldn't be bothered to secure the system in the first place.

    You... out of the gene pool...

     

  46. hmm (profile), Oct 11th, 2011 @ 4:49pm

    the answer

    The following post on any website searchable by google would have got their attention:

    WOW! I just found a way to take money directly out of the CEO of AMEX's *personal* bank accounts.......

    (5..4..3..2..1.)....cue call from Amex Security......

     

  47. Anonymous Coward, Oct 11th, 2011 @ 5:13pm

    Re: Re:

    Agile just makes it worse since it makes it easier for business to micro manage features. Before that I would just quote the features they wanted and add the time it takes to fix the security issue as well. They have no clue how code works so then later on if they do decide to fix the security bug, just use that time to fix some other bug.

    I do this kind of thing all the time. You just use their own ignorance against them and in the end actually help them.

     

  48. Dwayne, Oct 11th, 2011 @ 5:37pm

    Re:

    You need to be friends with a user to DM them. I doubt they're friends on Twitter.

     

  49. Anonymous Coward, Oct 11th, 2011 @ 5:46pm

    Re:

    If you used Google to find the vulnerable websites you probably wouldn't be able to contact them all.

    http://searchengineland.com/using-google-code-search-to-find-vulnerable-sites-10146
    http://cybersaviours.wordpress.com/2011/02/20/how-to-find-out-if-a-website-is-vulnerable-to-sql-injection/

    I once typed a version of wordpress to see how many vulnerable websites were out there and there was a lot including a lot of political websites.

     

  50. Anonymous Coward, Oct 11th, 2011 @ 5:50pm

    Re: Re:

    I think that actually is a human weakness, we don't like to find easy ways to explain things to others and that is a problem to everyone.

     

  51. Chris Maresca (profile), Oct 11th, 2011 @ 6:05pm

    whois americanexpress.com = amexdns@aexp.com

    security "researcher" == fail

     

  52. Anonymous Coward, Oct 11th, 2011 @ 7:19pm

    I.T. Courts?

    If we can introduce a system in which, if an informed I.T. professional sent a warning about a security hole and a financial group chose to neglect it, he could file a complaint and get that organization to find people to fix it, or it will get into trouble.

     

  53. Anonymous Coward, Oct 11th, 2011 @ 7:21pm

    Re: Under-Resourcing Of Customer Support

    Fixing bugs and security holes is a form of customer support, which never gets any love because it is not perceived as having an influence on sales. That is wrong, of course, but the corporate psychopaths do not care about other people in general, so customer support gets starved of money, routinely.

    The whole existing credit card system is broken anyway. Think about it, anybody who knows your credit card number can help themselves to your bank account. Is that a disaster looking for somewhere to happen or what? The banks and the credit card companies know the system is broken, but they do not care, because they have largely diverted the losses to other people. When there is a fraudulent credit card transaction, first the loss goes to the cardholder. If the cardholder kicks up a big enough stink (not easy), then the loss goes to the merchant. The poor old merchants are just stuck, in most cases.

    The stuff about complaints only being accepted from cardholders is just a ruse to get the complainant to go away. They have a mountain of complaints already, adding another one is just a waste of time. Only a widespread consumer boycott of the broken credit card system would get the banks to fix it. There is no chance of the sheeple doing that, so the banks run the system, ignore the complaints and enjoy the profits.

     

  54. Anonymous Coward, Oct 11th, 2011 @ 7:30pm

    I'm curious why he refused to use the phone number he was given to contact them.

     

  55. nasch (profile), Oct 11th, 2011 @ 7:37pm

    Re: Re: Under-Resourcing Of Customer Support

    I've found it extremely easy to dispute credit card charges. You're right though, it's broken. Two factor authentication would be nice, but probably too expensive and inconvenient to put into place.

     

  56. Anonymous Coward, Oct 11th, 2011 @ 8:01pm

    Re: Re: Under-Resourcing Of Customer Support

    If support@example.com is not right there, clear as day, on their website, then they have volunteered to be notified of their security vulnerabilities by having them published for all to see. Publish anonymously on any willing white-hat security site, then get on with your life.

     

  57. Anonymous Coward, Oct 11th, 2011 @ 9:31pm

    Re: Re:

    Apparently you missed the phone number in that post. If it is so important then why not pay for the long distance call?

     

  58. Parker, Oct 11th, 2011 @ 9:55pm

    This might have been said already, but my solution would be to just leak the vulnerability (anonymously of course). Let them learn security the hard way. (but then I'm an asshole)

     

  59. Rich Kulawiec, Oct 12th, 2011 @ 4:36am

    Sadly, this is extremely common

    RFC 2142 specifies role account email addresses (e.g., "postmaster") which all domains must/should support in order to facilitate communication. Any operation which does not support at least the mandatory addresses is clearly incompetently managed -- and quite foolish, as it has deliberately cut itself off from free expert assistance.

    Yet this has become the norm. Many clueless, lazy, cheap and ignorant admins will claim that this is necessary because of the levels of spam/abuse that arrives in these mailboxes. Of course, everyone with sufficient experience knows that's merely a flimsy excuse for their inability to handle a rudimentary task. Other equally-clueless admins will provide an idiotic web form that demands irrelevant information and forces correspondents into using a very limited communication method (i.e., one which does not support lengthy messages and/or attachments).

    The ignorant newbies who do all this are of course the first ones to whine and cry foul when researchers publicly disclose a problem.

     

  60. Benny L (profile), Oct 12th, 2011 @ 5:04am

    Re: why he didn't use the phone number supplied

    If I'm not mistaken, an 800 number is a toll free number in the United States. Well, have you ever tried calling one from abroad? That's one of the problems here. This guy is (like me) situated in Sweden, which as some of you may know is OUTSIDE the US borders.

    To put it simply: He CAN'T call that number no matter what. It just doesn't work.

    Which brings me to the next reason he's probably reluctant to phone, namely that Sweden is six (or seven, depending on whether summer time is in effect) hours east of New York, meaning that for him to actually find someone to answer the phone in the other end he's going to have to call late in the afternoon or evening, local time.

    As to the other options, snail mail or fax... well, I shouldn't have to comment on that, should I?

    That said, he could probably have been a bit more creative in trying to find someone not shielded by first line support to talk to, had he tried for example googling for someone on LinkedIn associated with Amex security as someone suggested here.

    But the whole point is, why the h*ll should he have to??

    He found/heard of/(re)searched/stumbled upon/whatever a serious security problem and as a good netizen he wanted to inform the party involved, and was unable to find someone to talk to, in part because he wasn't a customer.

    That's not good security policy no matter how you look at it.

     

  61. Anonymous Coward, Oct 12th, 2011 @ 5:28am

    Re: Re: Re:

    Sometimes there aren't easy ways to explain things, hence the amount of time it takes someone to become an expert. Difficult concepts can't always be simplified. Moreover, simplifying it down turns into the equivalent of telling someone what you do in terms a 5-year-old understands. If you do a good job, they'll think your job is simple and won't give it the appreciation it deserves, or you'll fail at the task and just waste your time.

     

  62. That Anonymous Coward (profile), Oct 12th, 2011 @ 6:04am

    Re: Re: Re:

    The phone number for card member services, where once the call center person asks for his card number and he doesn't have one they stop caring about anything he has to say.

     

  63. That Anonymous Coward (profile), Oct 12th, 2011 @ 6:07am

    Re: Sadly, this is extremely common

    The protection for leaving the debug console up and open was to exclude it specifically by name from robots.txt

    Do you think they have someone competent?

     

  64. Anonymous Coward, Oct 12th, 2011 @ 6:10am

    Re: Re: Under-Resourcing Of Customer Support

    I was pretty much with you until you said "sheeple." Really? Really?

    Anyway, you can't boycott credit cards unless you don't care about building up credit. If you ever want to own a nice house, car, etc then you can't really boycott that stuff.

     

  65. ejes, Oct 12th, 2011 @ 6:27am

    there's actually a due process that you're supposed to follow with regard to submitting a new undiscovered vulnerability. and it's not to use twitter.

    sounds to me like this guy is a joke.

     

  66. Benny L (profile), Oct 12th, 2011 @ 6:35am

    And it sounds to me like he's trying very hard to follow protocol here but can't even get off the starting blocks. I don't see any revelation of vulnerability details on the twitter feed in question, do you? In fact, isn't the joke really that there are people who don't even bother to read what they're commenting on?

     

  67. Anonymous Coward, Oct 12th, 2011 @ 6:44am

    Re:

    There's probably a protocol to follow if you get a paycheck for it. This guy did it independently. The man has no obligations to AmEx. Unless he exploited the vuln he did nothing morally wrong.

     

  68. greg.fenton (profile), Oct 12th, 2011 @ 7:09am

    Re: Sadly, this is extremely common

    A sadly good number of companies online today have never bothered to understand the RFCs. Today, you don't need to read an RFC to get up and on the net.

    Many admins today have inherited a system set up by us long beards (or suspender wearers....or both). Though many of us have established good practices, there's no guaranteeing that they are being followed by those who are now running the front lines.

     


  69.  
    greg.fenton (profile), Oct 12th, 2011 @ 7:14am

    Re:

    Care to highlight where one finds this due process, in particular with respect to a general member of the public submitting to American Express?

    And the article makes it clear that there is an element of expediency.

    Oh, and this is a general member of the public using their own time and resources to try to notify a massive company to save that company pain and turmoil. So this due process had better be (a) relatively expedient and (b) not unreasonably burdensome.

     


  70.  
    Anonymous Coward, Oct 12th, 2011 @ 7:36am

    Re: Re: Re: Under-Resourcing Of Customer Support

    ???

    Yes you can, just never use credit.
    I never did for personal affairs; I always, always saved the money first and bought the things later.

    Do you realize how much you pay in hidden fees?

    If you ever want to own a really nice house, don't ever use credit for anything; save the money and pay for it in hard cash. Nobody will ever turn that down.

     


  71.  
    nasch (profile), Oct 12th, 2011 @ 9:07am

    Re:

    There's actually a due process that you're supposed to follow with regard to submitting a new, undiscovered vulnerability.

    What is that process, then? Maybe you can be helpful and let this guy know about it.

     


  72.  
    nasch (profile), Oct 12th, 2011 @ 9:12am

    Re: Re: Re: Re: Under-Resourcing Of Customer Support

    If you ever want to own a really nice house, don't ever use credit for anything; save the money and pay for it in hard cash. Nobody will ever turn that down.

    Yeah, if you save $1000 a month, it will only take 25 years to get a $300,000 house. No problem, just save up!

     


  73.  
    dave, Oct 12th, 2011 @ 9:33am

    can't find out how to contact them?

     


  74.  
    Anonymous Coward, Oct 12th, 2011 @ 10:40am

    Re:

    He would be wasting his time. Customer Support for many companies is notoriously shoddy. Even then, corporations have no legal or financial responsibility to fix any vulnerabilities.

     


  75.  
    S, Oct 12th, 2011 @ 1:23pm

    Re: Re: Re: Re: Re: Under-Resourcing Of Customer Support

    Yeah, just pay DOUBLE what the house is worth so you can fail to pay it off before you croak, leaving your kids holding the bag!

    Who cares about frugality; you should have WHAT YOU WANT WHEN YOU WANT IT, and to hell with the future!

     


  76.  
    Mike Raffety (profile), Oct 12th, 2011 @ 3:42pm

    Re: Re: why he didn't use the phone number supplied

    For some years now, U.S. 800/888/877/866 numbers CAN be dialed from other countries, though they're not toll-free; usual calling rates apply.

     


  77.  
    S, Oct 12th, 2011 @ 3:46pm

    Re: can't find out how to contact them?

    You. Out of the gene pool.

     


  78.  
    nasch (profile), Oct 12th, 2011 @ 9:02pm

    Re: Re: Re: Re: Re: Re: Under-Resourcing Of Customer Support

    Yeah, just pay DOUBLE what the house is worth so you can fail to pay it off before you croak, leaving your kids holding the bag!

    You seem to be implying that 1) the term of a mortgage will be longer than your life and 2) if your mortgage isn't completely paid off when you die, then your heirs will be underwater on it. Neither assertion is correct.

    Besides, if you don't want to borrow money to buy a house then don't, I truly don't care. But IMO it's silly to suggest saving up money to buy "a nice house". Either take out a mortgage, or just rent.

     


  79.  
    Anonymous Coward, Oct 13th, 2011 @ 6:37am

    Re: Re:

    Except he didn't call; he went through the website and tweeted, and in fact on Twitter he said that he was not available by phone.

    I'm not saying this makes it any better, I'm just wondering why he couldn't call.

     


  80.  
    nasch (profile), Oct 13th, 2011 @ 10:53am

    Re: Re: Re:

    I'm not saying this makes it any better, I'm just wondering why he couldn't call.

    Maybe he knew that customer support wouldn't have the first clue what to do with his information.

     


  81.  
    That Anonymous Coward (profile), Oct 13th, 2011 @ 11:22pm

    Re: Re: can't find out how to contact them?

    Hey, that's my line!

     


  82.  
    Steve Tadrellis, Dec 16th, 2011 @ 8:46pm

    It's really beneficial to use a mediator during these circumstances.

     


  83.  

    That's a bit worrying

    Amex is a perfect example of a company whose only goal is money over everything. I hope the security issues have been addressed, as I was considering becoming an Amex member.

     


