Find A Massive Security Hole At American Express? If You're Not A Cardholder, It Doesn't Care

from the ouch dept

One of the general tenets of white hat security hackers is that when they find a vulnerability they alert the company first and allow it to fix things before they reveal the details. But what if it’s impossible to reach anyone at the company? That Anonymous Coward points us to a recent case of someone discovering a serious zero-day vulnerability at American Express… and not only not being able to find anyone to contact, but also being told that the company would pay more attention to him if he were a cardholder:

To my great surprise American Express doesn’t allow anybody to contact them. Instead, you’re sent through their ten-year-old copyright noticed website’s first line support jungle to be attacked with questions ensuring that you’re a paying customer. If you’re not then you might as well not bother, unless you feel like speaking technical advanced 0day vulnerabilities with incompetent support personnel either through Twitter direct messages or phone. They will leave you no option of contacting them in a manner that circumvents any theoretical possibility they may have of boosting sales numbers.

The only acceptable contact methods that I found on their site were telephone, fax or physical mail to some typoed country called Swerige. I figured none of them were suitable for 0day reports and decided to turn to Twitter and ask for an e-mail address or some other modern protocol.

As TAC mentioned in his submission, perhaps black hat hackers are merely white hats who got tired of the muzak on hold…


Comments on “Find A Massive Security Hole At American Express? If You're Not A Cardholder, It Doesn't Care”

PrometheeFeu (profile) says:

I remember finding a vulnerability in a couple of smallish websites. I dutifully tried to bring it to their attention. I never heard back from any of them and they never fixed it. I have come to the conclusion that security is just not something that most developers think or know anything about. As for the business people… well, let’s not go there… They won’t care until the PR guy shows up with newspaper articles of your database being broken into.

Anonymous Coward says:

Re: Re:

Honestly, as a developer (not a web developer, mind you), I find software to always be in some stage of advanced beta. We are always on a deadline and we never pick what we fix first. Bug reports come in, go into a database, and then 5 business people meet on Wednesday to figure out which ones get fixed. If it isn’t gonna bring immediate sales no one cares.

Then you say, why don’t you find your own problems? Most problems and bugs really require a second set of eyes, and my company definitely doesn’t believe in agile practices. So really you just wait for someone to whine. And then you wait for the business people to decide how you spend your time.

Anonymous Coward says:

Re: Re: Re:

Agile just makes it worse since it makes it easier for business to micromanage features. Before that I would just quote the features they wanted and add the time it takes to fix the security issue as well. They have no clue how code works, so then later on if they do decide to fix the security bug, just use that time to fix some other bug.

I do this kind of thing all the time. You just use their own ignorance against them and in the end actually help them.

Anonymous Coward says:

Re: Re:

If you used Google to find the vulnerable websites you probably wouldn’t be able to contact them all.

http://searchengineland.com/using-google-code-search-to-find-vulnerable-sites-10146
http://cybersaviours.wordpress.com/2011/02/20/how-to-find-out-if-a-website-is-vulnerable-to-sql-injection/

I once typed a version of WordPress to see how many vulnerable websites were out there and there was a lot, including a lot of political websites.

Anonymous Coward says:

Re: Under-Resourcing Of Customer Support

Fixing bugs and security holes is a form of customer support, which never gets any love because it is not perceived as having an influence on sales. That is wrong, of course, but the corporate psychopaths do not care about other people in general, so customer support gets starved of money, routinely.

The whole existing credit card system is broken anyway. Think about it, anybody who knows your credit card number can help themselves to your bank account. Is that a disaster looking for somewhere to happen or what? The banks and the credit card companies know the system is broken, but they do not care, because they have largely diverted the losses to other people. When there is a fraudulent credit card transaction, first the loss goes to the cardholder. If the cardholder kicks up a big enough stink (not easy), then the loss goes to the merchant. The poor old merchants are just stuck, in most cases.

The stuff about complaints only being accepted from cardholders is just a ruse to get the complainant to go away. They have a mountain of complaints already; adding another one is just a waste of time. Only a widespread consumer boycott of the broken credit card system would get the banks to fix it. There is no chance of the sheeple doing that, so the banks run the system, ignore the complaints and enjoy the profits.

Anonymous Coward says:

Re: Re: Under-Resourcing Of Customer Support

I was pretty much with you until you said “sheeple.” Really? Really?

Anyway, you can’t boycott credit cards unless you don’t care about building up credit. If you ever want to own a nice house, car, etc then you can’t really boycott that stuff.

Anonymous Coward says:

Re: Re: Re: Under-Resourcing Of Customer Support

???

Yes you can, just never use credit.
I never did for personal affairs; I always, always saved the money first and bought the things later.

Do you realize how much you pay in hidden fees?

If you ever want to own a really nice house, don’t ever use credit for anything; save the money and pay it in hard cash. Nobody will ever turn that down.

nasch (profile) says:

Re: Re: Re:4 Under-Resourcing Of Customer Support

Yeah, just pay DOUBLE what the house is worth so you can fail to pay it off before you croak, leaving your kids holding the bag!

You seem to be implying that 1) the term of a mortgage will be longer than your life and 2) if your mortgage isn’t completely paid off when you die, then your heirs will be underwater on it. Neither assertion is correct.

Besides, if you don’t want to borrow money to buy a house then don’t, I truly don’t care. But IMO it’s silly to suggest saving up money to buy “a nice house”. Either take out a mortgage, or just rent.

That Anonymous Coward (profile) says:

You tell the company so that they can actually fix it. But this is in the fantasy land where corporations are actually held accountable for craptastic failures to not use the most basic tools to protect the customer information. (We call them SONY)

And sadly you’re right PrometheeFeu, until it is in the media no one cares, and by then as a customer you’ve already been screwed over for months/years.

This is someone tinkering around on his own dime, finding something really wrong and then trying to do the right thing.
We have all of these great stories about how hackers are evil blah blah blah blah blah…. The flipside of that coin is, until it is a bigger financial detriment to the company to pay out court awards, spend nothing to secure your systems. But the spin is always the evil hackers, never the corps who got an extra bonus for gutting their network security department.

Hackers tinker with things, they like to understand how they work. Hackers are not an evil criminal force covering the planet trying to rob everyone.

And muzak is the devil.

Given the high profile Sony, BART, CIA, etc etc etc “hacks” recently you’d think the corps would set up a phone number or something for white hats to get the people they need to talk to to fix…. er wait… they have no IT security people… nevermind…

That Anonymous Coward (profile) says:

Re: Re:

Because someone hired to manage their twitter presence seems well versed in being able to understand vulnerabilities in their system. And she could have DM’d him… but do you really want Courtney deciding if a 0day is worth bumping up the line to her boss in PR?

And the phone number… is customer service… once they figured out he was not a customer… yeah not so interested any more.

David Liu (profile) says:

Re: Re:

The phone number looks like it just points to a customer service number.

“DM me” is just another way of saying, “message me, a low customer service tech, about your intricate 0day exploit, and I’ll pass it on to my manager, who will lose it in the shuffle.”

For a vulnerability relating to a financial institution like American Express itself, I would think that they should take this very seriously.

That Anonymous Coward (profile) says:

Re: Re: Re: Devils Cartographer

He had verifiable proof that was quickly and easily verifiable.
And if these corps were smart they would have contact info already provided to the community he is a part of.
You’re talking about white hat hackers, who aren’t likely to publicize a “white hat hacker” reporting line/email etc. They understand very well the trust they would be getting there, and would ensure it remaining viable.

Not all “security professionals” are exactly suit and tie people, but if it came down to making sure my system was secure I don’t care if the expert had dreads and a TPB t-shirt on. Knowledge and skill should trump appearances. Ask Aaron Barr.

Anonymous Coward says:

Is this about not being able to contact someone, or just not getting the recognition from someone who can appreciate what was found?

Kinda smells like the second…

Otherwise, if you can’t easily get to someone who can understand the problem, just look up a bunch of executive e-mail addresses, as well as generics, and blast the details to all of them. Someone will pay attention.

Unless it was more about the recognition.

😉

That Anonymous Coward (profile) says:

Re: Re:

Not so much appreciate as understands.
Do you think physicists enjoy being at parties and having to get out the coloring book version of physics 101 so that Bob from accounting can understand the conversation?

If he wanted recognition and was that obsessed with it he would have hacked the site and done something to leave a mark.

High end geeks tend to have little patience for people who demand to know how the technology works. They prefer talking to peers who know all of the basic concepts, so you’re not explaining how a communication protocol works; they have all the basics down already.

These are the people who created the carrier pigeon protocol, and it only had packet loss in hunt season.

Anonymous Coward says:

Re: Re: Re: Re:

Sometimes there aren’t easy ways to explain things, hence the amount of time it takes someone to become an expert. Difficult concepts can’t always be simplified. Moreover, simplifying it down turns into the equivalent of telling someone what you do in terms a 5-year old understands. If you do a good job, they’ll think your job is simple and won’t give it the appreciation it deserves or you’ll fail at the task and just waste your time.

Dan_Stephans (profile) says:

Once he exhausted the whole “use twitter to try to find the best person to talk to” this became news?

I see nowhere in TFA where he tried any other reasonable avenues of communication. What I do see is that he decided that those avenues of communication were not appropriate (his decision) and that Twitter was, for some reason.

Sorry, non-story.

That Anonymous Coward (profile) says:

Re: Did you try abuse? Security?

And this is common knowledge to people outside the US? Just stuff an email to a couple addresses that may or may not be monitored and hope that the company who drew a freaking bullseye around the hole in the system will fix it?

I was reading his twitter feed… very smart man.
They tried to hide the tool by putting the address to it in robots.txt and telling them not to look there.
Security through obscurity…

Anonymous Coward says:

Re: Why are you testing their security?

yeah what a dick he took this hack and stole a bunch of peoples info then sold the 0day to a hacker ring for a cool half a million and is now on a beach fuc….oh wait no he attempted to tell the company, got sick of trying and publicly released it so they would hear about it, what a dick.

Jim_G says:

Please notice that Mike has added a tremendous amount of information in how this story is presented and it is affecting everyone’s opinions of the twitter dialog. Mike is the one who called this “a serious zero-day vulnerability” and a “massive security hole.” It might be that serious, but Niklas just called it a “security vulnerability” and then seemed incapable of summarizing the threat. I don’t know the details of the exploit, but he could have said “I have found a way to steal AmEx card numbers from another web site such as Amazon, and can demonstrate how this works.” I think that would have gotten more attention.

That Anonymous Coward (profile) says:

Re: Re:

*boggle*
You obviously have no understanding of how and what a 0day can do.
In the time it would have taken for a letter to make it across the Atlantic, the amount of damage that could have been done is HUGE.
And you expect someone on their own dime to shore up their services, and bear all of the burdens because they couldn’t be bothered to secure the system in the first place.

You… out of the gene pool…

Benny L (profile) says:

Re: why he didn't use the phone number supplied

If I’m not mistaken, an 800 number is a toll free number in the United States. Well, have you ever tried calling one from abroad? That’s one of the problems here. This guy is (like me) situated in Sweden, which as some of you may know is OUTSIDE the US borders.

To put it simply: He CAN’T call that number no matter what. It just doesn’t work.

Which brings me to the next reason he’s probably reluctant to phone, namely that Sweden is six (or seven, depending on whether summer time is in effect) hours east of New York, meaning that for him to actually find someone to answer the phone in the other end he’s going to have to call late in the afternoon or evening, local time.

As to the other options, snail mail or fax… well, I shouldn’t have to comment on that, should I?

That said, he could probably have been a bit more creative in trying to find someone not shielded by first line support to talk to, had he tried for example googling for someone on linked in associated with Amex security as someone suggested here.

But the whole point is, why the h*ll should he have to??

He found/heard of/(re)searched/stumbled upon/whatever a serious security problem and as a good netizen he wanted to inform the party involved, and was unable to find someone to talk to, in part because he wasn’t a customer.

That’s not good security policy no matter how you look at it.

Rich Kulawiec (profile) says:

Sadly, this is extremely common

RFC 2142 specifies role account email addresses (e.g., “postmaster”) which all domains must/should support in order to facilitate communication. Any operation which does not support at least the mandatory addresses is clearly incompetently managed — and quite foolish, as it has deliberately cut itself off from free expert assistance.

Yet this has become the norm. Many clueless, lazy, cheap and ignorant admins will claim that this is necessary because of the levels of spam/abuse that arrives in these mailboxes. Of course, everyone with sufficient experience knows that’s merely a flimsy excuse for their inability to handle a rudimentary task. Other equally-clueless admins will provide an idiotic web form that demands irrelevant information and forces correspondents into using a very limited communication method (i.e., one which does not support lengthy messages and/or attachments).

The ignorant newbies who do all this are of course the first ones to whine and cry foul when researchers publicly disclose a problem.
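The RFC 2142 point above is easy to audit mechanically. The following is an added example, not code from Techdirt or from the commenter: it parses a sendmail/Postfix-style alias table, follows alias chains, and reports which RFC 2142 role mailboxes are absent and which exist but route to a sink such as /dev/null (defined but undeliverable, which is the "web form instead of a mailbox" problem in another guise). The mailbox names and their groupings are those listed in RFC 2142; only postmaster is required by the SMTP RFCs, while abuse, noc and security are recommended. The alias table is constructed for the example, and treating a bare local name that has no alias entry as a real mailbox is an assumption of the example.

```python
"""Audit a mail alias table for the RFC 2142 role mailboxes (added example)."""

# Mailbox names as grouped in RFC 2142.
RFC2142_REQUIRED = {"postmaster"}                       # required by the SMTP RFCs
RFC2142_OPERATIONS = {"abuse", "noc", "security"}       # network operations
RFC2142_SERVICES = {"hostmaster", "webmaster", "www", "ftp", "usenet", "news", "uucp"}
RFC2142_BUSINESS = {"info", "marketing", "sales", "support"}
ROLE_NAMES = RFC2142_REQUIRED | RFC2142_OPERATIONS | RFC2142_SERVICES | RFC2142_BUSINESS

# Alias targets that silently discard mail.
SINKS = {"/dev/null", ":blackhole:", "devnull"}

# Constructed sample alias table (not any real site's configuration).
SAMPLE_ALIASES = """
# constructed sample
postmaster: root
root: ops-team@example.invalid
abuse: Postmaster
security: /dev/null
hostmaster: dns-admin
webmaster: ops-team@example.invalid
"""


def parse_aliases(text):
    """Parse 'name: target, target' lines (comments and blanks ignored) into a dict."""
    aliases = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or ":" not in line:
            continue
        name, _, targets = line.partition(":")
        aliases[name.strip().lower()] = [t.strip() for t in targets.split(",") if t.strip()]
    return aliases


def resolve(aliases, name, seen=None):
    """Follow alias chains from `name` to the leaf targets (addresses, sinks, pipes, files).

    A local name with no alias entry is assumed to be a real mailbox. Loops yield nothing.
    """
    seen = set() if seen is None else seen
    if name in seen:
        return []
    seen.add(name)
    if name not in aliases:
        return [name]
    leaves = []
    for target in aliases[name]:
        if target in SINKS or "@" in target or target.startswith(("|", "/")):
            leaves.append(target)
        else:
            leaves.extend(resolve(aliases, target.lower(), seen))
    return leaves


def audit_role_accounts(aliases):
    """Report RFC 2142 role names that are missing, and those defined but undeliverable."""
    deliverable = {
        name for name in aliases
        if any(leaf not in SINKS for leaf in resolve(aliases, name))
    }
    return {
        "missing_required": sorted(n for n in RFC2142_REQUIRED if n not in aliases),
        "missing_operations": sorted(n for n in RFC2142_OPERATIONS if n not in aliases),
        "blackholed": sorted(n for n in ROLE_NAMES if n in aliases and n not in deliverable),
    }


if __name__ == "__main__":
    table = parse_aliases(SAMPLE_ALIASES)
    for key, value in audit_role_accounts(table).items():
        print(f"{key}: {value}")
```

Run against the sample, the audit reports no missing required mailbox, `noc` missing from the operations set, and `security` blackholed even though it appears in the table, which is the case a plain "does the alias exist" check would miss.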

greg.fenton (profile) says:

Re: Sadly, this is extremely common

A sadly good number of companies online today have never bothered to understand the RFCs. Today, you don’t need to read an RFC to get up and on the net.

Many admins today have inherited a system set up by us long beards (or suspender wearers….or both). Though many of us have established good practices, there’s no guaranteeing that they are being followed by those who are now running the front lines.

greg.fenton (profile) says:

Re: Re:

Care to highlight where one finds this due process, in particular with respect to a general member of the public submitting to American Express?

And the article makes it clear that there is an element of expediency.

Oh, and this is a general member of the public using their own time and resources to try to notify a massive company to save that company pain and turmoil. So this due process had better be (a) relatively expedient and (b) not unreasonably burdensome.
