Find A Massive Security Hole At American Express? If You're Not A Cardholder, It Doesn't Care
from the ouch dept
One of the general tenets of white hat security hackers is that when they find a vulnerability they alert the company first and allow them to fix things before they reveal the details. But what if it’s impossible to reach anyone at the company? That Anonymous Coward points us to a recent case of someone discovering a serious zero-day vulnerability at American Express… and not only not not being able to find anyone to contact, but also being told that the company would pay more attention to him if he were a cardholer:
To my great surprise American Express doesn?t allow anybody to contact them. Instead, you?re sent through their ten-year-old copyright noticed website?s first line support jungle to be attacked with questions ensuring that you?re a paying customer. If you?re not then you might as well not bother, unless you feel like speaking technical advanced 0day vulnerabilities with incompetent support personnel either through Twitter direct messages or phone. They will leave you no option of contacting them in a manner that circumvents any theoretical possibility they may have of boosting sales numbers.
The only acceptable contact methods that I found on their site were telephone, fax or physical mail to some typoed country called Swerige. I figured none of them were suitable for 0day reports and decided to turn to Twitter and ask for an e-mail address or some other modern protocol.
Filed Under: reporting, security, security hole, vulnerabilities
Companies: american express
Comments on “Find A Massive Security Hole At American Express? If You're Not A Cardholder, It Doesn't Care”
Why tell a company they have a vulnerability? If they won’t give you the time of day you have another, much more supportive group of people that know what your time is worth…
I remember finding a vulnerability in a couple of smallish websites. I dutifully tried to bring it to their attention. I never heard back from any of them and they never fixed it. I have come to the conclusion that security is just not something that most developers think or know anything about. As for the business people… well, let’s not go there… They won’t care until the PR guy shows up with newspaper articles of your database being broken into.
Re: Then again
Mebbe it only seems that way ‘cuz you don’t hear about the guys who really know their shiznit on security stuff…
Re: Re: Then again
Or more likely, the cost of a breach is much less than the cost of fix a potential breach.
Until this math is changed through higher and more painful penalties, it’s going to stay that way.
Re: Re:
honestly as a developer, not a web developer mind you, i find software to always be in some stage of advanced beta. We are always on a deadline and we never pick what we fix first. bug reports come in go into a database and then 5 business people meet on Wednesday to figure out which ones get fixed. If it isn’t gonna bring immediate sales no one cares.
Then you say why don’t you find your own problems, most problems and bugs really require a second set of eyes, and my company definitely doesn’t believe in agile practices. So really u just wait for someone to whine. And then you wait for the business people to decide how you spend your time.
Re: Re: Re:
Agile just makes it worse since it makes it easier for business to micro manage features. Before that I would just quite the features they wanted and add the time it takes to fix the security issue as well. They have no clue how code works so then later on if they do decide to fix the security bug, just use that time to fix some other bug.
I do this kind of thing all the time. You just use their own ignorance against them and in the end actually help them.
Re: Re:
If you used Google to find the vulnerable websites you probably wouldn’t be able to contact them all.
http://searchengineland.com/using-google-code-search-to-find-vulnerable-sites-10146
http://cybersaviours.wordpress.com/2011/02/20/how-to-find-out-if-a-website-is-vulnerable-to-sql-injection/
I once typed a version of wordpress to see how many vulnerable websites where out there and there was a lot including a lot of political websites.
Re: Under-Resourcing Of Customer Support
Fixing bugs and security holes is a form of customer support, which never gets any love because it is not perceived as having an influence on sales. That is wrong, of course, but the corporate psychopaths do not care about other people in general, so customer support gets starved of money, routinely.
The whole existing credit card system is broken anyway. Think about it, anybody who knows your credit card number can help themselves to your bank account. Is that a disaster looking for somewhere to happen or what? The banks and the credit card companies know the system is broken, but they do not care, because they have largely diverted the losses to other people. When there is a fraudulent credit card transaction, first the loss goes to the cardholder. If the cardholder kicks up a big enough stink (not easy), then the loss goes to the merchant. The poor old merchants are just stuck, in most cases.
The stuff about complaints only being accepted from cardholders, is just a ruse to get the complainant to go away. They have a mountain of complaints already, adding another one is just a waste of time. Only a widespread consumer boycott of the broken credit card system would get the banks to fix it. There is no chance of the sheeple doing that, so the banks run the system, ignore the complaints and enjoy the profits.
Re: Re: Under-Resourcing Of Customer Support
I’ve found it extremely easy to dispute credit card charges. You’re right though, it’s broken. Two factor authentication would be nice, but probably too expensive and inconvenient to put into place.
Re: Re: Under-Resourcing Of Customer Support
If support@example.com is not right there, clear as day, on their website, then they have volunteered to be notified of their security vulnerabilities by having them published for all to see. Publish anonymously on any willing white-hat security site, then get on with your life.
Re: Re: Under-Resourcing Of Customer Support
I was pretty much with you until you said “sheeple.” Really? Really?
Anyway, you can’t boycott credit cards unless you don’t care about building up credit. If you ever want to own a nice house, car, etc then you can’t really boycott that stuff.
Re: Re: Re: Under-Resourcing Of Customer Support
???
Yes you can, just never use credit.
I never did for personal affairs, I always, always saved the money first and buy the things later.
Do you realize how much you pay in hidden fee’s?
If you ever want to own a really nice house don’t ever use credit for nothing save the money and pay it in hard cash nobody will ever turn that down.
Re: Re: Re:2 Under-Resourcing Of Customer Support
If you ever want to own a really nice house don’t ever use credit for nothing save the money and pay it in hard cash nobody will ever turn that down.
Yeah, if you save $1000 a month, it will only take 25 years to get a $300,000 house. No problem, just save up!
Re: Re: Re:3 Under-Resourcing Of Customer Support
Yeah, just pay DOUBLE what the house is worth so you can fail to pay it off before you croak, leaving your kids holding the bag!
Who cares about frugality; you should have WHAT YOU WANT WHEN YOU WANT IT, and to hell with the future!
Re: Re: Re:4 Under-Resourcing Of Customer Support
Yeah, just pay DOUBLE what the house is worth so you can fail to pay it off before you croak, leaving your kids holding the bag!
You seem to be implying that 1) the term of a mortgage will be longer than your life and 2) if your mortgage isn’t completely paid off when you die, then your heirs will be underwater on it. Neither assertion is correct.
Besides, if you don’t want to borrow money to buy a house then don’t, I truly don’t care. But IMO it’s silly to suggest saving up money to buy “a nice house”. Either take out a mortgage, or just rent.
You tell the company so that they can actually fix it. But this is in the fantasy land where corporations are actually held accountable for craptastic failures to not use the most basic tools to protect the customer information. (We call them SONY)
And sadly your right PrometheeFeu, until it is in the media no one cares, and by then as a customer you’ve already been screwed over for months/years.
This is someone tinkering around on his own dime, finding something really wrong and then trying to do the right thing.
We have all of these great stories about how hackers are evil blah blah blah blah blah…. The flipside of that coin is, until it is a bigger financial detriment to the company to pay out court awards, spend nothing to secure your systems. But the spin is always the evil hackers, never the corps who got an extra bonus for gutting their network security department.
Hackers tinker with things, they like to understand how they work. Hackers are not an evil criminal force covering the planet trying to rob everyone.
And muzak is the devil.
Given the high profile Sony, BART, CIA, etc etc etc “hacks” recently you’d think the corps would setup a phone number or something for white hats to get the people they need to talk to to fix…. er wait… they have no IT security people… nevermind…
Re: I.T. Courts?
If we can introduce a system which, if an informed I.T. professional sent warning about a security hole and a financial group choose to neglect, he could file a complaint and get that organization find people to fix it, or will get into trouble.
Is it just me or did others see the “DM me” and the phone number provided? Taking the discussion to DM absolutely seems like the appropriate action here. Where’s the dirt?
Re: Re:
Because someone hired to manage their twitter presence seems well versed in being able to understand vulnerabilities in their system. And she could have DM’d him… but do you really want Courtney deciding if a 0day is worth bumping up the line to her boss in PR?
And the phone number… is customer service… once they figured out he was not a customer… yeah not so interested any more.
Re: Re:
The dirt is that the twitter account is served by 1st line support staff at the very best… and he is trying to find a way to get straight thru the jungle of expert systems and tiered support lines to talk to someone that will actually understand what he has to say.
Re: Re:
The phone number looks like it just points to a customer service number.
“DM me” is just another way of saying, “message me, a low customer service tech, about your intricate 0day exploit, and I’ll pass it on to my manager, who will lose it in the shuffle.”
For a vulnerability relating to a financial institution like American Express itself, I would think that they should take this very seriously.
Re: Re: Devils Cartographer
On the other hand:
Should they lavish time/money on every crackpot (no offense meant) who calls and says “I can beat the system!”?
Re: Re: Re: Devils Cartographer
He had verifiable proof that was quickly and easily verifiable.
And if these corps were smart they would have contact info already provided to the community he is a part of.
Your talking about white hat hackers, who aren’t likely to publicize a “white hat hacker” reporting line/email etc. They understand very well the trust they would be getting there, and would ensure it remaining viable.
Not all “security professionals” are exactly suit and tie people, but if it came down to making sure my system was secure I don’t care if the expert had dreads and a TPB t-shirt on. Knowledge and skill should trump appearances. Ask Aaron Barr.
Re: Re: Re:2 Devils Cartographer
Not that this is at all your point…
I’m amused at the thought of these big corps, especially the financials, not caring about appearances. 🙂
Re: Re:
You need to be friends with a user to DM them. I doubt they’re friends on Twitter.
Ha!
“perhaps black hat hackers are merely white hats who got tired of the muzak on hold…“
My hat must be getting grayer by the day…
Oh wait that’s just my hair.
Is this about not being able to contact someone, or just not getting the recognition from someone who can appreciate what was found?
Kinda smells like the second…
Otherwise, if you can’t easily get to someone who can understand the problem, just look up a bunch of executive e-mail addresses, as well as generics, and blast the details to all of them. Someone will pay attention.
Unless it was more about the recognition.
😉
Re: Re:
Not so much appreciate as understands.
Do you think physicists enjoy being at parties and having to get out the coloring book version of physics 101 so that Bob from accounting can understand the conversation?
If he wanted recognition and was that obsessed with it he would have hacked the site and done something to leave a mark.
High end geeks tend to have little patience for people who demand to know how the technology works. They prefer talking to peers who know all of the basic concepts so your not explaining how a communication protocol works, they have all the basics down already.
These are the people who created the carrier pigeon protocol, and it only had packet loss in hunt season.
Re: Re: Re:
I think that actually is a human weakness, we don’t like to find easy ways to explain things to others and that is a problem to everyone.
Re: Re: Re: Re:
Sometimes there aren’t easy ways to explain things, hence the amount of time it takes someone to become an expert. Difficult concepts can’t always be simplified. Moreover, simplifying it down turns into the equivalent of telling someone what you do in terms a 5-year old understands. If you do a good job, they’ll think your job is simple and won’t give it the appreciation it deserves or you’ll fail at the task and just waste your time.
swerige means sweden
Re: Re:
yeah, not exactly.
Re: Re:
i thought it was Sverige
Imagine the police had that sort of service?
“Hello, 911? I’d like to report that I saw someone trying to break into a local bank through a wall.”
“OK sir, and are you a member of that bank?”
“Well… No, but-“
“I’m sorry, if you aren’t a member, you need to call 912, our other support line. Thanks and good luck!”
“…”
Once he exhausted the whole “use twitter to try to find the best person to talk to” this became news?
I see nowhere in TFA where he tried any other reasonable avenues of communication. What I do see is that he decided that those avenues of communication were not appropriate (his decision) and that Twitter was, for some reason.
Sorry, non-story.
Re: Re:
because calling an 800 number from .se is cheap and easy to get routed to someone in a call center halfway around the world who will be the chosen one who will understand what the issue was.
Re: Re: Re:
I am sure two non-native english speakers speaking english to each other is a really fun conversation to be a part of too.
Re: Re: Re: Re:
especially with something as non-technical as a 0day web exploit
Re: Re: Re:
And he expected better results with twitter? I’m sorry, if you’re intelligent enough to track down a 0day you can do better than this guy in attempting to find a fruitful avenue of communication.
Re: Re: Re: Re:
It’s the second time you said that, but there is no basis for it. He balked at the suggestion of using twitter.
When did the telephone stop being a modern protocol? Even if you don’t have a phone there are plenty of free ways to place phone calls through a computer connected to the internet.
Re: Re:
because they wouldn’t talk to him anymore after he told them he wasn’t a card holder, its in the first paragraph
Re: Re: Re:
Except he didn’t call, he went through the website and twittered and in fact on twitter he said that he was not available by phone.
I’m not saying this makes it any better, I’m just wondering why he couldn’t call.
Re: Re: Re: Re:
I’m not saying this makes it any better, I’m just wondering why he couldn’t call.
Maybe he knew that customer support wouldn’t have the first clue what to do with his information.
Re: Re:
He would be wasting his time. Customer Support for many companies is notoriously shoddy. Even then, corporations have no legal or financial responsibility to fix any vulnerabilities.
Since they won't listen...
You might as well just do nothing further… or simply release the details of the exploit, and let American Express resolve it on there own after the damage is done.
Did you try abuse? Security?
Why didn’t you email their abuse address? security@ is also commonly monitored by CERT teams.
http://www.co.sisqjustice.ca.us/contact.htm
Re: Did you try abuse? Security?
and this is common knowledge to people outside the US, just stuff an email to a couple addresses that may or maynot be monitored and hope that the company who drew a freaking bullseye around the hole in the system will fix it?
I was reading his twitter feed… very smart man.
They tried to hide the tool by putting the address to it in robots.txt and telling them not to look there.
Security through obscurity…
Why are you testing their security?
Since you aren’t a customer? So you can sell it to them? Slag them off? You seem either clueless or a bit of a dick.
Re: Why are you testing their security?
yeah what a dick he took this hack and stole a bunch of peoples info then sold the 0day to a hacker ring for a cool half a million and is now on a beach fuc….oh wait no he attempted to tell the company, got sick of trying and publicly released it so they would hear about it, what a dick.
Re: Why are you testing their security?
Are you an idiot? Serious question.
Re: Re: Why are you testing their security?
No you are the idiot, fool.
Re: Why are you testing their security?
because he wanted to HELP other human beings to NOT get ripped off?
In your world I guess doing something for altruistic (thats a big new word..look it up) reasons makes someone a dick?
interesting.
It shouldn’t be necessary, but I’ve resorted to this kind of technique to find someone to disclose to before now : http://lmgtfy.com/?q=inurl%3Alinkedin+american+express+security
Please notice that Mike has added a tremendous amount of information in how this story is presented and it is affecting everyone?s opinions of the twitter dialog. Mike is the one who called this “a serious zero-day vulnerability? and a ?massive security hole.? It might be that seious, but Niklas just called it a ?security vulnerability? and then seemed incapable of summarizing the threat. I don?t know the details of the exploit, but he could have said ?I have found a way to steal AmEx card numbers from another web site such as Amazon, and can demonstrate how this works.? I think that would have gotten more attention.
Re: Re:
If you read about what exactly the exploit is from the guy himself, you’ll see that theres no way to impart the seriousness of what he found to the average call centre monkey. He tried to follow the white hat security model to the fullest, but that model is a 2-way street, and Amex didn’t do its part.
Executive Offices
American Express Company
World Financial Center
New York, NY 10285
212.640.2000
not that hard to find the corporate contact information.
Re: Re:
No kidding, the person reporting the problem acted like an idiot and then blamed Amex.
Re: Re:
*boggle*
You obviously have no understanding of how and what a 0day can do.
In the time it would have taken for a letter to make it across the atlantic, the amount of damage that could have been done is HUGE.
And you expect someone on their own dime to shore up their services, and bear all of the burdens because they couldn’t be bothered to secure the system in the first place.
You… out of the gene pool…
Re: Re: Re:
Apparently you missed the phone number in that post. If it is so important then why not pay for the long distance call?
Re: Re: Re: Re:
The phone number for card member services, where once the call center person asks for his card number and he doesn’t have one they stop caring about anything he has to say.
All in all I am sure Mike is just happy it submitted something not copyright related for once. 🙂
Speaking of which…. *runs off to submit*
He's probably better off
They’d just try to prosecute him for finding a hole, anyway.
I KNOW WHY!
If you don’t tell them about the vulnerability they can claim later they have no knowledge of it, no-one’s to blame and no one in management gets fired……
If they KNOW about the vulnerability they have a duty to fix it or face class action lawsuits…………
the answer
The following post on any website searchable by google would have got their attention:
WOW! I just found a way to take money directly out of the CEO of AMEX’s *personal* bank accounts…….
(5..4..3..2..1.)….cue call from Amex Security……
whois americanexpress.com = amexdns@aexp.com
security “researcher” == fail
I’m curious why he refused to use the phone number he was given to contact them.
Re: why he didn't use the phone number supplied
If I’m not mistaken, an 800 number is a toll free number in the United States. Well, have you ever tried calling one from abroad? That’s one of the problems here. This guy is (like me) situated in Sweden, which as some of you may know is OUTSIDE the US borders.
To put it simply: He CAN’T call that number no matter what. It just doesn’t work.
Which brings me to the next reason he’s probably reluctant to phone, namely that Sweden is six (or seven, depeding on whether summer time is in effect) hours east of New York, meaning that for him to actually find someone to answer the phone in the other end he’s going to have to call late in the afternoon or evening, local time.
As to the other options, snail mail or fax… well, I shouldn’t have to comment on that, should I?
That said, he could probably have been a bit more creative in trying to find someone not shielded by first line support to talk to, had he tried for example googling for someone on linked in associated with Amex security as someone suggested here.
But the whole point is, why the h*ll should he have to??
He found/heard of/(re)searched/stumbled upon/whatever a serious security problem and as a good netizen he wanted to inform the party involved, and was unable to find someone to talk to, in part because he wasn’t a customer.
That’s not good security policy no matter how you look at it.
Re: Re: why he didn't use the phone number supplied
For some years now, U.S. 800/888/877/866 numbers CAN be dialed from other countries, though they’re not toll-free, usual calling rates apply.
This might have been said already, but my solution would be to just leak the vulnerability (anonymously of course). Let them learn security the hard way. (but then I’m an asshole)
Sadly, this is extremely common
RFC 2142 specifies role account email addresses (e.g., “postmaster”) which all domains must/should support in order to facilitate communication. Any operation which does not support at least the mandatory addresses is clearly incompetently managed — and quite foolish, as it has deliberately cut itself off from free expert assistance.
Yet this has become the norm. Many clueless, lazy, cheap and ignorant admins will claim that this is necessary because of the levels of spam/abuse that arrives in these mailboxes. Of course, everyone with sufficient experience knows that’s merely a flimsy excuse for their inability to handle a rudimentary task. Other equally-clueless admins will provide an idiotic web form that demands irrelevant information and forces correspondents into using a very limited communication method (i.e., one which does not support lengthy messages and/or attachments).
The ignorant newbies who do all this are of course the first ones to whine and cry foul when a researchers publicly disclose a problem.
Re: Sadly, this is extremely common
The protection for leaving the debug console up and open was to exclude it specifically by name from robots.txt
Do you think they have someone competent?
Re: Sadly, this is extremely common
A sadly good number of companies online today have never bothered to understand the RFCs. Today, you don’t need to read and RFC to get up and on the net.
Many admins today have inherited a system set up by us long beards (or suspender wearers….or both). Though many of us have established good practices, there’s no guaranteeing that they are being followed by those who are now running the front lines.
there’s actually a due process that you’re suppose to follow with regard to submitting a new undiscovered vulnerability. and it’s not to use twitter.
sounds to me like this guy is a joke.
Re: Re:
There’s probably a protocol to follow if you get a paycheck for it. This guy did it independently. The man has no obligations to AmEx. Unless he exploited the vuln he did nothing morally wrong.
Re: Re:
Care to highlight where one finds this due process, in particular with respect to a general member of the public submitting to American Express?
And the article makes it clear that there is an element of expediency.
Oh, and this is a general member of the public using their own time and resources to try to notify a massive company to save that company pain and turmoil. So this due process had better be (a) relatively expedient and (b) not unreasonably burdensome.
Re: Re:
there’s actually a due process that you’re suppose to follow with regard to submitting a new undiscovered vulnerability.
What is that process, then? Maybe you can be helpful and let this guy know about it.
And it sounds to me like he’s trying very hard to follow protocol here but can’t even get off the starting blocks. I don’t see any revelation of vulnerability details on the twitter feed in question, do you? In fact, isn’t the joke really that there are people who doesn’t even bother to read what they’re commenting on?
can't find out how to contact them?
http://lmgtfy.com/?q=american+express+contact
Re: can't find out how to contact them?
You. Out of the gene pool.
Re: Re: can't find out how to contact them?
Hey thats my line!
It’s really beneficial to use a mediator during these circumstances.
That's a bit worry
Amex is a perfect example of a company whose only goal is money over everything. I hope the security issues have been addressed, as I was considering becoming a Amex member.