Find A Massive Security Hole At American Express? If You're Not A Cardholder, It Doesn't Care
from the ouch dept
One of the general tenets of white hat security hackers is that when they find a vulnerability they alert the company first and allow them to fix things before they reveal the details. But what if it's impossible to reach anyone at the company? That Anonymous Coward points us to a recent case of someone discovering a serious zero-day vulnerability at American Express... and not only not not being able to find anyone to contact, but also being told that the company would pay more attention to him if he were a cardholer:To my great surprise American Express doesn’t allow anybody to contact them. Instead, you’re sent through their ten-year-old copyright noticed website’s first line support jungle to be attacked with questions ensuring that you’re a paying customer. If you’re not then you might as well not bother, unless you feel like speaking technical advanced 0day vulnerabilities with incompetent support personnel either through Twitter direct messages or phone. They will leave you no option of contacting them in a manner that circumvents any theoretical possibility they may have of boosting sales numbers.
The only acceptable contact methods that I found on their site were telephone, fax or physical mail to some typoed country called Swerige. I figured none of them were suitable for 0day reports and decided to turn to Twitter and ask for an e-mail address or some other modern protocol.
Thank you for reading this Techdirt post. With so many things competing for everyone’s attention these days, we really appreciate you giving us your time. We work hard every day to put quality content out there for our community.
Techdirt is one of the few remaining truly independent media outlets. We do not have a giant corporation behind us, and we rely heavily on our community to support us, in an age when advertisers are increasingly uninterested in sponsoring small, independent sites — especially a site like ours that is unwilling to pull punches in its reporting and analysis.
While other websites have resorted to paywalls, registration requirements, and increasingly annoying/intrusive advertising, we have always kept Techdirt open and available to anyone. But in order to continue doing so, we need your support. We offer a variety of ways for our readers to support us, from direct donations to special subscriptions and cool merchandise — and every little bit helps. Thank you.
–The Techdirt Team
Filed Under: reporting, security, security hole, vulnerabilities
Companies: american express
Reader Comments
Subscribe: RSS
View by: Time | Thread
[ link to this | view in chronology ]
[ link to this | view in chronology ]
Re: Then again
[ link to this | view in chronology ]
Re: Re: Then again
Until this math is changed through higher and more painful penalties, it's going to stay that way.
[ link to this | view in chronology ]
Re:
Then you say why don't you find your own problems, most problems and bugs really require a second set of eyes, and my company definitely doesn't believe in agile practices. So really u just wait for someone to whine. And then you wait for the business people to decide how you spend your time.
[ link to this | view in chronology ]
Re: Re:
I do this kind of thing all the time. You just use their own ignorance against them and in the end actually help them.
[ link to this | view in chronology ]
Re:
http://searchengineland.com/using-google-code-search-to-find-vulnerable-sites-10146
http:// cybersaviours.wordpress.com/2011/02/20/how-to-find-out-if-a-website-is-vulnerable-to-sql-injection/
I once typed a version of wordpress to see how many vulnerable websites where out there and there was a lot including a lot of political websites.
[ link to this | view in chronology ]
Re: Under-Resourcing Of Customer Support
The whole existing credit card system is broken anyway. Think about it, anybody who knows your credit card number can help themselves to your bank account. Is that a disaster looking for somewhere to happen or what? The banks and the credit card companies know the system is broken, but they do not care, because they have largely diverted the losses to other people. When there is a fraudulent credit card transaction, first the loss goes to the cardholder. If the cardholder kicks up a big enough stink (not easy), then the loss goes to the merchant. The poor old merchants are just stuck, in most cases.
The stuff about complaints only being accepted from cardholders, is just a ruse to get the complainant to go away. They have a mountain of complaints already, adding another one is just a waste of time. Only a widespread consumer boycott of the broken credit card system would get the banks to fix it. There is no chance of the sheeple doing that, so the banks run the system, ignore the complaints and enjoy the profits.
[ link to this | view in chronology ]
Re: Re: Under-Resourcing Of Customer Support
[ link to this | view in chronology ]
Re: Re: Under-Resourcing Of Customer Support
[ link to this | view in chronology ]
Re: Re: Under-Resourcing Of Customer Support
Anyway, you can't boycott credit cards unless you don't care about building up credit. If you ever want to own a nice house, car, etc then you can't really boycott that stuff.
[ link to this | view in chronology ]
Re: Re: Re: Under-Resourcing Of Customer Support
Yes you can, just never use credit.
I never did for personal affairs, I always, always saved the money first and buy the things later.
Do you realize how much you pay in hidden fee's?
If you ever want to own a really nice house don't ever use credit for nothing save the money and pay it in hard cash nobody will ever turn that down.
[ link to this | view in chronology ]
Re: Re: Re: Re: Under-Resourcing Of Customer Support
Yeah, if you save $1000 a month, it will only take 25 years to get a $300,000 house. No problem, just save up!
[ link to this | view in chronology ]
Re: Re: Re: Re: Re: Under-Resourcing Of Customer Support
Who cares about frugality; you should have WHAT YOU WANT WHEN YOU WANT IT, and to hell with the future!
[ link to this | view in chronology ]
Re: Re: Re: Re: Re: Re: Under-Resourcing Of Customer Support
You seem to be implying that 1) the term of a mortgage will be longer than your life and 2) if your mortgage isn't completely paid off when you die, then your heirs will be underwater on it. Neither assertion is correct.
Besides, if you don't want to borrow money to buy a house then don't, I truly don't care. But IMO it's silly to suggest saving up money to buy "a nice house". Either take out a mortgage, or just rent.
[ link to this | view in chronology ]
And sadly your right PrometheeFeu, until it is in the media no one cares, and by then as a customer you've already been screwed over for months/years.
This is someone tinkering around on his own dime, finding something really wrong and then trying to do the right thing.
We have all of these great stories about how hackers are evil blah blah blah blah blah.... The flipside of that coin is, until it is a bigger financial detriment to the company to pay out court awards, spend nothing to secure your systems. But the spin is always the evil hackers, never the corps who got an extra bonus for gutting their network security department.
Hackers tinker with things, they like to understand how they work. Hackers are not an evil criminal force covering the planet trying to rob everyone.
And muzak is the devil.
Given the high profile Sony, BART, CIA, etc etc etc "hacks" recently you'd think the corps would setup a phone number or something for white hats to get the people they need to talk to to fix.... er wait... they have no IT security people... nevermind...
[ link to this | view in chronology ]
I.T. Courts?
[ link to this | view in chronology ]
[ link to this | view in chronology ]
Re:
And the phone number... is customer service... once they figured out he was not a customer... yeah not so interested any more.
[ link to this | view in chronology ]
Re:
[ link to this | view in chronology ]
Re:
"DM me" is just another way of saying, "message me, a low customer service tech, about your intricate 0day exploit, and I'll pass it on to my manager, who will lose it in the shuffle."
For a vulnerability relating to a financial institution like American Express itself, I would think that they should take this very seriously.
[ link to this | view in chronology ]
Re: Re: Devils Cartographer
Should they lavish time/money on every crackpot (no offense meant) who calls and says "I can beat the system!"?
[ link to this | view in chronology ]
Re: Re: Re: Devils Cartographer
And if these corps were smart they would have contact info already provided to the community he is a part of.
Your talking about white hat hackers, who aren't likely to publicize a "white hat hacker" reporting line/email etc. They understand very well the trust they would be getting there, and would ensure it remaining viable.
Not all "security professionals" are exactly suit and tie people, but if it came down to making sure my system was secure I don't care if the expert had dreads and a TPB t-shirt on. Knowledge and skill should trump appearances. Ask Aaron Barr.
[ link to this | view in chronology ]
Re: Re: Re: Re: Devils Cartographer
I'm amused at the thought of these big corps, especially the financials, not caring about appearances. :)
[ link to this | view in chronology ]
Re:
[ link to this | view in chronology ]
Ha!
My hat must be getting grayer by the day...
Oh wait that's just my hair.
[ link to this | view in chronology ]
Kinda smells like the second...
Otherwise, if you can't easily get to someone who can understand the problem, just look up a bunch of executive e-mail addresses, as well as generics, and blast the details to all of them. Someone will pay attention.
Unless it was more about the recognition.
;)
[ link to this | view in chronology ]
Re:
Do you think physicists enjoy being at parties and having to get out the coloring book version of physics 101 so that Bob from accounting can understand the conversation?
If he wanted recognition and was that obsessed with it he would have hacked the site and done something to leave a mark.
High end geeks tend to have little patience for people who demand to know how the technology works. They prefer talking to peers who know all of the basic concepts so your not explaining how a communication protocol works, they have all the basics down already.
These are the people who created the carrier pigeon protocol, and it only had packet loss in hunt season.
[ link to this | view in chronology ]
Re: Re:
[ link to this | view in chronology ]
Re: Re: Re:
[ link to this | view in chronology ]
[ link to this | view in chronology ]
Re:
[ link to this | view in chronology ]
Re:
[ link to this | view in chronology ]
"Hello, 911? I'd like to report that I saw someone trying to break into a local bank through a wall."
"OK sir, and are you a member of that bank?"
"Well... No, but-"
"I'm sorry, if you aren't a member, you need to call 912, our other support line. Thanks and good luck!"
"..."
[ link to this | view in chronology ]
I see nowhere in TFA where he tried any other reasonable avenues of communication. What I do see is that he decided that those avenues of communication were not appropriate (his decision) and that Twitter was, for some reason.
Sorry, non-story.
[ link to this | view in chronology ]
Re:
[ link to this | view in chronology ]
Re: Re:
[ link to this | view in chronology ]
Re: Re: Re:
[ link to this | view in chronology ]
Re: Re:
[ link to this | view in chronology ]
Re: Re: Re:
[ link to this | view in chronology ]
[ link to this | view in chronology ]
Re:
[ link to this | view in chronology ]
Re: Re:
I'm not saying this makes it any better, I'm just wondering why he couldn't call.
[ link to this | view in chronology ]
Re: Re: Re:
Maybe he knew that customer support wouldn't have the first clue what to do with his information.
[ link to this | view in chronology ]
Re:
[ link to this | view in chronology ]
Since they won't listen...
[ link to this | view in chronology ]
Did you try abuse? Security?
http://www.co.sisqjustice.ca.us/contact.htm
[ link to this | view in chronology ]
Re: Did you try abuse? Security?
I was reading his twitter feed... very smart man.
They tried to hide the tool by putting the address to it in robots.txt and telling them not to look there.
Security through obscurity...
[ link to this | view in chronology ]
Why are you testing their security?
[ link to this | view in chronology ]
Re: Why are you testing their security?
[ link to this | view in chronology ]
Re: Why are you testing their security?
[ link to this | view in chronology ]
Re: Re: Why are you testing their security?
[ link to this | view in chronology ]
Re: Why are you testing their security?
In your world I guess doing something for altruistic (thats a big new word..look it up) reasons makes someone a dick?
interesting.
[ link to this | view in chronology ]
[ link to this | view in chronology ]
[ link to this | view in chronology ]
Re:
[ link to this | view in chronology ]
American Express Company
World Financial Center
New York, NY 10285
212.640.2000
not that hard to find the corporate contact information.
[ link to this | view in chronology ]
Re:
[ link to this | view in chronology ]
Re:
You obviously have no understanding of how and what a 0day can do.
In the time it would have taken for a letter to make it across the atlantic, the amount of damage that could have been done is HUGE.
And you expect someone on their own dime to shore up their services, and bear all of the burdens because they couldn't be bothered to secure the system in the first place.
You... out of the gene pool...
[ link to this | view in chronology ]
Re: Re:
[ link to this | view in chronology ]
Re: Re: Re:
[ link to this | view in chronology ]
Speaking of which.... *runs off to submit*
[ link to this | view in chronology ]
He's probably better off
[ link to this | view in chronology ]
I KNOW WHY!
If they KNOW about the vulnerability they have a duty to fix it or face class action lawsuits............
[ link to this | view in chronology ]
the answer
WOW! I just found a way to take money directly out of the CEO of AMEX's *personal* bank accounts.......
(5..4..3..2..1.)....cue call from Amex Security......
[ link to this | view in chronology ]
whois americanexpress.com = amexdns@aexp.com
[ link to this | view in chronology ]
[ link to this | view in chronology ]
Re: why he didn't use the phone number supplied
To put it simply: He CAN'T call that number no matter what. It just doesn't work.
Which brings me to the next reason he's probably reluctant to phone, namely that Sweden is six (or seven, depeding on whether summer time is in effect) hours east of New York, meaning that for him to actually find someone to answer the phone in the other end he's going to have to call late in the afternoon or evening, local time.
As to the other options, snail mail or fax... well, I shouldn't have to comment on that, should I?
That said, he could probably have been a bit more creative in trying to find someone not shielded by first line support to talk to, had he tried for example googling for someone on linked in associated with Amex security as someone suggested here.
But the whole point is, why the h*ll should he have to??
He found/heard of/(re)searched/stumbled upon/whatever a serious security problem and as a good netizen he wanted to inform the party involved, and was unable to find someone to talk to, in part because he wasn't a customer.
That's not good security policy no matter how you look at it.
[ link to this | view in chronology ]
Re: Re: why he didn't use the phone number supplied
[ link to this | view in chronology ]
[ link to this | view in chronology ]
Sadly, this is extremely common
Yet this has become the norm. Many clueless, lazy, cheap and ignorant admins will claim that this is necessary because of the levels of spam/abuse that arrives in these mailboxes. Of course, everyone with sufficient experience knows that's merely a flimsy excuse for their inability to handle a rudimentary task. Other equally-clueless admins will provide an idiotic web form that demands irrelevant information and forces correspondents into using a very limited communication method (i.e., one which does not support lengthy messages and/or attachments).
The ignorant newbies who do all this are of course the first ones to whine and cry foul when a researchers publicly disclose a problem.
[ link to this | view in chronology ]
Re: Sadly, this is extremely common
Do you think they have someone competent?
[ link to this | view in chronology ]
Re: Sadly, this is extremely common
Many admins today have inherited a system set up by us long beards (or suspender wearers....or both). Though many of us have established good practices, there's no guaranteeing that they are being followed by those who are now running the front lines.
[ link to this | view in chronology ]
sounds to me like this guy is a joke.
[ link to this | view in chronology ]
Re:
[ link to this | view in chronology ]
Re:
And the article makes it clear that there is an element of expediency.
Oh, and this is a general member of the public using their own time and resources to try to notify a massive company to save that company pain and turmoil. So this due process had better be (a) relatively expedient and (b) not unreasonably burdensome.
[ link to this | view in chronology ]
Re:
What is that process, then? Maybe you can be helpful and let this guy know about it.
[ link to this | view in chronology ]
[ link to this | view in chronology ]
can't find out how to contact them?
[ link to this | view in chronology ]
Re: can't find out how to contact them?
[ link to this | view in chronology ]
Re: Re: can't find out how to contact them?
[ link to this | view in chronology ]
[ link to this | view in chronology ]
That's a bit worry
[ link to this | view in chronology ]