In the “more scary than you thought” department, even the largest credit card companies are not immune to making large, gaping mistakes in online security.
Unix man Joe Damato has recently uncovered what appears to be a flagrant abdication of even the most basic rules of security online by American Express. As a warning, if you are an American Express card holder, it may be prudent to avoid online banking in the short term.
Mr. Damato uncovered the hole while poking through a rewards form from his credit card company, a mundane enough task. When presented with a form that appeared via lightbox and requested among other things his credit card number, expiration date, and security code, he took a look under the hood. Why not, if you have the know how, right?
What he found was a bit sad. Not only was American Express not using HTTPS (Secure Hypertext Transfer Protocol) for the form, but upon employing a Wireshark packet sniff with fake information, a perhaps comically funny mistake showed up. American Express was sending the form data (which would contain full credit card numbers and the like) back to their servers in plain text. No encryption, no hiding, no scrambling, no nothing. Don’t believe me? Look at the screenshot of the capture:
In short American Express is having everyone run about dead naked online without their knowledge, free for the picking and scamming.
If you think that this is a bit unacceptable, tell American Express on Twitter. I truly hope that Citibank is doing a better job. This is the sort of thing that makes us all blink twice before using cards online.