funsec mailing list archives
Amex clueless about security--so what else is new?
From: "Rob, grandpa of Ryan, Trevor, Devon & Hannah" <rmslade () shaw ca>
Date: Thu, 6 Oct 2011 15:51:01 -0700
American Express is, as far as I know, alone among major financial institutions (for large values of "major") in sending out phish-like messages ( http://blogs.securiteam.com/index.php/archives/1328 ). Pretty much every other bank has gotten the message: don't send email to your customers, and alert them that if they receive email, it's not from you.

(I'm still getting those messages, by the way. Ironically, it's because I don't want them. If I want to tell Amex to turn them off, the only way I can do that is to register to receive them. Explain to me the logic underlying that process ...)

Amex is also alone in not providing an email account to which you can send phishing messages. I guess Amex doesn't want to do any more takedowns than they absolutely have to.

As a security pro, I've got contacts; personal contacts; in many major banks and financial institutions. These are people who work in phishing and malware takedowns, and I've encountered them in the course of my research into same over the years. I've never come across anyone from Amex. I've never had anyone from Amex in any of my seminars.

So, it is no great surprise that when a researcher recently found a gaping hole in Amex security, he had a very hard time letting Amex know about it: http://qnrq.se/full-disclosure-american-express/

====================== (quote inserted randomly by Pegasus Mailer)
rslade () vcn bc ca slade () victoria tc ca rslade () computercrime org
Alcohol, it seems, has the specific power to make *working-class* people violent and abusive. Which if you think about it is truly miraculous--a much more impressive magical feat than rain-making.
- Kate Fox, `Watching the English'
victoria.tc.ca/techrev/rms.htm http://www.infosecbc.org/links
http://blogs.securiteam.com/index.php/archives/author/p1/
http://twitter.com/rslade
_______________________________________________
Fun and Misc security discussion for OT posts.
https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
Note: funsec is a public and open mailing list.