funsec mailing list archives

Amex clueless about security--so what else is new?


From: "Rob, grandpa of Ryan, Trevor, Devon & Hannah" <rmslade () shaw ca>
Date: Thu, 6 Oct 2011 15:51:01 -0700

American Express is, as far as I know, alone among major financial institutions 
(for large values of "major") in sending out phish-like messages ( 
http://blogs.securiteam.com/index.php/archives/1328 ).  Pretty much every other 
bank has gotten the message: don't send email to your customers, and alert them 
that if they receive email, it's not from you.

(I'm still getting those messages, by the way.  Ironically, it's because I don't want 
them.  If I want to tell Amex to turn them off, the only way I can do that is to 
register to receive them.  Explain to me the logic underlying that process ...)

Amex is also alone in not providing an email account to which you can send 
phishing messages.  I guess Amex doesn't want to do any more takedowns than 
they absolutely have to.

As a security pro, I've got contacts, personal contacts, in many major banks and 
financial institutions.  These are people who work in phishing and malware 
takedowns, and I've encountered them in the course of my research into same 
over the years.  I've never come across anyone from Amex.  I've never had 
anyone from Amex in any of my seminars.

So, it is no great surprise that when a researcher recently found a gaping hole in 
Amex security, he had a very hard time letting Amex know about it:
http://qnrq.se/full-disclosure-american-express/

======================  (quote inserted randomly by Pegasus Mailer)
rslade () vcn bc ca     slade () victoria tc ca     rslade () computercrime org
Alcohol, it seems, has the specific power to make *working-class*
people violent and abusive.  Which if you think about it is truly
miraculous--a much more impressive magical feat than rain-making.
                                  - Kate Fox, `Watching the English'
victoria.tc.ca/techrev/rms.htm http://www.infosecbc.org/links
http://blogs.securiteam.com/index.php/archives/author/p1/
http://twitter.com/rslade
_______________________________________________
Fun and Misc security discussion for OT posts.
https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
Note: funsec is a public and open mailing list.