AmEx unprotected login site (was encrypted tapes, was Re: Papersabout "Algorithm hiding" ?)

Amir Herzberg herzbea at macs.biu.ac.il
Wed Jun 8 03:09:27 EDT 2005 

Perry makes a lot of good points, but then gives a wrong example re Amex 
site (see below). Amex is indeed one of the unprotected login sites (see 
my `I-NFL Hall of Shame`, http://AmirHerzberg.com/shame.html). However, 
Amex is one of the few companies that actually responded seriously to my 
warning on this matter. In fact, I think they are the _only_ company 
that responded seriously - but failed to fix their site... I had an 
interesting discussion with their security and web folks, and my 
conclusions are:

1. These are serious people who understand technology and security 
reasonably well. They are aware of many attacks, including much more 
advanced spoofing attacks (that can foil even an expert user of a 
`regular` browser - by regular I mean without improved security 
indicators like provided by TrustBar). Unfortunately, they use this 
awareness to justify to themselves the lack of protection (`why should I 
put a lock when some people know how to break it?`).

2. They have a serious problem in using SSL in their homepage, and for 
business reasons, they don't want to put the login on a different page.

3. They did not actually spell out the problem in using SSL in the 
homepage (like eTrade, for instance). But I think I know the reason 
(they didn't confirm or deny). I think the reason is that they host 
their site; in particlar, when I tried accessing it via https, I got an 
Akamai certificate... [I don't think they liked this observation; now 
you are led to the unprotected site]

4. Ultimately, what we have here is simply the `usability beats 
security` rule...

In fact, I'm bcc:ing their lead person, in case he wants to chip in and 
protect their professional image better than me (how about: `we 
reconsidered and will fix our login process`?)

below are the relevant parts of Perry's message... I think you'll agree 
you picked wrong example.
...
> The benefits, however, are very obvious and large, and the cost is as
> close to nil as anything gets in business.
...
> You want to understand the real problem in security? It isn't your
> constant mythical attention to "cost". It is human stupidity.
> 
> Have a look, for example, at 
> 
> http://www.americanexpress.com/
> 
> which encourages users to type in their credentials, in the clear,
> into a form that came from lord knows where and sends the information
> lord knows where. Spoof the site, and who would notice?


As I said, I agree with the above (and most of the removed stuff).
But below you jumped to the wrong conclusions.

> 
> Every company should be telling its users never to type in their
> credentials on a web page downloaded in the clear, but American
> Express and lots of other companies train their users to get raped,
> and why do they do it? Not because they made some high level decision
> to screw their users. Not because they can't afford to do things
> right. It happens because some idiot web designer thought it was a
> nice look, and their security people are too ignorant or too powerless
> to stop it, that's why.
> 
> It has nothing to do with cost. The largest non-bank card issuer in
> the world can pay for the fifteen minutes of time it would take to fix
> it by putting the login on a separate SSL protected page. It has
> nothing to do with "ease of use" or tools that default "safe". The
> problem is that they don't know there is anything to fix at a level
> of the firm that is capable of taking the decision to fix it.
> 


-- 
Best regards,

Amir Herzberg

Associate Professor
Department of Computer Science
Bar Ilan University
http://AmirHerzberg.com

New: see my Hall Of Shame of Unprotected Login pages: 
http://AmirHerzberg.com/shame.html

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com

More information about the cryptography mailing list