AmEx unprotected login site

Perry E. Metzger perry at piermont.com
Wed Jun 8 09:56:59 EDT 2005


Amir Herzberg <herzbea at macs.biu.ac.il> writes:
> Perry makes a lot of good points, but then gives a wrong example re
> Amex site (see below). Amex is indeed one of the unprotected login
> sites (see my `I-NFL Hall of Shame`,
> http://AmirHerzberg.com/shame.html). However, Amex is one of the few
> companies that actually responded seriously to my warning on this
> matter. In fact, I think they are the _only_ company that responded
> seriously - but failed to fix their site...
[...]

I'm surprised that they responded to you. I tried to get them to respond to
my inquiries about it for weeks without any success.

I did get a nice letter from JP Morgan Chase telling me I was crazy
and that there is no security problem on their site (which suffers
from the same problem). I probably should publish it to assure the
dismissal of the people responsible for sending it to me.

> 2. They have a serious problem in using SSL in their homepage, and for
>    business reasons, they don't want to put the login on a different
>    page.

Well, those "business reasons" are pretty obviously an incorrect
balance of security and convenience, as I'm sure you would agree. The
inconvenience of having to click one more button to get to your
account is minimal -- almost unmeasurably small. The inconvenience of
the company having to explain to tens of thousands of people that
they've screwed them badly, along with all of the money lost, is
substantially higher. One day they'll be paying that second
inconvenience.

Many other financial institutions get this right, by the
way. Citigroup gets this right. If their customers can click onto
another page, so can customers of American Express, Chase, etc.

> below are the relevant parts of Perry's message... I think you'll
> agree you picked wrong example.

I don't agree. I think this is still a case of human frailty causing a
security problem, rather than some sort of technological issue.

If you know what the problem is and you decide not to do anything
about it because you believe that "for business reasons" you shouldn't
put the login on a separate page, you've got nothing to blame for your
future security problems other than yourself.

My point is simple. We have enough protocols, software, etc. to avoid
most of the security issues we have to deal with at this point. Most
of the remaining problem tends to be human beings. In this case, the
human beings are security people who know better but give in when
management decides for what amounts to aesthetic reasons that it needs
a login on the front page that isn't protected by SSL.

> As I said, I agree with the above (and most of the removed stuff).
> But below you jumped to the wrong conclusions.

I disagree. I'll stand by most of what I said.

>> Every company should be telling its users never to type in their
>> credentials on a web page downloaded in the clear, but American
>> Express and lots of other companies train their users to get raped,

And they are indeed training their users to enter in security
credentials on unsecure pages.

>> and why do they do it? Not because they made some high level decision
>> to screw their users. Not because they can't afford to do things
>> right. It happens because some idiot web designer thought it was a

And if in this one case it turns out that they did indeed make a high
level decision to screw their users, so much the worse.

-- 
Perry E. Metzger		perry at piermont.com

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com