AmEx unprotected login site (was encrypted tapes, was Re: Papers about "Algorithm hiding" ?)
Jerrold Leichter
jerrold.leichter at smarts.com
Wed Jun 8 14:25:20 EDT 2005
| Perry makes a lot of good points, but then gives a wrong example re Amex site
| (see below). Amex is indeed one of the unprotected login sites (see my `I-NFL
| Hall of Shame`, http://AmirHerzberg.com/shame.html). However, Amex is one of
| the few companies that actually responded seriously to my warning on this
| matter. In fact, I think they are the _only_ company that responded seriously
| - but failed to fix their site... I had an interesting discussion with their
| security and web folks, and my conclusions are:
|
| 1. These are serious people who understand technology and security
| reasonably well. They are aware of many attacks, including much more
| advanced spoofing attacks (that can foil even an expert user of a `regular`
| browser - by regular I mean without improved security indicators like
| provided by TrustBar). Unfortunately, they use this awareness to justify to
| themselves the lack of protection (`why should I put a lock when some people
| know how to break it?`)....
|
| 4. Ultimately, what we have here is simply the `usability beats security`
| rule...
If you look at their site now, they *claim* to have fixed it: The login box
has a little lock symbol on it. Click on that, and you get a pop-up window
discussing the security of the page. It says that although the page itself
isn't protected, "your information is transmitted via a secure environment".
No clue as to what exactly they are doing, hence if it really is secure.
-- Jerry
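As an added illustration (not part of this post, and not code from Amex or any other site), the following Python check makes the point above concrete: a lock graphic drawn on the page proves nothing, and a pop-up saying the data goes over "a secure environment" cannot be verified by the user. The only thing a browser can attest to is the transport of the page that delivered the form. The script classifies each password form by the scheme of the page and the scheme of the form's action, and shows that on an HTTP-delivered page an on-path attacker can rewrite the action to plain HTTP without changing anything the user sees. The hostnames and HTML are constructed for the example and are not the real site's markup.

```python
"""Classify login forms as protected or unprotected.

A login form is only as protected as the page that delivers it: if the
page arrives over plain HTTP, an on-path attacker can rewrite the form's
action (or inject script that reads the password field) before the user
sees it, regardless of where the form claims to post.

Example code; hostnames and markup below are constructed, not real.
"""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit


class _FormCollector(HTMLParser):
    """Record, for every <form>, its action and whether it has a password field."""

    def __init__(self):
        super().__init__()
        self.forms = []        # each entry: {"action": str, "password": bool}
        self._current = None   # form currently being parsed, if any

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)        # attribute values may be None for bare attributes
        if tag == "form":
            self._current = {"action": a.get("action") or "", "password": False}
            self.forms.append(self._current)
        elif tag == "input" and self._current is not None:
            if (a.get("type") or "").lower() == "password":
                self._current["password"] = True

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None


def assess_login_page(page_url, html):
    """Return one finding per form that contains a password field.

    Each finding has:
      action     - absolute URL the form submits to
      page_tls   - True if the page itself was served over https
      action_tls - True if the form posts over https
      verdict    - "protected", "unprotected page" or "cleartext submit"
    """
    parser = _FormCollector()
    parser.feed(html)
    page_tls = urlsplit(page_url).scheme == "https"
    findings = []
    for form in parser.forms:
        if not form["password"]:
            continue
        action = urljoin(page_url, form["action"])   # empty action posts to the page itself
        action_tls = urlsplit(action).scheme == "https"
        if not action_tls:
            verdict = "cleartext submit"       # credentials leave the browser in the clear
        elif not page_tls:
            verdict = "unprotected page"       # https action, but the form itself is unauthenticated
        else:
            verdict = "protected"
        findings.append({"action": action, "page_tls": page_tls,
                         "action_tls": action_tls, "verdict": verdict})
    return findings


# Constructed sample: an http page showing a lock image, posting to an https endpoint.
ORIGINAL_HTML = """
<html><body>
<img src="/images/lock.gif" alt="secure"> Log in to your account
<form method="post" action="https://login.example.test/authenticate">
  <input type="text" name="user">
  <input type="password" name="pass">
</form>
</body></html>
"""

# What an on-path attacker can serve instead: identical to the user, action rewritten.
TAMPERED_HTML = ORIGINAL_HTML.replace("https://login.example.test",
                                      "http://login.example.test")

if __name__ == "__main__":
    for label, url, html in [
        ("as served", "http://www.example.test/", ORIGINAL_HTML),
        ("tampered", "http://www.example.test/", TAMPERED_HTML),
        ("page over TLS", "https://www.example.test/login", ORIGINAL_HTML),
    ]:
        for f in assess_login_page(url, html):
            print(f"{label:14} page_tls={f['page_tls']!s:5} "
                  f"action={f['action']}  ->  {f['verdict']}")
```

The "unprotected page" verdict is the case discussed in the thread: the credentials may well travel over TLS when the page is delivered intact, but nothing authenticates the page that asked for them, so the "tampered" variant reaches the user with the same lock image and no browser warning. Only a page served over TLS lets the user (or a tool such as TrustBar) verify who they are typing their password into.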
---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com