
American Express fails miserably at basic security

252 points by ice799 almost 15 years ago

17 comments

edj almost 15 years ago

This sounds scarier than it really is. Why? Because credit card companies focus on identifying fraudulent transactions rather than verifying your id.

From Bruce Schneier's blog[1]:

"But once you understand that the problem is fraudulent transactions, you quickly realize that authenticating the transaction, not the person, is the way to proceed.

"Again, think about credit cards. Store clerks barely verify signatures when people use cards. People can use credit cards to buy things by mail, phone or Internet, where no one verifies the signature or even that you have possession of the card.

"Even worse, no credit card company mandates secure storage requirements for credit cards. They don't demand that cardholders secure their wallets in any particular way. Credit card companies simply don't worry about verifying the cardholder or putting requirements on what he does. They concentrate on verifying the transaction."

[1]: http://www.schneier.com/essay-153.html
pkulak almost 15 years ago
That's pretty terrible, but I'd say it's still more secure than most of the ways I transfer my credit card number. Twice I've needed a tow truck, and both times would you like to know how they charged my card? By picking up their radio and reading off all my info to the main office. All I'd need is a scanner to get dozens of valid credit card numbers a day.
jrockway almost 15 years ago
Maybe. But their fraud detection is pretty good. I've seen some unauthorized charges before, and Amex has called me before I had any idea. I've also had unauthorized charges show up on a Citi card -- their customer support didn't care and refused to help me. I just paid the $60 (for some scam software, apparently) and canceled the card. So Citi may protect their numbers better, but Amex actually helps you when someone gets your number.<p>(I also had a Paypal debit card canceled for authorized charges. Needless to say, I just buy everything with the Amex. Good customer service, good interest rate, cash back.)
InclinedPlane almost 15 years ago

American Express also limits passwords for their online banking functions to less than 8 purely alphanumeric characters (no spaces, no special characters). If this alone wasn't bad enough, this almost certainly means that somewhere deep in the bowels of AmEx's software stack there's an ancient system where the password field is in plain-text.
tptacek almost 15 years ago
It wouldn't matter at all if the handler was https. If the form is delivered over HTTP, a man in the middle can make it go wherever they want.
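An added check (my own example, not code from the post or from American Express) that classifies a page's forms the way tptacek and jeff18 describe: a form that posts over HTTP sends the card number in the clear, and a form delivered over HTTP can have its action rewritten by an on-path attacker even when that action is HTTPS. The page URL and HTML below are constructed.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse


class _FormCollector(HTMLParser):
    """Collect the action attribute of every <form> on a page."""

    def __init__(self):
        super().__init__()
        self.actions = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "form":
            # attrs is a list of (name, value); value may be None
            self.actions.append(dict(attrs).get("action") or "")


def audit_forms(page_url, html):
    """Return (resolved_action_url, finding) for each form on the page.

    A form is only as safe as the weaker of its two hops: the connection
    that delivered the page and the connection the data is posted over.
    """
    page_scheme = urlparse(page_url).scheme
    parser = _FormCollector()
    parser.feed(html)
    findings = []
    for action in parser.actions:
        target = urljoin(page_url, action)  # relative actions inherit the page's scheme
        if urlparse(target).scheme != "https":
            finding = "plaintext submission: form posts over HTTP"
        elif page_scheme != "https":
            finding = "form delivered over HTTP: an on-path attacker can rewrite the action"
        else:
            finding = "ok: page and action both HTTPS"
        findings.append((target, finding))
    return findings


# Constructed sample page (not American Express markup): a "secure" badge
# beside one form that posts in the clear and one that posts to HTTPS.
SAMPLE_HTML = """
<html><body>
<p>This page is secure</p>
<form action="/enroll" method="post"><input name="card_number"></form>
<form action="https://pay.example.test/enroll" method="post"><input name="card_number"></form>
</body></html>
"""

if __name__ == "__main__":
    for url, finding in audit_forms("http://www.example.test/signup", SAMPLE_HTML):
        print(f"{url}: {finding}")
```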
jeff18 almost 15 years ago
Just out of curiosity, what is the actual penalty to American Express for saying their page is secure while transmitting credit card numbers in plaintext?
jacquesm almost 15 years ago

That's just an ad for 'homerun'.

Find insecurity in competitors service, make loud blog noises, drop payload.
dalore almost 15 years ago
In the old mail order days my dad used to write the cc number on the order form, in plain text!
ams6110 almost 15 years ago
The F-bombs really don't add anything to an otherwise decent write-up. Use some more creative vocabulary.
kaddar almost 15 years ago

"This page is secure"?

This comment is complimenting American Express.
hans almost 15 years ago

I canceled Identity Protect service at AMX after it routinely lagged (sometimes months) in notifying me of credit changes to my fico or whatever. It is sad to see people pay $14/month for that service which, best case scenario, notifies you after somebody jacked your card and has long since moved away to a foreign country. Then I canceled my card too!

Really identity thievery is an issue b/c of the banks + loan companies. They're perfectly willing to roll accounts with very little scrutiny and I don't understand why there are not class action lawsuits etc. to nail the lender not the jacked identity. Search on the "credit freeze" if you want the real solution.
henrikschroder almost 15 years ago

Why would you even need the entire credit card number to sign up for a service like this? That's what boggles my mind the most. Amex really only needs enough data to identify one of their cardholders in such a way that no one can sign up for someone else.

Name + billing address + four last digits should be enough? Or eight last. Or four last + CVC. Asking for everything that's required for a purchase is beyond dumb. To me, it's like giving out your password while talking to customer representatives, that's also something you don't do.
DeusExMachina almost 15 years ago

Reading the discussion about credit card number security reminded me of this, which is worse than having some money stolen:

http://news.ycombinator.com/item?id=1129797
someone_here almost 15 years ago

Unfortunately, most of today's "security" with regards to credit cards is merely there to deter the easy grabs. Any determined person could easily get anyone's details through a number of means.
treblig almost 15 years ago
I would be inclined to take this more seriously if there wasn't an enormous distorted AMEX logo at the top of the post.
kadhinn almost 15 years ago

Eye opener... it's hard to believe, but then you have proved it. Merchants need to take this up with banks.
c00p3r almost 15 years ago

The issue is as old as the internet itself: do not use your primary card. Open a special one for electronic use only, with a separate account, instead.