American Express WTF



  •  I'm registering an AmEx online account so I can pay my bills on the internet.  One would expect that a company that has a large interest in security would require difficult-to-guess passwords:

     [image: AmEx WTF]

    A bonus WTF is the "password strength" meter.  Any valid 6-character password gets one bar, any valid 7-character password gets two bars (or three if there is more than two numbers in the password), and any valid 8-character password gets one bar plus the number of digits in the password (up to four bars, of course).  It doesn't appear to care whether the digits and letters are intermixed or not, or even whether the letters and digits are different.   Thus, "aaaaa555" is rated as a four-bar password.
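The meter described in the post, re-implemented as an added example (not American Express code; the rules are inferred from the post's description, and the validity rule of 6-8 letters and digits is an assumption drawn from the thread). It is placed beside two alternative measures so the weakness is visible in numbers: repeated characters inflate the site-style score but carry almost no information.

```python
import math

# Constructed re-implementation of the strength meter as described above.
# The acceptance rule (6-8 characters, letters and digits only) is assumed
# from the thread, not taken from any published policy.
MIN_LEN, MAX_LEN = 6, 8


def is_valid(password: str) -> bool:
    """Assumed acceptance rule: 6-8 ASCII letters and digits."""
    return (MIN_LEN <= len(password) <= MAX_LEN
            and password.isascii() and password.isalnum())


def amex_style_bars(password: str) -> int:
    """Bars exactly as the post describes them: length- and digit-count-driven."""
    if not is_valid(password):
        return 0
    digits = sum(ch.isdigit() for ch in password)
    if len(password) == 6:
        return 1
    if len(password) == 7:
        return 3 if digits > 2 else 2
    # 8 characters: one bar plus the number of digits, capped at four
    return min(4, 1 + digits)


def shannon_bits(password: str) -> float:
    """Total Shannon entropy of the string's own character distribution.

    Crude, but it exposes exactly the flaw the post points out: 'aaaaa555'
    contains two symbols and scores far below eight distinct characters.
    """
    n = len(password)
    counts = {}
    for ch in password:
        counts[ch] = counts.get(ch, 0) + 1
    per_char = -sum((c / n) * math.log2(c / n) for c in counts.values())
    return per_char * n


def distinct_bars(password: str) -> int:
    """Alternative meter: one bar per two distinct characters, capped at four."""
    if not is_valid(password):
        return 0
    return min(4, len(set(password.lower())) // 2)


if __name__ == "__main__":
    for pw in ("aaaaa555", "aaaaaa1", "q7k2w9m4", "abcdef"):
        print(f"{pw:10} site-style={amex_style_bars(pw)} bars  "
              f"distinct-style={distinct_bars(pw)} bars  "
              f"shannon={shannon_bits(pw):.1f} bits")
```

Running it shows "aaaaa555" at four site-style bars but one distinct-character bar and under 8 bits of information, while "q7k2w9m4" scores four bars under both meters and 24 bits.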



  •  The Real WTF: You can make credit card transfers with a self-chosen password?



  •  Transfers?  I'm talking about logging on to americanexpress.com to pay my American Express bill.



  • @Heron said:

     Transfers?  I'm talking about logging on to americanexpress.com to pay my American Express bill.

     

    In that case, would you mind if someone paid your bill for you?



  • @dtech said:

    In that case, would you mind if someone paid your bill for you?

     

    Fair question... however the online account lets you set up the payment of other (non-AmEx) bills using your card.  So, for example, using nothing more than the AmEx online account, I can set up recurring payment of my cell phone bill, my netflix bill, my cable tv and internet bills, etc etc.  In other words, it does give people some access to my money.


  • Garbage Person

    @dtech said:

    @Heron said:

     Transfers?  I'm talking about logging on to americanexpress.com to pay my American Express bill.

     

    In that case, would you mind if someone paid your bill for you?

    I'd love it.

     I don't mind that the password system on the Amex site is so shit. This is simply because they can't do anything really damaging even if they get in. OH NO, SOMEONE MIGHT PAY MY BILL FOR ME. It's not like they can spend my frequent flier vouchers, either - those are handled on the airline's website.

    Can't see my existing banking details (other than the name of the bank), can't see or change any of my personal data (that all has to be done on the phone), can't get a copy of my card (that would be sent to my REAL address). All they can do is see where I spend my money (oh no!) and pay my fucking bill. 



  •  As I said, Weng, people can set up payment of other services using the AmEx online account, so they would, in fact, have access to your money.  Stop acting like it's idiotic to be concerned about security.



  • A large proportion of financial company web sites have similar restrictions.  A large proportion of financial companies use mainframes.  These restrictions look very similar to mainframe-type password restrictions I know of.

    Semi-dodgy conclusion: AmEx (and others) store our passwords on mainframes.

    And thus: why, oh why, mainframe people, why have you not created a password system with less restrictions????  I mean, I know EBCDIC is an abomination, but it does have (at least some) special characters!



  • @AssimilatedByBorg said:

    A large proportion of financial company web sites have similar restrictions.  A large proportion of financial companies use mainframes.  These restrictions look very similar to mainframe-type password restrictions I know of.

    Semi-dodgy conclusion: AmEx (and others) store our passwords on mainframes.

    And thus: why, oh why, mainframe people, why have you not created a password system with less restrictions????  I mean, I know EBCDIC is an abomination, but it does have (at least some) special characters!

    Oh yes. Case-insensitive passwords smell of RACF.

    But then, I do remember one particular banking system that uses SSHA on LDAP for password storage/authentication, which perfectly supports all that stuff. Yet, they still validate the "alphanumeric only" rule, so I suppose it has more to do with useless validation code still stuck somewhere in the app layer.



  • @Heron said:

    In other words, it does give people some access to my money.
    I only respond so that I may put the correct tag into the tag cloud.  Enjoy.



  • @Heron said:


    In that case, would you mind if someone paid your bill for you?

    It depends. I, for one, would be mildly concerned to discover that Abu Qatada had paid my credit card bill.



  • @dtech said:

    The Real WTF: You can make credit card transfers with a self-chosen password?

    I fail to see what difference this makes.  Having bank-supplied passwords only punishes people who aren't idiots by making their password harder to work with.  The idiots will find plenty of ways to have their money taken without such useless security theater.  I have never met someone who had their bank account or credit card compromised because of a weak password.  The one or two cases of identity theft or financial fraud were done with SSNs and good-old-fashioned paper checks. 



  • It'll take an average of 1.4 trillion login attempts to find your random 8 character password. They'll disable your login after the first 3 or so.



  • @dtfinch said:

    ~~It'll take an average of 1.4 trillion login attempts~~ There are 2.596148429267414e+33 possibilities in your ~~to find your~~ random 6 - 8 character password with the restrictions listed above. They'll disable your login after the first 3 or so.
     

    FTFY

    Yeah I think that it is pretty safe.  "Strong?" No, but good enough for most cases.  Plus it should take about 10.7 months to crack.
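The arithmetic behind the two posts above, worked as an added example (not from the thread or from American Express): the keyspace for 6-8 characters over a case-insensitive alphanumeric alphabet, the average number of guesses, what a three-attempt lockout does to an online guesser, and how different the picture is if the list is attacked offline. The 36- and 62-symbol alphabets are assumptions drawn from the thread's "alphanumeric, case-insensitive" description; the offline guess rate is a constructed figure.

```python
import math

# Alphabet sizes assumed from the thread's description of the restrictions.
ALPHANUM_CI = 26 + 10   # case-insensitive letters + digits
ALPHANUM_CS = 52 + 10   # case-sensitive letters + digits


def keyspace(min_len: int, max_len: int, alphabet: int) -> int:
    """Number of distinct passwords of length min_len..max_len over `alphabet` symbols."""
    return sum(alphabet ** n for n in range(min_len, max_len + 1))


def expected_guesses(space: int) -> int:
    """Average guesses to hit a uniformly random password: about half the space."""
    return (space + 1) // 2


def online_success_probability(space: int, attempts_before_lockout: int) -> float:
    """Chance a guesser gets in before the account locks, for a uniform password."""
    return attempts_before_lockout / space


def seconds_to_exhaust(space: int, guesses_per_second: float) -> float:
    """Wall-clock time to try every candidate at a fixed offline rate."""
    return space / guesses_per_second


def human_duration(seconds: float) -> str:
    """Rough, readable rendering of a duration in seconds."""
    for unit, size in (("years", 365 * 86400), ("days", 86400),
                       ("hours", 3600), ("minutes", 60)):
        if seconds >= size:
            return f"{seconds / size:.1f} {unit}"
    return f"{seconds:.1f} seconds"


if __name__ == "__main__":
    ci_space = keyspace(6, 8, ALPHANUM_CI)
    cs_space = keyspace(6, 8, ALPHANUM_CS)
    print(f"6-8 chars, 36 symbols: {ci_space:,} passwords ({math.log2(ci_space):.1f} bits)")
    print(f"8 chars only, 36 symbols: average {expected_guesses(36 ** 8):,} guesses")
    print(f"6-8 chars, 62 symbols: {cs_space:,} passwords ({math.log2(cs_space):.1f} bits)")
    print(f"online, 3 tries then lockout: p = {online_success_probability(ci_space, 3):.2e}")
    # Offline guessing against a leaked plaintext or fast-hash table is a
    # different regime; 1e9 guesses/second is a constructed illustrative rate.
    print(f"offline at 1e9/s: {human_duration(seconds_to_exhaust(ci_space, 1e9))}")
```

The 8-character average comes out at 1,410,554,953,728 guesses, which is the "1.4 trillion" figure in the thread; the lockout makes the online case negligible, while the same keyspace falls in under an hour at the constructed offline rate, which is why the storage question raised later in the thread matters more than the online one.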



  •  I wouldn't be so much concerned about an over-the-web brute-force attack as about someone getting ahold of the password list - if they have a length and character restriction, they're most likely storing them in plaintext (after all, if they're storing a hash there's no reason to put a maximum length restriction, or a character restriction).  That, of course, is not safe.
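An added example illustrating the storage point made above (not code from the thread or from any bank): once a password is kept as a salted, slow hash, the stored record has a fixed size and fixed byte range no matter what the user typed, so a maximum length or "alphanumeric only" rule buys the storage layer nothing. The scrypt parameters and record layout are illustrative choices.

```python
import hashlib
import hmac
import os

# Illustrative parameters, not any institution's configuration.
SALT_LEN = 16
DK_LEN = 32
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2 ** 14, 8, 1


def _derive(password: str, salt: bytes) -> bytes:
    """Slow, salted derivation; accepts any length and any character."""
    return hashlib.scrypt(password.encode("utf-8"), salt=salt,
                          n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=DK_LEN)


def make_record(password: str) -> bytes:
    """Return salt || derived key: always SALT_LEN + DK_LEN bytes."""
    salt = os.urandom(SALT_LEN)
    return salt + _derive(password, salt)


def verify(password: str, record: bytes) -> bool:
    """Recompute from the stored salt and compare in constant time."""
    if len(record) != SALT_LEN + DK_LEN:
        return False
    salt, stored = record[:SALT_LEN], record[SALT_LEN:]
    return hmac.compare_digest(_derive(password, salt), stored)


def record_len(password: str) -> int:
    """Length of the stored record for a given password (always the same)."""
    return len(make_record(password))


if __name__ == "__main__":
    short_pw = "aaaaa1"
    long_pw = "correct horse battery staple, with punctuation & spaces! " * 2
    print(record_len(short_pw), record_len(long_pw))   # same size either way
    rec = make_record(long_pw)
    print(verify(long_pw, rec), verify(short_pw, rec))
```

A 6-character and a 100-plus-character password both produce a 48-byte record here; any length cap or character restriction that remains in a system built this way lives in validation code, not in the storage, which is the point the later RACF/LDAP post makes.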



  • @morbiuswilters said:

    I fail to see what difference this makes.  Having bank-supplied passwords only punishes people who aren't idiots by making their password harder to work with. 
     

    I don't know how it is in the VS, but over here (in Europe) banks have to pay back stolen money, unless there was proof it was the customer's own fault. If the customer upheld all of the bank's security guidelines he is not to blame. So a password restriction like this could cost the bank money on our side of the Atlantic, because a user who would choose "aaaaa1" as a password upheld all of the security restrictions and still got his money stolen.

     Besides, there is no real good reason not to protect the malinformed/stupid.



  • @dtech said:

    Besides, there is no real good reason not to protect the malinformed/stupid.

    Um, are you kidding?  Of course there is.  You're doing people no favors by insulating them from the consequences of their actions.  By building layer after layer of technological defenses to deal with the seemingly-endless expansion of human stupidity, you are guaranteeing they will never have to learn to protect themselves and should they even want to they will be faced with a system that is far more complex than it needs to be.  The problem is that you truly believe technology can take the place of human intelligence and judgement, which it cannot.  Technology should aid people in accomplishing their goals, not make their decisions for them.



  •  Except you're completely ignoring the fact not providing any defense (i.e. "insulating people from the consequences of their actions") is more expensive than providing a few relatively meager lines of defense.  Remember, it's not the end-user that suffers for getting his bank password stolen - it's the bank, which has to pay back the end-user.  Or do you think the bank shouldn't have to pay people back?  What do people do who get mugged and get their wallets stolen?  Should they have to pay for it?



  • @morbiuswilters said:

    The problem is that you truly believe technology can take the place of human intelligence and judgement, which it cannot. 
     

    I do not believe that. I just believe a self-chosen password with stupid restrictions benefits no-one. An assigned random password is safer and does not disadvantage anyone. You don't get to craft your own keys and locks either, do you? When you go to the city hall they don't give you a pen and tell you to start drawing, do they?



  • @Heron said:

    Except you're completely ignoring the fact not providing any defense (i.e. "insulating people from the consequences of their actions") is more expensive than providing a few relatively meager lines of defense.

    Who said anything about no defense?  User-supplied passwords are plenty of defense.

     

    @Heron said:

    Remember, it's not the end-user that suffers for getting his bank password stolen - it's the bank, which has to pay back the end-user.

    True.

     

    @Heron said:

    What do people do who get mugged and get their wallets stolen?  Should they have to pay for it?

    What in the hell do you think happens when you are mugged?  Nobody is there to give you the money that was stolen, dimwit.  If you are robbed, you are out the money.  What other possible way would it work?  Jesusfuck...  Of course, this has nothing to do with a bank which is an institution that is paid to keep money safe.  So obviously a bank has some responsibility for keeping your money safe.  It all comes down to whether reasonable measures were taken by the bank in protection of the money. 



  • @morbiuswilters said:

    The problem is that you truly believe technology can take the place of human intelligence and judgement, which it cannot.  Technology should aid people in accomplishing their goals, not make their decisions for them.
     

    Or as they say: "Artificial Intelligence is no match for Natural Stupidity"


  • Discourse touched me in a no-no place

    @dtfinch said:

    They'll disable your login after the first 3 or so.

    Perfect DOS. One (financial) site I use has (to use) as login,

    1. email address,
    2. password

    <next screen>

    3. another password (random out of three - what's *your* favourite treacle?)

    2.5 factor security, here we come.......

    If you know (1), but don't know (2) you can deny access for an annoying amount of time for the person for whom (1) belongs.

    Strangely you can have as many attempts at (3) as you like (well as many as I've bothered trying. Which is a lot more than getting (2) wrong.)

    I pointed out said problem some time ago. It still exists.

