American Express may have failed to encrypt data

Powered by SC Magazine
 

Credit card information not secured.

American Express may be in hot water after a computer engineer discovered a portion of the card brand's website, which claims to be secure, is sending private information in the clear.

Joe Damato wrote in a blog post Tuesday that he received a promotional email from American Express encouraging him to sign up for the Daily Wish service, through which cardholders can receive hefty discounts on a limited amount of merchandise, such as computers and camcorders.

If users click on the "Sign up for Daily Wish" button, they are prompted to enter personal information, such as name, card number, security code, expiration date and billing zip code, into a pop-up box. The box includes a "This page is secure" notification link, but upon further review, Damato found this not to be the case.

The domain for the sign-up box was not using "https," an encrypted form of information transfer, he said. Damato used the open-source packet analyser Wireshark to confirm that the (fake) information he entered into the form was delivered in clear text back to American Express' server.

The card company, in a tweet posted yesterday, said it was aware of the issue and investigating.

See original article on scmagazineus.com

Copyright © SC Magazine, US edition


 
 
 
Top Stories
Myer CIO named retailer's new chief executive
Richard Umbers to lead data-driven retail strategy.
 
Empty terminals and mountains of data
Qantas CIO Luc Hennekens says no-one is safe from digital disruption.
 
BoQ takes $10m hit on Salesforce CRM
Regulatory hurdles end cloud pilot.
 
 
Sign up to receive iTnews email bulletins
   FOLLOW US...
Latest Comments
Polls
Who do you trust most to protect your private data?







   |   View results
Your bank
  35%
 
Your insurance company
  5%
 
A technology company (Google, Facebook et al)
  9%
 
Your telco, ISP or utility
  8%
 
A retailer (Coles, Woolworths et al)
  4%
 
A Federal Government agency (ATO, Centrelink etc)
  18%
 
An Australian law enforcement agency (AFP, ASIO et al)
  15%
 
A State Government agency (Health dept, etc)
  7%
TOTAL VOTES: 3997

Vote
Do you support the abolition of the Office of the Information Commissioner?

   |   View results
I support shutting down the OAIC.
  27%
 
I DON'T support shutting the OAIC.
  73%
TOTAL VOTES: 1368

Vote