A glaring vulnerability on the American Express website has unnecessarily put visitors at risk for more than two weeks and violates industry regulations governing credit card companies, a security researcher says. Among other things, the cross-site scripting (XSS) error on americanexpress.com allows attackers to steal users' …
Tell me about it
I watched as a store wrote down my credit card information, including my CVV code. I told them it was a violation of PCI rules to store the number, and it could result in a $100k fine. They got rude with me and told me to go call the credit card company if I had a problem. I called Visa, hoping to report the merchant, and get them sued out of existence, but lo and behold I spent half an hour arguing with low-level Visa employees trying to report the merchant before I gave up. Fuck the credit card companies, they don't give a damn about your security, or even their own rules. Those rules are put in place to make you & the vendors pay for losses, not actually to protect anyone but themselves.
You have too much time on your hands.
No he hasn't.
Reporting web site malfunctions
American Express has lots of company.
A surprising number of BIG websites go to great lengths to block anyone from submitting notification of an error. Ever tried to find an email address on the eBay site about a problem with one of their webpages? Good luck! I think there's one there, but buried a long way below the home page and very hard to find.
Google's another. They seem to have recently been tinkering with their system, changing Streetview's operation in particular, and for at least a while Google Maps was not working as it should.
Express hacking lane, aisle 3, no waiting.
This is just one of the reasons I won't ever touch AE cards!
Procedure for reporting vulnerabilities.
Seems simple to me, just needs documenting:
1) Identify security hole.
2) Tell world + dog about it.
3) Wait for Tech press to write critical article and ask AmEx for comment.
4) AmEx reads article.
5) AmEx craps itself.
6) AmEx fixes problem.
Seems to work too. The problem here is that he was trying to bypass this simple procedure by contacting Amex directly.....
Seeing the apathy expressed by BlueGreen pissed me off...
So I wrote to Visa USA's PCI compliance division to report the merchant and my bank. We'll see if it goes anywhere.
The whole CVV thing pisses me off because it is a stupidly naive idea to think that, since the problem was that merchants were copying the credit card number, to add the expiration date. Then when merchants started storing that, they decide to add the "zip code". Then when that gets stored, they decide to add one more piece of information, as if people weren't gonna write that down too, regardless of the regs.
We really need unique transaction identifiers, and I am glad to finally see them coming (see related Reg articles). But until then, seeing such apathy, and even deliberate violation of my privacy enrages me. Nothing would be more satisfying than to see something actually get done in my case. I'll post back here if anything comes of it.
@AC "Express Hacking"
I find my Amex card is good for scraping frost from the windscreen. At least it's one of the few cards I carry that has no other discernible function - so if it gets mangled I don't care :-)
It's worse for the merchant...
Amex/Visa/MC will fine the merchant HUGE amounts of money for PCI violations, even if there has been NO financial loss! If you aren't PCI compliant, you can be fined $250,000 for the FIRST "offense", and there is no real way to know if the problem is yours, the software, the gateway, the accepting bank, or the card company's. Of course, you know exactly who they are going to blame and try to collect from.
So the safest thing to do is simply stop taking credit cards on your website. Use the alternatives, Paypal (which sucks big time) and Google Checkout (just as bad), but at least if there is a problem, it is THEIR problem, not yours. If you don't ever write down or store anyone's card number, then you're off the hook. You could even . . . wait for it . . . take cash. (Or checks.)
According to a MC/Visa survey, it turns out that 80% of companies, big and little, who take credit cards are not yet PCI compliant, and don't expect to be within two years. To date, there have been no fewer than THREE absolutely drop-dead deadlines for mandatory PCI compliance or you will absolutely die, and all three have passed, with whimpers instead of bangs.
PCI compliance is total BS, it simply isn't going to work, and it is nothing more than a "blame someone else" response to cover their own slovenly business and computer practices. The emperor is stark, staring naked.
Wait, he's supposed to get screwed over and take it??? What happens if the store gets hacked??
Damn, you are a fool.
@Brent Gardner: "Seeing the apathy expressed by BlueGreen pissed me off... "
Brent, read it again. I was criticising Simpson for putting you down. I support what you are doing.
I'm loving the point of contact for security issues being the PR department. Not sure it says anything good about the tech industry though...
Sorry, BlueGreen, you are correct, my response was supposed to be directed @Simpson. Sorry about that.
@Miami Mike, I feel our sympathy for the merchants as well. The regulations are ridiculous and the fines are strict. But something as stupid as writing down the CVV on a piece of paper and sticking it in a filing cabinet? I mean that isn't like it's accidental storage by your automated backup system or something. That is just sheer stupidity, or deliberate disregard for the purpose of the CVV, one of the two.
Actually, when I asked them about it, they said Visa told them they needed to run the card with the CVV to show that it was physically present. So their brilliant idea? Write it down, go back to the main office, and run it there. An obvious intentional fraud. They are essentially lying to Visa saying the card is physically present when it is not.
That being said, the PCI docs all seem to imply electronic storage, and I didn't see anything about writing the number down on paper, but I can only assume they mean storage of any kind, disk, abacus, whatever.
While we're on the subject of CVV numbers...
... how do services like Amazon One-Click [pat. pending ;-)] work within the law? With these services, you don't have to enter in any credit card details, so in order to process the transaction, they must be storing the CVV number.
Or do they get exempted from having to provide a CVV number by the card companies "because they're Amazon" and therefore "beyond reproach"?