Amex login info secure?

  • Thread starter Thread starter Mister.Fred.Ma
  • Start date Start date
M

Mister.Fred.Ma

I visited www.americanexpress.ca. The resulting webpage is not
secure, but the user is meant to provide login info. From my
experience with other login webpages, they are normally secure. I
understand that once you've logged in to your Amex account, the
session is secure thereafter. Should the login webpage be secure in
order to protect the login info? There is a small picture of a lock,
not at the corner of the browser, but in the loginregion of the page.
So it doesn't seem to me to be a browser status indicator. One would
expect that it represents a custom mechanism for security.
 
I would contact AMEX by phone and ask them. This looks like a phising scam.
I just went to www.americanexpress.com. The initial "home" page does not
appear to be secure, but there is a small "lock" symbol next to the "LOG IN"
box. This implies that after you login the link becomes secure. Better to
call and ask.
 
That's how logins work.

|The initial "home" page does not
| appear to be secure, but there is a small "lock" symbol next to the "LOG
IN"
| box. This implies that after you login the link becomes secure. Better to
| call and ask.
|
| "
 
Not necessarily. www.americanexpress.comredirects tohttps://home.americanexpress.com/home/mt_personal.shtml, so the login
itself is secure. My bank does the same thing. That's better than having
you enter a usename and password into an unsecured page.
Click to expand...

I looked up shtml on wikipedia. It doesn't exactly give the
impression that shtml is for security.

I did in fact phone Amex, but the front line person couldn't explain
the lack of https, or of a lock symbol in the lower right corner.

Again, the question here relates to security of authentication info,
not necessarily security of the session after logging in.
 
Hello,

Yes, the login information is presented in an insecure way.

But when you click the Login button, it submits to a HTTPS page so all your
login credentials are encrypted.

Possibly to reduce bandwidth usage on the home page.
 
Hello,

Yes, the login information is presented in an insecure way.

But when you click the Login button, it submits to a HTTPS page so all your
login credentials are encrypted.

Possibly to reduce bandwidth usage on the home page.
Click to expand...

Possibly...though there's enough eye candy to make that somewhat
puzzling. It's also strange that the security was built-in in such a
way as to avoid the common indicators that web users are taught to
look for.

On the other hand, a colleague found that going to www.americanexpress.com
allows one to log in, and the login page is secure.

Fred
 
My previous response somehow got run together, so you may have missed the
point I was trying to make. When I type www.americanexpress.com in the
address bar and press enter, I'm immediately redirected to
https://home.americanexpress.com/home/mt_personal.shtml, which is secure
by virtue of the "https" protocol. That's where the login boxes are, on a
secure page which causes the lock symbol to be displayed in the status
bar. Does that not happen for you?


I looked up shtml on wikipedia. It doesn't exactly give the
impression that shtml is for security.
Click to expand...
 
My previous response somehow got run together, so you may have missed the
point I was trying to make. When I typewww.americanexpress.comin the
address bar and press enter, I'm immediately redirected tohttps://home.americanexpress.com/home/mt_personal.shtml, which is secure
by virtue of the "https" protocol. That's where the login boxes are, on a
secure page which causes the lock symbol to be displayed in the status
bar. Does that not happen for you?
Click to expand...

Yes, it does. I missed the part where you use .com as the suffix
rather than .ca. That is the difference which caused the login page
to be secure. Weird, eh?
 
Yes, it does. I missed the part where you use .com as the suffix
rather than .ca. That is the difference which caused the login page
to be secure. Weird, eh?
Click to expand...

I suspect that the difference is in the way www.americanexpress.ca is set
up. Evidently the target of its redirect is not a secure page. I'll call
that a page construction error.

[email protected] said:
Not necessarily. www.americanexpress.comredirectstohttps://home.americanexpress.com/home/mt_personal.shtml, so the login
itself is secure. My bank does the same thing. That's better than having
you enter a usename and password into an unsecured page.
I looked up shtml on wikipedia. It doesn't exactly give the
impression that shtml is for security.
I did in fact phone Amex, but the front line person couldn't explain
the lack of https, or of a lock symbol in the lower right corner.
Again, the question here relates to security of authentication info,
not necessarily security of the session after logging in.
That's how logins work.
|The initial "home" page does not
| appear to be secure, but there is a small "lock" symbol next to the "LOG
IN"
| box. This implies that after you login the link becomes secure. Better to
| call and ask.
|
| "
Click to expand...
Click to expand...
Click to expand...
 
I suspect that the difference is in the waywww.americanexpress.ca is set
up. Evidently the target of its redirect is not a secure page. I'll call
that a page construction error
Click to expand...

I'm not an web-type person, but perhaps that login region is somehow
made secure, even though the page itself is not https. It has been
speculated among office people that this is hinted at by the picture
of a lock in the login region. To me, this way of setting up the web
page has 2 drawbacks.

First, it isn't clear whether the speculation is even true. For
example, the intended message might be that the session is secure
*after* login (which is true, since it becomes https after login).
It's hard to tell from a simple icon.

Second, even if it was true, the use of a non-https page removes all
the standard security indicators that a (duly diligent) user is taught
to look for -- namely, the https on the URL, and the lock at the
corner if IE (or whatever the equivalent is for firefox, since that's
what I normally use). Due diligence, therefore, requires a user to
not use that page.

Amex front line support is reluctant to even recognize the problem and
escalate it, though I did insist. Their position is that they "try
hard" to make "things" secure (though they couldn't say how) and if I
didn't like it, I shouldn't use it. Since this boils down to
inaccessibility to online services, I appreciate your pointing out
the .com alternative, which doesn't have this problem.

2nd line support left me a voicemail assuring me that he went through
a session, and all was secure. No mention was made of the fact that
the particular point of concern was securing the login info itself, as
well as the clear indication of having done so using standard security
indicators. So it isn't clear that the problem was properly
communicated; I would tend to think not, based on the misunderstanding
at front line support. An erroneous return phone number was
provided. The frustrating thing is that there is no email address to
raise this issue in documented manner, including documentation of the
tenuous communication. Hopefully, their anti-phishing email address
(the only one I can find) will forward this message to the right
department.

The surprising thing is that most users I spoke to didn't even notice
the problem because they don't pay attention to the security aspect,
particularly at login (or they had faith in the picture of the lock in
the login region, and decided to forgo the standard indicators). This
means there will be very little demand for a change to bring it in
line with standard security indicators.

In any case, I believe that I've done what I can to respond to the
issue, and I now leave it in their capable hands. Thanks once again
for pointing out the properly coded .COM webpage so that I can avoid
the problem on the .CA webpage.

Fred

Fred
 
2nd line support left me a voicemail assuring me that he went through
a session, and all was secure. No mention was made of the fact that
the particular point of concern was securing the login info itself, as
well as the clear indication of having done so using standard security
indicators. So it isn't clear that the problem was properly
communicated; I would tend to think not, based on the misunderstanding
at front line support. An erroneous return phone number was
provided. The frustrating thing is that there is no email address to
raise this issue in documented manner, including documentation of the
tenuous communication. Hopefully, their anti-phishing email address
(the only one I can find) will forward this message to the right
department.
Click to expand...

My guess is that the quality of support at Amex is such that they never
will understand the issue. That's true of most companies. I auapect that
the second line support person has no idea whether his session was secure
or not, and doesn't have the tools to determine the answer. A further
complication is that unless he was using a machine that was connecting
from outside their network, which is unlikely, his experience has no
relevance to yours.
In any case, I believe that I've done what I can to respond to the
issue, and I now leave it in their capable hands. Thanks once again
for pointing out the properly coded .COM webpage so that I can avoid
the problem on the .CA webpage.
Click to expand...

You're welcome. I'm glad I could help, even if it was mostly by accident.
 
Back
Top