back to article AmEx 'debug mode left site wide open', says hacker

An alleged vulnerability on American Express site exposed customers to a serious security risk before the credit card giant closed down a portion of its site on Thursday afternoon. Researcher Niklas Femerstrand claimed the problem arose because the debug mode of the site had inexplicably been left on, thus …


This topic is closed for new posts.
  1. Voland's right hand Silver badge

    Yet another bit of history repeating

    They used to store state on the customer machine so you could do all kinds of interesting things by playing with the cookies.

    When I tried to report it to them they subscribed me to a mandatory, no opt-out one month marketing campaign including cold calls so I know _WHAT_ kind of attention to expect to reporting any vulnerabilities in the future.

    I just cut the card and chucked it in the bin after that. They are persona non-grata in my household.

  2. Nightkiller

    Same old, same old

    These are the clowns I did battle with 3 years ago because they insisted on having customers log into their accounts through http. Needless to say, the well meaning person answering my call in that far away place had no clue either.

  3. Richard Pennington 1

    Debug mode ...

    ... That'll do nicely.

  4. Sir Cosmo Bonsor

    Can't say I'm surprised

    As an Amex cardholder, I'm always somewhat taken aback by the fact that they use pretty much the weakest possible 1-factor authentication (username, password) for what is essentially online banking. I imagine they only get away with it because they're not technically a bank.

    So this is probably the tip of the iceberg.

  5. Anonymous Coward
    Anonymous Coward

    PCI DSS anyone?

    LoL another case of do as I say not as I do....

    1. catphish

      Re: PCI DSS anyone

      If only PCI DSS covered points as sensible as this.

      It doesn't.

      1. Sk0yern

        2.2.3 Configure system security parameters to prevent misuse.

        6.3.2 Review of custom code prior to release to production or customers in order to identify any potential coding vulnerability.

        Is this web-server even in the cardholder data environment.

        I've seen lots of people complain about PCI DSS not beeing good enough, even in companies I have been employed. But still, they're not able to comply with some of the easiest requirements in PCI DSS. *sigh*

  6. Mystic Megabyte

    My work colleague was always going on about how wonderful his AmEx card was. Until we stayed at Milan's most expensive hotel for a couple of weeks and he was told that they don't accept it. LOL

    I have also seen gas stations that won't take it. I presume because they are slow payers. Big fat fail.

    1. Anonymous Coward
      Anonymous Coward

      The reason a lot of places wont take AmEx is because they charge a much higher processing fee for transactions. Each time you pay by card, the vendor is charged - hence why a lot of places insist on a minimum transaction price before accepting card payments. AmEx are an arrogant bunch they assume their brand is somehow worth more than the other card companies, and that vendors will put up with the increased charges in order to have a sign saying they take AmEx payments. Hence the Not The Nine O Clock News sketch ...

      1. Coward who is anonymous

        Not the nine o clock news...

        Make a reference like that and not throw in a link to YouTube?

        I've enjoyed that show ages ago. Remember anything more specific about that sketch? :-)

        1. Oninoshiko


          does charge the retailer more then most of the other card issuers for transaction, and this is why many places do not except them. This, though, is how they can afford to offer the vary nice concierge services they do.

          My company maintains an AmEx account, and except for the places that don't accept it, it's vary nice, but we also have Visa for just that reason. Their web site sometimes has issues, but I seem to always be able to get a vary nice customer support rep on the phone quickly to make them go away.

        2. Anonymous Coward
          Anonymous Coward

          You-tube link:

This topic is closed for new posts.

Other stories you might like