
American Express Breach: Safeguarding Your Finances Amidst Third-Party Data Exposure

 

In a recent development, American Express has issued a warning to its customers regarding a potential data breach originating from a third-party merchant processor. Although the breach did not directly involve American Express systems, the credit card data of several Card Members may have been compromised. 

The data breach notification, filed with the state of Massachusetts under "American Express Travel Related Services Company," reveals that a third-party service provider engaged by various merchants experienced unauthorized access to its system. This breach led to the exposure of American Express Card account numbers, names, and card expiration data. 

While specific details such as the number of affected customers, the identity of the breached merchant processor, and the exact timeline of the attack remain undisclosed, American Express assures that its owned or controlled systems were not compromised. The notification is being shared with customers as a precautionary measure. 

American Express, in response to inquiries, emphasized its commitment to promptly investigating and notifying the appropriate regulatory authorities when a data security incident occurs. The company is also actively identifying impacted customers and providing notifications under applicable laws and regulations. 

Notably, American Express customers impacted by the breach will not be held responsible for any fraudulent charges resulting from the compromise of their credit card information. To assist customers in safeguarding their finances, the company recommends reviewing account statements over the next 12 to 24 months and reporting any suspicious activity. 

Additionally, American Express suggests enabling instant notifications through their mobile app. This feature ensures that customers receive timely alerts regarding potential fraud and notifications for every purchase made. Proactive monitoring becomes crucial in detecting and addressing any unauthorized transactions promptly. 

In the wake of a data breach, one effective precautionary measure is to consider requesting a new card number. Cybercriminals often attempt to monetize stolen credit card information on underground marketplaces. By obtaining a new card number, customers can add an extra layer of security to mitigate potential risks associated with compromised data. As customers navigate the aftermath of the American Express data breach, staying vigilant and proactive becomes paramount. 

The financial landscape is continuously evolving, and incidents like these highlight the importance of robust security measures and collaborative efforts between financial institutions and customers. The American Express data breach serves as a reminder of the ever-present cybersecurity challenges. By staying informed, leveraging available security features, and taking proactive steps to secure financial accounts, customers can fortify their defenses against potential threats in an increasingly digital world.

American Express Faces Criticism Over Weak Password Policies

 



American Express found itself under scrutiny as users raised eyebrows over their seemingly weak password policies. The requirements, limiting passwords to 6 to 8 characters with a narrow scope of allowed characters, have sparked concerns about the vulnerability of user accounts. This has ignited a broader conversation about the importance of robust password practices and the need for companies to adapt to advancing cybersecurity standards.

Upon investigation, it was discovered that a user who raised the issue received a response from American Express, defending their policy. The email claimed that the website employs 128-bit encryption, making passwords composed solely of letters and numbers more secure. The rationale behind avoiding special characters was explained as a measure to thwart hacking software, which supposedly recognizes them easily.

However, security experts argue that this explanation is flawed. The concept of password "entropy," representing the variety of possible values, is critical in assessing the strength of a password. American Express's limitations on character types result in low password entropy, potentially compromising user accounts. The assertion that hackers can easily identify non-alphabetic characters is debunked by cybersecurity experts who emphasise that allowing special characters and longer passwords enhances security.

Moreover, the email defended the 8-character limit by claiming it reduces keyboard contact, purportedly preventing hacking software from deciphering passwords based on common key presses. However, critics argue that the opposite is true – encouraging longer and more complex passwords would provide greater protection against hacking attempts.
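The argument above turns on password entropy, so here is a worked comparison of keyspace sizes. This is an added example, not code from the original post or from American Express; the charset sizes (36, 62 and 95 symbols) and the guessing rate are assumptions chosen for illustration, since the post only states "6 to 8 characters, letters and numbers".

```python
import math

# Hypothetical policies for comparison (assumptions, not Amex's documented rules):
#   36 = digits plus one case of letters, 62 = digits plus both cases,
#   95 = all printable ASCII (letters, digits, space and punctuation).
POLICIES = {
    "6 chars, letters+digits (case-insensitive)": (36, 6),
    "8 chars, letters+digits (case-sensitive)": (62, 8),
    "12 chars, printable ASCII": (95, 12),
    "16 chars, printable ASCII": (95, 16),
}

# Assumed offline guessing rate against a stolen hash database. Purely
# illustrative: real rates depend on the hash algorithm and hardware.
ASSUMED_GUESSES_PER_SECOND = 1e10


def entropy_bits(charset_size: int, length: int) -> float:
    """Entropy of a uniformly random password: log2(charset_size ** length).

    A brute-force attacker enumerates the allowed keyspace; special characters
    are not "recognised", they simply make that keyspace larger per position.
    """
    return length * math.log2(charset_size)


def seconds_to_exhaust(bits: float,
                       guesses_per_second: float = ASSUMED_GUESSES_PER_SECOND) -> float:
    """Time needed to try every password in a keyspace of 2**bits candidates."""
    return (2.0 ** bits) / guesses_per_second


def relative_strength(charset_a: int, length_a: int,
                      charset_b: int, length_b: int) -> float:
    """How many times larger policy B's keyspace is than policy A's."""
    return 2.0 ** (entropy_bits(charset_b, length_b) - entropy_bits(charset_a, length_a))


def compare_policies(policies=POLICIES):
    """Map each policy name to (entropy bits, seconds to exhaust at the assumed rate)."""
    result = {}
    for name, (charset_size, length) in policies.items():
        bits = entropy_bits(charset_size, length)
        result[name] = (bits, seconds_to_exhaust(bits))
    return result


if __name__ == "__main__":
    for name, (bits, secs) in compare_policies().items():
        print(f"{name:45s} {bits:6.1f} bits   full search ~ {secs:.3g} s")
```

Each extra character multiplies the keyspace by the alphabet size, so going from 8 to 12 characters over a 95-symbol alphabet adds far more security than any "hacking software recognises punctuation" argument could take away.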

In an effort to address the apprehensions voiced by users, American Express sought to reassure its clientele by emphasising the implementation of robust security measures. The company highlighted the presence of advanced monitoring systems meticulously designed to promptly identify any instances of irregular or potentially fraudulent activity related to card usage. Despite this assurance, a palpable sense of scepticism lingers among users, casting doubt upon the efficacy of the prevailing password policy. This incredulity suggests that, for users, the confidence in the overall security posture of their accounts may be influenced by factors beyond the mere detection of suspicious activities, placing a spotlight on the ongoing debate regarding the adequacy of the current password protocols in place.

The controversy has prompted a review of American Express's password policies. It remains to be seen whether the company will adapt its approach to align with modern cybersecurity standards. As users await potential changes, the debate serves as a reminder of the importance of robust password practices and the need for companies to stay vigilant in the confounding world of online security.


An Online Date Led to an Inquiry into 'Systemic' Failures at American Express

 

Last summer, John Smith* had just returned to Sydney after more than a decade abroad when he met someone online. He began chatting with a man named Tahn Daniel Lee on the dating app Grindr. Lee was undergoing treatment for COVID at the time, so they communicated online for a few weeks before meeting in Sydney's Surry Hills for their first date - a Japanese dinner followed by Messina ice cream. The date would be one of many in a relationship that progressed quickly before taking a dark turn when Smith began to suspect Lee was watching his bank accounts.

The Age and The Sydney Morning Herald can disclose that American Express, one of the world's largest financial companies, would not only dismiss Smith's initial complaint without proper investigation but would also provide misleading information during an external inquiry. It comes after two major ASX-listed companies, Optus and Medibank, revealed sensitive identification and health data to criminals, igniting a national debate about how to best deal with emerging cyber threats.

The "insider threat," according to cybersecurity experts, is a major risk, and the Privacy Commissioner's inability to penalize companies that violate the law has created a culture of impunity among corporate Australia.

“Because, what is the recourse? Businesses just aren’t doing the risk management that’s required. The tone starts from the top, ” says former Australian Federal Police investigator turned cyber expert Nigel Phair.

Smith's first impression of Lee was his charming smile, and the relationship developed quickly. Lee worked as a relationship manager for American Express Centurion, an exclusive club for black cardholders who spend at least $500,000 per year.

Smith had a platinum American Express card from living in the United States, but Lee suggested he sign up in Australia so he could illustrate how to maximize the benefits. He consented and began using American Express as his primary banking card shortly thereafter. After a series of comments about items Smith had purchased, places he had been, or payments he had made, he became skeptical that Lee was watching his transactions.

“I asked him how he was able to do this without my consent or authority (one-time pin etc), and he replied, ‘because the system is completely open, I have god mode’,” Smith wrote in a complaint later filed with American Express.

Smith has autism, and while he is classified as "high functioning," he occasionally struggles to recognize inappropriate behavior. He noticed "warning signs" about Lee but ignored them while traveling to Hawaii and Hamilton Island with his new partner, he claims.

During one of these trips, Smith became uneasy with the manner in which Lee discussed his clients' affairs, including major food distributor Primo Foods, which he claimed siphoned millions of dollars to the Cayman Islands. Lee later texted, "FYI, everything I tell you about work is highly confidential." 

By April, he had attempted to end the relationship and had warned Lee that he would report his behavior to American Express. Lee reacted negatively to this. He begged Smith to continue the relationship and, at one point, called Smith's close friend out of the blue to persuade her not to file a complaint. This was the breaking point. He was hell-bent on reporting Lee.

Amex: ‘No inappropriate access’

At the same time, another American Express employee noticed unusual activity on Smith's account. Lee was subjected to an internal investigation, which swiftly cleared him of any wrongdoing. On May 26, the company wrote to Smith, claiming Lee was not in a position to access his account and, in any case, there was training and processes in place to protect customer data.

Unconvinced, Smith asked American Express to confirm that Lee's access to his account had been blocked and reported the Primo Foods discussions. Smith claims that the following week, during a phone call, he was told that if Lee had looked at his account, it was no big deal because they were partners, and discussing Centurion's clients was also no cause for concern.

Smith filed a complaint with the Privacy Commissioner, who directed it to the Australian Financial Complaints Authority. AFCA immediately requested a meeting with American Express to verify that Lee had lost the rights to Smith's account.

The company's response was quick, but it turned out to be incorrect. “We confirm that the employee has no access to [Smith]’s account,” Amex responded.

In subsequent letters between AFCA, Smith, and American Express, the company continued to imply that there had been no inappropriate access or violation of privacy laws. Until the plot shifted. In August, three months after Lee's suspicious activity was discovered, Smith was notified by American Express that Lee had indeed accessed his personal information.  

Lee accessed Smith's private account nine times between February and April of this year, according to digital access logs. American Express then stated that while it was impossible to prevent Lee from accessing the account, he would be disciplined and the account would be monitored to ensure no further intrusions.

“American Express is unable to practically restrict American Express employees from being able to access any specific Card member data. We acknowledge that [Smith] feels uncomfortable with his previous partner access to his personal information and have made every effort to implement controls to further protect his data,” the company wrote in a letter.
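The access logs mentioned above are exactly the control a defender would lean on when per-record access cannot be technically restricted: every staff lookup of a card member record is logged with the business reason, and lookups with no reason, or repeated lookups of one account by one employee, are surfaced for review. The following is an added example written for this page, not American Express's tooling; the log format, the employee and account identifiers, the dates and the case references are all constructed.

```python
import re
from collections import Counter
from typing import Dict, List, Tuple

# Constructed sample access log (placeholder ids, not real data). Each line is
# one employee viewing one card member account, with the support case that
# justified the lookup, or "-" when none was recorded.
SAMPLE_LOG = """\
2023-02-01T09:12:44Z employee=E1001 action=VIEW_ACCOUNT account=ACCT-0001 case=C-5521
2023-02-03T18:40:02Z employee=E2044 action=VIEW_ACCOUNT account=ACCT-0001 case=-
2023-02-10T22:05:19Z employee=E2044 action=VIEW_ACCOUNT account=ACCT-0001 case=-
2023-02-11T08:00:00Z employee=E1001 action=VIEW_ACCOUNT account=ACCT-0002 case=C-5530
2023-03-02T23:11:51Z employee=E2044 action=VIEW_ACCOUNT account=ACCT-0001 case=-
2023-03-15T12:30:00Z employee=E3090 action=VIEW_ACCOUNT account=ACCT-0003 case=C-6001
2023-04-09T21:47:33Z employee=E2044 action=VIEW_ACCOUNT account=ACCT-0001 case=-
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) employee=(?P<employee>\S+) action=(?P<action>\S+) "
    r"account=(?P<account>\S+) case=(?P<case>\S+)$"
)


def parse_log(text: str) -> List[Dict[str, str]]:
    """Parse the key=value lines into dicts; malformed lines are skipped."""
    records = []
    for line in text.splitlines():
        match = LINE_RE.match(line.strip())
        if match:
            records.append(match.groupdict())
    return records


def unjustified_views(records: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Account views with no case reference violate need-to-know and are flagged."""
    return [r for r in records
            if r["action"] == "VIEW_ACCOUNT" and r["case"] in ("-", "")]


def repeated_access(records: List[Dict[str, str]],
                    threshold: int = 3) -> Dict[Tuple[str, str], int]:
    """(employee, account) pairs viewed without a case at least `threshold` times."""
    counts = Counter((r["employee"], r["account"]) for r in unjustified_views(records))
    return {pair: n for pair, n in counts.items() if n >= threshold}


def report(text: str = SAMPLE_LOG) -> List[str]:
    """Human-readable findings: one line per unjustified view, then escalations."""
    records = parse_log(text)
    findings = [f"{r['ts']} {r['employee']} viewed {r['account']} with no case reference"
                for r in unjustified_views(records)]
    for (employee, account), n in repeated_access(records).items():
        findings.append(f"{employee} viewed {account} {n} times without a case: "
                        "escalate for insider-threat review")
    return findings


if __name__ == "__main__":
    for line in report():
        print(line)
```

The first rule fires on the very first lookup without a business reason, so a pattern like the nine accesses described in the article would be visible within days rather than months; the second rule turns repeated unjustified interest in a single account into an escalation.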

In a final decision issued this month, AFCA determined that American Express violated privacy laws by letting Lee access his accounts without authorization both before and after the relationship. It awarded Smith $2000 in damages but did not order an apology or absolve the company of any wrongdoing.

“I am satisfied the financial firm has investigated the matters raised by the complainant, and in the circumstances, it has responded appropriately,” AFCA found.

American Express declined to answer specific questions about how it investigated Smith's complaint or what action it took against Lee, but stated it maintains the "highest levels of integrity" and has cooperated with AFCA.

“Whilst they made a determination against us, they concluded that American Express had investigated and responded appropriately,” the company said. “We are satisfied that this matter poses no risk to the integrity of our systems. Protecting the privacy of our customers and the integrity of our systems remains our utmost priority.”

Current laws allow for fines of up to $2.2 million for each unauthorized access. The federal government is considering raising the penalty to $50 million per breach, which would mean that American Express could have faced penalties totaling $450 million for the nine breaches.

“Companies need to take this issue around unauthorized access to information more seriously because the penalties are significant,” CyberCX privacy law expert David Batch says. “But in reality, the Privacy Commissioner has historically not handed down those fines.”

Smith was informed in October that AFCA's systemic issues team had agreed to investigate American Express's handling of his case. This team investigates serious violations and systemic issues and has the authority to refer cases to other regulators, such as the Privacy Commissioner; however, its findings are not very transparent. AFCA was unable to comment on whether the promised investigation would be carried out.

According to Nigel Phair, Professor of Cybersecurity at the University of New South Wales, the "insider threat" is a major concern for businesses, where the actions of rogue employees can jeopardize the security of the entire organization.

He claims that the government's failure to implement harsh penalties on companies that mishandle their customers' data fosters a culture of impunity among Australian corporations.

For Smith, American Express and the system designed to hold companies accountable have let him down. He now makes a point of only using the card in ways that do not reveal his location. Requests for comment from Lee and Primo Foods were not returned.

*Not his real name. He asked that his identity be kept confidential.

Phishing Scam Targeting American Express Customers

Armorblox security researchers discovered a new phishing campaign targeting American Express customers. Threat actors sent emails to lure American Express cardholders into opening an attachment, aiming to gain access to their confidential data and their accounts. The hackers also created a fake setup process for an “American Express Personal Safe Key” as the pretext for the attack. 

The emails sent by hackers to customers urged them to create this account to protect their system from phishing attacks. Once you click the given link, it takes you to a fake page that asks for private data such as social security number, mother's maiden name, date of birth, email, and all American Express card details, including codes and expiration date. 

Additionally, the group of threat actors crafted the counterfeit webpage smartly to resemble the original American Express login page, including a logo, a link to download the American Express app, and navigational links. 

“The victims of this targeted email attack were prompted to open the attachment in order to view the secure message. Upon opening the attachment, victims were greeted with a message announcing additional verification requirements for the associated account. The urgency was instilled within the victims through the inclusion of the language, “This is your last chance to confirm it before we suspend it”, and a prompt for victims to complete a one-time verification process that was needed as part of a global update from the American Express team,” Armorblox security blog reads. 

Armorblox security researchers further explained in their blog that the hackers try to create a sense of urgency in the victim's mind, so that the email seems essential and must be opened at once. Once opened, the message appears to be a legitimate communication from American Express. 

“The language used within this attachment evoked a sense of trust in the victim, with the inclusion of the American Express logo in the top left and a signature that made the message seem to have come from the American Express Customer Service Team,” Armorblox security blog reads. 
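The lure described above combines several classic indicators: urgency wording ("last chance", "suspend"), a request for data a card issuer would never ask for by email, a brand name sent from an unrelated domain, and an HTML attachment standing in for a login page. A mail-filtering rule can score exactly those features. The following is an added example for this page, not Armorblox's detection logic; the trusted-domain set, the sample messages and the sender addresses are constructed placeholders.

```python
import re
from typing import Dict, List

# Indicators taken from the campaign described above plus a few generic ones.
URGENCY_PHRASES = ["last chance", "suspend", "immediately", "final notice", "verify now"]
SENSITIVE_REQUESTS = ["social security number", "mother's maiden name", "date of birth",
                      "card number", "cvv", "security code", "expiration date"]
BRAND = "american express"
# Hypothetical placeholder for the domains an organisation treats as genuine
# senders for this brand; a real deployment would load this from policy.
TRUSTED_SENDER_DOMAINS = {"brand.example"}
HTML_ATTACHMENT_SUFFIXES = (".html", ".htm")


def sender_domain(sender: str) -> str:
    """Extract the domain from 'Display Name <user@domain>' or a bare address."""
    match = re.search(r"@([A-Za-z0-9.-]+)", sender)
    return match.group(1).lower() if match else ""


def score_email(sender: str, subject: str, body: str, attachments: List[str]) -> Dict:
    """Return the matched indicators, a simple count-based score and a verdict."""
    text = f"{subject} {body}".lower()
    indicators = []
    indicators += [f"urgency:{p}" for p in URGENCY_PHRASES if p in text]
    indicators += [f"asks_for:{p}" for p in SENSITIVE_REQUESTS if p in text]
    if BRAND in text and sender_domain(sender) not in TRUSTED_SENDER_DOMAINS:
        indicators.append("brand_mentioned_from_untrusted_domain")
    indicators += [f"html_attachment:{a}" for a in attachments
                   if a.lower().endswith(HTML_ATTACHMENT_SUFFIXES)]
    score = len(indicators)
    verdict = "likely phishing" if score >= 3 else ("review" if score >= 1 else "ok")
    return {"score": score, "verdict": verdict, "indicators": indicators}


# Constructed sample messages (not real mail from this campaign).
PHISH_SAMPLE = dict(
    sender="Customer Service <service@mail-verify.example>",
    subject="Action required: confirm your Personal Safe Key",
    body=("This is your last chance to confirm it before we suspend it. Complete the "
          "one-time verification by providing your social security number, mother's "
          "maiden name and card number. American Express Customer Service Team"),
    attachments=["SecureMessage.html"],
)
BENIGN_SAMPLE = dict(
    sender="Team <team@brand.example>",
    subject="Lunch",
    body="Shall we meet at noon?",
    attachments=[],
)

if __name__ == "__main__":
    for name, sample in (("phish", PHISH_SAMPLE), ("benign", BENIGN_SAMPLE)):
        print(name, score_email(**sample))
```

Keyword matching is deliberately crude; its value is in combining independent signals, since a single urgent sentence is common in legitimate mail while urgency plus a request for a Social Security number plus an untrusted sender almost never is.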

Armorblox co-founder and CEO DJ Sampath said that financial institutions are often targeted with credential phishing scams. The main targets of this phishing scam are American Express charge card holders.