Tag Archives: security

American Express’s Security Problem: Awful password system

The NYT has a shocking story about a man who accidentally “hacked” his way into someone else’s American Express account. Allan Goldstein, an honest man, immediately called American Express’s customer support to notify them of the accidental breach. He got a rep in India, and then several others who had no clue what the issue was. It took more than twenty days, six different American Express customer service reps, and a call from a New York Times writer before American Express got on the ball.

This is the AmEx flack’s explanation:

Ms. Alfonso confirmed Mr. Goldstein’s story for me. She called the problem “an unusual case of two customers coincidentally having nearly identical log-in information, which led one card member to inadvertently log in to another card member’s account.”

Nearly identical log-in information? So perhaps Goldstein’s account and this mystery lady’s had the same user ID and the same password? What are the chances of that happening?

Well, pretty slim, but not out of this world, thanks to American Express’s astonishingly weak password rules. I started an account with them more than a year ago and was amazed to find out that I could not create a password longer than 8 characters. I just checked, and it’s no different today:

Not only is it eight characters, but case doesn’t matter, and non-alphanumeric characters don’t work:

Your Password should:

* Contain 6 to 8 characters – at least one letter and one number (not case sensitive)
* Contain no spaces or special characters (e.g., &, >, *, $, @)
* Be different from your User ID and your last Password

Is there any other major online service today with such a primitive, limited password space? Eight alphanumeric characters was considered good enough back in the 1970s (the original Unix crypt() only looked at the first eight characters of a password). Think about it: even your MySpace account has stronger security than your $10,000-limit credit card (OK, I don’t know that for sure; it’s been a while since I had a MySpace account).

Coincidentally, this week the NYT had a story about weak passwords, drawn from a security analysis of the 32 million passwords stolen from the idiots at RockYou:

In the idealized world championed by security specialists, people would have different passwords for every Web site they visit and store them in their head or, if absolutely necessary, on a piece of paper.

But bowing to the reality of our overcrowded brains, the experts suggest that everyone choose at least two different passwords — a complex one for Web sites where security is vital, such as banks and e-mail, and a simpler one for places where the stakes are lower, such as social networking and entertainment sites.

Mr. Moss relies on passwords at least 12 characters long, figuring that those make him a more difficult target than the millions of people who choose five- and six-character passwords.

The problem with an eight-character alphanumeric limit is not only that the space of possible passwords is small, but that there is no room for easy-to-remember-but-secure passwords. For example, I’ve used phrases from favorite stories and songs, something like “itwastheBestOfTim3$” (not particularly secure, since it’s a composition of dictionary words, but you get the idea). Even though the AmEx rules still admit a few trillion combinations, that space only helps if human beings can be relied on to generate random strings for passwords. The NYT article above suggests they can’t, so Joe Average, instead of being able to make up something like Password123456!, is limited by AmEx to Passwrd1. Neither is a very strong password, but the AmEx rules squeeze everyone’s lazy choices into a far smaller set, so coincidental collisions between two customers are far more likely.
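As an added example (not code from the original post or from American Express), here is a small Python script that encodes the AmEx rules quoted above as a checker, counts exactly how many passwords those rules admit, and works through the collision arithmetic the paragraph gestures at. The user population is a hypothetical figure chosen for illustration, and the skewed frequency table is constructed, not RockYou data.

```python
import math
import string

# The rules quoted above: 6 to 8 characters, at least one letter and one digit,
# not case sensitive, no spaces or special characters.
AMEX_ALPHABET = set(string.ascii_lowercase + string.digits)


def amex_policy_ok(password: str) -> bool:
    """True if `password` would be accepted under the quoted AmEx rules.
    Case is folded first because the rules say the check is not case sensitive,
    so 'Passwrd1' and 'PASSWRD1' are the same password to this policy."""
    p = password.lower()
    if not 6 <= len(p) <= 8:
        return False
    if any(c not in AMEX_ALPHABET for c in p):
        return False
    return any(c.isalpha() for c in p) and any(c.isdigit() for c in p)


def amex_keyspace() -> int:
    """Exact number of distinct passwords the AmEx rules admit.
    Per length n: all 36^n case-folded alphanumeric strings, minus the 26^n
    letters-only strings and the 10^n digits-only strings that fail the
    'at least one letter and one number' rule."""
    return sum(36**n - 26**n - 10**n for n in range(6, 9))


def keyspace(alphabet_size: int, min_len: int, max_len: int) -> int:
    """Size of an unconstrained keyspace, for comparison (e.g. 95 printable
    ASCII characters, 12 to 16 characters long)."""
    return sum(alphabet_size**n for n in range(min_len, max_len + 1))


def expected_colliding_pairs(users: int, space: int) -> float:
    """Expected number of user pairs sharing a password if every user picks
    uniformly at random from `space` distinct values. This is the best case:
    real users choose far less uniformly, so the true figure is higher."""
    return users * (users - 1) / (2 * space)


def any_collision_probability(users: int, space: int) -> float:
    """Birthday-bound probability that at least one pair of users shares a
    password, using the standard approximation 1 - exp(-expected pairs)."""
    return 1.0 - math.exp(-expected_colliding_pairs(users, space))


def pairwise_collision_probability(counts: dict) -> float:
    """Probability that two users drawn at random share a password, given a
    frequency table of the passwords actually in use: the sum of p_i^2.
    For a uniform choice over S values this is 1/S; skewed choices push it up."""
    total = sum(counts.values())
    return sum((c / total) ** 2 for c in counts.values())


# Constructed frequency table (illustrative, not RockYou data): ten users,
# eight of whom picked the same easy password that fits the AmEx rules.
SKEWED_CHOICES = {"passwrd1": 8, "summer09": 1, "jake2010": 1}

if __name__ == "__main__":
    USERS = 10_000_000  # hypothetical population, not a real AmEx figure
    s_amex = amex_keyspace()
    s_long = keyspace(95, 12, 16)
    print(f"passwords allowed by the AmEx rules: {s_amex:,}")
    print(f"12-16 printable ASCII characters:    {s_long:,}")
    print(f"expected colliding pairs, uniform choice: "
          f"{expected_colliding_pairs(USERS, s_amex):.1f}")
    print(f"P(at least one collision): {any_collision_probability(USERS, s_amex):.3f}")
    print(f"P(two random users match), skewed table: "
          f"{pairwise_collision_probability(SKEWED_CHOICES):.2f}")
    for candidate in ["Passwrd1", "Password123456!", "itwastheBestOfTim3$"]:
        print(f"{candidate!r} accepted by AmEx rules: {amex_policy_ok(candidate)}")
```

Two things to notice when running it: the AmEx rules admit about 2.7 trillion passwords, so with ten million uniformly random users the expected number of shared passwords is already in the double digits, and the skewed table shows that once people pick predictably, the size of the keyspace stops mattering and the sum of squared frequencies is what drives collisions.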

The terrible customer service that Mr. Goldstein experienced is galling, but the root of the problem, assuming the flack’s explanation is correct, is AmEx’s antiquated password system. A cap of eight case-insensitive alphanumeric characters is the kind of limit that comes from a legacy fixed-width field rather than a deliberate design choice; a properly hashed password has no reason for such a short cap. I hope they don’t keep it in plaintext, as the security-lax folks at RockYou did.

Snowulf wrote about this back in 2007.

Christmas Terror Bombing Hearings: So why don’t we just put EVERYONE on the no-fly list

From Politico (“Obama officials snipe at terror hearing”):

But Director of National Intelligence Dennis Blair fought back, arguing the no-fly list has been subject to political pressure to take names off the list because it was causing problems for ordinary citizens.

“The pressure since 2008 has been to make it smaller,” he said. “Shame on us for giving into that pressure. We have now greatly expanded the no-fly list since what it was on Dec. 24.”

Boy, it sounds like the only downside to expanding the no-fly list is annoying a few civil libertarians, right? What if those negative nancies could be ignored? Would security be improved if we, say, put everyone on the list?

The most immediate downside for the average person is, of course, more time at the security checkpoint and more strange hands patting you down.

But the real kicker is that after all that inconvenience, our security would most likely be worse.

At the end of the Politico article is this gem, which reveals how the best-laid security plans fail because of one person’s clumsy fingers:

A worker in the American embassy in Nigeria misspelled Umar Farouk Abdulmutallab’s name when he searched a database to determine whether the young man had a valid U.S. visa, a senior State department official told the Senate Judiciary Committee Wednesday. That was Nov. 20, the day after Abdulmutallab’s father visited the embassy to warn U.S. officials that his son might be involved with radical extremists. The same worker sent a cable to intelligence officials with the correct spelling of the name, but it was incomplete because he hadn’t properly done the searches to realize that Abdulmutallab could get into the U.S.

A simple typo nearly doomed an entire passenger flight. How did this typo happen? Was it the end of the day, and the worker had lost the boost from that last cup of coffee? What if it wasn’t a typo at all? What if the supervisor who gave the worker the name to look up had misspelled it?

The simple breakdown could’ve happened at any point in the information-sharing process.

And simple breakdowns happen more often as more tasks are in the pipeline. Think of Peter Pronovost’s medical checklist: doctors, among the most rigorously educated members of our society, were killing patients because they failed to do something as simple as washing their hands with soap, a step that is easy to forget after treating dozens of patients in a day.

How much more likely is it that your average TSA or Homeland Security worker will bumble a comparatively more complicated task, such as a thorough pat-down or a database record retrieval?

And how much does the chance of a screwup increase when the number of people to be patted down, or searched for in a database, increases significantly?
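As an added example, not taken from the Politico article or from any real screening system, here is a small Python script that shows both failure modes above on a constructed watch list: an exact-match lookup that silently misses a misspelled name (the embassy typo), a tolerant lookup based on edit distance that catches the misspelling, and what happens to that same tolerant lookup as the list grows. All names and the misspelling are made up, and the `normalize`, `edit_distance`, `exact_lookup` and `fuzzy_lookup` functions are mine, not those of any government database.

```python
import re


def normalize(name: str) -> str:
    """Case-fold, drop punctuation and collapse whitespace so that trivial
    differences in how a name was typed do not defeat an exact match.
    (Real watch-list matching also has to handle transliteration variants
    and phonetic spellings; that is out of scope for this illustration.)"""
    return " ".join(re.sub(r"[^a-z\s]", "", name.lower()).split())


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance: the minimum number of single-character inserts,
    deletes and substitutions that turn `a` into `b`."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                   # delete ca
                           cur[j - 1] + 1,                # insert cb
                           prev[j - 1] + (ca != cb)))     # substitute
        prev = cur
    return prev[-1]


def exact_lookup(query: str, watchlist: list) -> list:
    """The brittle check: a one-character typo in `query` returns nothing."""
    q = normalize(query)
    return [name for name in watchlist if normalize(name) == q]


def fuzzy_lookup(query: str, watchlist: list, max_distance: int = 2) -> list:
    """Tolerant check: every entry within `max_distance` edits, nearest first.
    The tolerance that rescues a typo is the same tolerance that drags in
    bystanders with similar names, and the more names on the list, the more
    bystanders there are to drag in."""
    q = normalize(query)
    hits = []
    for name in watchlist:
        d = edit_distance(q, normalize(name))
        if d <= max_distance:
            hits.append((name, d))
    return sorted(hits, key=lambda hit: hit[1])


# Constructed data: fictional names, not real people and not a real list.
WATCHLIST_SMALL = ["Hamid Rashidi", "Omar Khaleel", "Farooq Salim"]
WATCHLIST_LARGE = WATCHLIST_SMALL + [
    "Hamid Rashedi",   # an ordinary traveller with a similar name
    "Hamid Rasheed",   # another one
    "Tariq Nasser",
    "Said Rahimi",
]
MISSPELLED_QUERY = "Hamid Rasheedi"  # constructed typo for "Hamid Rashidi"

if __name__ == "__main__":
    print("exact match on the typo:", exact_lookup(MISSPELLED_QUERY, WATCHLIST_SMALL))
    print("fuzzy, small list:", fuzzy_lookup(MISSPELLED_QUERY, WATCHLIST_SMALL))
    print("fuzzy, larger list:", fuzzy_lookup(MISSPELLED_QUERY, WATCHLIST_LARGE))
```

On the small list the exact lookup returns nothing for the typo while the fuzzy lookup returns the intended entry; on the larger list the same two-edit tolerance returns three people, two of whom are not the person being searched for. Either the tolerance is tightened and typos slip through again, or it is kept and every name added to the list adds more innocent near-matches, which is the trade-off the hearing’s “just make the list bigger” framing ignores.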

Recklessly expanding the no-fly list, or even believing that shrinking it is tantamount to reducing security, does not make us safer.