funsec mailing list archives

Is it phish, or is it Amex?


From: "Rob, grandpa of Ryan, Trevor, Devon & Hannah" <rmslade () shaw ca>
Date: Wed, 4 Nov 2009 09:32:12 -0800

I am a bit freaked.

Last month I received an email message from American Express.  I very nearly
deleted it unread: it was obviously phish, right?  (I was teaching in Toronto that
week, so I had even more reason to turf it unread rather than look at it.)

However, since I do have an Amex card, I decided to at least have a look at it,
and possibly try and find some way to send it to them.  So I looked at it.

And promptly freaked out.

The phishers had my card number.  (Or, at least, the last five digits of it.) 
They knew the due date of my statement.  They knew the balance amount of my 
last statement.

(The fact that this was all happening while I was away from home wasn't making 
me feel any more comfortable with it ...)

So I had a look at the headers.  And couldn't find a single thing indicating
that this wasn't from American Express.

(I had paid my bill before I left.  Or, at least, I *thought* I had.  So I
checked my bank.  Sure enough, that balance had been paid a couple of days
before.  However, I guess banks never actually transfer money on the weekend or
something ...)

A couple of days later I got another message: Amex was telling me that my 
payment has been received.  That's nice of them.  They were once again sending, 
in an unencrypted email message, the last five digits of my card number, and the 
last balance paid on my account.

Well, I figured that it might have been an experiment, and that they'd probably 
realize the error of their ways, and I didn't necessarily need to point this out.  
Apparently I was wrong on all counts, since I got another reminder message today.

Have we got any Amex contacts in here?

Are these people completely unaware of the existence and risk of phishing?  Are 
they so totally ignorant of online security that they are encouraging their 
customers to be looking for legitimate email from a financial institution, thus 
increasing the risk of deception and fraud?

Going to their Website, I notice that there is now an "Account Alerts" function.  
It may have been there for a while: I don't know, since I've never used it.  Since 
I've never used it, I assume it was populated by default when they created it.  It 
seems to, by default, send you a payment due notice a week before the deadline, a 
payment received notice when payment is received, and a notice when you 
approach your credit limit.  (Fortunately, someone had the good sense not to 
automatically populate the option that sends you your statement balance every 
week.)  These options may be useful to some people.  But they should be options: 
they shouldn't be sending a bunch of information about everybody's account, in 
the clear, by default.

(There are, of course, "Terms and Conditions" applicable to this service, which 
basically say, as usual, that Amex isn't responsible for much of anything, have 
warned you, and that you take all the risks arising from this function.  I find this 
heavily ironic, since I knew nothing of the service, don't want it, and got it 
automatically.  I never even knew the "Terms and Conditions" existed, but in 
order to turn the service off I'll have to read them.)

(In trying to send a copy of this to Amex, I note that their Website only lists 
phone and snailmail as contact options, you aren't supposed to be able to send 
them email.)

======================  (quote inserted randomly by Pegasus Mailer)
rslade () vcn bc ca     slade () victoria tc ca     rslade () computercrime org
Patriotism, is when love of your own people comes first;
nationalism, when hate for people other than your own comes first
                                                 - Charles de Gaulle
victoria.tc.ca/techrev/rms.htm blog.isc2.org/isc2_blog/slade/index.html
http://blogs.securiteam.com/index.php/archives/author/p1/
http://twitter.com/NoticeBored http://twitter.com/rslade
_______________________________________________
Fun and Misc security discussion for OT posts.
https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
Note: funsec is a public and open mailing list.
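As an added, defender-side illustration of what "having a look at the headers" can and cannot tell you (example code written for this archive page, not from the post, the list, or Amex): it reads the receiving mail server's Authentication-Results header to check whether SPF or DKIM passed for a domain aligned with the From domain, and separately flags account data carried in cleartext, since a message can be perfectly genuine and still be exactly what the post complains about. The domains, header values and message bodies are constructed samples.

```python
import re
from email import message_from_bytes, policy
from email.utils import parseaddr
# Constructed samples (not real Amex mail): LEGIT as delivered after the receiving MTA
# added Authentication-Results; LOOKALIKE is the same text forged from elsewhere.
LEGIT = b"""Authentication-Results: mx.example.net; spf=pass smtp.mailfrom=alerts.example-bank.test; dkim=pass header.d=example-bank.test
From: Example Bank Alerts <alerts@example-bank.test>

Your payment of $123.45 on card ending 12345 is due 2009-11-12.
"""
LOOKALIKE = b"""Authentication-Results: mx.example.net; spf=pass smtp.mailfrom=bulk.sender.test; dkim=none
From: Example Bank Alerts <alerts@example-bank.test>
Reply-To: support@example-bank-secure.test

Your payment of $123.45 on card ending 12345 is due 2009-11-12.
"""
SENSITIVE = re.compile(r"card ending \d{4,5}|\$\d[\d,]*\.\d{2}", re.I)  # account data in cleartext

def domain_of(header_value):  # domain of the first address in a header, lower-cased
    return parseaddr(str(header_value))[1].rpartition("@")[2].lower()

def aligned(a, b):  # relaxed alignment: same domain, or one a subdomain of the other
    return bool(a) and (a == b or a.endswith("." + b) or b.endswith("." + a))

def parse_auth_results(value):
    """Map method -> (result, {property: value}) from an Authentication-Results header."""
    results = {}
    for clause in [c.strip() for c in value.split(";")][1:]:  # clause 0 is the authserv-id
        tokens = clause.split()
        if tokens and "=" in tokens[0]:
            method, result = tokens[0].split("=", 1)
            props = dict(t.split("=", 1) for t in tokens[1:] if "=" in t)
            results[method.lower()] = (result.lower(), props)
    return results

def assess(raw):
    # Is the mail authenticated as its From domain, and does it leak account data anyway?
    msg = message_from_bytes(raw, policy=policy.default)
    from_dom = domain_of(msg["From"])
    auth = parse_auth_results(msg.get("Authentication-Results", ""))
    spf, spf_props = auth.get("spf", ("none", {}))
    dkim, dkim_props = auth.get("dkim", ("none", {}))
    report = {
        "from_domain": from_dom,
        "spf_aligned": spf == "pass" and aligned(spf_props.get("smtp.mailfrom", ""), from_dom),
        "dkim_aligned": dkim == "pass" and aligned(dkim_props.get("header.d", ""), from_dom),
        "reply_to_mismatch": bool(msg["Reply-To"]) and domain_of(msg["Reply-To"]) != from_dom,
        "sensitive_in_clear": bool(SENSITIVE.search(msg.get_body(("plain",)).get_content())),
    }
    report["authenticated"] = report["spf_aligned"] or report["dkim_aligned"]
    return report
```

Both samples come back with `sensitive_in_clear` set; only the authentication fields separate the genuine alert from the forgery, which is the whole problem with training customers to expect such mail.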