Sunday, October 5, 2008

Trivial Account Reset on American Express Accounts (Updated)

2008-10-06 Update: I did eventually get an e-mail notice sent to the e-mail associated with the account about 6 hours after I reset my password.amexIt still looks to me like the account can be hijacked, and the password restrictions and suggested examples are pathetic.

Account claiming is an interesting problem. The tradeoffs necessary to balance ease of use, security and help desk call volume are non-trivial.

2008-10-05 9:59 PM:

I'm a bit disappointed how easy it was to recover online access to my American Express account.

  1. Enter the card number
  2. Enter the four digit card ID number on the front of the card
  3. Enter my mothers maiden name
That's all you need. The first two numbers are obtainable by possession of the card, the third is readily available from on line searches. Enter those three bits of info and you get a screen with your user name and the option to set a new password. Set up a new password and you have full access, including the ability to request new cards, change e-mail and billing addresses, etc. Go ahead and reset your password, but whatever you do, don't let the password be more than 8 characters or contain
"spaces or special characters (e.g., &, >, *, $, @)"

That makes choosing a password tough. My normal &mex$uck$ password will not work. But fortunately for me, the help screens on picking a new password contain useful examples:

Examples of a valid password are: snowman4, 810main, and year2k."

Never mind that whole dictionary thing. Nobody will ever guess a password like 'year2k'.

The Amex account is set up to send me an SMS alert for any 'Irregular Account Activity'. I did not get an SMS, even though on line recovery of both userid and password would certainly be worth an SMS in my book.

There are better ways of doing this. They could have asked me for some secret number that only exists on my last statement, or information on recent card activity, or perhaps like my health care provider, the account reset could generate a letter with a token, sent to my home address via good old fashioned postal mail.


  1. ...have asked me for some secret number that only exists on my last statement,...

    Lots of companies like AmEx are trying to move their customers to e-statements. If they convince you to move that way, your last statement will be behind the authentication wall which doesn't help recover a password.

    You aren't wrong but I can appreciate how hard it is to balance real security and ease of use...

  2. @kcmarshall -

    That's true, except for the paranoid types like me who print all their online statements every month. ;)

    I don't disagree either with the difficulty of balancing ease of use, 'real' security and help desk call volume. We are in the middle of a project that requires account claiming and re-claiming of a large user population, and are hashing through the same issues.

    Thanks for the comment.

  3. I've got a Chase credit card that uses your home phone as part of the verification process. When setting up the account/changing passwords/etc, it will call you and read a token to you to enter in the online form.

    I suppose someone _really_ trying to get in could just plug a phone into your demarc to defeat that...but it ups the risk of them getting caught.

  4. @Dave -

    That sounds like a decent way to verify a claim.

    I like it.