Amex clueless about security–so what else is new?
American Express is, as far as I know, alone among major financial institutions (for large values of “major”) in sending out phish-like messages. Pretty much every other bank has gotten the message: don’t send email to your customers, and alert them that if they receive email, it’s not from you.
(I’m still getting those messages, by the way. Ironically, it’s because I don’t want them. If I want to tell Amex to turn them off, the only way I can do that is to register to receive them. Explain to me the logic underlying that process …)
Amex is also alone in not providing an email account to which you can send phishing messages. I guess Amex doesn’t want to do any more takedowns than they absolutely have to.
As a security pro, I’ve got contacts, personal contacts, in many major banks and financial institutions. These are people who work in phishing and malware takedowns, and I’ve encountered them in the course of my research into the same over the years. I’ve never come across anyone from Amex. I’ve never had anyone from Amex in any of my seminars.
So, it is no great surprise that when a researcher recently found a gaping hole in Amex security, he had a very hard time letting Amex know about it.