American Express and Security

This originally started as an email to some coworkers, but I think people here might find it more interesting.

If you have an Amex online account they limit your password to 8 characters and you can only use numbers and letters. That’s not very secure (I could write a program to guess every password within those constraints in a matter of minutes). So someone complained. (Note: I’ve complained by phone myself and got no response.)

I wish that I could use a stronger password for this site. 8 characters are NOT enough.
Response (Gaurav Sharma) 02/06/2010 05:53 AM

And the response.

Thank you for your email regarding your online password.

I would like to inform you that our website has a 128 bit encryption. With this base, passwords that comprise only letters and alphabets create an algorithm that is difficult to crack. We discourage the use of special characters because hacking software can recognize them very easily.

The length of the password is limited to 8 characters to reduce keyboard contact. Some software can decipher a password based on the information of “most common keys pressed”.

Therefore, fewer keys punched in a given frame of time lessen the possibility of the password being cracked.

Moreover, American Express is committed to protecting the privacy and security of all of our Cardmembers, both on-line and off-line. We believe that our current security measures, which include our sophisticated monitoring systems to detect unusual or fraudulent card activity, provide strong, ongoing protections for our Cardmembers.

Rest assured, I have forwarded your comments to our webmaster for review. During this review, we may contact you if additional information is required.

We value your membership and wish goodness and health to you and your family.
Gaurav Sharma
Email Servicing Team
American Express Interactive Services


Eight characters makes a pretty weak password. The rationalization is twofold. First, when looking through a keylogger’s output the password will be hard to identify, whereas if it were really long and random it would be easy to pick out. (Think of the output of a virus that is reporting back thousands of people’s keystrokes.)

Secondly, when a password is stolen or guessed, they can detect the fraud with their “special sauce” monitoring and take care of things after the fact.

I’ll assume that the credit card companies want to protect themselves from losses, of which fraudulent charges are a large part. I can attest to credit card companies alerting me that my number had been stolen well before I noticed it. (It’s happened a couple of times; I even had my card copied by a cashier once.) So I figure they must have run tests and figured out this was the best way to protect their money.

The problem is I think they’re wrong and the limitation is a holdover from old computer systems. They wouldn’t lie, would they?
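To put numbers on the keyspace argument above, here is an added example (not code from this post or from American Express) that compares the policy described here, letters and digits with at most 8 characters, against an assumed longer policy. The guess rates and the case-insensitive 36-symbol alphabet are assumptions.

```python
import math

# Assumed guess rates (illustrative): a throttled online login form versus
# an offline attack on a leaked fast hash.
ONLINE_GUESSES_PER_SEC = 10
OFFLINE_GUESSES_PER_SEC = 10**9


def keyspace(alphabet_size: int, max_len: int) -> int:
    """Count of all passwords of length 1..max_len over the alphabet."""
    return sum(alphabet_size ** n for n in range(1, max_len + 1))


def entropy_bits(alphabet_size: int, max_len: int) -> float:
    """Bits an attacker must search in the worst case under that policy."""
    return math.log2(keyspace(alphabet_size, max_len))


def hours_to_exhaust(alphabet_size: int, max_len: int, rate: int) -> float:
    return keyspace(alphabet_size, max_len) / rate / 3600


def amex_style_ok(pw: str) -> bool:
    """The policy the post describes: letters and digits only, at most 8 chars."""
    return 1 <= len(pw) <= 8 and pw.isascii() and pw.isalnum()


def long_policy_ok(pw: str) -> bool:
    """Assumed hardened policy: any printable ASCII, 12 to 128 characters."""
    return 12 <= len(pw) <= 128 and pw.isascii() and pw.isprintable()


def compare(alphabet_size: int = 36) -> dict:
    """Summarise both policies; 36 assumes case-insensitive letters plus digits
    (use 62 if the site distinguishes case, which the post does not say)."""
    return {
        "amex_bits": round(entropy_bits(alphabet_size, 8), 1),
        "amex_offline_hours": round(hours_to_exhaust(alphabet_size, 8, OFFLINE_GUESSES_PER_SEC), 2),
        "amex_online_years": round(hours_to_exhaust(alphabet_size, 8, ONLINE_GUESSES_PER_SEC) / 8760),
        "long_policy_bits_at_16": round(entropy_bits(95, 16), 1),
    }


if __name__ == "__main__":
    for name, value in compare().items():
        print(f"{name}: {value}")
```

The split between the two rates is the point a practitioner checks first: a throttled login form keeps even the 8-character keyspace out of reach, so the limit mostly matters when the password hashes leak or guessing is unthrottled.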

Brooklyn Technical High School Alumni Today!


I hate the feeling of being sold.

I’ve been getting a lot of emails and letters in the mail from my Alumni Association asking for me to update my info. Let me correct that.

I’ve been getting a lot of emails and letters from a book company that my Alumni Association has sold my information to. If you’re a Brooklyn Technical High School alumnus you’ve probably been getting them too. So I called them up and gave them the info they so desperately needed.

They said I’d probably be surprised to know how many other alumni might be in the area of Brooklyn that I live in. I told them, “No I won’t, everyone is on Facebook.” Going downhill from there, I was hard-sold on the $100 book (two easy payments..), then the $80 softcover book, and then the $40 CD-ROM.

I can’t honestly figure out why they’re selling a CD-ROM.

I guess I can, most of their customers are going to be older alumni. (Like my dad, who didn’t buy the book either. Hi dad!) I can actually think of a few good reasons to own the book, like getting in touch with older alumni mostly. But I can’t justify spending that much for a list of names with pictures and stories.

I figure if they’re going to use my info for their business I’ll use my info for my business.

My education at Brooklyn Tech gave me an extra edge when I entered college and the workforce. I have applied the lessons I learned there, in both classes and clubs, to my work and my life. Notably, founding taught me what it takes to lead a team of people, and the CCNA classes taught me how to take care of complex networking issues with ease, allowing me to concentrate on higher level problems when I started Wizard Computing, LLC, my computer consultancy.

Seeing the directions the people I met in school, and continue to meet through it, are going makes me proud to be an alum.

H2K2 – Email Hacking

I found my original post from two years ago on this subject. I didn’t tell the story then, so consider this an update. ;-)

H2K2 – Email Hacking from reconbot on Vimeo.

This is an old one: we used ettercap to sniff the Wi-Fi at H2K2.

A lot of fun was had in those few days.

A few years later, I found this video and checked the username and password readable from the video. They worked! I contacted him to change his password. He was shocked about the event, and I was shocked that nobody had seen the video and messed with him. Instead of being angry he felt it was stupid of him to check his email at a hackers’ conference.

I should also add it was Outlook Web Access 2000(?) without SSL. But if it had been SSL I could have MITMed it. ;-) I even think back then it would have been SSLv3.0, which you could just break.
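The reason the credentials were readable in the video is that a webmail login over plain HTTP puts them on the wire in the clear. As an added example (not code from this post or from ettercap), here is the kind of check a network monitor runs over captured requests to flag such logins; the capture excerpt, hosts, paths and credentials are constructed, and the finding records only the username, never the password.

```python
import base64
import re
from dataclasses import dataclass
from urllib.parse import parse_qs

# Constructed capture excerpt: (src, dst, dst_port, request as text).
# Hosts, paths and credentials are made up; the shape mimics a webmail
# login over plain HTTP, once with Basic auth and once with a form post.
SAMPLE_REQUESTS = [
    ("10.0.0.5", "10.0.0.20", 80,
     "GET /exchange/ HTTP/1.1\r\nHost: mail.example.test\r\n"
     "Authorization: Basic " + base64.b64encode(b"jdoe:hunter2").decode() + "\r\n\r\n"),
    ("10.0.0.6", "10.0.0.20", 80,
     "POST /exchange/logon HTTP/1.1\r\nHost: mail.example.test\r\n"
     "Content-Type: application/x-www-form-urlencoded\r\n\r\n"
     "username=asmith&password=s3cret"),
    ("10.0.0.7", "10.0.0.20", 443, "<TLS application data, not readable>"),
]

PASSWORD_FIELDS = {"password", "passwd", "pwd", "pass"}
USER_FIELDS = {"username", "user", "login", "email"}


@dataclass
class Finding:
    src: str
    dst: str
    kind: str
    user: str  # the password itself is deliberately never kept


def find_cleartext_logins(requests):
    """Return one Finding per request that carries a credential over plain HTTP."""
    findings = []
    for src, dst, dport, payload in requests:
        if dport == 443:
            continue  # TLS: nothing readable, nothing to flag
        m = re.search(r"^Authorization: Basic (\S+)", payload, re.M)
        if m:
            try:
                user = base64.b64decode(m.group(1)).decode().split(":", 1)[0]
            except (ValueError, UnicodeDecodeError):
                user = "<undecodable>"
            findings.append(Finding(src, dst, "http-basic-auth", user))
            continue
        head, _, body = payload.partition("\r\n\r\n")
        if "application/x-www-form-urlencoded" in head:
            fields = {k.lower(): v[0] for k, v in parse_qs(body).items()}
            if PASSWORD_FIELDS & fields.keys():
                user = next((fields[k] for k in USER_FIELDS if k in fields), "<unknown>")
                findings.append(Finding(src, dst, "http-form-login", user))
    return findings


if __name__ == "__main__":
    for f in find_cleartext_logins(SAMPLE_REQUESTS):
        print(f"{f.src} -> {f.dst}: {f.kind} for user {f.user!r}")
```

A hit from this check means the fix is on the server side (serve the login only over TLS and redirect or reject port 80), not a stronger password.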

Aww, those were the days.