American Express Security Hole Still Open After One Year

Salt Lake City, UT July 21, 2011. One year ago in August of 2010 MailCase investigators uncovered a scam that takes advantage of a security hole in the credit card activation system used by American Express. After one year MailCase investigators have found that American Express has still not closed this security hole. A locking mailbox can prevent consumers from falling victim to this scam.

Most credit card companies rely on multiple authentication steps before activating a credit card. This includes things like requiring the last 4 digits of the cardholder’s Social Security Number, or asking the cardholder for their mothers’ maiden name or a security PIN.

American Express uses caller ID to confirm the identity of the cardholder with no additional authentication steps. This makes American Express cardholders wide open for credit card fraud. MailCase investigators found that identity thieves are stealing new AmEx cards from the mailboxes of cardholders. The criminals then find a phone box near the home of the cardholder and using a simple lineman’s telephone they clip directly into the phone line of the cardholder and call American Express directly to activate the card.

“American Express thinks that it’s the cardholder calling, since their caller ID system shows that the call is coming from the phone number of the cardholder,” said Matthew Prestwich, President of MailCase Locking Mailboxes. “American Express does not know that it is an identity thief using a lineman’s phone and calling from outside their customers’ home. The criminal has the card in their hand and since AmEx uses nothing besides caller ID to verify the identity of the caller, the criminal is easily able to activate the card,” continued Prestwich.

MailCase alerted AmEx multiple times to try to get them to fix the hole. When AmEx took no action to close the security breach, MailCase issued a press release to alert consumers to the problem.

“We know that American Express cares deeply about their reputation,” said Prestwich. “We don’t understand why it is taking them so long to plug this security hole,” Prestwich exclaimed. “In the meantime, we are cautioning American Express cardholders to take extra precautions. Have your mail delivered to a po box, or use a locking mailbox to protect your mail. Pay attention to when your AmEx card renews and watch for it in the mail. If it doesn’t com when it is supposed to, call AmEx and cancel that card,” continued Prestwich.