Saturday, June 30, 2007

American Express phishing

Yesterday I received a promotional flyer from American Express Mexico to speed up the collecting of membership rewards. Either I call by phone and ask for the promotion or sign up myself at Internet.

The problem is, when you access the URL you're asked for your credit card number, no problem. I would give my number after checked the SSL certificate and double-check I'm at the correct American Express site; but wait a moment... I opened the source code at Firefox browser to get myself assured about the destination of my credit card data:

form name="forma1" action="http://extranet.ogilvy.com.mx/amexoptin/default.asp"

Am I wrong or is there a missing "s" after the "http"?

It's not the first time I got promotionals from American Express asking for my account number without encryption layer over the Internet. Last time I was supposed to send my credit card number via e-mail (no encryption at all) and I would get 500 membership rewards.

Last time I wrote down "It seems that American Express is phishing... their clients", now I'm pretty sure they are.

No comments: