New York Times: The Accidental Hacker
The New York Times has a great story about Allan Goldstein, 60, a man who accidentally gained access to another American Express holder’s online account and the hurdles he faced in trying to get a company representative to fix this glaring privacy problem:
In mid-December, to increase his frequent-flier miles, he opened a new online American Express business credit card account.
Then on Dec. 21 he logged in for the first time to check the new account. He put in his user name and password, and up popped someone else’s Amex account — a woman in Florida.
“I could see all her personal information,” said Mr. Goldstein, who was both transfixed and fearful that he had instantaneously become a criminal. “I could see her name, address, e-mail. I could see what banks she’s with. I saw her recent shopping activity, recent payments, where she’d rented a car. She had an affinity account with a hotel chain, Starwood. I could see how to order an additional card. I could add an authorized user: me. I could change her billing address.”
Mr. Goldstein immediately called American Express’s customer service. “I got a woman in India,” he said, “I explained I’ve hacked into someone’s private account by mistake. She said she needed to hear from my wife — my wife’s the first name on the card. I said, ‘Don’t you at least want the information?’ ”
She didn’t.
The Goldsteins tried various times to get help from someone at American Express. The fifth company representative they reached took them seriously, sending them to a supervisor who “said she could see that the technical people were all over it.” But:
The Goldsteins went on vacation to St. Croix, returned Jan. 8 and, on Jan. 9, Mr. Goldstein could still hack into the account. “I could see all the shopping she’d done while we were gone,” he said. “I also saw she didn’t pay her last balance and it was a lot — over $4,000.”
He wondered whether anyone had told this woman what had happened.
Only after the New York Times contacted American Express did the company fix the problem.
[AmEx spokeswoman Rosa Alfonso] confirmed Mr. Goldstein’s story for me. She called the problem “an unusual case of two customers coincidentally having nearly identical log-in information, which led one card member to inadvertently log in to another card member’s account.”
“Our site remains secure,” she said. [...]
The one point she disputed was that Mr. Goldstein could have tampered with the authorized user and billing information. He would have needed “additional levels of authentication — meaning information only the true card member would have — to make these types of changes,” she said.
Ms. Alfonso predicted Mr. Goldstein would have been caught by “our sophisticated fraud controls.”
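The spokeswoman's explanation, "nearly identical log-in information" resolving to another card member's account, describes a failure class worth seeing in code: the credential check verifies one record, but a later lookup re-resolves the account by a looser key and hands back someone else's data. The following is an added illustration written for this post; it is not the Times's or American Express's code, and the customers, user names, passwords and the case-only difference between the two user names are all constructed assumptions standing in for whatever the real collision was.

```python
import hashlib
import hmac
import os
import sqlite3

# Constructed sample data for this illustration; nothing here is American
# Express's data or code. Two distinct customers chose user names that differ
# only in letter case, this example's stand-in for the "nearly identical
# log-in information" the spokeswoman described.
FLORIDA_CARDHOLDER = (101, "AGoldstein", "palm-trees-44", "Cardholder in Florida")
NEW_CUSTOMER = (202, "agoldstein", "fly-more-2008", "A. Goldstein")


def _hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def build_db(enforce_unique_normalized: bool = False) -> sqlite3.Connection:
    """Create an empty in-memory account table. The UNIQUE constraint on
    username is case-sensitive, so 'AGoldstein' and 'agoldstein' can coexist
    unless the optional index on lower(username) is also created."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        """CREATE TABLE accounts (
               account_id INTEGER PRIMARY KEY,
               username   TEXT NOT NULL UNIQUE,
               salt       BLOB NOT NULL,
               pw_hash    BLOB NOT NULL,
               owner      TEXT NOT NULL)"""
    )
    if enforce_unique_normalized:
        conn.execute("CREATE UNIQUE INDEX ux_username_ci ON accounts (lower(username))")
    return conn


def register(conn, account_id, username, password, owner) -> bool:
    """Enrol a customer; False when the (normalised) user name is already taken."""
    salt = os.urandom(16)
    try:
        conn.execute(
            "INSERT INTO accounts VALUES (?, ?, ?, ?, ?)",
            (account_id, username, salt, _hash_password(password, salt), owner),
        )
        return True
    except sqlite3.IntegrityError:
        return False


def authenticate(conn, username, password):
    """Exact-match credential check. Returns the verified account_id or None."""
    row = conn.execute(
        "SELECT account_id, salt, pw_hash FROM accounts WHERE username = ?",
        (username,),
    ).fetchone()
    if row is None:
        return None
    account_id, salt, pw_hash = row
    return account_id if hmac.compare_digest(_hash_password(password, salt), pw_hash) else None


def load_account_by_login_name(conn, username):
    """Flawed pattern: after a successful login the site re-resolves the
    account from the typed user name, this time case-insensitively, and takes
    the first hit. With two near-identical user names on file this can return
    the other customer's record."""
    row = conn.execute(
        "SELECT owner FROM accounts WHERE lower(username) = lower(?) "
        "ORDER BY account_id LIMIT 1",
        (username,),
    ).fetchone()
    return row[0] if row else None


def load_account_by_id(conn, account_id):
    """Fixed pattern: the session carries the account_id that the credential
    check actually verified, and every later lookup keys on that id only."""
    row = conn.execute(
        "SELECT owner FROM accounts WHERE account_id = ?", (account_id,)
    ).fetchone()
    return row[0] if row else None


def login_and_view(conn, username, password, fixed: bool):
    """Simulate login followed by the account page. Returns the owner name of
    the record shown, or None when the credentials are wrong."""
    account_id = authenticate(conn, username, password)
    if account_id is None:
        return None
    if fixed:
        return load_account_by_id(conn, account_id)
    return load_account_by_login_name(conn, username)


if __name__ == "__main__":
    db = build_db()
    for acct in (FLORIDA_CARDHOLDER, NEW_CUSTOMER):
        register(db, *acct)
    print("flawed lookup shows:", login_and_view(db, "agoldstein", "fly-more-2008", fixed=False))
    print("fixed lookup shows :", login_and_view(db, "agoldstein", "fly-more-2008", fixed=True))
    strict = build_db(enforce_unique_normalized=True)
    print("strict enrolment   :", [register(strict, *a) for a in (FLORIDA_CARDHOLDER, NEW_CUSTOMER)])
```

Two defences are shown. The first is the one that matters once accounts already exist: the session must carry the identifier the credential check verified, and every later query keys on that identifier rather than on anything the user typed. The second, a uniqueness constraint on the normalised user name, stops near-duplicates being created at enrolment, which is what turns a loose lookup into a cross-account disclosure in the first place. Telemetry on the flawed path would also be the place to detect this class: a verified account_id that disagrees with the record served is an alert, not a coincidence.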