Secret Shopping for the Holidays? Think Twice About Using American Express
- aobuchowski
- Nov 28, 2022
We all know American Express (AMEX), one of the most prominent card brands used by businesses and individuals. AMEX is known to be the less preferred card brand among merchants because of its payment delays and generally higher fees. On the flip side, it also offers protections for the consumer.
Most individuals likely opt in for paperless statements. Reviewing charges and paying your statement balance is a click away using an app on your phone or through the website. Many companies, including AMEX, are trying to limit interactions with a live agent by utilizing automated phone systems. These systems can also be used to listen to your recent charges and make payments. One of the most notable security flaws with AMEX is that you don’t even need the full card number to listen to your recent charges, and you will never know if someone has accessed your recent charges unless you obtain a subpoena.
That’s right. No matter how much protection you place on your account, a representative does not have the ability to tell you if your account was accessed through the automated phone system. Before I get into the details of how this is achievable, let’s discuss some of the protections AMEX does offer, one of which is baffling but somewhat understandable.
Besides the typical demographic questions used to validate your identity, AMEX offers a Personal Security Key, or PIN, that you can add to your account. If the incorrect key is provided to the representative, your account is flagged, which triggers a notification to the email address on file.
AMEX can also recognize the phone number you are calling from and can identify the associated account(s). One of the unusual security protections is that while you are on the phone with a representative, the same individual will initiate a call to the phone number on the account. So, while you are talking to the representative, let’s say from your cell phone that is registered on the account, you then switch to the other line when they call and speak to the same representative to confirm your identity.
I understand that a phone number can be spoofed, but keep in mind that this call comes only after you have gone through a round of identity questions, assuming you have previously requested the highest level of security on your account.
Now let’s discuss the automated phone system. As previously stated, AMEX can identify the incoming phone number and associate it with any known accounts. However, you can still access your account by calling from a non-registered number, such as a business phone. I welcome you to try what I am about to explain on your OWN account.
1. Call AMEX Customer Service using a phone number not registered on your account.
2. When prompted, say “recent charges” into the automated phone system.
3. You will then be prompted for the full credit card number OR your social security number. Enter your social security number.
4. You will then be asked to enter the last 5 digits of your card number.
That’s all that is required. No PIN, no questions to answer, no phone call to validate your identity. Someone close to you may well know your social security number and can certainly gain access to the last 5 digits of your card (or the entire card number). AMEX offers no protections on accessing your account through the automated phone system.
I am not saying other card brands/banks do not have potential vulnerabilities; I am just demonstrating in this article how easy it is to access your AMEX account information without speaking to a representative.
In the end, the impact on an account holder is negligible. There is no real financial gain or loss. However, if you are trying to “surprise” that special someone who has a high curiosity, then buyer beware, as they can track where you made purchases without you knowing.
*Disclaimer – This article is for informational purposes only and is not intended to be used for any illegal behavior.
