Yesterday, American Express users around the world, including the US, UK and Europe, experienced widespread outages that lasted for hours.
And the payment services giant advises that some users may continue to experience problems online or over the phone.
The issues reported by users included being unable to log into their Amex accounts, make payments, or contact an Amex customer service representative by phone.
BleepingComputer was able to briefly reproduce the issues just before Amex confirmed the partial recovery of services.
Two-factor authentication broken
American Express customers around the world had no means of making payments, as hours of interruption prevented users from logging into their accounts.
The payment card provider's online systems went down on Friday, April 1 and remained faulty for hours, BleepingComputer also notes.
Amex posted a banner on its homepage stating that it was “aware of technical issues” related to phone lines, online account services and the Amex mobile app.
Amex announced on its homepage that it was experiencing problems (BleepingComputer)
In multiple tests by BleepingComputer, we saw the login screen prompt for a “one-time verification code” repeatedly, on each successful login attempt, even though we logged in from the same device previously used to access the account. The mobile app also exhibited this behavior:
Amex repeatedly asked for MFA code even when logging in from the same device (BleepingComputer)
When the services started coming up again, after successful authentication, BleepingComputer was able to get past the two-factor screen to land on a “not found” page, where the dashboard should be.
Amex redirected users to ‘not found’ page instead of Dashboard (BleepingComputer)
Technologist Jacob Rothstein questioned whether the problems were related to the recently introduced Amex “one login for all accounts” feature. The new feature integration would allow customers to access both savings accounts and credit cards from a single dashboard, Amex had previously announced.
But that still doesn’t explain the phone service interruptions.
Cyber threat analyst Anis Haboubi suspected that the recent hacks on Okta, Sitel and Globant by Lapsus$ could have played a role; both Sitel and Globant list Amex among their customers.
However, BleepingComputer has not yet seen any hard evidence linking these incidents.
‘Add a debit card’ brought you to the ATM locator map
The claims of users experiencing difficulties paying off their Amex account balances were also verified by BleepingComputer.
When navigating to the ‘Make a payment’ page, the payment history did not load. By clicking the ‘Add a debit card’ button, we were redirected to a map of nearby ATMs.
Add debit card screen when attempting to make card payments (BleepingComputer)
As of this morning, Amex online account services allow payments via bank account, a newly introduced feature especially for UK customers, in addition to accepting debit card payments.
As far as the online service outages are concerned, this indicates that the payments giant most likely broke something while rolling out the new functionality.
‘Don’t do business without it.®’
On April 1, after multiple reports of issues faced by customers, American Express confirmed that its online account services were available again on both web and mobile:
Amex resolved the issues after hours of outage (Twitter)
However, in its latest tweet, American Express has come back to explain that some customers may still experience problems:
“We are experiencing a system issue that prevents some card members from accessing products and services through the web and mobile app. Most systems have been restored, but some customers may experience longer than usual wait times. We apologize to our customers for the inconvenience.”
The reason behind these multi-day disruptions is not yet known. The impact on Amex phone lines, in addition to the web and mobile app outages, makes this case particularly interesting.
While this could just be another case of network outages or broken feature integration, it’s not uncommon for corporate call centers and corporate websites to go down at the same time after a cyberattack.
This post, “American Express users locked out for hours: no login, no payments”, was originally published at https://www.bleepingcomputer.com/news/security/american-express-users-locked-out-for-hours-no-login-no-payments/