American Express Mobile Security Review

by on Dec 17, 2012

This is an excerpt taken from our latest Mobile Monitor report titled Authentication & Security: Putting Mobile Security First.

Logging in to American Express’ mobile apps uses the same credentials and single-step entry as the website. When the Save User ID feature is activated, the app displays the saved ID partially redacted in subsequent sessions. There is no additional first-time authentication step when logging in from an unrecognized device. Automatic logout occurs after 10 minutes of inactivity.
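The inactivity logout described above is a server-side idle timer that is checked on every authenticated request. The following is an added illustration written for this review, not American Express code: it assumes a monotonic clock (so wall-clock changes on the device cannot stretch the window), the 10-minute limit the review reports, and that an expired session can never be revived by a later request.

```python
import time
from dataclasses import dataclass

# Idle limit as reported in the review: automatic logout after 10 minutes of inactivity.
INACTIVITY_LIMIT_SECONDS = 10 * 60


@dataclass
class Session:
    """Minimal server-side session record (illustrative only)."""
    user_id: str
    last_activity: float  # seconds from a monotonic clock, e.g. time.monotonic()
    active: bool = True


def authorize_request(session: Session, now: float) -> bool:
    """Idle-timeout check run on every authenticated request.

    Returns True and refreshes the idle timer while the session is live.
    Returns False and permanently invalidates the session once the idle
    limit has elapsed; a dead session stays dead even if touched again.
    """
    if not session.active:
        return False
    if now - session.last_activity >= INACTIVITY_LIMIT_SECONDS:
        session.active = False
        return False
    session.last_activity = now
    return True


if __name__ == "__main__":
    # Constructed demo: one request right away, then one after the limit.
    s = Session(user_id="demo-user", last_activity=time.monotonic())
    print("first request allowed:", authorize_request(s, time.monotonic()))
    print("request after idle limit allowed:",
          authorize_request(s, time.monotonic() + INACTIVITY_LIMIT_SECONDS))
```

Passing `now` in explicitly rather than calling the clock inside the function keeps the policy testable and makes the boundary condition (exactly 600 seconds idle counts as expired) easy to pin down.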

[Figure: Login Screen & Inactivity Message (Left to Right)]

The login screen also offers a link to recover a forgotten username or password through a quick, mobile-optimized process. Clients simply enter the card number and card ID from their card to view their username or to request a temporary password sent to the email address on file.

[Figure: Forgot User ID and Password]

The app greets logged-in card holders by name and offers filtering by card holder. Only the last five digits of card numbers are shown, but the app does display full Membership Rewards program numbers.
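The contrast above (card numbers masked to the last five digits, rewards numbers shown in full) comes down to whether the display layer applies one masking policy to every account identifier. The example below is added for this review and is not American Express code; the field names, the sample record, the two-character rule for the saved user ID and the four-digit rule for rewards numbers are all assumptions made to illustrate an allow-list display policy in which anything not explicitly listed is never rendered.

```python
def mask_trailing(value: str, visible: int, mask_char: str = "*") -> str:
    """Show only the last `visible` alphanumeric characters of `value`.

    Separators such as spaces and dashes are kept so the masked value keeps
    its familiar layout.  If the value is no longer than the visible window,
    it is masked entirely rather than leaked in full.
    """
    alnum_total = sum(ch.isalnum() for ch in value)
    if alnum_total <= visible:
        visible = 0
    seen = 0
    out = []
    for ch in reversed(value):           # walk from the end to find the tail
        if ch.isalnum():
            out.append(ch if seen < visible else mask_char)
            seen += 1
        else:
            out.append(ch)
    return "".join(reversed(out))


# Allow-list display policy (assumed values): field -> number of trailing
# characters to reveal, or None to show the field unmasked.  Fields absent
# from this table are dropped before rendering.
DISPLAY_POLICY = {
    "name": None,
    "card_number": 5,       # matches the review: last five digits only
    "rewards_number": 4,    # assumed rule; the review notes these are shown in full
    "saved_user_id": 2,     # assumed rule for the Save User ID feature
}


def redact_for_display(record: dict) -> dict:
    """Return only the fields the policy knows about, masked per the policy."""
    rendered = {}
    for field, visible in DISPLAY_POLICY.items():
        if field not in record:
            continue
        value = str(record[field])
        rendered[field] = value if visible is None else mask_trailing(value, visible)
    return rendered


# Constructed sample record; the card number is a made-up 15-digit Amex-format value.
SAMPLE_RECORD = {
    "name": "J. Doe",
    "card_number": "3782 822463 10005",
    "rewards_number": "1234567890",
    "saved_user_id": "jdoe_amex",
    "internal_note": "never show this",
}

if __name__ == "__main__":
    for field, shown in redact_for_display(SAMPLE_RECORD).items():
        print(f"{field:15} {shown}")
```

Because the policy is an allow-list, adding a new identifier to the account record (a loyalty number, a linked account) does not silently appear on screen; someone has to decide how much of it, if any, the app may reveal.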

[Figure: My Cards Homepage]

The app imposes additional security checks around rewards redemptions for ShopAmex merchandise and mobile gift cards. To complete these purchases, the app asks for the card identification number and the security code – two separate numbers printed on the front and back of the card.

[Figure: Card Identification]

American Express briefly discusses mobile security in help content within its apps and online. FAQs in the apps include “How secure is my information?” The response is brief but helpful, mentioning “end-to-end encryption” while also pointing out that wireless networks are outside of the firm’s control and noting that users can set a passcode for their device as additional security. The firm also reassures clients on mobile security when outlining mobile capabilities online, for example on the American Express iPhone App page.