Yesterday, American Express users across the world, including in the US, UK, and Europe, experienced widespread outages lasting hours.
The payment services giant advises that some users may continue to experience issues online or over the phone.
The issues reported by users included being unable to log in to their Amex accounts, make payments, or get to an Amex customer service representative over the phone.
BleepingComputer was able to briefly reproduce issues right before Amex confirmed partially restoring services.
Broken two-factor authentication
American Express customers around the world were left without the means to make payments, as hours-long outages prevented users from logging into their accounts.
The online systems of the payment card services provider went down on Friday, April 1st, and kept malfunctioning for hours, as also observed by BleepingComputer.
Amex put up a banner on its homepage stating that it was “aware that technical difficulties” were affecting phone lines, online account services, and the Amex mobile app.
In multiple tests by BleepingComputer, we observed that the log-in screen prompted for a “one-time verification code” multiple times, on every successful log-in attempt, even though we were signing in from the same device previously used to access the account. The mobile app also exhibited this behavior.
As services started coming back up, BleepingComputer was able to get past the two-factor code screen after successful authentication only to land on a “not found” page, where the Dashboard should be.
Technologist Jacob Rothstein wondered whether the issues were connected to Amex’s recently introduced “one login for all accounts” feature. The new feature integration would enable customers to access both Savings accounts and credit cards from one dashboard, Amex had previously announced.
But, that still fails to explain the telephone service disruptions.
Cyber threat intel analyst Anis Haboubi wondered whether the recent hacks on Okta, Sitel, and Globant by Lapsus$ could have played a role; both Sitel and Globant list Amex among their clients.
However, BleepingComputer hasn’t seen hard evidence just yet establishing a link between these incidents.
‘Add a Debit Card’ took you to ATM locator map
The claims of users facing difficulties making payments towards their Amex account balances were also reproduced by BleepingComputer.
When navigating to the ‘Make a payment’ page, payment history did not load. Clicking the ‘Add a Debit Card’ button redirected us to a map of nearby ATMs.
As of this morning, the Amex online account services do allow payments via bank account, a newly introduced feature especially for UK customers, in addition to accepting debit card payments.
This indicates the payments giant quite likely broke something while rolling out the new functionality, as far as the online services outage is concerned.
‘Don’t do business without it.®’
On April 1st, after multiple reports of problems faced by customers, American Express did confirm that the online account services were back up on both web and mobile.
However, in its latest tweet, American Express has backtracked and explains some customers may still face issues:
“We’re experiencing a systems issue resulting in some Card Members being unable to access products & services on web & mobile app. Most systems have been restored, but some customers may experience longer-than-usual hold times. We apologize to our customers for any inconvenience.”
The reason behind these multi-hour disruptions is yet to be known. The impact on Amex phone lines, in addition to the web and mobile app outages, makes this case especially interesting.
While this could just be another instance of network outages or a broken feature integration, it isn’t unusual for companies’ call centers and websites to go down at the same time following a cyberattack.