American Express has an insecure login. When you enter the URL http://www.americanexpress.com (a natural enough place to go take care of your accounts, and the address that comes on the bill), you're redirected to this page. Note that it's an "http" site, not an "https."

You can get a secure login by adding an "s" to the URL and reloading the page, but most people wouldn't know to do that, and you shouldn't have to. There's no link to a secure option, and they shouldn't even allow a non-secured login. This is kind of amazing for a company with the reputation of AmEx.

Another reason to drop my AmEx card when it comes up for renewal.

If you take apart the HTML source you see that this is a javascript appliction that handles your name/passwd. This is then sent to a HTTPS server.
https://qwww48.americanexpress.com/en/intl?request_type=intl_CardsListHandler&Face=en_gb" name=ssosystem

The average user is supposed to "know" to check the certificates on any secure web site he/she accesses. In reality, I doubt anyone "knows" this, or knows how to do it in their browser. Your point is well taken because the user can't check certificate until a secure connection is made.

The typical system of "informing" the user that she/he is communicating securely with "who they think they are communicating with" is not terribly effective. And, yes, I do do this for a living.