The hackers called Amazon's support staff and "socially engineered" the employee or employees to give out the last four digits of Honan's credit card using what appears to be standard protocols.
As explained by Honan:
First you call Amazon and tell them you are the account holder, and want to add a credit card number to the account. All you need is the name on the account, an associated e-mail address, and the billing address. Amazon then allows you to input a new credit card. (Wired used a bogus credit card number from a website that generates fake card numbers that conform with the industry's published self-check algorithm.) Then you hang up.
Next you call back, and tell Amazon that you've lost access to your account. Upon providing a name, billing address, and the new credit card number you gave the company on the prior call, Amazon will allow you to add a new e-mail address to the account. From here, you go to the Amazon website, and send a password reset to the new e-mail account. This allows you to see all the credit cards on file for the account — not the complete numbers, just the last four digits. But, as we know, Apple only needs those last four digits.
O.K., this is the part of the whole thing that is really scary. Yes, Apple will let you reset the password if you provide them with the information they are requesting. Yes, it could be better, but at least the information they are requesting isn't generally available to the public. The Amazon loophole of simply allowing you to call in and add a credit card on to an account using ONLY publicly available information, and then being able to use THAT credit card to gain access to the account? Consider my Amazon account immediately closed. Wow.
If you know someone's email address, you probably know their name. It's pretty common that the two go together. Now, with someone's name, it's pretty easy to figure out their address, as that's pretty public information. If that's all you need to be able to hack an Amazon account, what kind of security is that?
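The "published self-check algorithm" the quoted text refers to is the Luhn mod-10 checksum. The example below is added here and is not part of the original post or of any vendor's code; it implements the check on constructed sample numbers to make the defender's point concrete: a number that passes Luhn has merely been typed without a transposition or single-digit error, so a support process that treats "the card number validates" as evidence that the caller owns an issued card is verifying nothing. Any recovery factor the caller themselves supplied earlier in the same flow (as the new card was here) has the same zero evidentiary weight.

```python
# Luhn (mod-10) checksum verifier, added as an illustration.
# A passing checksum is a format check only: it says nothing about whether
# a card was issued, who holds it, or whether the caller is the account owner.

def luhn_checksum_ok(number: str) -> bool:
    """Return True if the digit string passes the Luhn mod-10 check.

    Spaces and dashes are ignored; any other non-digit makes the input invalid.
    """
    cleaned = number.replace(" ", "").replace("-", "")
    if len(cleaned) < 2 or not cleaned.isdigit():
        return False
    total = 0
    # Walk from the rightmost digit; every second digit is doubled and,
    # if the doubled value exceeds 9, its digits are summed (equivalently, minus 9).
    for position, char in enumerate(reversed(cleaned)):
        digit = int(char)
        if position % 2 == 1:
            digit *= 2
            if digit > 9:
                digit -= 9
        total += digit
    return total % 10 == 0


def proof_of_possession(number: str, supplied_by_caller_in_this_flow: bool) -> bool:
    """Model the policy decision a support desk should make.

    A checksum-valid number only counts as a possession factor if it was already
    on the account before the recovery flow began. A number the caller added
    moments ago is attacker-controlled data, not evidence of identity.
    """
    if not luhn_checksum_ok(number):
        return False
    if supplied_by_caller_in_this_flow:
        return False
    return True


# Constructed sample inputs (the first is a widely published test number,
# the second differs in its last digit so the checksum fails).
SAMPLE_VALID = "4111 1111 1111 1111"
SAMPLE_INVALID = "4111 1111 1111 1112"

if __name__ == "__main__":
    print("checksum ok:", luhn_checksum_ok(SAMPLE_VALID))     # True
    print("checksum ok:", luhn_checksum_ok(SAMPLE_INVALID))   # False
    # The checksum passes, but the caller just added this card: no proof of identity.
    print("accept as identity proof:", proof_of_possession(SAMPLE_VALID, True))  # False
    # Same number, but it was on file before the call: a legitimate possession factor.
    print("accept as identity proof:", proof_of_possession(SAMPLE_VALID, False))  # True
```

The second function is the policy lesson from the quoted chain: the flaw was not that Amazon checked the card number, but that it accepted as a recovery factor a value the same caller had injected a phone call earlier. Recovery flows should only trust factors that predate the flow and that the requester could not have planted.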