
Amazon, Apple security measures factors in journalist's hacked iCloud account - Page 2

post #41 of 47

Plain and simple, and I said this before to all those who think there is nothing wrong with putting their life out on the web. This is what happens, it is not Apple's or Amazon's fault. It was Honan's fault, he made it easy for them to hack him. Hackers are smart people, so if you put all your information out there, they can locate it and piece together what they need.

 

This should be a lesson to anyone who thinks it's okay to put all their personal information out on the web.

post #42 of 47

I just deleted my credit card information from Amazon. This is scary. These guys could have made a bunch of charges on Amazon to his credit card.

post #43 of 47

"The hackers called Amazon's support staff and "socially engineered" the employee or employees to give out the last four digits of Honan's credit card using what appears to be standard protocols.

As explained by Honan:


First you call Amazon and tell them you are the account holder, and want to add a credit card number to the account. All you need is the name on the account, an associated e-mail address, and the billing address. Amazon then allows you to input a new credit card. (Wired used a bogus credit card number from a website that generates fake card numbers that conform with the industry's published self-check algorithm.) Then you hang up.

Next you call back, and tell Amazon that you've lost access to your account. Upon providing a name, billing address, and the new credit card number you gave the company on the prior call, Amazon will allow you to add a new e-mail address to the account. From here, you go to the Amazon website, and send a password reset to the new e-mail account. This allows you to see all the credit cards on file for the account — not the complete numbers, just the last four digits. But, as we know, Apple only needs those last four digits.

 
O.K, this is the part of the whole thing that is really scary.  Yes, Apple will let you reset the password if you provide them with the information they are requesting.  Yes, it could be better, but at least the information they are requesting isn't generally available to the public.  The Amazon loophole of simply allowing you to call in and add a credit card on to an account using ONLY publicly available information, and then being able to use THAT credit card to gain access to the account?  Consider my amazon account immediately closed.  Wow.
 
If you know someone's email address, you probably know their name.  It's pretty common that the two go together.  Now, with someone's name, it's pretty easy to figure out their address, as that's pretty public information.  If that's all you need to be able to hack an Amazon account, what kind of security is that?
post #44 of 47

Again the holes are clear enough: The weak link happens when you can ALTER an account in ANY way without requiring a secured password and/or security word/key to do so...

 

Having the "right information as shown on the account" (address, email, credit card numbers) does not mean you are the account holder. That information can be common across different accounts and can be stolen!  However, knowing the *secret password* and *answers to one or more of 3 security questions* almost assures that it is the account holder.

 

When I call my bank, I have to give one PIN-like code (and the correct "last four SS #" and sometimes my phone number and home address) just to get information on my account, like balances, etc… if I want to arrange a payment or a transfer, there is a secondary security layer. I have to key in a PIN (which the person on the phone can't hear). Once confirmed, I can transact all I like.  Finally, if I want to CHANGE any of my account information, then a THIRD layer; answers to at least one "security question", is required.

 

I almost guarantee this "hack" wouldn't have happened if even just ONE true security layer existed (password requirement or security question).

 

As it is, it isn't remotely "secure"...
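
An added example, not part of the original posts: a small model of the point made in post #44, replaying the two support calls quoted in post #43 against a policy that accepts on-file data and against the three-layer bank policy. The account values, function names and operation names are all constructed for illustration.

```python
import hmac

def new_account():
    """Constructed sample account; every value is made up for this example."""
    return {"on_file": {"name": "A. User", "email": "user@example.com",
                        "billing_address": "1 Example St",
                        "cards": {"0000000000001111"}},
            "secrets": {"phone_code": "7391", "pin": "204816",
                        "security_answer": "blue heron"}}

# Secrets required per tier, following the three bank layers in the post.
REQUIRED = {"view": ("phone_code",),
            "transact": ("phone_code", "pin"),
            "change": ("phone_code", "pin", "security_answer")}
TIER = {"view_balance": "view", "transfer": "transact",
        "add_card": "change", "add_email": "change"}

def weak_authorize(account, operation, claims):
    """Weak policy: the caller only repeats data already stored on the account."""
    f = account["on_file"]
    return (claims.get("name") == f["name"]
            and claims.get("billing_address") == f["billing_address"]
            and (claims.get("email") == f["email"]
                 or claims.get("card") in f["cards"]))

def tiered_authorize(account, operation, claims):
    """On-file data only identifies the account; secrets authenticate the caller."""
    return all(hmac.compare_digest(str(claims.get(k, "")), account["secrets"][k])
               for k in REQUIRED[TIER[operation]])

def replay_two_calls(authorize):
    """Replay the two support calls quoted in the thread against a policy."""
    acct = new_account()
    known = {"name": "A. User", "billing_address": "1 Example St"}
    call1 = authorize(acct, "add_card", {**known, "email": "user@example.com"})
    if call1:  # the card supplied by the caller is now itself "on file"
        acct["on_file"]["cards"].add("0000000000002222")
    call2 = authorize(acct, "add_email", {**known, "card": "0000000000002222"})
    return call1, call2

if __name__ == "__main__":
    print("weak policy:  ", replay_two_calls(weak_authorize))    # (True, True)
    print("tiered policy:", replay_two_calls(tiered_authorize))  # (False, False)
```

Under the weak policy the second call succeeds only because the first call let the caller plant the very value later used as proof of identity; the tiered policy refuses both because neither call presents a secret.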

post #45 of 47

Really, you think that is secure? I know people who answer those security questions, no matter what the question, the exact same way. Why? Again, people are lazy, and like Honan, it was his fault he got hacked. People have to stop putting too much trust in these systems and need to not put their information out on the web.

 

Yeah, Amazon made everyone think their one-click purchasing was helping consumers since they stored all your information on their servers. Well, it was to allow people to make purchases faster and do the impulse buy versus walking away and thinking about buying and maybe not making the purchase.

 

People, stop being lazy and just enter the information as needed and get your life off the web, stop giving up your rights and privacy to get something free.

 

 

Quote:
Originally Posted by tribalogical View Post

Again the holes are clear enough: The weak link happens when you can ALTER an account in ANY way without requiring a secured password and/or security word/key to do so...

 

Having the "right information as shown on the account" (address, email, credit card numbers) does not mean you are the account holder. That information can be common across different accounts and can be stolen!  However, knowing the *secret password* and *answers to one or more of 3 security questions* almost assures that it is the account holder.

 

When I call my bank, I have to give one PIN-like code (and the correct "last four SS #" and sometimes my phone number and home address) just to get information on my account, like balances, etc… if I want to arrange a payment or a transfer, there is a secondary security layer. I have to key in a PIN (which the person on the phone can't hear). Once confirmed, I can transact all I like.  Finally, if I want to CHANGE any of my account information, then a THIRD layer; answers to at least one "security question", is required.

 

I almost guarantee this "hack" wouldn't have happened if even just ONE true security layer existed (password requirement or security question).

 

As it is, it isn't remotely "secure"...

post #46 of 47
Quote:
Originally Posted by BuffyzDead View Post

I have always liked, and believe in the "SEND A CODE TO MY iPHONE" to make changes, like many banks do.

 

Apple should adopt immediately

Best article on the problem...

http://gizmodo.com/5932742/apple-really-doesnt-know-how-to-fix-its-massive-security-exploit?utm_campaign=socialflow_gizmodo_twitter&utm_source=gizmodo_twitter&utm_medium=socialflow

 

macs user based=computer illiterate

"Apple people have no objectivity when it comes to criticism of Apple.." Lenovo X1 Carbon is out..bye bye MBAir

post #47 of 47
Originally Posted by daylove22 View Post
Best article on the problem...

 

macs user based=computer illiterate

 

Gizmodo article = instant ignore.

Originally posted by Marvin

Even if [the 5.5” iPhone] exists, it doesn’t deserve to.