Amazon, Apple security measures factors in journalist's hacked iCloud account

13»

Comments

  • Reply 41 of 47


    I just deleted my credit card information from Amazon. This is scary. These guys could have made a bunch of charges on Amazon to his credit card.

  • Reply 42 of 47
    majjomajjo Posts: 574member
    I realize the actual problem here, and corrections do need to be made, but why is it that only Amazon and Apple are held to blame for this incident? Google was a key part of this identity theft and somehow they managed to escape the headline. With the Gizmodo connection with this person...well, it just seems suspect. Am I the only one seeing this? Or am I just paranoid?

    Google did play a part in this, but they're not taking a lot of heat because their authentication method was not compromised. They deserve as much blame as the domain registrar.

    Amazon and Apple are getting the blunt of the blame (and rightfully so) because they actually gave the hacker full access to the accounts.

    This is not to say the reporter is free of blame for his lax security practices either (especially for a tech journalist).
  • Reply 43 of 47


    "The hackers called Amazon's support staff and "socially engineered" the employee or employees to give out the last four digits of Honan's credit card using what appears to be standard protocols.



    As explained by Honan:


    First you call Amazon and tell them you are the account holder, and want to add a credit card number to the account. All you need is the name on the account, an associated e-mail address, and the billing address. Amazon then allows you to input a new credit card. (Wired used a bogus credit card number from a website that generates fake card numbers that conform with the industry?s published self-check algorithm.) Then you hang up.



    Next you call back, and tell Amazon that you?ve lost access to your account. Upon providing a name, billing address, and the new credit card number you gave the company on the prior call, Amazon will allow you to add a new e-mail address to the account. From here, you go to the Amazon website, and send a password reset to the new e-mail account. This allows you to see all the credit cards on file for the account — not the complete numbers, just the last four digits. But, as we know, Apple only needs those last four digits.


     


    O.K, this is the part of the whole thing that is really scary.  Yes, Apple will let you reset the password if you provide them with the information they are requesting.  Yes, it could be better, but at least the information they are requesting isn't generally available to the public.  The Amazon loophole of simply allowing you to call in and add a credit card on to an account using ONLY publicly available information, and then being able to use THAT credit card to gain access to the account?  Consider my amazon account immediately closed.  Wow.


     


    If you know someone's email address, you probably know their name.  It's pretty common that the two go together.  Now, with someone's name, it's pretty easy to figure out their address, as that's pretty public information.  If that's all you need to be able to hack an Amazon account, what kind of security is that?
  • Reply 44 of 47
    tribalogicaltribalogical Posts: 1,182member


    Again the holes are clear enough: The weak link happens when you can ALTER an account in ANY way without requiring a secured password and/or security word/key to do so...


     


    Having the "right information as shown on the account" (address, email, credit card numbers) does not mean you are the account holder. That information can be common across different accounts and can be stolen!  However, knowing the *secret password* and *answers to one or more of 3 security questions* almost assures that it is the account holder.


     


    When I call my bank, I have to give one PIN-like code (and the correct "last four SS #" and sometimes my phone number and home address) just to get information on my account, like balances, etc… if I want to arrange a payments or a transfer, there is a secondary security layer. I have to key in a PIN (which the person on the phone can't hear). Once confirmed, I can transact all I like.  FInally, if I want to CHANGE any of my account information, then a THIRD layer; answers to at least one "security question", is required.


     


    I almost guarantee this "hack" wouldn't have happened if even just ONE true security layer existed (password requirement or security question).


     


    As it is, it isn't remotely "secure"...

  • Reply 45 of 47
    maestro64maestro64 Posts: 5,043member


    Really you think that is secure, I know people who answer those security questions no matter what the question they exact same way. Why again people are lazy and like Honan, it was his fault he got hacked. People have to stop putting too much trust in these systems and need to no put their information out on the web.


     


    Yeah Amazon may everyone think their one click purchasing was helping consumer since they stored all your information on their servers. Well it was to allow people to make purchase faster and do the impulse buy verse walking away and thinking about buying and maybe no making the purchase. 


     


    People stop being lazy and just enter the information as need and get your life of the web, stop giving up your rights and privacy to get something free.


     


     


    Quote:

    Originally Posted by tribalogical View Post


    Again the holes are clear enough: The weak link happens when you can ALTER an account in ANY way without requiring a secured password and/or security word/key to do so...


     


    Having the "right information as shown on the account" (address, email, credit card numbers) does not mean you are the account holder. That information can be common across different accounts and can be stolen!  However, knowing the *secret password* and *answers to one or more of 3 security questions* almost assures that it is the account holder.


     


    When I call my bank, I have to give one PIN-like code (and the correct "last four SS #" and sometimes my phone number and home address) just to get information on my account, like balances, etc… if I want to arrange a payments or a transfer, there is a secondary security layer. I have to key in a PIN (which the person on the phone can't hear). Once confirmed, I can transact all I like.  FInally, if I want to CHANGE any of my account information, then a THIRD layer; answers to at least one "security question", is required.


     


    I almost guarantee this "hack" wouldn't have happened if even just ONE true security layer existed (password requirement or security question).


     


    As it is, it isn't remotely "secure"...


  • Reply 46 of 47

    Quote:

    Originally Posted by BuffyzDead View Post


    I have always liked, and believe in the "SEND A CODE TO MY iPHONE" to make changes, like many banks do.


     


    Apple should adopt immediately



    Best article on the problem...


    http://gizmodo.com/5932742/apple-really-doesnt-know-how-to-fix-its-massive-security-exploit?utm_campaign=socialflow_gizmodo_twitter&utm_source=gizmodo_twitter&utm_medium=socialflow


     


    macs user based=computer illiterate

  • Reply 47 of 47
    tallest skiltallest skil Posts: 43,388member


    Originally Posted by daylove22 View Post

    Best article on the problem...


     


    macs user based=computer illiterate



     


    Gizmodo article = instant ignore.

Sign In or Register to comment.