How Apple and Amazon Security Flaws Led To Mat Honan's Identity Theft
An anonymous reader writes "The story behind the hacking of Mat Honan's multiple accounts has been revealed and points to massive failures in how Amazon and Apple handle password recovery. Accounts for both sites can be easily accessed with simple-to-find, publicly available information. If you ask me, both companies should be liable for violating privacy laws."
"In short, the very four digits that Amazon considers unimportant enough to display in the clear on the web are precisely the same ones that Apple considers secure enough to perform identity verification."
The industry standard I know of is to hide the first 12 digits with * and show the last 4 or 5 (yes, better would be to hide all, but the client might need to recognize the CC number for some reason). Who in their right mind would consider that secure? Apple, apparently.
Indeed, the article itself makes this point: "And it's also worth noting that one wouldn't have to call Amazon to pull this off. Your pizza guy could do the same thing, for example. If you have an AppleID, every time you call Pizza Hut, you're giving the 16-year-old on the other end of the line all he needs to take over your entire digital life."
Till receipts also commonly show this information.
Yes, the same Mat who did not back anything up locally or (shudder to think) redundantly, is an expert. If this sorry excuse is what passes as an expert, I think my grandma has a good chance at a new career.
What an idiot.
Amazon allowed a bogus card to be added to the account because all they did was check the check-digit, rather than doing that as step one, and then doing an authorization hold/authorization release after requiring the security code from the back of the card as step 2. This would have correlated the billing address and card number in the credit card company database, which would have failed, flagging it as a bogus card.
After this, a second call to Amazon using the bogus card information plus the (already known) billing information got them a password reset, again without them issuing an authorization hold/authorization release. And THAT is where they got the last 4 digits of the (actual) non-bogus credit card number to give to Apple. Admittedly, it's possible that this would cost a web site (other than Amazon, who owns their own payment provider) a transaction fee to do, but they could always require a transaction fee billed to the card being used as identification as part of the recovery process. For example, it looks like Norton Antivirus allows the same thing (just do a quick search for the phrase "the credit card number ending in", you'll see a bunch of people wondering about charges to cards they never registered with various services).
Apple using the last 4 digits as an identity verification was screwed up, but it wasn't information the bad guys had without Amazon's help, in this case.
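The two-step check the comment above describes, as an added illustration that is not code from the thread or from Amazon: a check-digit (Luhn) test alone accepts any number that merely looks like a card number, while an authorization hold that makes the issuer correlate the security code and billing address refuses it. The issuer database, the security code and the ZIP are constructed stand-ins; the card number is the publicly documented Visa test number.

```python
"""Added example: Luhn-only validation versus an authorization hold that
correlates card, security code and billing address with the issuer."""
from dataclasses import dataclass


def luhn_valid(number: str) -> bool:
    """Luhn check-digit test: all the validation the comment says Amazon did."""
    digits = [int(c) for c in number if c.isdigit()]
    if len(digits) < 13:
        return False
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


@dataclass(frozen=True)
class IssuerRecord:
    # Constructed stand-in for what the card issuer knows about a card.
    security_code: str
    billing_zip: str


# Constructed issuer database (assumption): one known card, the public Visa test number.
ISSUER_DB = {"4111111111111111": IssuerRecord("123", "94103")}


def add_card_check_digit_only(number: str) -> bool:
    """Step 1 only: a well-formed number is accepted, whether or not it exists."""
    return luhn_valid(number)


def add_card_with_auth_hold(number: str, security_code: str, billing_zip: str) -> bool:
    """Step 1 plus step 2: a zero-value authorization hold/release in which the
    issuer checks the security code and billing address before the card is kept."""
    if not luhn_valid(number):
        return False
    record = ISSUER_DB.get(number)      # unknown to the issuer: hold is declined
    if record is None:
        return False
    return record.security_code == security_code and record.billing_zip == billing_zip
```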