How Apple and Amazon Security Flaws Led To Mat Honan's Identity Theft

An anonymous reader writes "The story behind the hacking of Mat Honan's multiple accounts has been revealed and points to massive failures in how Amazon and Apple handle password recovery. Accounts for both sites can be easily accessed with simple to find publicly available information. If you ask me, both companies should be liable for violating privacy laws."

the 4 last digit of CC are unsecure

[aepervius]

"In short, the very four digits that Amazon considers unimportant enough to display in the clear on the web are precisely the same ones that Apple considers secure enough to perform identity verification."

All industry standard I know of is to hide the 12 foremost digits with * and show the last 4 or 5 (yes better would be to hide all, but client might need to recognize the CC number for some reason). Who in their right mind would consider that secure ? Apple apparently.

Re:the 4 last digit of CC are unsecure

[mcvos]

I don't give credit card numbers to pizza boys. I give them cash. Or I pay with iDeal, a Dutch internet payment system that's actually secure, unlike all that credit card crap.

Really, rest of the world, you guys need to implement iDeal so I can use it for international payments. The only reason I have a credit card at all is because it's the only way to buy stuff online from non-Dutch sites. Steam uses iDeal. Once everybody else does too, we can finally get rid of those stupid credit cards.

Benefits of free services

[akamad]

I would argue that the biggest benefit of using free services (like GMail) is they offer no or crap phone support! Thus making it very difficult for a hacker to social engineer their way into your account.

A very good article. Read it!

[Qbertino]

This is a very good article, every /. nerd worth his honors should read it. It's pushed my paranoia levels almost up to normal again. That alone was worth the time. I've been dragging out that backup HDD for my MB Air far to long and will now change that.

  I'm also going to solidly review my online presence and accounts, and how they could be linked. And fix any problems that pop up.

Bottom line: Read the article, it's a healthy wake-up call and if you're like me, you need that once in a while.

My 2 cents.

That is not the problem with Amazon

[Ecuador]

At first I was aghast at how they could implicate Amazon for revealing the last 4 digits of your card, when they appear in every transaction receipt printed etc.
However, after reading TFA it is obvious that Amazon has a serious security flaw as well that they need to address as well. It seems that you can call Amazon support knowing only the name, email and billing address of a person and you can add a bogus credit card number to their file. Then you call back and tell them you can't access your account and they will let you add a new email address to reset your password and you use the credit card number you had just added as verification of your identity!
True, Amazon showing the last 4 digits of your CCs on your account is not a problem, but giving access to your account to a person armed only with knowledge of your name, address and email is a serious flaw.
The summary and even the article don't make it that clear what the problem is with Amazon, you have to read through TFA.

Re:You missed the part about Amazons password rese

[StealthyRoid]

Naw, I didn't miss that part, I just don't think it makes an argument for this being a failure of Amazon security policy. Given that you need to know someone's account email address (how hard is it to do foo+amazon@dingleberry.com, or some other not-easily-guessed email address?), billing address, etc, to even get an Amazon rep to talk to you, the protections on that front seem sufficient (maybe not best, but sufficient) to me. Running an auth/void doesn't really work either. Sure, Amazon has their own payment gateway, but that doesn't make it free, it just makes it cheaper for them. Given the volume of cards that they accept into their system every day, running two transactions on each would pretty quickly jack up costs considerably. For subscription services like Norton, that might make sense, because the overall transaction volume is fairly low, but for Amazon, that bill would get pretty big.
Now, compare Amazon's relatively reasonable, if not super awesome, procedures to Apple's, where all you need is the last four in order to get access to all data and devices, and tell me this is still an Amazon problem.

Re:Well, that didn't cause me any problems...

[viperidaenz]

The law doesn't really need to say anything. The company wouldn't appreciate the loss of business because they can no longer accept credit cards because they violated the contracts with their providers. Those contracts probably make the company liable for any losses too.

Re:Multifactor Authentication

[thmsdrew]

I won't take my security advice from him, but there's no need to discredit his entire body of work because of this. Surely he deals in other topics.

Sallie Mae

[AF_Cheddar_Head]

Even better, Sallie Mae calls me about my daughter's loan, and before the call is connected I have to give Sallie Mae my last four of my SSN to authenticate who I am, no way to authenticate that it's Sallie Mae calling me but I have to authenticate that Sallie called the right number. Even better no way to talk to a real person if I don't authenticate.

Remember I said Sallie Mae initiated the call. I could call any number of random numbers claim to be Sallie Mae and get individuals last four, ridiculous.