Apple and Amazon Know About a Massive Hack Exploit—And Have Done Nothing (Updated)

[Poke]

Apple and Amazon Know About a Massive Hack Exploit—And Have Done Nothing (Updated)

 

[navychop]

"....just lock down your entire online life until further notice."

Exaggerated to some extent, but certainly a problem. How to fix it? Critical comments are often far easier than constructive suggestions.

 

[meStevo]

Nothing was hacked. Social engineering at it's finest.

 

[mike123abc]

Nothing was hacked. Social engineering at it's finest.

Well the Amazon was an exploit. You add a CC to an account which apparently you do not have to log in to do it. Then once it is added you can use that CC account number to reset the password. The CC number is fake.

First you call Amazon and tell them you are the account holder, and want to add a credit card number to the account. All you need is the name on the account, an associated e-mail address, and the billing address. Amazon then allows you to input a new credit card. (Wired used a bogus credit card number from a website that generates fake card numbers that conform with the industry's published self-check algorithm.) Then you hang up.

Next you call back, and tell Amazon that you've lost access to your account. Upon providing a name, billing address, and the new credit card number you gave the company on the prior call, Amazon will allow you to add a new e-mail address to the account. From here, you go to the Amazon website, and send a password reset to the new e-mail account. This allows you to see all the credit cards on file for the account — not the complete numbers, just the last four digits. But, as we know, Apple only needs those last four digits. We asked Amazon to comment on its security policy, but didn't have anything to share by press time.

So, if you have both an Amazon account and an Apple account you can take them both over with a fake credit card number if you know the billing address and email address.

 

[rockymtnhigh]

I can't believe how lax Amazon is. My dept is buying me a hard drive, and my secretary told me to just order it online, and put it on the dept card. I went into my Amazon account, added a new card, with her name, and her billing address, and poof! It was automatically accepted. No verification, nothing. Easy for me for sure, but always struck me as strange.

 

[Hall]

Amazon has done this sort of thing for YEARS. My parents have asked me to buy items on Amazon on occasion and instead of them having to re-pay me, my Mom just gave me her CC info. I plugged it in and purchased the item. In this case, the billing address matched the ship-to address, which helps, but you'd still think Amazon would question why *I* am putting in someone else's CC info and address.

 

[rockymtnhigh]

Amazon has done this sort of thing for YEARS. My parents have asked me to buy items on Amazon on occasion and instead of them having to re-pay me, my Mom just gave me her CC info. I plugged it in and purchased the item. In this case, the billing address matched the ship-to address, which helps, but you'd still think Amazon would question why *I* am putting in someone else's CC info and address.

Exactly. I mean sure, it was convenient, and if it was a stolen card it would be hard to hide the evidence of it, but it always surprises me.

 

[Foxbat]

I agree with the assertion that passwords have to go. What reliably replaces them, however, isn't easy to say. Any scheme will be based on one or more of the the three basic foundations of security:
• Something you know
• Something you have
• Something you are

Passwords are something you know. The problem with passwords are numerous: they have to be shared; they can be forgotten; they can be used in multiple locations, increasing the chance that a security breach can compromise multiple services; they can be easily guessed if there aren't complexity requirements.

A key is something you have. The problem with keys for Internet services is how you prove that you actually possess your key; the key can be lost (or stolen); the key is "static" and by its physical nature can be duplicated.

Biometrics is something you are. Fingerprints; voice patterns; facial recognition; retina scans; DNA. Very hard to fake and duplicate (various Hollywood movies not withstanding) but somewhat expensive to implement. Are you ready to replace "One-Click" with "One-Prick"?

I wonder if we can ever reach the point where we can make practical use of Quantum Entanglement for verification of our identities? When you press the "Verify Identify" button the existing quantum states of the entangled particles are read at both locations a million or so times and the results compared. If they match, you're who you say you are. Since the very act of reading the particle changes the state to some new random state, it's like flipping two coins a million times, only they both come up with the same Heads-Tails sequence.

 

[mike123abc]

Today reports that both Apple and Amazon have moved to fix the problem.

 

[navychop]

I must point out that I read an article where they came up with a method to fool retina scans 80% of the time.