[ale] Now this is just bloody frightening as all hell!

Katherine Villyard villyard at gmail.com
Tue Aug 7 12:12:31 EDT 2012


On Tue, Aug 7, 2012 at 11:17 AM, Michael H. Warfield <mhw at wittsend.com> wrote:
> I'm sure a number of us are already aware of this incident.  It was even
> mentioned at last night's AUUG meeting about a reporter getting hacked
> and wiped back to the stone age.  Here's his report up on Wired from
> yesterday about what happened to him.  It contains a large number of
> lessons for us all, users and implementers of security systems alike!
> Yeah, this dude should NOT have done a whole LOT of things but...
> Amazon and Apple deserve fellowship positions in the halls of shame and
> stupidity for their systems.  As Shakespeare once wrote "he is the idol
> of idiot worshipers!"  Apple and Amazon BOTH hereby qualify.
>
> http://www.wired.com/gadgetlab/2012/08/apple-amazon-mat-honan-hacking/all/

Yeah, I've been following this, too.  My favorite quote was actually:

"Had I used two-factor authentication for my Google account, it’s
possible that none of this would have happened."

Every time a friend gets compromised I tell them to turn on two-factor
authentication.

> --
> And it’s also worth noting that one wouldn’t have to call Amazon to pull
> this off. Your pizza guy could do the same thing, for example. If you
> have an AppleID, every time you call Pizza Hut, you’re giving the
> 16-year-old on the other end of the line all he needs to take over your
> entire digital life.
> --
>
> Basically...  If you know the last 4 digits of the credit card number on
> the account (printed on every credit card receipt you throw out) and the
> billing address, you can own a person's Apple account...  Sigh...

FAIL.

How much damage they could do depends heavily on how tied in you are
to the Apple ecosystem.  Can they buy a lot of music? buy themselves a
new Macbook?  buy twelve new Macbooks for resale?  Since this guy had
iCloud, Find My iPhone, Find My Mac, etc., they could wipe all his
devices remotely, too.

> As FOR Amazon...  This is just incredibly lame!
>
> --
> First you call Amazon and tell them you are the account holder, and want
> to add a credit card number to the account. All you need is the name on
> the account, an associated e-mail address, and the billing address.
> Amazon then allows you to input a new credit card. (Wired used a bogus
> credit card number from a website that generates fake card numbers that
> conform with the industry’s published self-check algorithm.) Then you
> hang up.
>
> Next you call back, and tell Amazon that you’ve lost access to your
> account. Upon providing a name, billing address, and the new credit card
> number you gave the company on the prior call, Amazon will allow you to
> add a new e-mail address to the account. From here, you go to the Amazon
> website, and send a password reset to the new e-mail account. This
> allows you to see all the credit cards on file for the account — not the
> complete numbers, just the last four digits. But, as we know, Apple only
> needs those last four digits. We asked Amazon to comment on its security
> policy, but didn’t have anything to share by press time.
> --

FAIL.

Amazon lets you use the stored credit cards on file without a lot of
hassle (which, admittedly, is the point of having a credit card on
file).  I think the only thing that keeps this from being worse is
that they ask you to verify your credit card information if you're
sending merchandise to a new address.

That doesn't help people with Apple accounts, though.

> Really???  Yes the author was stupid in what he did.  But this just
> blows my mind on the part of those two companies!

Yeah.

Katherine