
(Gizmodo)   If you use the same credit card on Apple and either Paypal or Amazon, anyone can get into your accounts with a phone call, which can then be used to access a gmail account. Sleep tight   (gizmodo.com)

6426 clicks; posted to Geek on 07 Aug 2012 at 5:02 AM



78 Comments

Archived thread
 
2012-08-06 09:17:25 PM  
Well darn, I just miss out on all the fun by not having an iTunes account.
 
2012-08-06 09:34:36 PM  
Perhaps more disturbing is how aware Apple's tech support is of this:

Apple tech support confirmed to me twice over the weekend that all you need to access someone's AppleID is the associated email address, a credit card number, the billing address, and the last four digits of a credit card on file. I was very clear about this. During my second tech support call to AppleCare, the representative confirmed this to me. "That's really all you have to have to verify something with us," he said.


This seems to be gross negligence at best, and farking lawsuit-worthy at the worst. I'm assuming Apple doesn't think anything can go wrong because you have to pony up a new credit card number for the account, but they don't seem to check the billing address of the new card against the old billing address. Craptacular fail.
 
2012-08-06 09:46:12 PM  
And to top it all off, you can't delete the credit card info from your account. I know. I just tried.
 
2012-08-06 09:52:40 PM  
eh, they can only get in your Apple account (how's that iCloud looking now?). They can only recover your gmail account if the Apple .me account is the recovery email. There are lots of little things that are missing from this article. The way the headline is written it looks like the "hacker" could get your Apple, Amazon and Paypal accounts but that isn't true.

A lot of it is FUD, but there is a kernel (heh) of truth and you /should/ be worried. Remember Apple is trying to get in the payments game, and they are not only clueless but willfully clueless about risk mitigation. Is this the company that you are going to entrust your financial data to?
 
2012-08-07 12:03:45 AM  
 
2012-08-07 12:39:40 AM  
faildesk.net
 
2012-08-07 02:00:10 AM  
credit card on Apple

I'm good, thanks.
 
2012-08-07 02:34:50 AM  
Reading this (well, the full article at Wired anyway) makes me happy I've been using unique email addresses (across multiple domains) for every service I use for the last 9 years or so. Pretty much prevents this trick right there.

I don't use Gmail, and while I do use iCloud to a degree, I don't have Find My Mac or iPhone turned on for privacy/security reasons, don't use the Me.com email address at all, and so the worst thing they could do is read my address book and my notes and lock me out of my account temporarily.

I also back up my computer almost every day and rotate the backups between multiple drives.

/and they call me paranoid
//That's MISTER Paranoid
 
2012-08-07 03:11:51 AM  
fark MY LIFE
time to get a completely new email address, just for the morons at apple
and amazon
and sigh

kill me now
 
2012-08-07 04:37:54 AM  
wow, that's farked up. Are there actual standards in place regarding security best practise in the tech industry?
 
2012-08-07 05:15:28 AM  
How can someone see the last 4 digits of a credit card of someone else's account on Amazon? I get that it's printed almost everywhere, even on receipts from any standard shop the number is asterisked except for the last 4 digits, but the only place on Amazon I can see to see the last 4 digits is once logged in, which should be secure enough?
 
2012-08-07 05:15:29 AM  

Big Merl: Well darn, I just miss out on all the fun by not having an iTunes account.


thieves don't want your iTunes account either. what with all the Michael Jackson you buy
 
2012-08-07 05:16:53 AM  
the last four digit thing seems to be the problem.

From what I remember (from when receipts actually printed out your whole number), the change to the four digit thing was a legal requirement.

I don't think Amazon is at fault for showing the last four digits (but the hacker shouldn't have been able to get that far). However I don't think anyone should be using address and last four to verify an account. It's like verifying by using an SSN in the states, just asking for trouble.

Don't know what the answers are, but as the writer said, not daisy chaining important accounts is a big start.

after the PSN hack, I had three attempts on my google account. Thankfully I protected that with a different password. Got two factor up now on it. I'm no one special, but losing that account would be bad.
 
2012-08-07 05:18:53 AM  

Slaxl: How can someone see the last 4 digits of a credit card of someone else's account on Amazon? I get that it's printed almost everywhere, even on receipts from any standard shop the number is asterisked except for the last 4 digits, but the only place on Amazon I can see to see the last 4 digits is once logged in, which should be secure enough?


they were able to get access to the Amazon account through knowledge of how Amazon handles both adding new credit cards and then dealing with lost accounts.
 
2012-08-07 05:20:02 AM  
I find the best security is to use a credit card with a low limit online. Even if the fraud detectors don't kick in and make me verify a purchase worst they can do is a few thousand dollars worth of damage before I go to the company and point out the problem.
 
2012-08-07 05:21:02 AM  

Slaxl: How can someone see the last 4 digits of a credit card of someone else's account on Amazon? I get that it's printed almost everywhere, even on receipts from any standard shop the number is asterisked except for the last 4 digits, but the only place on Amazon I can see to see the last 4 digits is once logged in, which should be secure enough?


Sssh... You're supposed to be outraged.

/The hacker also needs to know the answers to your secret questions for the account.
//Article is FUD made to get the sheep screaming bloody murder
 
2012-08-07 05:27:42 AM  

digistil: Slaxl: How can someone see the last 4 digits of a credit card of someone else's account on Amazon? I get that it's printed almost everywhere, even on receipts from any standard shop the number is asterisked except for the last 4 digits, but the only place on Amazon I can see to see the last 4 digits is once logged in, which should be secure enough?

Sssh... You're supposed to be outraged.

/The hacker also needs to know the answers to your secret questions for the account.
//Article is FUD made to get the sheep screaming bloody murder


---From an associated link---

First you call Amazon and tell them you are the account holder, and want to add a credit card number to the account. All you need is the name on the account, an associated e-mail address, and the billing address. Amazon then allows you to input a new credit card. (Wired used a bogus credit card number from a website that generates fake card numbers that conform with the industry's published self-check algorithm.) Then you hang up.

Next you call back, and tell Amazon that you've lost access to your account. Upon providing a name, billing address, and the new credit card number you gave the company on the prior call, Amazon will allow you to add a new e-mail address to the account. From here, you go to the Amazon website, and send a password reset to the new e-mail account. This allows you to see all the credit cards on file for the account - not the complete numbers, just the last four digits. But, as we know, Apple only needs those last four digits. We asked Amazon to comment on its security policy, but didn't have anything to share by press time.


I would be outraged, but it's actually remarkably ingenious. Big companies just need to get together and agree a standard. That standard should be not using the last 4 digits as a security thing since everyone gives them out.
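The "published self-check algorithm" in the quoted Wired passage is the Luhn checksum that payment card numbers carry. The block below is an added example written for this thread, not Wired's generator and not anyone's production code: it validates a number, computes the check digit, and generates a random Luhn-valid number, which is all the generator Wired used needed to do. The point for the policy discussion is that Luhn only catches transcription errors; a number that passes it says nothing about whether an issuer ever assigned it, so a merchant that stores a card on the strength of that check alone has verified nothing. The sample numbers in the test are standard Luhn test values, not real cards.

```python
"""Luhn checksum: why a 'card number that passes the check' proves nothing.

Added example for this thread, not code from Wired, Amazon or Apple.
The Luhn algorithm is the public self-check on payment card numbers; it
detects typos, it does not establish that a card exists or is authorised.
"""
import secrets


def luhn_checksum(digits: str) -> int:
    """Return the Luhn sum mod 10 of a digit string (0 means valid)."""
    total = 0
    # Walk from the rightmost digit; double every second digit and
    # subtract 9 from any doubled value above 9 (same as summing its digits).
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10


def luhn_valid(number: str) -> bool:
    """True if the (optionally space-separated) number passes Luhn."""
    s = number.replace(" ", "")
    return s.isdigit() and len(s) >= 2 and luhn_checksum(s) == 0


def luhn_check_digit(payload: str) -> str:
    """Compute the digit that makes payload + digit Luhn-valid."""
    # Appending a placeholder '0' shifts positions exactly as the real
    # check digit will, so the needed digit is what brings the sum to 0.
    return str((10 - luhn_checksum(payload + "0")) % 10)


def make_bogus_number(prefix: str = "4", length: int = 16) -> str:
    """Generate a random Luhn-valid number.

    Hypothetical output: it is not a real card and no issuer knows it,
    which is exactly why 'passes the checksum' is not a credential.
    """
    body_len = length - len(prefix) - 1
    body = "".join(str(secrets.randbelow(10)) for _ in range(body_len))
    payload = prefix + body
    return payload + luhn_check_digit(payload)
```

Any merchant that wants to know whether a card is real has to ask the issuer (an authorisation, even for zero or a nominal amount); running Luhn locally is the same check the attacker's generator already satisfied.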
 
2012-08-07 05:35:11 AM  
"max out every single active card, financially devastating the user"

No they can't, you idiot. The card companies will place holds on the accounts and will not make the legitimate account holder liable for fraudulent charges.
 
2012-08-07 05:35:57 AM  
All companies have stupid security policies, yet people hate it when you enforce any sort of security on them.

Example:

In order to gain access to an ATT wireless account, normally you have to verify the account holder's name and the last four of the account holder's SSN. But on a multi-line account, you can also get access by having the agent call the account holder on their phone and asking them for access. The agent will not ask the account holder for their SSN when they call them, only if they are the account holder. So if you steal two phones from people on the same account, you can have you and an accomplice call in and gain access to the account as long as you know the account holder's name. The only way to stop this is to add a passcode to the account, which few people do.
 
2012-08-07 05:47:26 AM  

Slaxl: How can someone see the last 4 digits of a credit card of someone else's account on Amazon? I get that it's printed almost everywhere, even on receipts from any standard shop the number is asterisked except for the last 4 digits, but the only place on Amazon I can see to see the last 4 digits is once logged in, which should be secure enough?


The Wired story explains it.

First - Get the email address of the person.
Next - Hope they have an Amazon account
Then - Call Amazon, and add a new fake credit card to the account over the phone (No security questions to add a card)
Then - Call Amazon again, use credit card from above to verify you are the account holder, and add an email address to the Amazon account
Then - Reset the password, and have the reset link sent to the new email address you had them add to the account
Then log into the account, where you can view the last 4 digits of any cards on file.
 
2012-08-07 05:57:14 AM  

ShawnDoc: Slaxl: How can someone see the last 4 digits of a credit card of someone else's account on Amazon? I get that it's printed almost everywhere, even on receipts from any standard shop the number is asterisked except for the last 4 digits, but the only place on Amazon I can see to see the last 4 digits is once logged in, which should be secure enough?

The Wired story explains it.

First - Get the email address of the person.
Next - Hope they have an Amazon account
Then - Call Amazon, and add a new fake credit card to the account over the phone (No security questions to add a card)
Then - Call Amazon again, use credit card from above to verify you are the account holder, and add an email address to the Amazon account
Then - Reset the password, and have the reset link sent to the new email address you had them add to the account
Then log into the account, where you can view the last 4 digits of any cards on file.


I read yesterday (can't find the link) that Honan (the victim in this case) neglected to ever use a security question on any of his accounts. And that's why they were never asked. It's the first time I've heard of someone being too lazy to include even one security question, when offered.
 
2012-08-07 06:03:00 AM  

digistil: Slaxl: How can someone see the last 4 digits of a credit card of someone else's account on Amazon? I get that it's printed almost everywhere, even on receipts from any standard shop the number is asterisked except for the last 4 digits, but the only place on Amazon I can see to see the last 4 digits is once logged in, which should be secure enough?

Sssh... You're supposed to be outraged.

/The hacker also needs to know the answers to your secret questions for the account.
//Article is FUD made to get the sheep screaming bloody murder


So tell us your @me / itunes account email, nothing to lose right?

Did you even read the article, or are you just reverse-FUD out of habit?

You sound like a Developer.
 
2012-08-07 06:06:07 AM  

digistil: ShawnDoc: Slaxl: How can someone see the last 4 digits of a credit card of someone else's account on Amazon? I get that it's printed almost everywhere, even on receipts from any standard shop the number is asterisked except for the last 4 digits, but the only place on Amazon I can see to see the last 4 digits is once logged in, which should be secure enough?

The Wired story explains it.

First - Get the email address of the person.
Next - Hope they have an Amazon account
Then - Call Amazon, and add a new fake credit card to the account over the phone (No security questions to add a card)
Then - Call Amazon again, use credit card from above to verify you are the account holder, and add an email address to the Amazon account
Then - Reset the password, and have the reset link sent to the new email address you had them add to the account
Then log into the account, where you can view the last 4 digits of any cards on file.

I read yesterday (can't find the link) that Honan (the victim in this case) neglected to ever use a security question on any of his accounts. And that's why they were never asked. It's the first time I've heard of someone being too lazy to include even one security question, when offered.


We analyzed "secret questions" at work. 1/5 of them were "favorite color/blue" Next up was "favorite food/pizza" .. Secret questions are hokey, either you make them so generic as to be easily guessable, or you make them so obscure that the user forgets, then uses the alt means to reset the account which typically involves an email.

The real way out of these daisy-chained exposures is not to daisy-chain accounts, but that also takes some planning, as they do tend to creep from "throwaway" to "vital in every day life" over time.
 
2012-08-07 06:09:51 AM  

Generation_D: digistil: Slaxl: How can someone see the last 4 digits of a credit card of someone else's account on Amazon? I get that it's printed almost everywhere, even on receipts from any standard shop the number is asterisked except for the last 4 digits, but the only place on Amazon I can see to see the last 4 digits is once logged in, which should be secure enough?

Sssh... You're supposed to be outraged.

/The hacker also needs to know the answers to your secret questions for the account.
//Article is FUD made to get the sheep screaming bloody murder

So tell us your @me / itunes account email, nothing to lose right?

Did you even read the article, or are you just reverse-FUD out of habit?

You sound like a Developer.


I use Google, thanks for playing though.

Also, I'm not saying Apple/Amazon/Google aren't to blame, but this is a case of "If someone wants to get you badly enough, they will find a way."

/read a dozen articles on this since Mat's first tweet on the subject.
//Mat's a moron.
 
2012-08-07 06:23:49 AM  
The reason Honan's security system broke down was because he had too many lapses in his system, and he made himself too public a target. Had he, at any point, employed stronger security settings for his email or his services, he wouldn't have been so vulnerable.

And, being Gizmodo, they've got to analyze the thing to death and be butthurt about anything Apple did wrong. When they're not fellating Apple at Giz, they're whining about them.

The problem is that Honan's not so different from the rest of us in that he was using poor security measures. He never believed anything would happen to him, and he ignored the advice of using a password manager, a secret email account, different passwords, and so forth. Hackers know how to exploit systems, and if you have enough points in common between accounts, they can nail you if you're not careful. Especially if you're a writer for a tech blog who puts the information out there to get them started.
 
2012-08-07 06:27:15 AM  

digistil: Generation_D: digistil: Slaxl: How can someone see the last 4 digits of a credit card of someone else's account on Amazon? I get that it's printed almost everywhere, even on receipts from any standard shop the number is asterisked except for the last 4 digits, but the only place on Amazon I can see to see the last 4 digits is once logged in, which should be secure enough?

Sssh... You're supposed to be outraged.

/The hacker also needs to know the answers to your secret questions for the account.
//Article is FUD made to get the sheep screaming bloody murder

So tell us your @me / itunes account email, nothing to lose right?

Did you even read the article, or are you just reverse-FUD out of habit?

You sound like a Developer.

I use Google, thanks for playing though.

Also, I'm not saying Apple/Amazon/Google aren't to blame, but this is a case of "If someone wants to get you badly enough, they will find a way."

/read a dozen articles on this since Mat's first tweet on the subject.
//Mat's a moron.


No doubt, but 90% of the public is a moron right there with him.

I wish all companies were required by law to support a "delete me completely" feature. So if you ever thought you were in need of a reset, due to years worth of cruft/creep/reuse of common tokens like email accounts, companies like facebook, apple, gmail, amazon would be actually required to, you know, delete the account.

Not hoard data forever and then act like it's all there in the privacy policy.

Last four digits is considered public info, so's email address. If you trust google enough to give them 2-factor, that's another story, but it seems like none of the choices here -- except always using throwaway accounts *per merchant* and unique reset-token-password-question items *per merchant* -- is the way to go. And that requires a big brain, a very limited on-line life, or a password store/wallet.

Which then just moved the problem around.
 
2012-08-07 06:30:00 AM  
also, your secret question is guessable, or it's too obscure for you to remember. Fact. And google's 2-factor has its own issues, not least of which is giving google access to your phone number.
 
2012-08-07 06:33:49 AM  

ShawnDoc:
Then - Call Amazon, and add a new fake credit card to the account over the phone (No security questions to add a card)
Then - Call Amazon again, use credit card from above to verify you are the account holder, and add an email address to the Amazon account


It's pathetic that this bit here works at all. Modifying an account without credentials (especially when the newly added bit IS apparently considered a credential), not trying the credit card to see if it's valid, and allowing an unused/unverified and likely hours (minutes?) old piece of data to rewrite the email address for the account is just a wonderful perfect storm of farking dumb.

Oh and Apple sucks too on their end apparently. But Jesus Christ Amazon, what the heck are you guys thinking?
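The phone flow ShawnDoc lays out above, and the three defects Bedurndurn names (an account change made with no credential, a card that is never checked with the issuer, and minutes-old unverified data then accepted as proof of ownership), are easiest to see as a policy model. The following is an added example written for this thread, not Amazon's code: the account fields, the two "support desk" classes, the sample customer and the card numbers are all constructed for illustration, and the lenient policy is reconstructed only from the steps described in the thread. The same attacker calls both desks knowing nothing but name, e-mail and billing address.

```python
"""Toy model of the support-desk recovery flow described in the thread.

Added example for this thread; not Amazon's code. The policies below are
reconstructed from the quoted steps, and every name, address and card
number is constructed sample data.
"""
from dataclasses import dataclass, field


@dataclass
class Card:
    number: str
    verified: bool = False      # authorised with the issuer?
    added_by: str = "web"       # "web" (customer logged in) or "support" (phone)


@dataclass
class Account:
    name: str
    billing_address: str
    emails: dict = field(default_factory=dict)   # address -> verified flag
    cards: list = field(default_factory=list)
    password: str = "s3cret"


class LenientSupportDesk:
    """Policy as described in the thread: each call is checked in isolation."""

    def add_card(self, acct, name, email, billing, card_number):
        # Knowledge of public facts is enough to change the account.
        if (name, billing) == (acct.name, acct.billing_address) and email in acct.emails:
            acct.cards.append(Card(card_number, verified=False, added_by="support"))
            return True
        return False

    def add_email(self, acct, name, billing, card_number, new_email):
        # Any card on file counts as proof, including the one added a minute ago.
        known = {c.number for c in acct.cards}
        if (name, billing) == (acct.name, acct.billing_address) and card_number in known:
            acct.emails[new_email] = True   # treated as verified immediately
            return True
        return False

    def reset_password(self, acct, email, new_password):
        if acct.emails.get(email):          # only verified addresses get resets
            acct.password = new_password
            return True
        return False


class StrictSupportDesk(LenientSupportDesk):
    """Hardened policy: data that has not been verified is never a credential."""

    def add_card(self, acct, name, email, billing, card_number, issuer_ok=False):
        # A card the issuer did not authorise is not stored at all.
        if not issuer_ok:
            return False
        if (name, billing) == (acct.name, acct.billing_address) and email in acct.emails:
            acct.cards.append(Card(card_number, verified=True, added_by="support"))
            return True
        return False

    def add_email(self, acct, name, billing, card_number, new_email):
        # Only cards the customer added while logged in and that the issuer
        # authorised prove ownership; a new address is stored unverified until
        # the customer confirms it from an address already on the account.
        proof = {c.number for c in acct.cards if c.verified and c.added_by == "web"}
        if (name, billing) == (acct.name, acct.billing_address) and card_number in proof:
            acct.emails[new_email] = False
            return True
        return False


def last_four(acct, password):
    """What a logged-in user sees on the payment page, or None if not logged in."""
    if password != acct.password:
        return None
    return [c.number[-4:] for c in acct.cards]


def run_attack(desk):
    """Replay the phone attack; return what the attacker can read afterwards."""
    victim = Account("M. Victim", "1 Example St", {"victim@example.com": True})
    victim.cards.append(Card("4111111111111111", verified=True, added_by="web"))
    bogus = "4539148803436467"   # Luhn-valid but never authorised (constructed)
    desk.add_card(victim, "M. Victim", "victim@example.com", "1 Example St", bogus)
    desk.add_email(victim, "M. Victim", "1 Example St", bogus, "attacker@example.net")
    desk.reset_password(victim, "attacker@example.net", "pwned")
    return last_four(victim, "pwned")
```

run_attack returns what the attacker ends up seeing: under the lenient desk, the last four digits of every card on file (the input Apple's process then accepts); under the strict desk, nothing. The strict desk still serves the legitimate customer, because a card they added while logged in and that the issuer authorised remains usable as proof, and a new address is kept but not trusted until it is confirmed.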
 
2012-08-07 06:39:20 AM  

thisone: after the PSN hack, I had three attempts on my google account. Thankfully I protected that with a different password. Got two factor up now on it. I'm no one special, but losing that account would be bad.


I set up two-factor on my Gmail last week after I suddenly got a "password recovery" e-mail sent to an alternate address.

Generation_D: also, your secret question is guessable, or its too obscure for you to remember. Fact.


Not necessarily. One trick is to take a standard question ("What state were you born in?") and use an answer that doesn't match the question ("Japan"). The absurdity makes it both easier for you to remember, and harder for others to guess.
 
2012-08-07 06:40:25 AM  

Bedurndurn: ShawnDoc:
Then - Call Amazon, and add a new fake credit card to the account over the phone (No security questions to add a card)
Then - Call Amazon again, use credit card from above to verify you are the account holder, and add an email address to the Amazon account

It's pathetic that this bit here works at all. Modifying an account without credentials (especially when the newly added bit IS apparently considered a credential), not trying the credit card to see if it's valid, and allowing an unused/unverified and likely hours (minutes?) old piece of data to rewrite the email address for the account is just a wonderful perfect storm of farking dumb.

Oh and Apple sucks too on their end apparently. But Jesus Christ Amazon, what the heck are you guys thinking?


Gaping security flaw created by ease-of-use + "we're infallible." Unless it's a legal mandate, the company will probably shine this off as dumb customer trick rather than anything wrong with them.

I want a "delete me completely" feature. Let me choose if I want that permanent relationship with you to continue forever, Large Online Retailer.
 
2012-08-07 06:43:14 AM  

Cybernetic: thisone: after the PSN hack, I had three attempts on my google account. Thankfully I protected that with a different password. Got two factor up now on it. I'm no one special, but losing that account would be bad.

I set up two-factor on my Gmail last week after I suddenly got a "password recovery" e-mail sent to an alternate address.

Generation_D: also, your secret question is guessable, or its too obscure for you to remember. Fact.

Not necessarily. One trick is to take a standard question ("What state were you born in?") and use an answer that doesn't match the question ("Japan"). The absurdity makes it both easier for you to remember, and harder for others to guess.


Which works as long as you remember the trick. It still puts your entire security identity wrapped up in a word that could be lying around anywhere, that you had better never have told anyone or never had thefted/key-logged/stolen from a lesser site/somehow left lying around cause there was no legal mandate to protect "Secret Question" as "sensitive data."

After years of "Favorite color/Japan" you just did the same thing as used the same password for years without changing, which is pretty much agreed is a bad idea.

If you reuse "favorite color/japan" numerous places, sooner or later some idiot site like Gizmodo lets it be stolen, bad guys associate it with your email, they build up a profile and off they go.
 
2012-08-07 07:00:09 AM  

Generation_D: And google's 2-factor has its own issues, not least of which is giving google access to your phone number.


For most people, that's not an issue. In fact, having the number on your account as a recovery method might be a good idea for a lot of people. I talk to people every day who have lost access to their google account because they don't know or never set up a recovery method for the account.

On a related note, it's sick that of all my accounts, my WoW account is probably the most secure because you can buy a hardware security token generator and attach it to the account. Why doesn't my bank offer this? I would pay for it!
 
2012-08-07 07:13:46 AM  

adenosine: Generation_D: And google's 2-factor has its own issues, not least of which is giving google access to your phone number.

For most people, that's not an issue. In fact, having the number on your account as a recovery method might be a good idea for a lot of people. I talk to people every day who have lost access to their google account because they don't know or never set up a recovery method for the account.

On a related note, it's sick that of all my accounts, my WoW account is probably the most secure because you can buy a hardware security token generator and attach it to the account. Why doesn't my bank offer this? I would pay for it!


poke them about it, though it may also be helpful if the states (assuming here) upgraded to using the chip and pin system. It's not infallible by any means, just one bit harder.

Barclays, and others (I know Barclays specifically) provide authentication devices to their customers. You must have the device and your card in order to access online banking
 
2012-08-07 07:24:17 AM  
Article: "Something bad happened to this guy. Here's what happened, and here are step-by-step instructions on how to do it."

Seems like responsible journalism to me. What could possibly go wrong?
 
2012-08-07 07:26:01 AM  

Farktologist: Article: "Something bad happened to this guy. Here's what happened, and here are step-by-step instructions on how to do it."

Seems like responsible journalism to me. What could possibly go wrong?


Apple might change their policy on requiring the easiest 4 digits to obtain and Amazon might make it less easy for strangers to get that level of access to someone's account? Given that these companies have been aware for a while and done nothing I think the best thing to do is publicise it so they are forced to make amendments to their sheet.
 
2012-08-07 07:27:15 AM  
Is my ten digit alphanumeric and symbol password not secure anymore?

Also, I try not to store credit card data when possible.
 
2012-08-07 07:31:03 AM  
why would someone hack your iTunes account? so they can download iTunes format songs instead of MP4? told ya they were better quality.
 
2012-08-07 07:38:20 AM  

wallywam1: "max out every single active card, financially devastating the user"

No they can't, you idiot. The card companies will place holds on the accounts and will not make the legitimate account holder liable for fraudulent charges.


That statement jumped out at me as well. It would be a major inconvenience but certainly not "financially devastating".
 
ZAZ [TotalFark]
2012-08-07 07:43:27 AM  
What I hope happens with these customer service aided destructive acts -- Apple, Yahoo, Flickr, etc. -- is the legal system says the company can be sued in a real court even though their TOS says "we can steal from you and your only recourse is binding arbitration in a court located in the bottom of the Mariana Trench." For example, call the act a tort or fraud, anything to get around the arbitration clauses Congress loves so much.
 
2012-08-07 08:10:13 AM  
Virtual CC account numbers FTW. Every new entity I order from online gets a different CC#. They all get billed to the same account, but there's just a 1 in 10,000 chance that the last four digits of any two given accounts will match.
 
2012-08-07 08:19:39 AM  

SJKebab: wow, that's farked up. Are there actual standards in place regarding security best practise in the tech industry?


Standards? Sure. In place? LOL.
 
2012-08-07 08:27:59 AM  

digistil: read a dozen articles on this since Mat's first tweet on the subject.


Yet you can't link to even one of them?

If you're going to call people sheep and claim the whole thing is blown way out of proportion, do you think maybe you should try defending your claims at least a little bit so you don't just come off like a self-important jackass?

I see two articles in front of me that strongly suggest Apple and Amazon do stupid things that open up vulnerabilities in their customer accounts. I see nothing from you so far that refutes anything in those two articles even though you keep acting like they're all wrong and overblown.
 
2012-08-07 08:34:12 AM  
While there is a real issue here, there is also a lot of fearmongering:

To break that into a more digestible flow chart: Amazon or PayPal cough up the last four digits of your credit card. That gets you into an Apple account, and the .Me email account associated with it. That email account can be used to recover a Gmail account, and from there, you can probably access anything you want. It's really pretty terrifying.

So your Gmail can only be hacked with this flaw if you use a .Me e-mail account to recover your Gmail.

We did not originally correctly note the scope of Wired's confirmation on Amazon's end. It was able to, on multiple occasions, not only access the last four digits of an account's credit cards with very limited, widely available information, but the account as a whole. This means a troll could max out every single active card, financially devastating the user. You could not ship to a new address, since that requires the full card number to be re-entered, but that is still deeply chilling to think about.

So all the hacker could do is ship stuff to you.
 
2012-08-07 08:56:34 AM  

Lsherm: Perhaps more disturbing is how aware Apple's tech support is of this:

Apple tech support confirmed to me twice over the weekend that all you need to access someone's AppleID is the associated email address, a credit card number, the billing address, and the last four digits of a credit card on file. I was very clear about this. During my second tech support call to AppleCare, the representative confirmed this to me. "That's really all you have to have to verify something with us," he said.

This seems to be gross negligence at best, and farking lawsuit-worthy at the worst. I'm assuming Apple doesn't think anything can go wrong because you have to pony up a new credit card number for the account, but they don't seem to check the billing address of the new card against the old billing address. Craptacular fail.


It's Apple saying "we're Apple and we're right, so everyone else has to change"

But nobody can defend this but it will be fun to read their moronic defenses.
 
2012-08-07 09:00:03 AM  

adenosine: All companies have stupid security policies, yet people hate it when you enforce any sort of security on them.

Example:

In order to gain access to an ATT wireless account, normally you have to verify the account holder's name and the last four of the account holder's SSN. But on a multi-line account, you can also get access by having the agent call the account holder on their phone and asking them for access. The agent will not ask the account holder for their SSN when they call them, only if they are the account holder. So if you steal two phones from people on the same account, you can have you and an accomplice call in and gain access to the account as long as you know the account holder's name. The only way to stop this is to add a passcode to the account, which few people do.


I work for ATT and it doesn't matter who calls in, even if it is an agent or the pope, you still have to ask for the last four of the social, and note who you spoke to, their ID, and how they verified the account.

If you call the account holder and ask them for access, you will ask for the social or passcode. If you are suspicious you generate a random number, send it to the account holder's cell and have them repeat it back to you.
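The "generate a random number, send it to the account holder's cell and have them repeat it back" step in the post above is an out-of-band one-time code, and it is the one check in this thread that an attacker holding only public facts (name, address, last four) cannot satisfy. The block below is an added example for this thread, not AT&T's code; send_sms is a stand-in callback (an assumption) for whatever actually delivers the text, and the code length, lifetime and attempt limit are illustrative values. The details that matter for a phone-support desk are in the comments: the code comes from a CSPRNG, expires, is single use, is compared in constant time, and gets a bounded number of tries.

```python
"""One-time code sent out of band, as in the AT&T post above.

Added example for this thread; not AT&T's code. send_sms is a stand-in
callback (assumption) for the real SMS gateway, and the constants are
illustrative choices, not anyone's published policy.
"""
import hmac
import secrets
import time

CODE_DIGITS = 6
TTL_SECONDS = 300
MAX_ATTEMPTS = 3


class OneTimeCodeVerifier:
    def __init__(self, send_sms, clock=time.time):
        self._send = send_sms        # callable(phone, text); assumed gateway
        self._clock = clock          # injectable so expiry can be tested
        self._pending = {}           # phone -> (code, expires_at, attempts_left)

    def challenge(self, phone: str) -> None:
        """Issue a fresh code to the number already on file (never a number the caller supplies)."""
        # secrets, not random: the code must be unpredictable to the caller.
        code = f"{secrets.randbelow(10 ** CODE_DIGITS):0{CODE_DIGITS}d}"
        self._pending[phone] = (code, self._clock() + TTL_SECONDS, MAX_ATTEMPTS)
        self._send(phone, f"Your verification code is {code}")

    def verify(self, phone: str, claimed: str) -> bool:
        """True once, for the right code, within its lifetime and attempt budget."""
        entry = self._pending.get(phone)
        if entry is None:
            return False
        code, expires_at, attempts_left = entry
        if self._clock() > expires_at or attempts_left <= 0:
            self._pending.pop(phone, None)     # stale or exhausted: discard it
            return False
        # Constant-time compare so response timing does not leak matching prefixes.
        if hmac.compare_digest(code.encode(), claimed.encode()):
            self._pending.pop(phone, None)     # single use
            return True
        self._pending[phone] = (code, expires_at, attempts_left - 1)
        return False
```

The agent's workflow is then: look up the number already stored on the account, call challenge() for it, and accept the caller only if verify() returns True. Sending the code to a number the caller reads out over the phone would reduce this to the same knowledge-based check the thread is complaining about.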
 
2012-08-07 09:00:26 AM  

Vegan Meat Popsicle: digistil: read a dozen articles on this since Mat's first tweet on the subject.

Yet you can't link to even one of them?

If you're going to call people sheep and claim the whole thing is blown way out of proportion, do you think maybe you should try defending your claims at least a little bit so you don't just come off like a self-important jackass?

I see two articles in front of me that strongly suggest Apple and Amazon do stupid things that open up vulnerabilities in their customer accounts. I see nothing from you so far that refutes anything in those two articles even though you keep acting like they're all wrong and overblown.


Actually it's Apple being stupid, since almost every business that takes credit cards shows the last 4 digits on a receipt after transactions are run through.

If Apple knows about this then they should have fixed it a long time ago by having people choose new 4 digit access codes. But then that would be admitting they farked up and they can't have that.
 
2012-08-07 09:03:52 AM  

thornhill: While there is a real issue here, there is also a lot of fearmongering:


Actually, there's two issues: The less serious one is that companies like Amazon shouldn't be giving out any part of a person's card number. I know they do it for convenience, but it's just an unnecessary risk. Make the lazy ass waddle to his wallet and type it in if he needs to know which number is on the account.

The more serious problem here is that Apple has an amazingly stupid way of identifying people. You don't really need to go through all that trouble. Think about how many people a typical credit card is handed to in the course of its life. It wouldn't take a genius to take the last four and the name down, send a few emails to some guessed addresses to figure out if the person has a .me account and then take it and use it to buy stuff off iTunes until it gets caught. Not to mention it could be used to wreak havoc on a specific target for revenge. If you already have some level of access to the person, you could steal their account and wipe all their shiat from it just to be destructive.

It's not exactly the biggest problem in the world of security and fraud, but considering how intensely brainless Apple's identification process is, it's one that should never have existed to begin with.
 
2012-08-07 09:12:28 AM  

adenosine: All companies have stupid security policies, yet people hate it when you enforce any sort of security on them.

Example:

In order to gain access to an ATT wireless account, normally you have to verify the account holder's name and the last four of the account holder's SSN. But on a multi-line account, you can also get access by having the agent call the account holder on their phone and asking them for access. The agent will not ask the account holder for their SSN when they call them, only if they are the account holder. So if you steal two phones from people on the same account, you and an accomplice can call in and gain access to the account as long as you know the account holder's name. The only way to stop this is to add a passcode to the account, which few people do.


Bullsh*t. To change any Telecom feature you have to verify you are an authorized user on the account; calling up and saying you are Joe Brown does not give you access to his account.

It's a federal law after they deregulated the phone industry; if someone did this to you then they farked up and are open to lawsuits.
 
2012-08-07 09:14:06 AM  
BWAHAHAHAHAAAAAA this is why storing everything in a cloud is DUMB. This is also why being interconnected to every blinking machine on the planet every second is dumb. Can't wait for the CDN spoofing to put the nail in the coffin on this whole buzzword shiat. Why on earth you would store personal info on a device that can be lost is beyond me. Fools and their money....
 
2012-08-07 09:17:43 AM  

Generation_D: Cybernetic: thisone: after the PSN hack, I had three attempts on my google account. Thankfully I protected that with a different password. Got two factor up now on it. I'm no one special, but losing that account would be bad.

I set up two-factor on my Gmail last week after I suddenly got a "password recovery" e-mail sent to an alternate address.

Generation_D: also, your secret question is guessable, or it's too obscure for you to remember. Fact.

Not necessarily. One trick is to take a standard question ("What state were you born in?") and use an answer that doesn't match the question ("Japan"). The absurdity makes it both easier for you to remember, and harder for others to guess.

Which works as long as you remember the trick. It still puts your entire security identity wrapped up in a word that could be lying around anywhere, that you had better never have told anyone or never had thefted/key-logged/stolen from a lesser site/somehow left lying around, because there was no legal mandate to protect "Secret Question" as "sensitive data."

After years of "Favorite color/Japan" you just did the same thing as using the same password for years without changing it, which is pretty much agreed to be a bad idea.

If you reuse "favorite color/japan" numerous places, sooner or later some idiot site like Gizmodo lets it be stolen, bad guys associate it with your email, they build up a profile and off they go.


Nobody claims that secret questions are some kind of infallible security measure. You stated a false dichotomy: answers are either too easy to guess, or too hard to remember. I pointed out that it is, in fact, a false dichotomy.

If you're looking for perfect security, you will always be disappointed. Go ask an experienced locksmith (who can open any common lock--and many uncommon ones--in a matter of minutes) about the value of locks. It's about difficulty, not infallibility. Security needs to be strong enough to deter all but the most determined--because the most determined will not be deterred by ANY level of security. And as the number of people willing to spend the time and effort to break your security asymptotically approaches zero, the cost to deter those people goes way up.
 