(Gizmodo) If you use the same credit card on Apple and either Paypal or Amazon, anyone can get into your accounts with a phone call, which can then be used to access a gmail account. Sleep tight (gizmodo.com)
    More: Sick, Paypal, Amazon, icloud, gmail account, external drives, security protocol, inaction, phone calls  

6433 clicks; posted to Geek on 07 Aug 2012 at 5:02 AM



Voting Results (Smartest)


Archived thread
2012-08-07 12:39:40 AM  
3 votes:
faildesk.net
2012-08-07 11:00:39 AM  
2 votes:
2012-08-07 09:55:24 AM  
1 vote:

midigod: FTA:Don't use the same credit card on any two accounts. Don't use the same email address for multiple other services.

How many farking credit cards are we supposed to have? Twenty? And won't that make us LESS secure overall?

And I only have two email addresses. Do you Farkers have dozens, one for every site you've ever bought anything from?


I set up an extra address solely as a recovery email address. It's a secret, hard-to-guess email I specifically set up years ago to avoid a situation just like this guy had. It's not connected to any personally identifiable information or credit cards and I delete everything from it as soon as I use it. I read his story on Wired and haven't had to change anything that I do.
2012-08-07 09:35:48 AM  
1 vote:

midigod:
And I only have two email addresses. Do you Farkers have dozens, one for every site you've ever bought anything from?


four, not counting work.

1 is my main,
one is my alt (moving countries made it a biatch to deal with services where you need a different account for a different country, but can't use the same email address),
one is my junk,
one is facebook (which I don't use)
2012-08-07 09:32:16 AM  
1 vote:
FTA:Don't use the same credit card on any two accounts. Don't use the same email address for multiple other services.

How many farking credit cards are we supposed to have? Twenty? And won't that make us LESS secure overall?

And I only have two email addresses. Do you Farkers have dozens, one for every site you've ever bought anything from?
2012-08-07 09:14:06 AM  
1 vote:
BWAHAHAHAHAAAAAA this is why storing everything in a cloud is DUMB. This is also why being interconnected to every blinking machine on the planet every second is dumb. Can't wait for the CDN spoofing to put the nail in the coffin on this whole buzzword shiat. Why on earth you would store personal info on a device that can be lost is beyond me. Fools and their money....
2012-08-07 08:10:13 AM  
1 vote:
Virtual CC account numbers FTW. Every new entity I order from online gets a different CC#. They all get billed to the same account, but there's just a 1 in 10,000 chance that the last four digits of any two given accounts will match.
2012-08-07 07:13:46 AM  
1 vote:

adenosine: Generation_D: And google's 2-factor has its own issues, not least of which is giving google access to your phone number.

For most people, that's not an issue. In fact, having the number on your account as a recovery method might be a good idea for a lot of people. I talk to people every day who have lost access to their google account because they don't know or never set up a recovery method for the account.

On a related note, it's sick that of all my accounts, my WoW account is probably the most secure because you can buy a hardware security token generator and attach it to the account. Why doesn't my bank offer this? I would pay for it!


poke them about it, though it may also be helpful in the states (assuming here) upgraded to using the chip and pin system. It's not infallible by any means, just one bit harder.

Barclays, and others (I know Barclays specifically) provide authentication devices to their customers. You must have the device and your card in order to access online banking.
2012-08-07 06:23:49 AM  
1 vote:
The reason Honan's security system broke down was because he had too many lapses in his system, and he made himself too public a target. Had he, at any point, employed stronger security settings for his email or his services, he wouldn't have been so vulnerable.

And, being Gizmodo, they've got to analyze the thing to death and be butthurt about anything Apple did wrong. When they're not fellating Apple at Giz, they're whining about them.

The problem is that Honan's not so different from the rest of us in that he was using poor security measures. He never believed anything would happen to him, and he ignored the advice of using a password manager, a secret email account, different passwords, and so forth. Hackers know how to exploit systems, and if you have enough points in common between accounts, they can nail you if you're not careful. Especially if you're a writer for a tech blog who puts the information out there to get them started.
2012-08-07 06:09:51 AM  
1 vote:

Generation_D: digistil: Slaxl: How can someone see the last 4 digits of a credit card of someone else's account on Amazon? I get that it's printed almost everywhere, even on receipts from any standard shop the number is asterisked except for the last 4 digits, but the only place on Amazon I can see to see the last 4 digits is once logged in, which should be secure enough?

Sssh... You're supposed to be outraged.

/The hacker also needs to know the answers to your secret questions for the account.
//Article is FUD made to get the sheep screaming bloody murder

So tell us your @me / itunes account email, nothing to lose right?

Did you even read the article, or are you just reverse-FUD out of habit?

You sound like a Developer.


I use Google, thanks for playing though.

Also, I'm not saying Apple/Amazon/Google aren't to blame, but this is a case of "If someone wants to get you badly enough, they will find a way."

/read a dozen articles on this since Mat's first tweet on the subject.
//Mat's a moron.
2012-08-07 06:06:07 AM  
1 vote:

digistil: ShawnDoc: Slaxl: How can someone see the last 4 digits of a credit card of someone else's account on Amazon? I get that it's printed almost everywhere, even on receipts from any standard shop the number is asterisked except for the last 4 digits, but the only place on Amazon I can see to see the last 4 digits is once logged in, which should be secure enough?

The Wired story explains it.

First - Get the email address of the person.
Next - Hope they have an Amazon account
Then - Call Amazon, and add a new fake credit card to the account over the phone (No security questions to add a card)
Then - Call Amazon again, use credit card from above to verify you are the account holder, and add an email address to the Amazon account
Then - Reset the password, and have the reset link sent to the new email address you had them add to the account
Then log into the account, where you can view the last 4 digits of any cards on file.

I read yesterday (can't find the link) that Honan (the victim in this case) neglected to ever use a security question on any of his accounts. And that's why they were never asked. It's the first time I've heard of someone being too lazy to include even one security question, when offered.


We analyzed "secret questions" at work. 1/5 of them were "favorite color/blue". Next up was "favorite food/pizza". Secret questions are hokey; either you make them so generic as to be easily guessable, or you make them so obscure that the user forgets, then uses the alt means to reset the account, which typically involves an email.

The real way out of these daisy-chained exposures is not to daisy-chain accounts, but that also takes some planning, as they do tend to creep from "throwaway" to "vital in everyday life" over time.
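
The daisy-chaining point above can be checked against your own accounts with a small dependency model. This is an added example, not part of any comment in this thread: `shop`, `device_cloud` and `mail` are hypothetical stand-ins whose reset rules are constructed from what commenters here describe, and every fact name is an assumption.

```python
# Added example: recovery-chain audit. The account rules below are constructed
# from what commenters in this thread describe, not from any provider's policy.
from dataclasses import dataclass, field

@dataclass
class Account:
    name: str
    recovery_paths: list   # each path: a set of facts that suffices for a reset
    exposes: set = field(default_factory=set)   # facts readable once inside

def fallen_accounts(accounts, public_facts):
    """Fixpoint: which accounts can be reset starting from public facts alone."""
    known, fallen, changed = set(public_facts), {}, True
    while changed:
        changed = False
        for acct in accounts:
            if acct.name in fallen:
                continue
            path = next((p for p in acct.recovery_paths if p <= known), None)
            if path is not None:
                fallen[acct.name] = sorted(path)   # record which path sufficed
                known |= acct.exposes              # its contents are now known
                changed = True
    return fallen

def profile(shop_card_last4, mail_recovery_inbox):
    """Hypothetical three-account setup; the two parameters are what we vary."""
    return [
        Account("mail", [{mail_recovery_inbox}]),
        Account("device_cloud",
                [{"email_address", "billing_address", "main_card_last4"}],
                exposes={"cloud_inbox"}),
        # Modelled as in the thread: phone support asked no security questions.
        Account("shop", [{"email_address"}], exposes={shop_card_last4}),
    ]

PUBLIC = {"email_address", "billing_address"}   # assumed discoverable

# Daisy-chained: same card everywhere, cloud inbox is the mail recovery address.
chained = fallen_accounts(profile("main_card_last4", "cloud_inbox"), PUBLIC)
# Separated: virtual card number at the shop, dedicated secret recovery inbox.
separated = fallen_accounts(profile("virtual_card_last4", "secret_inbox"), PUBLIC)

if __name__ == "__main__":
    print("chained:  ", chained)
    print("separated:", separated)
```

In the chained profile all three accounts fall in sequence; in the separated profile the shop account still falls, but nothing it exposes satisfies another account's reset rule.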
2012-08-07 05:21:02 AM  
1 vote:

Slaxl: How can someone see the last 4 digits of a credit card of someone else's account on Amazon? I get that it's printed almost everywhere, even on receipts from any standard shop the number is asterisked except for the last 4 digits, but the only place on Amazon I can see to see the last 4 digits is once logged in, which should be secure enough?


Sssh... You're supposed to be outraged.

/The hacker also needs to know the answers to your secret questions for the account.
//Article is FUD made to get the sheep screaming bloody murder
2012-08-07 05:18:53 AM  
1 vote:

Slaxl: How can someone see the last 4 digits of a credit card of someone else's account on Amazon? I get that it's printed almost everywhere, even on receipts from any standard shop the number is asterisked except for the last 4 digits, but the only place on Amazon I can see to see the last 4 digits is once logged in, which should be secure enough?


they were able to get access to the Amazon account through knowledge of how Amazon handles both adding new credit cards and then dealing with lost accounts.
2012-08-07 05:16:53 AM  
1 vote:
the last four digit thing seems to be the problem.

From what I remember (from when receipts actually printed out your whole number), the change to the four digit thing was a legal requirement.

I don't think Amazon is at fault for showing the last four digits (but the hacker shouldn't have been able to get that far). However I don't think anyone should be using address and last four to verify an account. It's like verifying by using an SSN in the states, just asking for trouble.

Don't know what the answers are, but as the writer said, not daisy chaining important accounts is a big start.

after the PSN hack, I had three attempts on my google account. Thankfully I protected that with a different password. Got two factor up now on it. I'm no one special, but losing that account would be bad.
2012-08-07 05:15:28 AM  
1 vote:
How can someone see the last 4 digits of a credit card of someone else's account on Amazon? I get that it's printed almost everywhere, even on receipts from any standard shop the number is asterisked except for the last 4 digits, but the only place on Amazon I can see to see the last 4 digits is once logged in, which should be secure enough?
2012-08-07 04:37:54 AM  
1 vote:
wow, that's farked up. Are there actual standards in place regarding security best practise in the tech industry?
2012-08-07 02:34:50 AM  
1 vote:
Reading this (well, the full article at Wired anyway) makes me happy I've been using unique email addresses (across multiple domains) for every service I use for the last 9 years or so. Pretty much prevents this trick right there.

I don't use Gmail, and while I do use iCloud to a degree, I don't have Find My Mac or iPhone turned on for privacy/security reasons, don't use the Me.com email address at all, and so the worst thing they could do is read my address book and my notes and lock me out of my account temporarily.

I also back up my computer almost every day and rotate the backups between multiple drives.

/and they call me paranoid
//That's MISTER Paranoid
2012-08-07 12:03:45 AM  
1 vote:
2012-08-06 09:52:40 PM  
1 vote:
eh, they can only get in your Apple account (how's that iCloud looking now?). They can only recover your gmail account if the Apple .me account is the recovery email. There are lots of little things that are missing from this article. The way the headline is written it looks like the "hacker" could get your Apple, Amazon and Paypal accounts but that isn't true.

A lot of it is FUD, but there is a kernel (heh) of truth and you /should/ be worried. Remember Apple is trying to get in the payments game, and they are not only clueless but willfully clueless about risk mitigation. Is this the company that you are going to entrust your financial data to?
2012-08-06 09:46:12 PM  
1 vote:
And to top it all off, you can't delete the credit card info from your account. I know. I just tried.
2012-08-06 09:34:36 PM  
1 vote:
Perhaps more disturbing is how aware Apple's tech support is of this:

Apple tech support confirmed to me twice over the weekend that all you need to access someone's AppleID is the associated email address, a credit card number, the billing address, and the last four digits of a credit card on file. I was very clear about this. During my second tech support call to AppleCare, the representative confirmed this to me. "That's really all you have to have to verify something with us," he said.


This seems to be gross negligence at best, and farking lawsuit-worthy at the worst. I'm assuming Apple doesn't think anything can go wrong because you have to pony up a new credit card number for the account, but they don't seem to check the billing address of the new card against the old billing address. Craptacular fail.
2012-08-06 09:17:25 PM  
1 vote:
Well darn, I just miss out on all the fun by not having an iTunes account.
 