

Amazon Quietly Closes Security Hole After Journalist’s Devastating Hack - sciwiz
http://www.wired.com/gadgetlab/2012/08/amazon-changes-policy-wont-add-new-credit-cards-to-accounts-over-the-phone/

======
brudgers
This is the only possible response after the "exploit" was published. Amazon's
process was appropriate for their business, and the problems the journalist
experienced were due solely to the level of security Apple chose to implement
and their decision to allow remote wiping of people's Macbooks.

This is only a story because of Apple's operational decisions. The
information required to game their system could have come from a myriad of
sources other than Amazon.

~~~
Osiris
I disagree that Amazon's processes were 'appropriate'. Being able to gain
access to someone's Amazon account with such basic information can be a big
problem.

I know a guy that's a huge amazon seller and he says there are Amazon sellers
often with upwards of $100,000 in their accounts on Amazon before pulling the
cash out. If someone were able to gain access to a seller account (I'm not
sure if this 'exploit' would have worked for a seller account or not), that
could have been quite financially painful for some people.

~~~
Wingman4l7
Why are they leaving so much in their accounts? Amazon is not a bank, and as
such they're probably not subject to the same regulations. We've already seen
this issue with people leaving too much money in winnings in online poker
accounts, or PayPal accounts.

------
jakeludington
While they have closed the loophole for adding credit cards, you can
apparently still change your email or password via phone:
[http://www.forbes.com/sites/kellyclay/2012/08/07/amazon-tigh...](http://www.forbes.com/sites/kellyclay/2012/08/07/amazon-tightens-security-after-high-profile-hacking-sort-of/)

~~~
nohat
If you can change the email or password by phone, then nothing is solved.
Adding the credit card was, as I understand, simply because Amazon required a
credit card number on the account (possibly last four digits).

------
stephengillie
I would like to see a customer service/tech support org where customers have
to enter their 2-factor PIN at a phone menu before reaching a _human_ support
agent. You could possibly combine that with caller ID for better verification
- basically use phone # like a username and the PIN as password.

Or you could just use them alongside other verification steps.

~~~
LoganCale
What if they've had their mobile phone stolen and can't do 2-factor auth and
that's why they're calling?

~~~
Wingman4l7
Isn't this scenario why Gmail's 2-factor authorization gives you a set of one-
time passwords?
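
The design sketched in this sub-thread (a second-factor code checked by a phone menu before a human agent is reached, with a set of one-time backup codes for the lost-phone case) as an added worked example, not code from the thread or from Amazon, Apple or Google. It assumes a TOTP secret shared with the caller's phone (RFC 6238, HMAC-SHA1, 30-second step), and backup codes that are stored only as salted PBKDF2 hashes and burned on first use; the class and function names, the secret and the codes are illustrative.

```python
"""
Added example: second-factor check a phone menu could run before connecting a
caller to a human agent. Accepts a TOTP code or a pre-issued one-time backup
code. Backup codes are stored hashed (a leaked database does not reveal them)
and consumed on use (a stolen printout works at most once per code).
All names and values are constructed for illustration.
"""
import hashlib
import hmac
import secrets
import struct
import time

STEP_SECONDS = 30


def totp(secret: bytes, at: int, step: int = STEP_SECONDS, digits: int = 6) -> str:
    """RFC 6238 TOTP with HMAC-SHA1 and dynamic truncation (RFC 4226)."""
    counter = at // step
    msg = struct.pack(">Q", counter)
    digest = hmac.new(secret, msg, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def _hash_code(code: str, salt: bytes) -> bytes:
    # Backup codes are short and numeric; a slow hash limits offline guessing
    # if the stored hashes ever leak.
    return hashlib.pbkdf2_hmac("sha256", code.encode(), salt, 100_000)


class SecondFactor:
    """Per-account second-factor state: TOTP secret plus one-time backup codes."""

    def __init__(self, totp_secret: bytes, backup_count: int = 8):
        self.totp_secret = totp_secret
        self.salt = secrets.token_bytes(16)
        self._backup_hashes = set()
        # Shown to the user once at enrolment; only the hashes are retained.
        self.issued_backup_codes = []
        for _ in range(backup_count):
            code = f"{secrets.randbelow(10 ** 8):08d}"
            self.issued_backup_codes.append(code)
            self._backup_hashes.add(_hash_code(code, self.salt))
        self._last_totp_counter = -1  # highest TOTP window already accepted

    def verify(self, code: str, now=None) -> bool:
        """True if `code` is a fresh TOTP for the current window (+/- one step
        of clock skew) or an unused backup code; both paths are single-use."""
        now = int(time.time()) if now is None else now
        for skew in (-1, 0, 1):
            counter = now // STEP_SECONDS + skew
            expected = totp(self.totp_secret, counter * STEP_SECONDS)
            if hmac.compare_digest(expected, code):
                # Replay protection: a window, once accepted, cannot be reused.
                if counter <= self._last_totp_counter:
                    return False
                self._last_totp_counter = counter
                return True
        # Lost-phone path: check against the hashed backup codes and burn a match.
        digest = _hash_code(code, self.salt)
        if digest in self._backup_hashes:
            self._backup_hashes.remove(digest)
            return True
        return False

    def backup_codes_remaining(self) -> int:
        return len(self._backup_hashes)


if __name__ == "__main__":
    # Constructed enrolment: the RFC 6238 test secret, four backup codes.
    account = SecondFactor(b"12345678901234567890", backup_count=4)
    t = int(time.time())
    print("TOTP accepted:", account.verify(totp(account.totp_secret, t), now=t))
    print("same TOTP again:", account.verify(totp(account.totp_secret, t), now=t))
    code = account.issued_backup_codes[0]
    print("backup code accepted:", account.verify(code, now=t))
    print("same backup code again:", account.verify(code, now=t))
    print("backup codes left:", account.backup_codes_remaining())
```

Two points the thread raises are visible in the code: the lost-phone case is handled by the backup-code path rather than by letting an agent bypass the check, and because each accepted TOTP window and each backup code is single-use, a code overheard on the call or read off a stolen printout cannot be replayed. A caller who has lost both the phone and the printed codes still needs a separate, slower recovery path, as the following comments discuss.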

~~~
ianferrel
What if you lose them?

At some point, there has to be a way to get back into your account. Probably,
going through slow and hard to hack methods like the postal system.

~~~
Wingman4l7
Well, continuing to use Gmail as an example, there is an account recovery
system, which IIRC asks for a bunch of details to try and determine if you are
the account owner (account creation date, names of labels used, etc.) If
Google or a third party would provide a list of these details, then you could
collate that info as additional insurance against your posited scenario.

------
davros
Is it possible to prevent a remote wipe by Apple? Or at least so it is only
possible with knowledge of my password? If I lose _both_ my MBA _and_ my
password, I am ok with not being able to remote wipe.

EDIT: OK, I can disable remote wipe entirely by disabling 'find my mac'.

~~~
X-Istence
It is only possible if you know your iCloud username and password.

Now the reason why the attacker was able to remote wipe is because he had the
iCloud username and the newly generated password.

------
larrys
For those not aware, whenever a journalist uses the term "quietly" it equates
to "didn't issue a press release" or post publicly in an announcement.

~~~
arrrg
Yeah, and? What else would it equate to?

Press releases and public announcements are how a company communicates. If a
company changes something without communicating, they changed something
quietly.

I’m not really understanding what point you are trying to make. What is there
to misunderstand about that “quietly”?

