Amazon's customer service backdoor (medium.com/espringe)
1447 points by grapehut on Jan 24, 2016 | hide | past | favorite | 356 comments

Whois is great for social engineering attackers. You get a name, email, address, and the first service to attack.

Meanwhile, the ICANN is working around the clock to make it illegal for us to protect our personal information, and whois protection is becoming an increasingly niche service for registrars.

For example, gandi.net (and thus Amazon) doesn't hide your name when you have it turned on. By the time you find this out, it might occur to you to just type in a different name, but now you're violating ICANN policy. And it's already been scraped by any of those whois history websites.

In the UK this and a lot more is public information. As an example of what is available about me online (without paying a penny) just by searching for my name:

- The year I was born

- The district I was born in (not the exact town, although that wouldn't be hard to guess)

- My mother's maiden name (which is what most banks et al ask as a security question...)

- The areas I've lived (based upon the electoral register, which you can opt out of but supposedly this impacts your credit rating)

- That I am a director of a company

This is just what is available for free - you can get the full records this is extracted from by paying a small fee.

If you know the name of my company (which isn't hard to find out), you can also find for free:

- My full name

- My address

- My date of birth

- Roughly how much I make a year

TL;DR; If you rely on this to 'identify' someone, you are doing it wrong.

>TL;DR; If you rely on this to 'identify' someone, you are doing it wrong.

Which is why the system is set up so that if I go to the bank with this information and take money as you, I have stolen your identity and thus you are the victim and are responsible for the losses unless you fight back. Identity theft was created so financial institutions could be lax with their verification process thanks to the blame being shifted.

In reality, identity theft doesn't exist. In my example I stole from the bank, not you, and you shouldn't at all be involved in the process.

...that's not what identity theft is. It doesn't have to involve stealing from banks, it just happens to be a popular use of it.

It definitely wasn't just "created" either. Pretending to be someone else to gain the benefits of their identity/reputation/privilege has always been around.

>In reality, identity theft doesn't exist. In my example I stole from the bank

you wish https://www.youtube.com/watch?v=CS9ptA3Ya9E

Your remark about opting out of the electoral register is not quite correct.

It is a requirement to register if requested, the fine for failing to do so is £80. However, it is always an option to not appear on the open register. The open register is publicly accessible, and being absent from it will not be detrimental to your credit rating.

>being absent from it will not be detrimental to your credit rating.

But it will make identity checks with banks a little more complicated, normally they use the electoral register to confirm your address

I have always opted out of the open or edited register, and have never had a problem with this.

Seems like your details can still be used for credit checks and fraud prevention (which I imagine covers confirming identities and addresses) even when you opt out[1].

[1] http://www.electoralcommission.org.uk/faq/voting-and-registr...

At least Nominet allows you to opt out of public WHOIS information.

Although they planned to change this if you ran ads on your site:


A related word of warning: Namecheap updated their registration page last year.

Now, when you register a domain it tells you free Whoisguard is included, but it doesn't make it clear that it's disabled by default.

Previously it just worked. Now you have to check another box to turn it on.

This change makes no sense to me. (If you want free Whoisguard, why would you not want it turned on?)

I was white-hot furious* when I discovered that a handful of new domain regs had leaked my contact details, and I began getting the inevitable spam calls and texts.

Worse, they'll happily sell you Whoisguard for domains that don't support it. When you discover it's not usable, they'll give you a refund, then include it again in the next billing cycle.

I switched to Namecheap based on recommendations here, and their previous stance on certain privacy issues, but I'm running out of alternatives.

A happy NameCheap user for years, I have started switching away. Their horrid "modern" 40px padding everywhere bubbly redesign makes GoDaddy look good in comparison. A major pain to manage more than a couple of domains, and numerous user feedback seems to fall on deaf ears, e.g. [1][2][3][4]

Example weird feature: all domains are shown, even ones that you've let expire/sold years ago, and there is no way to hide them.

[1] https://community.namecheap.com/forums/viewtopic.php?f=10&t=...

[2] https://community.namecheap.com/forums/viewtopic.php?f=10&t=...

[3] https://community.namecheap.com/forums/viewtopic.php?f=10&t=...

[4] https://community.namecheap.com/forums/viewtopic.php?f=10&t=...

Another ex-happy Namecheap customer here. Was going through credit card fraud issues back in July. In September out of nowhere get an email from Namecheap support that my July payment for one of the domains did not go through and I owe them $240 for the chargeback. No amount of reasoning got through to them - this is after several years of owning multiple domains with them. Dropped the penalty by $100, but that didn't exactly make it right. As I was considering my options, they locked all of my domains and redirected to parking pages. Had to pay up to get them back. Avoid at all costs.

TL;DR: Credit card was stolen, Namecheap penalized me for that and then blackmailed by locking all domains.

Hey romanhn - did you contact support and try to make it right by reversing the chargeback?

This isn't about blackmail as jewsin writes in the comments, it's about the reputation a business suffers with a chargeback. All you would need to do is reverse the chargeback and the full charge would go away.

Disclosure: I work for Namecheap.

Hi tamar - thanks for reaching out! I was in contact with multiple members of the support team throughout this ordeal. Supposedly they consulted with senior management as well. Business reputation was never mentioned - it was always about paying a fee to the payment processor. At no point was chargeback reversal brought up. To be perfectly honest, I know nothing about chargebacks (this wasn't something I initiated, it was fraud-related) and the idea of a reversal never popped into my head. I may try to bring this up with them again, but I'm not sure how much I can do half a year after the fraud occurrence.

Still, I think my original points stand. I find Namecheap locking out unrelated domains and redirecting traffic unethical and in bad faith of the service provider / customer relationship. Not to mention that the domains continued to point to parking pages even after I paid up.

Hey romanhn - so sorry for this. Can you share your ticket number? I think there was a definite mistake in the process here as that should have been broached and if it requires some updated training for the billing team, I'll put in my recommendation for that.

I'm sorry as well for the parking page situation - my guess is it didn't immediately propagate, but I'd have to investigate further as to why that happened. Usually, it's not about redirecting traffic but just not letting you get into your account. This does not sound like it should have happened at all. I sincerely apologize that this is what you encountered.

p.s. I love how trying to genuinely be helpful has resulted in an onslaught of downvotes. I'm going to assume you helped balance that out with an upvote. So thanks :)

>p.s. I love how trying to genuinely be helpful has resulted in an onslaught of downvotes.

I wish people wouldn't do that. It does appear that Namecheap has behaved very poorly in this case, intentionally or otherwise. Sadly, downvoting a person who works for an organisation has become a proxy for downvoting the organisation itself on HN recently, which doesn't seem constructive, particularly if that person is trying to share relevant information and/or improve the situation.

I did upvote, don't think the downvotes are deserved.

Sent my ticket number via the contact form on the website from your profile. I see that you spearheaded the SOPA membership surge - it's what got me to join in the first place.

Looks like things are working out right now - feel free to keep me posted. You know where to find me now ;)

Wow, I was just about to switch to Namecheap. More people need to hear this. How can a registrar make DNS changes without permission and blackmail?

Please write a blog post about this.

"If you don't pay us, we'll turn it off" isn't blackmail.

But locking all of romanh's domains, so he can't take his business elsewhere, and transferring all of the traffic intended for his systems to somewhere else, does sound a lot like blackmail, not to mention blatant violation of how domain registration is supposed to work.

Also, $240 because of one chargeback, and doing the above while the customer is trying to sort out a fraud issue? Neither of those sounds like normal practice for a responsible domain registrar either.

Obviously there are two sides to every story and we're only seeing one here, but that one does look pretty bad for Namecheap.

Please see my comments above - there are ways around this but it appears that that path was never pursued.

Another Namecheap "gotcha" is they auto-renew any domains you have set up for auto-renewal a full month before you're due for expiration. So if you're thinking of moving away, and trying to decide as the expiration date approaches, make sure to disable auto-renew on those domains while you decide.

It was my understanding that the registration time you have with one registrar carries over with the next registrar. In other words, if your domain is automatically renewed for a year and you move to a different registrar and pay for one year, your domain will be registered for two years.

I must say that I have never verified this myself, mostly because I've never needed it that bad. At least something worth looking into if that problem arises.

Yep, that's exactly what happens: https://duckduckgo.com/?q="domain+transfer"+"remaining+time"

(Can actually confirm that from this month's experience, so it's even freshly verified :)

Not really a gotcha. Some TLDs require that early renewal and one month is how we handle it to avoid any disconnection in service. But yes, if you move away after a domain is renewed (e.g. your domain expires in 2017, most registrars -- but not all -- will add a year to renew in 2018).

(Full disclosure: I work at Namecheap)

But everyone's using a 10" Surface tablet now! We all need that 40px padding for our sausage fingers while tapping our screen at work.

Do you mind sharing where you switched to?

I recommend Gandi. They support almost all the TLDs, their web UI is very decent, their support is excellent and they live up to their "No bullshit" motto. They are also overall good guys, donate to the EFF, took public stances against SOPA and such...

They're a bit more expensive when it comes to domains but we're talking single dollars a year here.

Name.com has been legit for me for about 10 years. Use code PRIVACYPLEASE for free whois privacy (this code has worked for the past ~5 years). I've also used IWantMyName for some TLDs that name.com didn't have and I liked that they had 2FA, but overall it was much less polished.

I've used joker.com for years. The website isn't pretty, but you can actually do many functions via pgp email.

Ah, just Amazon (which uses Gandi under the hood.)

Many pluses: predictable, can be administered using the AWS CLI, consolidated billing with other AWS services. Heck, can even register domains from the CLI.

Only downside as others have pointed out is that Gandi doesn't make it at all easy to hide your name or company contact information.

>Ah, just Amazon

So you are recommending someone switch over privacy concerns from namecheap to Amazon in story about how Amazon is leaking private Customer data.....


I've been using Moniker for ages. I'm always surprised I don't see it recommended more often. They seem very steady and reliable.

What about Google domains?

lpsz - Tamar from Namecheap here. We're working on the padding. It's not that it's falling on deaf ears; it's just that it's taking time for us to implement and QA.

Also, the issue with all domains being shown is a bug. If you have a ticket number regarding this, please let me know and I'll investigate this further because it should be resolved.

Same here - a satisfied Namecheap customer for years, but forced to move my domains away recently. Ironically, what originally brought me there was exactly the huge level of support for Namecheap in HN ranks (well, and a few instances elsewhere.)

But their "redesign" and presumably the backend changes tied to it (or lack of them, whatever the real case is) resulted in the worst experience I've ever had with this kind of service in years, culminating in what was the last straw - one of my domains getting shut down five times in a single month due to bogus "domain contacts verification" procedures, which their support wasn't able to solve from early December to when I finally decided to move away in mid-January (from a short exchange after I moved away I assume it's still broken today as they were apparently "investigating it" even after I was gone. That after having it in some or some other way "fixed" for about three times during the previous support exchanges.) Honestly though during that time my tickets mostly kept bouncing back and forth through customer reps that insisted on politely suggesting things like "to check my spam folder", even though I specifically explained every time that I was in full control of my mail servers and that it is them who don't deliver any kind of verification emails to those servers, so there was really nothing that could even end up in "a spam folder" and that yes, I actually thoroughly checked that, several times over. Yet my requests for them to check their own mail logs because I'm here actually losing access to my domains without being able to do anything about it were each time politely swept under the rug with generic assurances like "they're working on it and will keep me informed"... Then quickly closed the ticket as fixed. 
Every time after the one particular domain went dark (and with another domain randomly flipping into bogus unverified states in the frontend interface, clearly lingering on the edge of the same fate), the domain was reactivated either by me or the customer support, was either set to have its contacts covered by WhoisGuard (which doesn't even use the contacts verification process at all), or at a later point even manually set back to fully verified by their techs (and one time completely having all my zone data wiped without explanation or apparently without whoever caused it having a backup at hand to restore it from) - only to again and again end up suspended as "unverified" several days later, losing me access to its emails, websites, everything...

Now I could still go on and on about how clunky the entire new interface compared to the old one is (yes, the original was lackluster, but not even remotely this level bad and in fact I've never had a single technical issue with it, other than being somewhat hard to navigate) and that ever since the redesign the new frontend frequently displays outdated or plain wrong information, crashes with cryptic errors, sometimes just decides to log you out five times in five minutes for no reason, but I think this is getting too long as it is anyway, so enough.

When I finally grew tired of running through their customer support in a neverending circle (to their credit, they were always very polite and nice, but it felt like that's all that Namecheap support was really trained for. And that clearly doesn't make my domains magically work there), I moved to Gandi just based on their overall popularity and good reputation with a few people. Already within a week's time I had two great support experiences with them and got my issues resolved each time in literally a single step of exchange. In the first case I received about a page-length of actual technical reply from their support rep that not only bothered to carefully read through several issues that I ran into when trying to run a Python app on their web hosting platform that I ordered for the domains moved there, they even included a how-to custom tailored to my specific use case that was way beyond what I originally asked for and that ended up saving me quite some time discovering it on my own, and also acknowledged that they had a major issue in their documentation system and that they had it quickly fixed in the meantime. Now the second time was less technical, as I accidentally burned a discount code while customizing and re-customizing some orders in what was probably an unexpected way for their interface, that ended in the code never being applied to any order but still ended up as used and lost... I wrote down the problem in a few sentences, customer support quickly verified it and issued me a new replacement code right with the initial reply in what had to be less than an hour. Can't really say I'll be missing Namecheap any time soon.

CSS Stylebot or a similar extension that allows you to create persistent stylesheets could help you! I think your grievance is legitimate.

That sounds like an awesome extension. I will have to look it up.

I've always wondered why I never see pairNIC mentioned on the "everybody knows godaddy is garbage but who should I use to register domains?" threads on HN.

I have used them since they opened (2002) and never used anybody else after that, because I have never been dissatisfied. (I don't remember if the box is checked by default, but they definitely offer whois privacy, along with services like custom/dynamic DNS and some other stuff, at no extra charge).

Their site is kinda barebones and old-school, but there are real humans in the rare case you actually need one, and they've never done me wrong.

So for whatever that's worth: another recommendation on HN.

[1]: https://www.pairnic.com/about.html

I used Pair right after they were accredited as a registrar in the 90's up till the mid 2000's but found they were expensive both for domain registration and for hosting. Great customer service but for a commodity like a domain name it's just not worth it for me.

Last I checked pairNIC was > $15/year for .com etc. That adds up when you have many domains. Therefore I use pairNIC for the domains I really care about, and Namecheap for the rest.

it seems they are down to $9.99/year: https://www.pairnic.com/prices.html

Wow! No excuses now. With pairNIC you can call up and talk to a technical person during business hours in Pittsburgh, PA.

I'm happy with hover.com. They're part of Tucows, who I've been a fan of since the good ol' days.

OpenSRS is also Tucows but only for resellers. Their reseller system works alright. Used to use it when I worked for a hosting co.

Namesilo works well for me, and they have free whois privacy.

I've been a happy user of Google Domains since closed beta. I'll never go anywhere else for domains again.

Still waiting for them to open to the rest of the world, beta is only for USA. Frankly, no idea what is taking them so long.

What's wrong with name.com?

Depends on who you're asking and from what timeframe you're asking about. They used to be absolutely horrid in the age of alternate and meta-TLDs when the real rush to nab a domain was on. I can't speak about present times, however.

Plus Whoisguard is only free for the first year. There's Google Domains for $12/yr but the dollar and some savings isn't worth the hassle of switching away from Namecheap.

I'd recommend gandi.net; among many other reasons, they don't charge for whois privacy, though you still have to turn it on.

I have been happy with NameSilo.

They have a very strong privacy stance and take security seriously

Maybe check out gandi.net? Very happy with them so far.

Hiding your contact information is like security through obscurity. I'm not saying it's not a good extra step to decrease the frequency of attacks (much like changing an SSH port to 3857 or something), but it doesn't add any real security. This is the crux of the problem; our addresses and birthdays are treated like passwords by these companies.

Passwords are also security by obscurity.

Not really -- security by obscurity is a re-statement of the idea that the security mechanism shouldn't need to be secret for the security to have meaning. You're allowed to have secret data, just not secret mechanism.

And relying on what looks like secret data (changing the SSH port) where the number of bits of entropy is low enough that it's plausible to try them all (16) probably still counts as security by obscurity -- it might hide you from many attackers, but it's not enough to make you secure.

Relying on data that's not actually secret, just hard to find, is just insecure.

> but it's not enough to make you secure.

That's not why you change the ssh port at all.

You change the ssh port to filter out false positives, if someone is attacking you on your weirdo ssh port, it's likely an actual attack that you need to pay attention to. You still need to do the rest of the security stuff.

Ssh ports are brute forceable, passwords have a much much larger search space.

A changed SSH port is not a security measure. It's needed to keep your log files clear of random network scanning.

When your SSH port is something like 53148 and you see password brute-force activity in the logs, it almost always means that somebody is intentionally scanning your server.

Just a note: if you do change it, keep it below 1024. Otherwise if ssh dies anyone on the server can create a client listening on that port and steal credentials.

That's a somewhat obsolete belief – people have been scanning arbitrary ports for many, many years and SSH daemons helpfully announce themselves to search engines:


This is a long-running problem and one with various popular solutions: restrict the source networks which you accept traffic for, disable password authentication entirely, and add some sort of rate limiting (e.g. 2004's fail2ban) for failures. Trying to reduce log volume by obscurity is futile - you really need to address the root problem and use tools which allow you to filter and aggregate effectively.

At this point, 16 bits of entropy is more than the entropy of a lot of the passwords that I've seen.

You have 10 bits of entropy at best, unless you put it above 1024, at which point if it dies, any non-privileged user on the box can sniff passwords.

Why are you using passwords for SSH?

Do you actually have untrusted users on the box?

Why would you not secure the custom port to root-only?

If you are serious, you should limit SSH access to a bastion host with no unprivileged users.

Passwords are explicitly keys and not used for any other purpose.

I found last week that Namecheap enabled auto-renew of both the domain and whoisguard by default:


If you click-through the checkout with the 'Confirm Order' button at the top right away you can miss that detail - as I have twice.

One of the reasons I switched to Namecheap in the first place is because they were a registrar that didn't rely on bundling tricks. I'm considering moving all of my domains away.

I'm not sure how true this is.

I registered a new domain with Namecheap just last Thursday and it had whoisguard automatically turned on.

I think it is enabled automatically for free for the first year, but does not automatically renew, because it is not free after the first year.

Same here. I've registered a bunch of domain names with Namecheap over the last year and they all had whoisguard turned on.

Please can you tell me how I can verify whether my details have been leaked?

I've recently purchased a domain from namecheap, with whoisguard, and if I recall correctly I didn't have to turn it on. I whois'd myself and found that it didn't leak anything. It didn't occur to me that scrapers can get at the info before you protect it.

Perhaps this has changed since your experience? Please could anybody else verify one way or another?
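The question above is how to tell whether your own details are visible. Querying the registrar with `whois yourdomain` is the easy part; the useful check is to search the returned record for your real name, email, address and phone rather than eyeballing it. The following is an added example, not code from the thread or from any registrar: it parses a constructed "Key: Value" WHOIS record (modelled on a privacy service that hides address and email but, like the Gandi case discussed earlier, leaves the registrant name in place) and reports which contact fields contain any of the personal strings you supply. The record, the "Jane Doe" identity and the privacy-service hostnames are all invented.

```python
# Constructed WHOIS response in the common "Key: Value" layout; not a real record.
SAMPLE_WHOIS = """\
Domain Name: example.com
Registrar: Example Registrar, Inc.
Registrant Name: Jane Doe
Registrant Organization:
Registrant Street: Obfuscated whois Privacy Service
Registrant City: Obfuscated whois
Registrant Country: FR
Registrant Email: abc123@contact.privacy-service.example
Admin Name: Jane Doe
Admin Email: abc123@contact.privacy-service.example
Tech Name: Jane Doe
Tech Phone: +1.5555550100
Name Server: ns1.example.net
Name Server: ns2.example.net
>>> Last update of WHOIS database: 2016-01-24T00:00:00Z <<<
"""

# Contact-block prefixes used by most gTLD registrars' WHOIS output.
CONTACT_ROLES = ("Registrant", "Admin", "Tech")


def parse_whois(text):
    """Parse 'Key: Value' lines into {key: [values]}; keys such as Name Server repeat.
    Comment lines (%, #, >>>) and lines without a colon are skipped."""
    fields = {}
    for line in text.splitlines():
        if ":" not in line or line.startswith(("%", "#", ">>>")):
            continue
        key, _, value = line.partition(":")
        fields.setdefault(key.strip(), []).append(value.strip())
    return fields


def find_exposed_pii(whois_text, pii):
    """Return {contact field: value} for every Registrant/Admin/Tech field whose value
    contains one of the strings in `pii` (case-insensitive substring match).
    An empty dict means none of the supplied strings appears in the record."""
    fields = parse_whois(whois_text)
    needles = [p.strip().lower() for p in pii if p.strip()]
    exposed = {}
    for key, values in fields.items():
        if not key.startswith(CONTACT_ROLES):
            continue
        for value in values:
            if any(n in value.lower() for n in needles):
                exposed[key] = value
    return exposed


if __name__ == "__main__":
    # The strings a real user would supply: legal name, personal email, home address, phone.
    my_pii = ["Jane Doe", "jane@personal.example", "12 Rue Exemple", "+1.5555550100"]
    for field, value in find_exposed_pii(SAMPLE_WHOIS, my_pii).items():
        print(f"{field}: {value}")
```

On a real record, run `whois yourdomain.com` and pass its output in place of the sample. In the constructed record the privacy service has replaced the street, city and email, so the address and personal email produce no hits, but the name shows up in all three contact blocks and the tech phone is still the real one. Note what the earlier comment points out: a clean result today only means the current record is clean; historical WHOIS archives may still hold whatever was published before privacy was switched on.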


I think the bigger problem is that public information like your name and address is sufficient for proving your identity. If we make whois information private, what about phone books, property records, direct mail databases, etc. etc.

If someone has your public name and address you're already at significant risk if you ever say anything controversial that gets attention. You're liable to being swatted, getting fake pizza orders, having people show up at your house, harassing you and much more. See Zoe Quinn, Brian Krebs, lots of less well known individuals, etc.

Which only proves your comment's parent's point even more.

{SWAT, pizza orders, etc} assume that the phone number that shows up on caller ID is authentication of the identity of the phone line on the other end. They could call back the number on caller ID to verify the original caller matched the person who picked up, but they don't.

Having knowledge of a Social Security number was assumed to be authentication, but it's increasingly obvious that such an authentication scheme is antiquated and was destined to fail from the beginning. When an identity thief can get a mortgage under my name with little more than credit bureau data on me, it costs only a little more than $15 to destroy my credit, my time, and my future because transactions don't have sufficient authentication.

These awfully designed authentication schemes will only magnify the problems as more companies (especially credit bureaus and data marketers) pass around data on me and make it easier for someone to buy it on demand.

>Having knowledge of a Social Security number was assumed to be authentication

No, the people that designed and implemented Social Security knew it was not secure for identification purposes; the first few decades of the program even had "Not to be used for Identification" on the card.

Then the government and financial industry got lazy and said "well, since the majority of people already have these numbers assigned to them, let's just use them for identification as well" and made it a de facto national ID. Something it was never designed for, nor secure enough to be.

Keep in mind too that Caller ID is trivially blockable (and blocked caller id isn't remarkable enough to be super suspicious), and it's also easily within the capability of many of the 4chan/gg griefers to spoof "correct" Caller ID numbers as well.

Caller ID shouldn't be blockable, these days. It's a big ridiculous problem that we've defaulted to "you can intrude with communications anonymously" - and phone calls are definitely intrusive.

I'm pretty much a hair away from blocking all calls without caller ID at my house so I can reliably lock out the remaining spam callers.

By "gg" you mean what? Gamer gate?

I assume so. The "gamergate are women-hating harassers" misconception is still alive and well.

Not that I order pizza more than once every few months, but I would probably switch to the pizza place that called back to confirm the order each time.

As a counterpoint, see billions of people every day.

This is getting to the point of paranoia at this point. You're already at significant risk if you ever say anything that gets attention by virtue of living in a society. But it comes with benefits, too...

Agree. Your contact info in whois adds little to any number of other public records that will contain your name, address, phone number.

It does make good sense to not use your primary "personal" email address in whois, nor your home address. PO Box rentals are fairly cheap and that's what I use for whois registrations.

Sadly, you can't even use PO boxes for all domains, some registries require a "full" address.

USPS now supports a feature called "street addressing". Basically, instead of writing "PO Box #" as the address, you may write the actual street address of the same facility followed by your box number, something like "123 Main St #456". Private mailbox providers also often accept addresses like "123 Main St Apt 456", where 456 is the number of your mailbox as well.

USPS now supports a feature called "street addressing".

Keep in mind that street addressing doesn't work at all USPS locations, although it does work at most of them. You have to fill out a form with USPS or any mail addressed to that location will be returned as undeliverable.

I've found private mailbox providers to be preferable in most every way to post-office PO boxes. Private providers are "street addressed" to begin with, virtually always accept from all couriers, usually have longer hours, often can call or email you when you receive a package, etc. In most cities, there are also more of them than post offices, I suspect because it's such an easy business to start. Look around your neighborhood: copy/print shops, shipping stores, and small business supply stores probably also rent mail boxes.

I wish this was an industry with a bit more visibility. When you think about renting a "PO Box", there's a good chance that you'd be better off with a box rental from a private mail service.

"The street finds its own uses for things."

Where I am (Australia) there's a whole bunch of places that'll provide "non Post Office PO boxes" who're perfectly happy for you to address things to "Suite 306" or "Apartment 306" as well as "PO Box 306" at whatever address the box is located. Fools _most_ of the "must be a real address, not a PO Box" restrictions.

(Interestingly StartSSL failed me on that once when I gave one of those as a personal address - they mailed me saying "that looks like a business address, we need a personal home address for personal identity validation") - I dunno if they Google Street-viewed it or if they've got some automated system that flagged it...)

USA is a little different. To get mail using the street address of the PO, boxholders have to sign an additional agreement, BUT:

1) it's free, and

2) they will also accept UPS/FedEx/DHL/etc shipments on your behalf for no charge! (they will sign for packages, but if "Direct" signature (the named recipient) is required, they can't accept those.)

If you just try using "UNIT #" or "APT #" or whatever, or you don't have this additional agreement signed, they can and will return to sender.

"Mailboxes etc." in the UK is a fairly widespread commercial PO box provider. I didn't realise that was their business until I found out about a local spammer using their Cambridge branch for their address :-)

Most likely more than x accounts used the same address.

Yes, but the new piece of information is that you are the one who owns that domain

It's not just about proving who is who, it can also be about wanting to distance yourself from random people and their nonsense problems.


His daughter was also attacked...

> For example, gandi.net (and thus Amazon) doesn't hide your name when you have it turned on.

Well, yeah, I've been with Gandi for years, that's their published policy: https://www.gandi.net/domain/whois/

> By the time you find this out

You realize you should have done your homework and read your registrar's policies beforehand? I understand your overall point, but don't make it sound like Gandi did anything wrong here, just because you don't like it.

I would have left this very comment if you hadn't beaten me to it. :)

Gandi is very up-front about every aspect of their services. I found out that Gandi's whois privacy doesn't hide the name you provide as the registrant long before I entered my credit card details to provide payment information.

Their whois privacy is structured in this way because for many (all?) TLDs ICANN requires that the entity listed as the registrant be the actual owner of the registered domain.

I love Gandi because they live by their motto: No Bullshit.

In Germany you have to publish a full address on your website, so even if you don't own the domain, anybody can get you IRL.


Ditto for TLDs controlled by the Indian Government.

Only if you have a commercial site.

According to Wikipedia the word "geschäftsmäßig" includes private-use websites if it is even theoretically possible to get income from them, for example via ads. It quotes the ministry:

"The obligation to identify the provider must in practice be fulfilled by everyone who offers an online service. The only exception is for offerings that serve exclusively private or family purposes and have no effect on the market. When in doubt, you should assume that the obligation to identify the provider applies."

Which roughly translates to: everyone has to do it, unless it's a purely private service. So I guess you don't need it for your web-enabled password protected security cam, but you definitely need it for your blog.


At one point in the past it was argued that hosting your site with a provider that injects ads was sufficient to consider the page "commercial". I don't know what came of it, or what is now required for a page to be commercial.

They don't hide the name because you cannot hide the name while legally owning the domain yourself.

Services that hide the name actually result in a company (e.g. "Domains by Proxy LLC") purchasing and holding domain ownership for you, which is a very different legal arrangement with different risks.

Treat a domain like money: if you want it held pseudonymously, you put it in the ownership of a shell corporation you control (through power of attorney to the board of directors), but don't own any equity in.

While I would love to do that it just isn't feasible for me and probably most others. ICANN really needs to provide better controls to avoid resorting to such workarounds.

> ICANN really needs to provide better controls to avoid resorting to such workarounds.

Not only ICANN but the whole financial world. Shell corporations provide no real use other than hiding money and ownership.

That's not true at all. Corporations have tons of legitimate uses, including reducing liability.

>Shell corporations provide no real use

They also sell gasoline.

I've thought of checking that... Instead of Domains By Proxy LLC or whatever legally holding your account, set up an offshore shell corporation and use that to register my domains, becoming my own whoisguard in the process. It's going to be more expensive than these services, but the domains stay under your full control and you can keep your personal info private.

Sounds expensive, though.

I actually like Gandi for this reason. Registrars have gone down in the past, and I don't want to have any difficulty proving that I'm the owner if that happens.

Besides, my primary domain is my full name dot com, so anyone who has any interest in the domain already knows my name.

If WHOIS is destroyed, your contact information will still be known by everybody you're in contact with, many you've only met, possibly many you haven't met but want to meet, and millions of employees of companies you've interacted with. There is no meaningful difference between that and public information.

It is Amazon's absurd assumption that your contact information is private that is at fault here. Trying to ameliorate this by contacting fewer people is self-destructive, and cannot achieve complete security unless you're willing to eliminate contact with everybody but those you trust with your accounts. Without a doubt it is Amazon's policy that needs to change.

There is definitely a meaningful difference between contact info being public and informal disclosure through normal contact. There's a reason doxxing is a thing.

For me the solution has been to stick with my national ccTLD registry. If your country has strong private protection laws then your national registry will shield your information for your ccTLD domains from public whois. It's not exactly bulletproof, they still make that information available from their whois database but it's just another step someone has to make to get to your information. That much said, on a ccTLD you should be able to get away with only just a name, surname and a valid email address.

What are the alternatives? Those fishy private protection companies? Technically once you sign up there, they own your domain, simple as that.

OpenNIC? I wish that was the case.

In Denmark (.dk), any citizen can get their address information removed from publicly available records. That means that any private individual or company cannot get access to your address information unless you manually give it to them. (Note: Government agencies still have access to this information.)

.dk-domains are owned by persons, not the registrars, and therefore the whois-information for .dk-domains follow the same procedure as addresses. So if you have 'address protection' as it is called, your personal information is immediately removed from your whois information.

> By the time you find this out, it might occur to you to just type in a different name, but now you're violating ICANN policy.

Why not just "sell"/transfer ownership of your domain to another entity (one that you own)?

What you need is the following (and no more):

a) A valid email address. (A gmail that forwards to your real email will do).

b) A valid postal address. By valid I mean "in the proper form".

As such the following would get flagged:

1 Main St. Anytown USA 10016

(because it doesn't exist..)

545 Jones St. New York NY 10016

(let's say that's a post office..)

is fine.

Yes, it's awful. Fortunately, at least one registrar (Google Domains) has free whois privacy for all registrations and I think they prompt you about it by default, too (to agree to some legal terms).

Hover also has free whois privacy by default.

> For example, gandi.net (and thus Amazon)

Why do you say here and thus Amazon?

I assume it's because AWS uses Gandi as their registrar.[1]

[1]: https://news.ycombinator.com/item?id=8116506

while Amazon itself uses Mark Monitor from CSC.

You can register for domains through AWS Route 53 and it'll automagically register on Gandi with WHOIS protection and link it up inside Route 53. You then don't need to leave the AWS UI, it just seems like it works magically.

(I think this is true...I can't remember now actually).

I've used https://ititch.com/ for over a year now. You can pay with bitcoin, they don't do much validation around whois input values. I use it for my domain registration and whois protection, they support IPv4 and IPv6 which in my country are not supported by the biggest companies like 1and1. Customer support answers in less than 30 hours.

It's not just whois. Our personal info is out there everywhere. Say, you're a developer who signs his OSS software tool with a certificate that comes with your home address...

OVH did this to me, I registered a .pw domain and I thought it was WHOIS secure, but after registering... I found my full name, address and email were all public, forever. (Domaintools keeps a record of it)

I will never again register a domain with my real info. Sorry ICANN, I don't give a about you or your policy.

Fighting online thieves by putting more innocent people at risk doesn't sound like a way to fight online thieves.

How does one go about having their details removed from whois?

When we start using block chain to replace DNS and usernames to replace domains, and services to replace hosted servers, a lot of things will change. One is that there will be nobody to force us to verify who we are. These kinds of things serve no purpose other than to hand leverage up the chain.

Did I miss an RFC?

Worth checking out: someone reproduces using a fake address to get a real address.


(contains pretty great screencaptures)

Wow, that second rep was really struggling to find the line in his script that fit the situation (without much success).

Well, that's just... Really bad.

How to stop this:

1. Get a friend's permission to "hack" into his Amazon account (or "hack your own account").

2. Contact Amazon's customer service, try the same social engineering techniques that the OP documented.

3. Once you obtain some sensitive information from the account, scare the CS rep by saying: "Haha! I am actually not the customer. I am a journalist/hacker/whatever and wanted to see how easy it was to social engineer information out of your customer service department, and you failed. I would like to talk to your manager please."

Hopefully if enough people do this, it will get some internal attention at Amazon.

I think there is already enough here to shame Amazon into action if it gets on a major newspaper. Something like "Hackers break into Amazon account and Amazon will not do anything" Perhaps the Washington Post would be a good newspaper with credibility.

This already happened to Matt Honan back in 2012, where the hacker used social engineering on both Amazon and Apple to take over his twitter handle (oh and also wiping all his devices via iCloud). http://www.wired.com/2012/08/apple-amazon-mat-honan-hacking/

It looks like both Amazon and Apple have fixed _some_ issues since then - Amazon is no longer leaking last 4 digits, but instead they're still leaking other info. Apple now requires more information to reset accounts and to wipe devices.

Apple set up 2FA for certain actions (changing passwords, adding or removing devices from an account, etc); Amazon has yet to do anything related to 2FA for normal customer accounts.

2FA is now available for Amazon customer accounts: http://betanews.com/2015/11/18/how-to-enable-two-factor-auth...

The option is only (at the moment) available for Amazon.com accounts, but if you enable it there it will also be turned on for other domains, Amazon.co.uk etc.

Not sure if you were being sarcastic or not, but Jeff Bezos bought Washington Post...

oh, whoops...

Please don't do this. You're much more likely to get your friend in trouble with Amazon and have the police called on you.

You think Amazon wants to arrest its customers because they shared account information?

How do they know who did it though?

Have the police called on you for what, exactly?

Stealing free shipping. You monster.

If any journalist is interested in trying, contact me (email in profile) and I will give you permission to use my account.

So, commit criminal fraud to prove a point?

Bad idea.

If there is written, explicit permission to perform this attack, how is it different from a corporate penetration test?

Amazon hasn't given permission. I suspect they'd be quite unhappy. Having said that, I personally think they ought to expect it, and be responsible for whatever failings it discovers.

How is it fraud if you have permission from the account owner to try and access it?

Fraud against Amazon, not the account owner.

Fraud requires personal or financial gain. This doesn't seem to apply.

Well, you may gain increased security on your Amazon account..

> Hopefully if enough people do this, it will get some internal attention at Amazon.

This is very smart, why has no one thought of this before? When people post it on Medium and share it on HN/Reddit it will not get enough internal attention at Amazon for sure. So let's do something totally stupid which could easily get us in trouble with the law enforcement to make a shitty point to Amazon so that they can notice something is wrong on their end.

There is no point in getting a friend involved. Just see how much sensitive data Amazon will give you without giving them any of your login credentials.

4. Get arrested

Given Amazon's history to NEVER involve law enforcement in outrageous cases like https://news.ycombinator.com/item?id=10966164 or even the OP, I doubt you would get arrested.

Amazon does not care. A fraudster used our startup bank account to pay at Amazon. We told them, they did not blacklist the user from using our account or take any actions besides removing the bank account (ours) from his Amazon account.

The fraudster did this at least 3 times with increasing amounts of money. Amazon did not care. Only when we went to the police did this stop.

Amazon sold me a phone, the box arrived empty (I wonder why they do not check the weight when it leaves their warehouse, DHL printed a weight on the box that was less than the phone alone). It took Amazon support months to solve this, especially they could or would not cancel the attached mobile phone contract for months.

I had a situation where Amazon couldn't bill my bank account, so they blocked logging in.

I verified with just name and address to a customer service rep and asked for the steps I'd have to do to unlock it again, and they told me that (a) the transaction failed, (b) they told me my IBAN. In plaintext. The full IBAN. (c) and then they told me the steps to fix it (wire them the money that I was owing them, plus 6 EUR. Standard procedure in Germany).

In the end, everything worked again, but, the fact that they gave out my IBAN — enough info for anyone to go and pull money from my account — is making me so angry.

Could you tell how knowing the IBAN enables someone to take money from your account? As far as I understand, the only thing that can happen with an IBAN is to receive money.

Maybe you're thinking of credit card number? The CC's I had had different CC number and IBAN account.

SEPA direct debit allows you to pull money via IBAN (+ BIC, depending on the countries involved in the transaction).

Specifics vary from country to country. Some require active approval from the customer (IIRC France, probably more), others "just work".

Fraud is not as common, since bank accounts that are allowed to debit money this way are generally only available to companies who have to sign paperwork ensuring that they have written permission from each debitor. Additionally, although this might be country-specific as well, chargebacks can be initiated without providing any reason for at least 8 weeks, and in case of a fraudulent transaction, up to 13 months.

Thanks, didn't know about that. Sounds like it's a very specific type of account and most default accounts with an IBAN don't have this possibility.

No, anyone’s account can be debited from, but only specific accounts can be debited to.

I can’t pull money from your account, even if you tell me your IBAN.

But I can use your IBAN to order from amazon, and then amazon can just pull however much they want from your account.

Luckily chargeback with direct debit works just as fast as with credit cards.

Thanks! That's something new that I didn't hear before. For interested parties seems [0] has some information. I need to check with my bank then to see how it works in my country.

[0] https://gocardless.com/guides/sepa/introduction/

Germany just works.

If you call a bank or another entity, that has your bank information on record, and claim to be someone specific, can answer basic questions and knows the full IBAN - perhaps they believe you are who you claim to be. This is social engineering, and it works.

I think parent specifically mentioned that just the IBAN is enough, which sounded very improbable to me. Another comment explained that it's possible but only with very specific accounts.

How would you pull money from an account by knowing just the IBAN? That's just the public address of your bank account and can be used to give you money, but you need all kinds of authentication to actually get money out of that account.

SEPA Direct Debit, or "Elektronisches Lastschriftverfahren".

You can go to amazon, give them your IBAN, and buy things, and they’ll use direct debit to get the money from the account specified by the IBAN, no further authentication necessary.

Obviously, you can do chargebacks, but this is still something they shouldn’t publish.

I had a similar experience buying a somewhat expensive watch through them - my wife was surprised to receive a very fancy, and empty, box. However to their credit they sent another one immediately, no questions asked. I really hope for Amazon to fix the issues OP pointed at, as an amazon.de customer I'm extremely happy with them.

> services should allow me to easily create lots of aliases. Right now the best defense against social engineering seems to be my fastmail account which allows me to create 1 email address alias per service

What you may want is a catch-all email - which lets you do *@domain.com -> nmjohn@domain.com (where * is everything besides already defined addresses) - that way you can make up emails on the fly without having to set up the alias beforehand.

I've had that setup for 5 or 6 years now, and it works extremely well. A handy side-effect of this is it makes it easy to see which companies sell your email address to spammers when you include the name of the original company in the email you register with.

I've done this and once had a phone rep from Geico who was convinced I worked for them because my email was something like geico@example.com. This was probably in the late 90s when email was still new to many people. She was really confused that I wasn't getting the employee discount. "Are you sure? Does a family member work for Geico? No? Are you sure?..." I don't think she ever did really understand what was going on.

Perhaps I could have saved even more than 15% if I'd just gone with it. :D

Fastmail and Gmail support a local suffix of the form yourname+amazon@gmail.com. That's a plus character between the local name and local suffix. If you use a password manager, you can replace a predictable suffix like "amazon" with a random hex value.

Unfortunately, many sites borked their e-mail address validation and do not accept the plus character. (Amazon permits it.) Also, you'll occasionally find a customer service ticketing system that expects replies to come "From" your account's e-mail address. (Many mail clients can alter that header, but it's a pain.)

Panix.com supports this, plus an alternate that works almost everywhere. You can use "whatever@yourname.users.panix.com", and it ends up in your inbox, filterable by the "To:" address. I create a new email address for every company I sign up with.

(Satisfied Panix customer.)

Fastmail also supports something similar, with whatever@yourname.fastmail.com mapping to yourname+whatever@fastmail.com

Gmail also supports you.r.nam.e@gmail.com (add random dots to the local-part). (Almost?) every system considers '.' a valid character. However, you need to keep track of which tagged address goes to what service, much like the case of a tag with random hex digits.

I fear that customer support might still accept emails without the suffix from the "customer". These are people, not robots, so if the address is close or in the vicinity of being correct, they might accept it. Same goes for the dot characters allowed in gmail addresses.

I strongly second this concern. I generate random strings as answers to my recovery questions. When I recently got asked one of the questions the support rep let out a sigh when asking (presumably because he saw the "crazy" answer) and then said "yeah yeah, alright" when I was about half way through the answer. That any company even suggests these insane security questions that anyone can trivially research is completely beyond me.

An idea I just had which is buried in a deep thread lower down...

Not that I trust the "security questions", but if Amazon lets you use freeform questions as well as answers, it might help to make your first security question "Have you noticed this account has two factor authentication turned on?" with an answer like "Yes, so Amazon Customer Service will take additional care when being asked to reveal account information, right?"

Even if you can't do freeform questions, perhaps the answer to "What's your mother's maiden name?" could be something like "Have you noticed this account has two factor authentication turned on? Please take extra care before disclosing account details to anyone, Thanks."

I would recommend strongly against that. You'd be far better off picking something plausible, so if someone does impersonate you it's obvious.

Remember it's a human verifying this. The attacker just needs to answer: "oh, yeah I just spammed the keyboard with some gibberish" and he's in.

The other thing I noticed by the attacker going after me, sometimes he'd call/contact the service multiple times in a row. All he needs to do is find out from 1 support rep that the reset password is randomly generated. Then tell another support rep that it's "some gibberish" and he's in.

For those sort of "mother's maiden name" type questions, I generally use a fake but plausible name. Probably not as secure as a random string (especially as the name is reused across a few services), but makes it near impossible to research, and avoids a random string not being accepted/treated as an error/truncated like your example etc.

> I generate random strings as answers to my recovery questions.

What's your favourite football team? -> Genghis Khan 2nd XI

What was your first school called? -> Little Horrors School for Hackers

etc. Easier to say, you won't lose the customer service rep's attention either :)

Also a lot of systems strip anything after the + now, especially spam systems.

Fastmail supports a@fastmail.com -> anything@a.fastmail.com, which is even better

I've even started seeing registration systems that tell me that I've entered an invalid address if I do the [email]+[something]@gmail.com trick.

Twice now I was only able to register after removing the +[something] part of the email.

Is + actually an invalid email character (according to RFCs etc?). I couldn't find any reference to that when I looked.

I'll try to avoid ranting here, but anything is a legal email address per the RFC (even an @ sign in a username, or an email address without any @ sign).

RFC 821 is the original and 2821 summarizes it plus the few that came after to add and clarify.

The only true "RFC email validity check" is to send an email to whatever address they provide.

Gmail also allows yourname.amazon@gmail.com

No they don't, since I could register that. Maybe you're confusing the period with a plus?

EDIT: I am stupid, disregard thread

That's radically different to what you presented in your previous example.

oh, yes it is isn't it. I was not SMRT

It certainly does not allow yourname.amazon@gmail.com if you don't own yournameamazon@gmail.com. You can do a suffix with + and random . but not a suffix with .

Note, though, that catch-all emails will also catch a ridiculous amount of spam. Creating each account name individually avoids that problem, at the cost of some extra trouble when registering a new service.

An intermediate step that may work if you don't expect people to target you individually: have one or more required substrings for the email local part, and catch all mail to addresses containing that substring.
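An added example, not from the thread or any of its posters, that ties together the plus-addressing, subdomain-addressing and required-substring catch-all ideas discussed above, and the earlier concern that a support desk matching addresses loosely defeats the tag: the mailbox name nmjohn, the domain example.com and the secret substring k7 are constructed for illustration.

```python
import re

# Constructed values for this example; not from the thread.
CATCHALL_DOMAIN = "example.com"
BASE_USER = "nmjohn"        # the real mailbox the catch-all forwards to
REQUIRED_MARK = "k7"        # secret substring every handed-out catch-all address carries

# Deliberately permissive shape check: one '@', a non-empty local part, a
# dotted domain.  It accepts '+', dots and subdomains; as the thread notes,
# the only real validity test is delivering a message.
_ADDR_RE = re.compile(r"^([^@\s]+)@([^@\s]+\.[^@\s.]+)$")


def split_address(addr):
    """Return (local, domain), lowercased, or raise ValueError if malformed."""
    m = _ADDR_RE.match(addr.strip())
    if not m:
        raise ValueError("malformed address: %r" % addr)
    return m.group(1).lower(), m.group(2).lower()


def service_tag(addr):
    """
    Extract the per-service tag so you can tell which company leaked an address.
    Recognises the three styles mentioned in the thread:
      nmjohn+amazon@example.com  -> "amazon"  (plus-addressing)
      amazon@nmjohn.example.com  -> "amazon"  (subdomain addressing)
      amazon@example.com         -> "amazon"  (catch-all: the local part is the tag)
    Returns "" for the bare base address and None if the mail is not ours at all.
    """
    local, domain = split_address(addr)
    if domain == BASE_USER + "." + CATCHALL_DOMAIN:
        return local
    if domain != CATCHALL_DOMAIN:
        return None
    if local == BASE_USER:
        return ""
    if local.startswith(BASE_USER + "+"):
        return local[len(BASE_USER) + 1:]
    return local


def accept_catchall(addr):
    """
    Delivery policy for the catch-all domain.  The base user, its plus forms and
    the per-user subdomain always deliver; an arbitrary local part delivers only
    if it contains REQUIRED_MARK, which a dictionary of guessed usernames will
    almost never hit, so the spam a plain catch-all attracts is bounced.
    """
    local, domain = split_address(addr)
    if service_tag(addr) is None:
        return False
    if domain != CATCHALL_DOMAIN:
        return True                      # per-user subdomain
    if local == BASE_USER or local.startswith(BASE_USER + "+"):
        return True
    return REQUIRED_MARK in local


def loose_match(a, b):
    """
    The comparison a support desk must NOT use when checking a caller's address:
    stripping the +tag and any dots makes 'nmjohn+amazon' and 'nmjohn' (or
    'n.m.john') look identical, so whoever knows only the bare address passes.
    A per-service address only adds security when compared as an exact string.
    """
    def canon(addr):
        local, domain = split_address(addr)
        return local.split("+", 1)[0].replace(".", ""), domain
    return canon(a) == canon(b)
```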

I created my catch-all on a subdomain. While it gives a problem with certain websites (don't consider it a valid e-mail address), I barely receive spam on it.

> While it gives a problem with certain websites (don't consider it a valid e-mail address)

Are you saying that there are sites out there which don't accept mailbox@subdomain.example.com as a valid email address? If so, that's beyond broken...

My school's student addresses ended in @u.northwestern.edu. You can imagine this was annoying sometimes when email addresses ending in .edu were used to verify student status.

>My school's student addresses ended in @u.northwestern.edu. You can imagine this was annoying sometimes when email addresses ending in .edu were used to verify student status.

Sorry, could you repeat that? yourname@u.northwestern.edu certainly matches \.edu$.

Unless you're worried about the false-positive for a non-student with a different subdomain?

It doesn't match \w\.edu$

And you can imagine how maddening it is when 90% of students worldwide don't have a .edu, but some do.

Only one university in Germany has a .edu, and their students obviously manage to get far more benefits than those of us with an @informatik.uni-kiel.de email.

99% of times we need to send proof that we are students, what is interesting is that many companies accept that even if it's not in English. Probably on good faith.

In Brazil, universities can use .edu.br, but we have few universities providing email addresses to students and also, the majority of grad schools in Brazil are not universities but a small college called 'University Center'

One method that I've seen used (heard it described by a guest on one of Leo Laporte's podcasts a looooong time ago) is to iterate account names by year. For example, this year the email address would be pyre2016@example.com, and next year it will be pyre2017@example.com. Not sure how well it works, but the idea is that every year you start over with a fresh address (that takes a while to get onto spam lists).

I'll note that I don't use this method as it seems too high maintenance and the effectiveness is unclear.

I believe the real issue here is it's not uncommon for spam services to try to locate valid email addresses. Generally, an email server won't accept email to an invalid user and will probably start flagging the incoming server/domain as those attempts start to cross a threshold of some sort. OP is talking about *@example.com as a catchall which means a spammer's script will sit there and email a dictionary of usernames against your domain until it crosses its own threshold. It's not too hard to add an alias for each name as you go along but it really depends whose list your domain gets on.

I was talking about making those actual accounts vs. aliases to the catchall address. That method makes no sense if each pyre<year>@example.com email address was just an alias to the catchall because pyre<previous_year>@example.com would still be caught by the catch-all, even if you disabled the alias.

Not a big deal if using a password manager and email acts as username.

Using it as your mail email for personal/business purposes could run you into trouble though. Most people aren't used to a rotating email address.

> Note, though, that catch-all emails will also catch a ridiculous amount of spam

Hasn't been a problem for me.

> Note, though, that catch-all emails will also catch a ridiculous amount of spam.

I haven't found this to be true, or at least Google's spam filters have gotten sufficiently good to prevent it.

I have a catch-all address @morgante.net and rarely ever see spam—maybe once a week.

I receive all mails @ my domain and I get about 1 spam a day. Fastmail's spam filters are pretty good.

Do you have a good idea of the rate of false positives?

No, I don't check my spam folder. Never had any reason to do so in the last couple of years.

Make sure you keep a list somewhere of which site got which email address.

I used to do this too and it was great, but then when I started trying to recover accounts that were a few years old, I had a heck of a time remembering what email address I had actually given them in the first place!

I just do companyname@mydomain.com. That's how I knew Broderbund sold my email address.

I was doing that but some companies think you are "hacking" if you put the company name in. Like I don't think you can do facebook@mydomain.com on Facebook.

They must have changed that at some point, since I do exactly this and have no issues. I set up my FB account 6 or 7 years ago though.

I would tell you that my FB email address has that format, but maybe I'd be leaking too much information by doing so....

fb@mydomain.com is perfectly usable though.

So I think that was grand-OP's point to a degree. If you can't always do companyname@mydomain.com there is a chance you will forget what you used. Example:

aws vs amazon-web-services vs amazon.web.services

facebook vs fb vs fbook

Or for example I've used Rally the project management tool but my health insurance uses a (terrible) "rewards" program called "werally" but it's ALWAYS referred to "rally". It can get unmanageable.

Now I use 1Password to track all of this stuff which works well so I think there are solutions but I do understand the grand-OP's point.

You can approximate this with gmail using the plus sign. Like myaccount+label@gmail.com.

It's ignored for delivery, but gmail's filters can match on it in the to: address.

Every time I've tried to use that feature, the email field in the registration form I'm trying to fill out rejects it because they don't like + in an email address. There are a lot of not-quite-correct email form validation routines out there. Or maybe this is selection bias: the forms where I'm most likely to want to use the + are with the companies that are most likely to want to resell my email address, and they may be intentionally rejecting the +.

Lots of programmers try to write regular expressions to validate e-mail addresses, but it's extremely difficult for them to get it right, because valid e-mail addresses as defined by RFCs 822 and 5322 fall outside the set of formal languages describable by most regular expression libraries. See this fun stackoverflow answer [0].

[0] http://stackoverflow.com/a/201378

but then the spammers use BCC and you don't know what email they used?

There's Envelope-to, which is the only thing you should look at. To, From etc. could be forged.

This is exactly the same thing that let someone delete Mat Honan's (Wired author) accounts back in 2012:

Apple tech support gave the hackers access to my iCloud account. Amazon tech support gave them the ability to see a piece of information — a partial credit card number — that Apple used to release information.


No, customer service did not disclose the cc number in this instance -- they did disclose his address though, which stinks.

"The problem is, 9999 times out of 10000 support requests are legitimate, agents get trained to assume they’re legitimate. But in the 1 case they’re not, you can completely fuck someone over."

That's why nothing will change if these estimates are even in the right universe. Nobody wants to inconvenience the vast majority of customers to prevent a minuscule number of issues.

Came here to say just that. I did general customer support for a telco for a few months a while back, and most of the general public can't really deal with high security for personal information. If you were as strict with security as you should be, you'd be locking half of your subscribers out of their accounts eventually. This would create a phenomenal amount of follow-up paperwork for your company, meaning higher costs on your end and greater resentment on the customer's end - costs go up for you and customers head elsewhere.

It's why banks still use laughably short and simple PIN codes.

While that's true, and perhaps even needs to be "the default", there really needs to be a way to say "Hey, I'm concerned, and am prepared to take responsibility for my own access credentials. I demand you categorically _do not_ disclose any of my personal information to anyone without a warrant or court order." And for that sort of demand to have appropriate legal teeth to ensure people collecting that data are sufficiently motivated to act properly on it.

Startup idea: Whitehat Social Engineering (as a service). You authorise a whitehat team to attempt to social engineer all your discoverable internet presence/accounts to see what personal information their systems and/or customer service will disclose based on existing publicly available data. (I suspect legally that'd at least be on the white-ish side of grey rather than blackhat...)

I wonder how long it'll be before (or how long ago it became) sensible to register a shell company as the holder of any public record you're legally required to make public? It's probably much easier to roll your shell company's "registered address" if you discover it's been compromised than it is to move house every time Amazon's customer service goes "above and beyond" on your behalf to your attackers...

> Startup idea: Whitehat Social Engineering (as a service). You authorise a whitehat team to attempt to social engineer all your discoverable internet presence/accounts to see what personal information their systems and/or customer service will disclose based on existing publicly available data. (I suspect legally that'd at least be on the white-ish side of grey rather than blackhat...)

You'd need to take care to avoid getting people locked out of their accounts, but otherwise that sounds like a useful service for the small fraction of people who have a high enough profile that others may actively target them. I don't know if that represents a large enough target market for a sustainable business, but it might.

> I wonder how long it'll be before (or how long ago it became) sensible to register a shell company as the holder of any public record you're legally required to make public? It's probably much easier to roll your shell company's "registered address" if you discover it's been compromised than it is to move house every time Amazon's customer service goes "above and beyond" on your behalf to your attackers...

Depends on how easily you can register a shell company that doesn't itself have easily traceable public records of ownership. Little point in the indirection if you can then look up the shell company and its official owners and legal contacts.

Whitehat Social Engineering won't be "a unicorn", so don't expect Sandhill Rd to invest, but it's not like whitehat pentesting is a unicorn type idea either, and there's lots of people running successful and profitable <sneer type="SV Startup DoucheBro">lifestyle businesses</sneer> doing that.

There are companies already doing this.

Unfortunately, far more people think they want that than can take full personal responsibility for it.

See also: people who don't understand that full-disk encryption means they lose their data if they forget their passphrase. That doesn't make full-disk encryption in any way bad, but if you train people to think that all accounts have a "forgotten password" option, they might get a nasty surprise.

Sure - it needs to be somewhat difficult to turn on, and turning it on needs to very clearly include an "I accept all responsibility for this" declaration.

Most of "us" already deal with these things though - there's no "forgot password" for my ssh keys or my ssl keys or my TOTP seeds - there's no "forgot password" for my 1Password and KeePass safes. We occasionally get to laugh at our less diligent colleagues and peers who belatedly reveal the time they "lost" the ssl private key or the production webserver ssh key, but it's not like we see critical infrastructure falling apart regularly because of forgotten-but-unretrievable passphrases.

But I suspect you're right, there'd probably be a whole lot of "Hold my beer and watch me turn on full personal responsibility here! Oh, hang on - shit. Oooops..." if Ama-Face-Goo-Yah-stagram allowed this...

very clearly include an "I accept all responsibility for this"

It can't be a simple checkbox, or an Agree button. Make someone type, exactly:

   I accept all responsibility for this
Even then, the majority of the general public (as opposed to computer nerds) would be awfully upset at being locked out.

You're exactly right: there'd probably be a whole lot of "Hold my beer and watch me turn on full personal responsibility here! Oh, hang on - shit. Oooops..."

A while ago I set up FDE on a new drive, put the passphrase in my encrypted password file, put the new copy of the password file on the encrypted drive, and then proceeded to wipe the machine that had the only other copy of that password file (well, at least the up-to-date version with that passphrase). A nasty surprise indeed. Thankfully I only lost a month's worth of files (mostly photos).

Heh. In the spirit of it being my turn to "… belatedly reveal the time …" I mentioned upthread…

One time I had my carefully encrypted secrets thoughtfully spread across my laptop drive, my iPod as backup #1, and an external hard drive as backup #2. All of which I had in my backpack one night - which I proceeded to leave at a restaurant where I'd been sitting outside on the sidewalk tables, and I didn't notice until _way_ after they'd closed for the night. (I used up a _great_ deal of luck that night - we went to that restaurant enough to be "regulars", and the waitstaff found it and knew it was one of ours, and it was waiting for me when they opened the next day...)

Then again, in this case it might be salvageable by having an option of turning up with an ID in person. Could still be faked, but it would be a lot more work at least.

Until/unless we can find and implement a workable way to make this a problem Amazon is financially on-the-hook for, instead of Amazon (et al) customers.

I wonder what the PCI implications are if it's true that Amazon gave away his last four cc digits over the phone?

I wonder if there are applicable PII laws in his jurisdiction that'd have Amazon able to be held liable for disclosing his address? (I think there are here in Australia(1), but that doesn't mean regular Amazon customers have any chance of prevailing in court against Amazon's in-house legal team...)

(1) 6.67 of this says your address is "individually identifying data": http://www.alrc.gov.au/publications/6.%20The%20Privacy%20Act...

In the US, the relation Legal Name ~ Home Phone Number ~ Address is emphatically not private. It's in the phone book, it's in directories published by local school districts, it's on public property ownership records, in some cases voter registrations are subject to FOIA, it's on corporate registrations, amateur radio licenses, FAA pilot licensing (including small drones), all kinds of professional certifications and business licensing which is published on the internet, etc.

So no, very unlikely.

> I wonder what the PCI implications are if it's true that Amazon gave away his last four cc digits over the phone?

Absolutely none, unfortunately. Merchants are specifically allowed to store the first six and last four digits of a credit card number in any form they like.

At least until we hear something like "Donald Trump's personal Amazon account was hacked, and it was because Amazon's weak security."

Then Trump will even use this incident to say "I will force Amazon to become great again, after I'm president."

So a "small issue" could help Donald Trump get that much closer to becoming the most powerful man in the world. So, thanks Amazon?!

Obviously, it's all tongue-in-cheek, but I think you see my point. If it can be done, eventually we'll hear about a celebrity being hacked like this.

Minuscule number of issues that can lead to identity theft. I'm fairly sure that most countries have laws stating companies must prevent this to a reasonable extent, even if it means being inconvenient to 99.99% of users calling. This is after all a simple way for terrorists to get a new identity. At the very least they should be able to flag accounts as high risk, with special procedures and senior staff handling such cases.

That said, the author has a very good point. If you cannot log into your account, they should not assist you. MS Support/Store does something similar. They send an email with a code to the address they have on record. If you cannot tell them the code they send, they will not help you. So if you cannot log into your account, they can assist you in password recovery, and take it from there.
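The out-of-band check the comment describes, as an added example (not Microsoft's or Amazon's code): the support system mails a one-time code to the contact address already on record and the agent proceeds only if the caller reads it back. The in-memory store, ten-minute lifetime, three-attempt limit and the per-process signing key are assumptions; in a real deployment the key would come from a secrets manager and the store would be a database.

```python
"""Support-side one-time code sent to the address on record. Added example;
TTL, attempt limit, store and key handling are assumptions."""
import hashlib
import hmac
import secrets
import time

CODE_TTL_SECONDS = 10 * 60   # assumed: a code is good for ten minutes
MAX_ATTEMPTS = 3             # assumed: three wrong guesses burn the code
CODE_DIGITS = 8
_SERVER_KEY = secrets.token_bytes(32)   # assumed: per-process key; use a KMS in production


def _digest(account_id, code):
    # Store a keyed hash, bound to the account, rather than the code itself,
    # so a leaked table of pending challenges cannot be replayed.
    msg = f"{account_id}:{code}".encode()
    return hmac.new(_SERVER_KEY, msg, hashlib.sha256).hexdigest()


class ChallengeStore:
    """In-memory stand-in for the table of pending challenges."""

    def __init__(self):
        self.pending = {}   # account_id -> (digest, expires_at, attempts_left)


def issue_challenge(store, account_id, now=None):
    """Create a fresh code for the account and return it for delivery to the
    contact address on file. Only its keyed hash is kept. A new challenge
    replaces any earlier one for the same account."""
    now = time.time() if now is None else now
    code = "".join(secrets.choice("0123456789") for _ in range(CODE_DIGITS))
    store.pending[account_id] = (_digest(account_id, code), now + CODE_TTL_SECONDS, MAX_ATTEMPTS)
    return code


def verify_challenge(store, account_id, submitted, now=None):
    """Return True only if the caller read back the current, unexpired code.
    The code is single-use; wrong guesses count down and the last one
    discards the challenge; unknown accounts are rejected the same way
    as wrong codes so the check does not confirm which accounts exist."""
    now = time.time() if now is None else now
    entry = store.pending.get(account_id)
    if entry is None:
        return False
    digest, expires_at, attempts_left = entry
    if now > expires_at or attempts_left <= 0:
        store.pending.pop(account_id, None)
        return False
    if hmac.compare_digest(digest, _digest(account_id, submitted)):
        del store.pending[account_id]
        return True
    attempts_left -= 1
    if attempts_left == 0:
        del store.pending[account_id]
    else:
        store.pending[account_id] = (digest, expires_at, attempts_left)
    return False


if __name__ == "__main__":
    store = ChallengeStore()
    code = issue_challenge(store, "acct-42")
    print("mail this to the address on record:", code)
    print("caller reads it back:", verify_challenge(store, "acct-42", code))
```

The agent's tooling would call `verify_challenge` and refuse to open the account screen on anything but True; the important property is that the caller must control something already tied to the account, rather than something an attacker can assemble from whois, public registers and a previous support chat.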

I'm probably going against the flow here, but I value convenience over security.

I had my identity stolen once, and it sure was annoying... if also a little fun. A credit was opened in my name, that I had to fight to close, and I was even interrogated by police because false me was associated with shady characters (surprise!) but in the end it wasn't the end of the world.

Security "features" however, are usually so annoying they destroy the will to live. They would be tolerable once, but they're constant, and constantly remind you that you are, in fact, a suspect. They pretend to "protect" you but actually dehumanize you and every interaction you have with other humans (not to mention security theater, where the features don't increase security in any way but are simply there to make you "feel" safe).

Being alive is to be at risk, and at the mercy of bad guys. We should accept it and enjoy life before we all die in the end anyway.

As hesitant or ashamed as I am to admit it, I must agree... convenience is king.

PGP/GPG comes to mind. Yes, technically superior but good god is it arduous.


Except if they became liable for the damage caused by the information they released, of course. They would then have a financial incentive to have better security checks.

I worked for Amazon for four years. For nearly the entire time I worked there, I, as an engineer, had access to every customer's purchase history, contact information, email addresses, etc. The reason? On occasion, I'd need to get a user's email address to reach out to them if they reported bugs. The one service that offers employees this access is all or nothing. Either you get to see a customer's email, credit card number, and purchase history - or you get to see nothing at all.

Everyone knew that I had this access, and everyone knew that it was against Amazon's own policy to give me access. But to them, that was easier than fixing the service so that it was more useful.

Perhaps I'm just clueless, but something tells me that any relevant competitor to Amazon - say, I don't know, Google - would choose to fix the service instead.
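One way the lookup service in the comment above could be made "more useful" without handing every engineer the whole record, as an added example (not Amazon's code; the scope names, field names, sample record and audit log format are constructed). Each field is gated by a separate scope, every lookup must carry a purpose, and the caller only ever sees the fields their scopes unlock, so an engineer chasing a bug report can get an email address without the purchase history or payment details.

```python
"""Field-level, purpose-bound access to customer records as an alternative to
an all-or-nothing lookup. Added example; scopes, fields and data are constructed."""
from dataclasses import dataclass, field

# Scope required to read each field. Fields not listed here are never returned,
# so adding a column to the record does not silently widen anyone's access.
FIELD_SCOPES = {
    "email": "contact:read",
    "name": "contact:read",
    "address": "shipping:read",
    "orders": "orders:read",
    "card_last4": "payments:read",   # only the truncated PAN is stored at all
}


@dataclass
class AccessLog:
    entries: list = field(default_factory=list)


class CustomerDirectory:
    def __init__(self, records, log=None):
        self._records = records
        self.log = log if log is not None else AccessLog()

    def lookup(self, customer_id, requester, scopes, purpose):
        """Return only the fields the requester's scopes unlock and record who
        asked for which fields and why. Returns None for an unknown customer."""
        if not purpose:
            raise ValueError("every lookup must state a purpose")
        scopes = set(scopes)
        record = self._records.get(customer_id)
        if record is None:
            self.log.entries.append({"who": requester, "customer": customer_id,
                                     "purpose": purpose, "fields": [], "denied": []})
            return None
        granted = {f: v for f, v in record.items() if FIELD_SCOPES.get(f) in scopes}
        denied = sorted(set(record) - set(granted))
        self.log.entries.append({"who": requester, "customer": customer_id,
                                 "purpose": purpose, "fields": sorted(granted),
                                 "denied": denied})
        return granted


# Constructed sample data: one customer, card stored only as its last four digits.
SAMPLE_RECORDS = {
    "cust-001": {
        "email": "alice@example.com",
        "name": "Alice Example",
        "address": "1 Example Street, Exampletown",
        "orders": ["order-17", "order-23"],
        "card_last4": "1111",
    }
}


def bug_report_contact(directory, customer_id, engineer):
    """What an engineer answering a bug report needs: the contact email, nothing else."""
    view = directory.lookup(customer_id, engineer, {"contact:read"}, "reply to bug report")
    return None if view is None else view.get("email")


if __name__ == "__main__":
    d = CustomerDirectory(SAMPLE_RECORDS)
    print(bug_report_contact(d, "cust-001", "eng-bugs"))
    print(d.log.entries[-1])
```

The audit log records the denied fields as well as the granted ones, which is what lets a reviewer spot a role that keeps asking for more than it needs and tighten the scope map rather than the other way round.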

>Perhaps I'm just clueless, but something tells me that any relevant competitor to Amazon - say, I don't know, Google - would choose to fix the service instead.

Why? The attitude you describe (do what's easy, not what's right) is endemic to any organization over a certain size in my experience.
