Computer Crime, Then and Now (codinghorror.com)
85 points by willvarfar on Sept 12, 2012 | 14 comments



From Article: One of his friends is a 15 year old hacker who goes by the name of Cosmo; he's the one who discovered the Amazon credit card technique described above. And what are teenage hackers up to these days?

Adapted from the Evil Overlord list[1]: 12. One of my advisors will be a 15-year-old hacker. Any flaws in my computer security that he is able to spot will be corrected before implementation.

These kids should be paid to find and report these security holes, not arrested. They're producing very valuable information in their boredom.

[1] http://www.eviloverlord.com/lists/overlord.html


When you think about it, a supermarket authenticates your identity to a higher standard when you purchase beer than many of the companies that you do non-trivial business with. Kind of pathetic.

For a random hacker to compromise your personal security, they need to find the last four digits of a credit card number that is relatively easy to derive. That's scary. Much scarier is that a not-so-random hacker with even a casual personal acquaintance can utterly destroy you.


You know what is really scary... when I lost my Wells Fargo debit card and requested a replacement, only the last four numbers changed. The same exact four numbers that are shown on virtually every webpage and purchase order in the world!

Wouldn't take long to guess those last four if you were the reason I was getting the new card (i.e. you were in possession of my old card).


I remember having a very good time reading Mitnick's "Art of Deception" ten years ago.

A very good overview of what is social engineering, its methods, risks and consequences.


How about a credit card anonymization service, such that the bank allows you to generate a virtual 'card number' useful for payments to only one merchant?


Several (many?) banks do this. I've used citibank's 'virtual account numbers' in the past when dealing with merchants I did not trust.


Seconding citi virtual cards. You can also limit the maximum amount a virtual card can be charged.


This used to be a feature that several cards advertised, but seems it has been completely dropped by them all in the last 5 years.


Tl;dr use social engineering - computers are not the weak point, people are.

True.


To me the real story is how powerful the last four digits of your credit card are and how easily they're attained. Even more shocking is your privacy basically depends on the least secure online account you own.

Think of how easy it is to write a program like this:

  INPUT:  list of someone's online accounts,
          desired account access
  OUTPUT: step-by-step instructions of numbers to call and forms to fill out
          to obtain desired account access
All you would really need is a small database of the information required to reset your password and login for a bunch of popular accounts. Your script just has to connect the dots.
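The defender's version of the point above is a self-audit: map which of your own accounts can be reset from which facts or other accounts, then compute how far a single leaked item (such as the last four card digits) propagates. This is an added illustration, not code from the thread; the account names and reset rules are constructed.

```python
"""Audit which of your own accounts fall if one credential or fact leaks,
by following password-reset chains to a fixed point."""

# Constructed policy: account -> list of alternative requirement sets.
# Holding everything in ANY one set is enough to reset that account.
# Items that are not keys of this dict are leaf facts (card digits, phone...).
RESET_RULES = {
    "shop":          [{"cc_last4", "billing_address"}, {"email_primary"}],
    "email_primary": [{"phone_sms"}, {"email_backup"}],
    "email_backup":  [{"security_question"}],
    "cloud_storage": [{"email_primary"}],
    "bank":          [{"email_primary", "phone_sms"}],
}


def compromised_accounts(leaked, rules=RESET_RULES):
    """Accounts reachable from the initially leaked facts/accounts."""
    have = set(leaked)
    changed = True
    while changed:  # keep resetting until no new account becomes reachable
        changed = False
        for account, options in rules.items():
            if account not in have and any(opt <= have for opt in options):
                have.add(account)
                changed = True
    return sorted(a for a in rules if a in have and a not in leaked)


def leaf_facts(rules=RESET_RULES):
    """Pieces of data that are not themselves accounts: the real roots of trust."""
    return sorted({f for opts in rules.values() for o in opts for f in o} - set(rules))


def blast_radius(rules=RESET_RULES):
    """Map each leaf fact to the accounts it alone unlocks, worst first."""
    radius = {f: compromised_accounts({f}, rules) for f in leaf_facts(rules)}
    return sorted(radius.items(), key=lambda kv: -len(kv[1]))


if __name__ == "__main__":
    for fact, accounts in blast_radius():
        print(f"{fact:>18}: {len(accounts)} accounts -> {', '.join(accounts) or '-'}")
```

The "least secure account you own" shows up as the leaf fact with the largest blast radius; swapping that account's reset option for something stronger (a hardware token, say) and re-running is how you check that a mitigation actually shrinks it.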


I agree w/ Mr. Atwood's assessment that people are, have always been, and will continue to be the weak point.

I strongly disagree w/ his statement that no attackers still attempt frontal assaults. Thinking that way promotes a dangerous complacency, not unlike the complacency that I see created after a company spends a large sum to install some security product. "Now that we have <firewall / security scanner / NIDS / SIEM / log aggregator / patch management> product we are 'secure'!"

In my work I continue to see Internet-facing machines with shockingly poor security posture in companies large enough to "know better". Those vulnerabilities are, of course, still "people problems" at their heart (sysadmins who end-run good security process, developers who won't allow patches to be installed, etc) and they're still out there en masse.


The first book about Mitnick was Takedown. It came out right after he was caught.


I find this reassuring for my personal projects; I'm not a security expert. I've been afraid that my VPS was going to be exploited as soon as I started opening up services to the internet, but so far this has not been the case. All I've done is install fail2ban and spent a short while reading up on best practices/config settings before installing services, and everything has worked out so far ...


How do you know you weren't exploited? You say that you aren't a security expert.



