undefined | Better HN

0 pointsjedimastert5y ago0 comments

> even today I see no reason why renewal should have to be gated behind login walls.

This actually reminds me on a somewhat interesting social engineering "vulnerability" a little while back[0].

1. The hacker would call into Amazon and say that the website was acting up and they needed to add a card to the victim's account. It wouldn't take much effort because why would it?

2. The hacker'd call right back and say that "their" email had been compromised and they needed to change it/add a new one and reset the password. You supply the card you just gave (and name/billing address, but those aren't too hard to find)

3. Use that to hop on to the account and grab the last 4 digits of the victim's real card.

You now have the victim's billing address and last 4 of a credit card. A surprising amount of authentication power.

I think the lesson here is if it can be privileged information, it is. Even if it's privileged for someone else.

[0]: https://www.wired.com/2012/08/apple-amazon-mat-honan-hacking...

0 comments

namibj5y ago

Ok, yeah, I see. Though, in that case, it's both a failure on his side, as well as an utter failure on apple's side.

Also, arguably, a plus for Google's stance on this: no answers to questions, no access. Sue us.

wolco5y ago

That's a useless hack at the time. You could generate your own credit card numbers back then using a formula. The name/expiry date or address were not used for verification.

So ordering from a fake credit card was easy. Finding the drop shipping location was the hard part.

jedimastertOP5y ago

In context, the exfiltrated info (last for of real card, billing address, email) was used as verification to get the victim's me.com account under the hacker's control, which was the back up for the victim's primary gmail used for everything else.

dannyw5y ago

Your fake credit card isn't going to have a balance.

wolco5y ago

It didn't matter because in order to check someone had to call and wait an hour so no one did in mail order purchases/shopping networks because you had an address to send the police to.

TedDoesntTalk5y ago

It was and still is trivial to get stolen credit card info that do have balances or credit available.

j / k navigate · click thread line to collapse

0 pointsjedimastert5y ago0 comments

> even today I see no reason why renewal should have to be gated behind login walls.

This actually reminds me on a somewhat interesting social engineering "vulnerability" a little while back[0].

1. The hacker would call into Amazon and say that the website was acting up and they needed to add a card to the victim's account. It wouldn't take much effort because why would it?

3. Use that to hop on to the account and grab the last 4 digits of the victim's real card.

You now have the victim's billing address and last 4 of a credit card. A surprising amount of authentication power.

I think the lesson here is if it can be privileged information, it is. Even if it's privileged for someone else.

[0]: https://www.wired.com/2012/08/apple-amazon-mat-honan-hacking...

0 comments

namibj5y ago

Ok, yeah, I see. Though, in that case, it's both a failure on his side, as well as an utter failure on apple's side.

Also, arguably, a plus for Google's stance on this: no answers to questions, no access. Sue us.

wolco5y ago

That's a useless hack at the time. You could generate your own credit card numbers back then using a formula. The name/expiry date or address were not used for verification.

So ordering from a fake credit card was easy. Finding the drop shipping location was the hard part.

jedimastertOP5y ago

dannyw5y ago

Your fake credit card isn't going to have a balance.

wolco5y ago

It didn't matter because in order to check someone had to call and wait an hour so no one did in mail order purchases/shopping networks because you had an address to send the police to.

TedDoesntTalk5y ago

It was and still is trivial to get stolen credit card info that do have balances or credit available.

j / k navigate · click thread line to collapse