Amazon shuts social engineering hole

Powered by SC Magazine
 

Phone call no longer enough.

Amazon will no longer allow people to change credit card and email addresses for customers' accounts over the telephone, after a devastating hack on a journalist last week.

Wired reported that Amazon had quietly changed its policy on Monday.

Before the change, people could change account details as long as they were able to identify themselves by name, email address and mailing address.

Those pieces of information are easily found online, and were used by two hackers to gain access and take control of reporter Mat Honan's Amazon account through a simple phone call.

Once the Amazon account had been compromised and hackers knew the last four digits of his credit card number, they were able to trick Apple's customer service into believing they were dealing with Honan himself.

In the ensuing hack, the attackers remotely wiped Honan's laptop, iPad and iPhone, losing irreplacable data. His Twitter account was also compromised, along with a number of email accounts.

"In the space of an hour, my entire digital life was destroyed," Honan said in the aftermath of the attack.

According to Honan's account of the hack, those involved in the attack had purely used social engineering techniques — convincing people to hand over key information — rather than any technical hacks.

Honan and Wired were able to replicate the steps leading to the hack up until Tuesday, when Amazon closed the security hole without announcement.

Copyright © iTnews.com.au . All rights reserved.


Amazon shuts social engineering hole
 
 
 
Top Stories
Beyond ACORN: Cracking the infosec skills nut
[Blog post] Could the Government's cybercrime focus be a catalyst for change?
 
The iTnews Benchmark Awards
Meet the best of the best.
 
Telstra hands over copper, HFC in new $11bn NBN deal
Value of 2011 deal remains intact.
 
 
Sign up to receive iTnews email bulletins
   FOLLOW US...
Latest Comments
Polls
Who do you trust most to protect your private data?







   |   View results
Your bank
  39%
 
Your insurance company
  3%
 
A technology company (Google, Facebook et al)
  8%
 
Your telco, ISP or utility
  7%
 
A retailer (Coles, Woolworths et al)
  2%
 
A Federal Government agency (ATO, Centrelink etc)
  20%
 
An Australian law enforcement agency (AFP, ASIO et al)
  14%
 
A State Government agency (Health dept, etc)
  6%
TOTAL VOTES: 1795

Vote
Do you support the abolition of the Office of the Information Commissioner?