Amazon.com confirmed this morning that it has taken steps to address the security problem in its customer service procedures that helped hackers gain access to and wreak havoc on a Wired writer’s online accounts and Apple devices.
“We have investigated the reported exploit, and can confirm that the exploit has been closed as of Monday afternoon,” an Amazon spokesman said via email this morning in response to our inquiry about the situation.
If you’re just catching up to this story, Honan, the Wired writer, explains what happened in this Wired.com piece. Unidentified hackers were able to gain access to his Google, Twitter and Apple ID accounts by starting with bits of his personal information and mixing in some old-fashioned social engineering.
Honan, who has been in contact with one of the hackers, explains how Amazon’s practices helped open the door to his accounts:
First you call Amazon and tell them you are the account holder, and want to add a credit card number to the account. All you need is the name on the account, an associated e-mail address, and the billing address. Amazon then allows you to input a new credit card. (Wired used a bogus credit card number from a website that generates fake card numbers that conform with the industry’s published self-check algorithm.) Then you hang up.
Next you call back, and tell Amazon that you’ve lost access to your account. Upon providing a name, billing address, and the new credit card number you gave the company on the prior call, Amazon will allow you to add a new e-mail address to the account. From here, you go to the Amazon website, and send a password reset to the new e-mail account. This allows you to see all the credit cards on file for the account — not the complete numbers, just the last four digits. But, as we know, Apple only needs those last four digits.
That strategy should no longer work, now that Amazon says it has closed the loophole.
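To show why the two-call procedure worked, here is an added model of it in Python (constructed names and card numbers, not Amazon's code): a card added on the first, weakly checked call is recorded with that weak provenance, so under the hardened rule it cannot serve as proof of identity on the second call.

```python
# Added model of the account-recovery flaw quoted above (constructed names and
# card numbers, not Amazon's code). Lesson: evidence a caller could create on a
# weakly authenticated earlier call must not count as proof of identity later.
from dataclasses import dataclass, field
from enum import Enum

class Provenance(Enum):
    LOGGED_IN = "added from an authenticated web session"
    PHONE_WEAK = "added by phone with name, e-mail and billing address only"

@dataclass
class Card:
    number: str
    provenance: Provenance

    @property
    def last4(self):  # all a later password reset would reveal
        return self.number[-4:]

@dataclass
class Account:
    name: str
    email: str
    address: str
    cards: list = field(default_factory=list)

def add_card_by_phone(acct, name, email, address, number):
    """First call: only semi-public data is checked, so the new card is
    recorded with weak provenance rather than trusted outright."""
    if (name, email, address) != (acct.name, acct.email, acct.address):
        return False
    acct.cards.append(Card(number, Provenance.PHONE_WEAK))
    return True

def may_change_email(acct, name, address, number, strict=True):
    """Second call: caller asks to attach a new e-mail. strict=False is the
    pre-fix rule (any card on file counts); strict=True accepts only cards
    the owner established from a logged-in session."""
    if (name, address) != (acct.name, acct.address):
        return False
    return any(c.number == number and (not strict or c.provenance is Provenance.LOGGED_IN)
               for c in acct.cards)

def replay_reported_flow(strict):
    """Run the two-call sequence with a card the caller made up."""
    acct = Account("Pat Example", "pat@example.com", "1 Example Street")
    acct.cards.append(Card("1111222233334444", Provenance.LOGGED_IN))  # owner's real card
    add_card_by_phone(acct, acct.name, acct.email, acct.address, "9999888877776666")
    return may_change_email(acct, acct.name, acct.address, "9999888877776666", strict)
```

The same idea applies across providers: the last four digits revealed after a reset were treated by Apple as an authenticator even though they are data an attacker could obtain or, as here, choose.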
The situation provides a series of lessons for the rest of us, including the importance of using two-factor authentication and backing up important content on computers and devices.