If you have an Apple account and an Amazon account, read this

[delphipsmith]

A hacker has discovered -- and, happily, disclosed -- a "blind spot" between Apple and Amazon's identity and account verification procedures:

Details are here and here.

I have to say this had never occurred to me as a way to game the system, but it's scary easy because so much information is available online (names, addresses, phone numbers, email addresses) and I'll bet can be done with other paired accounts as well. I know how many places use the last 4 digits of your credit card as verification.

Amazon claims this has since been fixed, but I have my doubts. My wallet was stolen last year and within four hours I had closed all my credit and debit cards, but the thief got my debit card turned back on via the simple route of calling my bank, pretending to be me, and telling them the card had only been lost and was now found. Wow.

It's almost enough to make you leave ze interwebz entirely. Almost, because otherwise where would I go for beta readers??

Comments

[droxy.livejournal.com]

With an unlimited spokeo account anyone can find you and all your identities. I will not do financial transactions over my iphone.

Thanks for sharing!

Adding now that Apple is just as vulernable, if not more so, than windows.

Sooo glad I dont use iCloud.

[delphipsmith]

now that Apple is just as vulernable, if not more so, than windows. Yeah, we all knew that day would come, didn't we?

[ennyousai.livejournal.com]

And your bank did not try to verify your identity in any way? I mean, damn. o.0

[delphipsmith]

I know, isn't that awful? I called to find out what personal info the customer service person had asked for, since if they'd asked for and gotten my SSN my problems were way bigger than just a debit card. The person I talked to said that according to their logs, they had asked for home address. Well, I pointed out, if they took my WALLET they also have my DRIVER'S LICENSE which of course has my HOME ADDRESS on it. Duh. So I complained up one side and down the other and they promised to investigate, saying that it shouldn't have happened and that once a card is reported stolen it's never supposed to be turned back on. Somehow I'm not soothed...

[shiv5468.livejournal.com]

Boggles.

Fortunately I don't have an apple account, and I'd hope they've learned from this lesson!

[delphipsmith]

One hopes. One is not sanguine, however, given one's past experience with customer service. If only irishredlass had been on the line, I bet this would never have happened LOL!

[madeleone]

Well that's a scary thing!

[delphipsmith]

Indeed it is. Makes me happy that I minimize my online activity and wouldn't touch Apple with a ten foot pole. Not that Amazon is any better, really, they should never have let this get through, but what can you do when your business model says you never see a person face to face, just through email and phone calls? There's not much to go on other than data, which is so much more easily falsified and stolen than your actual face...

[anna-bird.livejournal.com]

Unreal. One thing that strikes me about the Matt Honan event AND your own is that the ultimate basis for getting the access was a person-to-person event rather than a brute force password cracking or a further theft of info online or physical. Instead these thieves played on better nature/empathy of company folks to get what they needed. It's such a simple con from that perspective! All persuasion.

Sorry about your wallet, though! This is probably a silly question, but did the thief ever get caught?

[delphipsmith]

HAHAHAHAHAAHAAAA!!!!! No, they did not. I did file a police report, which means I wasn't liable for the $700 in charges, but no, the cops never caught them. A**holes (the thieves, not the cops).