Apple and Amazon Know About a Massive Hack Exploit—And Have Done Nothing (Updated)

"....just lock down your entire online life until further notice."

Exaggerated to some extent, but certainly a problem. How to fix it? Critical comments are often far easier than constructive suggestions.
 
Nothing was hacked. Social engineering at its finest.

Well, the Amazon one was an exploit. You add a CC to an account, which apparently you do not have to be logged in to do. Then, once it is added, you can use that CC account number to reset the password. The CC number is fake.

First you call Amazon and tell them you are the account holder, and want to add a credit card number to the account. All you need is the name on the account, an associated e-mail address, and the billing address. Amazon then allows you to input a new credit card. (Wired used a bogus credit card number from a website that generates fake card numbers that conform with the industry’s published self-check algorithm.) Then you hang up.

Next you call back, and tell Amazon that you’ve lost access to your account. Upon providing a name, billing address, and the new credit card number you gave the company on the prior call, Amazon will allow you to add a new e-mail address to the account. From here, you go to the Amazon website, and send a password reset to the new e-mail account. This allows you to see all the credit cards on file for the account — not the complete numbers, just the last four digits. But, as we know, Apple only needs those last four digits. We asked Amazon to comment on its security policy, but didn’t have anything to share by press time.

So, if you have both an Amazon account and an Apple account you can take them both over with a fake credit card number if you know the billing address and email address.
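The "published self-check algorithm" the Wired excerpt mentions is the Luhn checksum, which is designed only to catch typing mistakes. The following is an added illustration, not code from the thread or from Wired: it implements the check, derives a check digit, and counts how many numbers of a given length pass, which makes the defensive point concrete. Passing the check proves nothing about whether a card exists or who holds it, so it is useless as evidence of account ownership. The card numbers in it are constructed test values.

```python
# Added example: the Luhn checksum, and why passing it is not evidence of anything.
# Sample numbers below are constructed test values, not real cards.
from itertools import product


def luhn_sum(digits: str) -> int:
    """Luhn sum of a digit string, processed right to left.
    Every second digit from the right is doubled; doubled values above 9
    have 9 subtracted (equivalent to summing their two digits)."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total


def luhn_valid(number: str) -> bool:
    """True if the number (spaces/dashes ignored) satisfies the Luhn check."""
    digits = "".join(ch for ch in number if ch.isdigit())
    if len(digits) < 2:
        return False
    return luhn_sum(digits) % 10 == 0


def luhn_check_digit(partial: str) -> str:
    """Check digit that makes `partial` + digit pass the Luhn test.
    Appending a placeholder '0' puts the partial digits in the right
    doubling positions; the check digit then closes the sum to a multiple of 10."""
    s = luhn_sum(partial + "0")
    return str((10 - s % 10) % 10)


def count_luhn_valid(ndigits: int) -> int:
    """Brute-force count of ndigits-long digit strings that pass Luhn.
    Exactly one check digit completes any prefix, so this is 10**(ndigits-1):
    a random number passes one time in ten, i.e. the check carries no secret."""
    return sum(
        1 for tup in product("0123456789", repeat=ndigits)
        if luhn_valid("".join(tup))
    )


if __name__ == "__main__":
    # Constructed test values (widely used placeholder numbers, not real accounts).
    print(luhn_valid("4111 1111 1111 1111"))   # True: format is consistent
    print(luhn_valid("4111 1111 1111 1112"))   # False: one-digit typo caught
    print(luhn_check_digit("411111111111111"))  # "1"
    print(count_luhn_valid(4))                  # 1000 of 10000 pass
```

The last function is the caveat in numbers: one in ten arbitrary strings passes, so any process that treats "this card number validates" as proof of identity is accepting a one-decimal-digit checksum as an authenticator. Ownership has to be established by something the issuer confirms (an authorization or a small verification charge), never by the number's format.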
 
I can't believe how lax Amazon is. My dept is buying me a hard drive, and my secretary told me to just order it online, and put it on the dept card. I went into my Amazon account, added a new card, with her name, and her billing address, and poof! It was automatically accepted. No verification, nothing. Easy for me for sure, but always struck me as strange.
 
Amazon has done this sort of thing for YEARS. My parents have asked me to buy items on Amazon on occasion and instead of them having to re-pay me, my Mom just gave me her CC info. I plugged it in and purchased the item. In this case, the billing address matched the ship-to address, which helps, but you'd still think Amazon would question why *I* am putting in someone else's CC info and address.
 
Exactly. I mean sure, it was convenient, and if it was a stolen card it would be hard to hide the evidence of it, but it always surprises me.
 
I agree with the assertion that passwords have to go. What reliably replaces them, however, isn't easy to say. Any scheme will be based on one or more of the three basic foundations of security:
• Something you know
• Something you have
• Something you are

Passwords are something you know. The problems with passwords are numerous: they have to be shared; they can be forgotten; they can be used in multiple locations, increasing the chance that a security breach can compromise multiple services; they can be easily guessed if there aren't complexity requirements.

A key is something you have. The problem with keys for Internet services is how you prove that you actually possess your key; the key can be lost (or stolen); the key is "static" and by its physical nature can be duplicated.

Biometrics is something you are. Fingerprints; voice patterns; facial recognition; retina scans; DNA. Very hard to fake and duplicate (various Hollywood movies notwithstanding) but somewhat expensive to implement. Are you ready to replace "One-Click" with "One-Prick"?

I wonder if we can ever reach the point where we can make practical use of Quantum Entanglement for verification of our identities? When you press the "Verify Identity" button the existing quantum states of the entangled particles are read at both locations a million or so times and the results compared. If they match, you're who you say you are. Since the very act of reading the particle changes the state to some new random state, it's like flipping two coins a million times, only they both come up with the same Heads-Tails sequence.
 
I must point out that I read an article where they came up with a method to fool retina scans 80% of the time.
 