Hacker News new | past | comments | ask | show | jobs | submit login
Amazon Quietly Closes Security Hole After Journalist’s Devastating Hack (wired.com)
120 points by sciwiz on Aug 7, 2012 | hide | past | favorite | 38 comments



This is the only possible response after the "exploit" was published. Amazon's process was appropriate for their business, and the problems the journalist experienced were due solely to the level is security Apple chose to implement and their decision to allow remote wiping of people's Macbooks.

This is only a story because of Apple's of operational decisions. The information required to game their system could have come from a myriad of sources other than Amazon.


I disagree that Amazon's processes were 'appropriate'. Being able to gain access to someone's Amazon account with such basic information can be a big problem.

I know a guy that's a huge amazon seller and he says there are Amazon sellers often with upwards of $100,000 in their accounts on Amazon before pulling the cash out. If someone were able to gain access to a seller account (I'm not sure if this 'exploit' would have worked for a seller account or not), that could have been quite financially painful for some people.


I suspect that Amazon has behavioral metrics to back up their visible security measures. Not to mention that Amazon also relies on the scrutiny of each transaction by the financial institutions issuing credit cards. Had the person taking over the account changed shipping addresses and ordered expensive merchandise, I strongly suspect that Amazon and/or the credit card companies would have been alerted.

The absence of any sort of backup measures at Apple allowed a lost password access followed immediately by the wiping of three devices to go entirely unnoticed. It's not just the lack of rigor Apple implemented in the password recovery process, it's that that is all there was. Apple didn't defend in depth at all - there was just one call center employee between the black hat and mischief.


Why are they leaving so much in their accounts? Amazon is not a bank, and as such they're probably not subject to the same regulations. We've already seen this issue with people leaving too much money in winnings in online poker accounts, or PayPal accounts.


The question is what info you can change by calling. Can you change the destination account for payments?

The thing is that Amazon's previous risk assessment was probably about what sort of harm could be done directly with the info provided. Now they are worried about what can be done through other providers that will bring them bad press.


Leaving that amount of money anywhere other than in an FDIC insured bank is incredibly irresponsible. Arguably as irresponsible as Apple's decision to require the last 4-digits of a credit card to gain access to iCloud, where a malicious intruder could arguably do way more damage, on average.

I could walk up to an ATM behind someone and get the last 4 of their card all day long. It is printed on every single receipt you've ever gotten.


In addition to Amazon actually being an FDIC insured way to store your money, it should be realized that your bank is only going to have you covered up to $250k. Do you feel like storing more than that much money for a company is then "incredibly irresponsible"?


I could be wrong, but I feel like getting money back from my bank after fraud will be a bit easier than getting it back from Amazon.


Yeah, I do actually. Why would you need more than $250,000 liquid currency in the same bank? Nobody does that.

Anyway, you are wrong about Amazon being FDIC insured like normal banks. They can potentially insure you up to $100,000 via pooled accounts stored at FDIC banks. Amazon payment accounts themselves are not FDIC insured. So you can imagine how much fun it would be to get your money back as compared with a real bank.


You are not "potentially" insured up to $100,000: you "are" insured up to $100,000. This is critical to note, as the disdain you expressed was for people storing, specifically, "upwards of $100,000 in their accounts on Amazon".

As for storing $250,000 in the same bank, I am highly confused what a company otherwise does. I have a company, and while I don't actually own a lot of the money that I hold on to (it is almost entirely held liabilities for things like sales tax or vendors), at any given moment I am certainly holding more than $250,000.

Do you then contend that I should be having numerous bank accounts to hold this money? I can't invest it, as I need to have the money to pay the aforementioned liabilities at the end of pay periods that are too short to move money in and out of investments. (Note: I also do not believe my business is somehow crazy-weird.)


How is easily being able to gain access to an Amazon account in any way appropriate?

The concrete problem the journalist experienced was mostly due to the level of security Apple chose, sure, but that’s only because the hacker chose not to exploit being able to access the Amazon account.

The problem with Amazon is not that they give out the last four digits of the credit card. The problem is that you can access anyone’s account.


The problem with Amazon is not that they give out the last four digits of the credit card. The problem is that you can access anyone’s account.

Amazon: You can access the account. And like order Hello kitty plush toys in someone else's name.

Apple: You can access the account. Then possibly remote-wipe all data belonging to whoever owns that account, data which may or may not be recoverable.

There is a slight difference. Apple has a much bigger responsibility here. Amazon is just responding because this is bad press, and they are basically covering Apple's ass here.

Apple, as per usual, has a shitty security record. Unless Microsoft, they haven't learned that security is a something which has to be baked in at the root of your products and services. It needs to be there from the start and isn't something which can be tacked on later.

For a short time, Apple was ahead of Microsoft in security because its OS was based on Unix-roots. Now they've built so many systems on top of that, and we can clearly see that Apple itself has no concept about security. Apart, ofcourse, for DRMed media and its own walled iOS-gardens.

The only security Apple cares about is its own. I wonder when their Microsoft-moment will come and they realize they have a responsibility towards their customers security wise as well.


What the hell? Why is everyone so nonchalant with this gaping hole in Amazon’s security? I don’t get it.

I wasn’t comparing this hole to Apple’s security. I was merely pointing out that this is a big fucking deal. Because it is.

What’s wrong with you? Do you fear that Apple might not look so bad if you admit that Amazon also screwed up quite a bit? Are you so fanatical in your hate of Apple?

Apple’s security hole is the bigger deal here, certainly, but Amazon’s is also a big fucking deal.


Another way to look at this is that the exploit was solely an emergent property of two different systems having different views on what constituted secret information. The issue was not necessarily that either one did something wrong, but rather that when you put them together, one could play off both their weaknesses to create a bigger one.


And this is not something new. Back in the days of ICQ and hotmail, it was trivial to "hack" someone's email account by filling in the required information to "recover your password" by using information users stored in ICQ (which usually included their email).

I remember searching for people with an @hotmail.com account in ICQ just to see if I could enter to see their emails. This was like, 15 years ago IIRC.


While they have closed the loophole for adding credit cards, you can apparently still change your email or password via phone: http://www.forbes.com/sites/kellyclay/2012/08/07/amazon-tigh...


If you can change the email or password by phone, then nothing is solved. Adding the credit card was, as I understand, simply because amazon required a credit card number on the account (possibly last four digits).


I would like to see a customer service/tech support org where customers have to enter their 2-factor PIN at a phone menu before reaching a human support agent. You could possibly combine that with caller ID for better verification - basically use phone # like a username and the PIN as password.

Or you could just use them alongside other verification steps.


What if they've had their mobile phone stolen and can't do 2-factor auth and that's why they're calling?


Security traded for convenience, back to square one.


Isn't this scenario why Gmail's 2-factor authorization gives you a set of one-time passwords?


What if you lose them?

At some point, there has to be a way to get back into your account. Probably, going through slow and hard to hack methods like the postal system.


Well, continuing to use Gmail as an example, there is an account recovery system, which IIRC asks for a bunch of details to try and determine if you are the account owner (account creation date, names of labels used, etc.) If Google or a third party would provide a list of these details, then you could collate that info as additional insurance against your posited scenario.


There's inevitably going to be someone who loses them or never prints them out in the first place.


BofA does this for teller transactions. To talk to a teller, you have to swipe your debit card and type your PIN. While not foolproof, I think it's a pretty nice security measure.


If you don't have your card with you, however, you can provide photo ID and they'll look up your account number. I suppose it would be possible to provide a forged photo ID to gain access to someone's account.


You would also need to enter your username or email address, though, and that's hard to do over the phone... I guess voice-to-text is improving, so that might be an option.


You don't have to actually enter your email address, you just have to prove that you know it - and telephones have the full alphanumeric set of characters on the keypad. Use a * or # for special characters, and something like "pavel@lishin.org" could be entered as "72835#547446#674".

Edit: I guess that may not be sufficient to identify you, but it could verify that you are the account holder for other services.


My cell phone (Pantech 5000) has a qwerty keypad. It doesn't have the old rotary phone style letter-number association. I know many people whose phones don't have this.


Ok, but you can't do dtmf with querty, so its use in a call center is somewhat less important.

With standard numbers, you could use any touch tone phone.


What I mean is the map of 2 to a,b,c is fading fast. I can't figure out how to dial 1-800-CALL-ATT by looking at my phone, much less my email address.


Some people have 20+ character long email.

You really think they are going to be happy about sitting around typing that in on their phone hoping they don't make a mistake ?


Voice to text works fine for limited input. So if all you needed was the letters of the alphabet (rather than words) it works pretty well.


GoDaddy essentially does this - but you have to give the human the PIN. Also, most banks do this as pointed out (fwiw, I bank with USAA and I have to call from a registered phone number and enter a pin before reaching a human.)


For those not aware whenever a journalist uses the term "quietly" it equates to "didn't issue a press release" or post publicly in an announcement.


Yeah, and? What else would it equate to?

Press releases and public announcements are how a company communicates. If a company changes something without communicating, they changed something quietly.

I’m not really understanding what point you are trying to make. What is there to misunderstand about that “quietly”?


Is it possible to prevent a remote wipe by Apple? Or at least so it is only possible with knowledge of my password? If I lose both my MBA and my password, I am ok with not being able to remote wipe.

EDIT: OK, I can disable remote wipe entirely by disabling 'find my mac'.


It is only possible if you know your iCloud username and password.

Now the reason why the attacker was able to remote wipe is because he had the iCloud username and the newly generated password.




Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact

Search: