
Note that they had to break into the account in order to view those last 4 digits. You seem to be implying that they show them to anyone.

Either way, using the last 4 digits as 'security' is just stupid. You can get those from a receipt.



* Edit: Ah, technically they did break into the email account. The first time I read this I thought that they just had access to the account info page (doing things, such as purchasing or accessing account settings, requires password-entry by Amazon)

No, they did not have to break into the Amazon account.

http://www.wired.com/gadgetlab/2012/08/apple-amazon-mat-hona...

> First you call Amazon and tell them you are the account holder, and want to add a credit card number to the account. All you need is the name on the account, an associated e-mail address, and the billing address. Amazon then allows you to input a new credit card. (Wired used a bogus credit card number from a website that generates fake card numbers that conform with the industry’s published self-check algorithm.) Then you hang up.

> Next you call back, and tell Amazon that you’ve lost access to your account. Upon providing a name, billing address, and the new credit card number you gave the company on the prior call, Amazon will allow you to add a new e-mail address to the account. From here, you go to the Amazon website, and send a password reset to the new e-mail account. This allows you to see all the credit cards on file for the account — not the complete numbers, just the last four digits. But, as we know, Apple only needs those last four digits. We asked Amazon to comment on its security policy, but didn’t have anything to share by press time.


> But, as we know, Apple only needs those last four digits. We asked Amazon to comment on its security policy, but didn’t have anything to share by press time.

Wow. That's really bad. I mean, it's stupid that Amazon allows that sort of thing (and it sounds like they may be working to fix it). But Apple going off just the last four digits? That's straight up retarded. Why isn't anyone asking about Apple's security policies? Thank Sagan I'm not an Apple customer.


Why is it stupid for Amazon to show the last 4 digits? Let's say I have 3 cards on file. If I want to modify card #2 for some reason (billing address, expiry date) what do I do? Sure, I can look at the other details and take a guess, but we're on HN. On average, the normal customer would get frustrated.


> Why is it stupid for Amazon to show the last 4 digits?

I think npsimons was saying that it is stupid for Amazon to let you add a fake cc number and then take over an account using that same fake number. Not that they show the last 4 digits.


Ah well, then I stand corrected. So, now the question becomes, should you be allowed to add credit cards over the phone? Or does it become, how long should Amazon wait until they accept the new credit card as a valid ID?

For the second question, I'd say Amazon should wait until the user "confirms" the credit card. That is to say, send the user an email stating "Hi! New credit card added to your account. Click here to verify".


They could do pre-authorizations on the card to make sure they are valid and match an address on file.


That's a good point. But wouldn't prepaid cards defeat this? I'm not an American so I don't know how the address verification on prepaid cards works.

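An added example, not from the thread, Wired, or Amazon: a toy model of the two-call chain in the Wired excerpt above, together with the "verify the card first" fix proposed in the replies. The account data, the function names and the policies are hypothetical and simplified; what the code shows is that the "industry self-check algorithm" (Luhn) can be satisfied by any digits at all, so a Luhn-valid number proves nothing about ownership, and that the chain only works because an unverified, self-supplied card is accepted as an identity factor on the second call.

```python
"""Luhn check plus a hypothetical model of the recovery chain described above.

Constructed example: the accounts and phone-support policies here are made up
and are not Amazon's real systems. Two points are demonstrated:
  1. Any digit string can be completed to pass the Luhn checksum, so passing
     it is not evidence that a real card exists.
  2. Treating an unverified card as proof of identity lets two support calls
     be chained into an e-mail change and hence a password reset; requiring
     the card to be verified (pre-authorization or e-mail confirmation, as the
     thread proposes) before it counts as an identity factor breaks the chain.
"""
from dataclasses import dataclass, field


def luhn_valid(number: str) -> bool:
    """Luhn (mod-10) check: from the right, double every second digit,
    subtract 9 if the doubled digit exceeds 9, and require the sum to be 0 mod 10."""
    digits = [int(c) for c in number if c.isdigit()]
    if len(digits) < 2:
        return False
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def luhn_complete(prefix: str) -> str:
    """Append the single check digit that makes `prefix` Luhn-valid.
    This is all a 'fake card number generator' needs to do."""
    for check in range(10):
        candidate = prefix + str(check)
        if luhn_valid(candidate):
            return candidate
    raise AssertionError("unreachable: exactly one check digit satisfies Luhn")


@dataclass
class Card:
    number: str
    verified: bool = False  # hypothetical flag: set only after pre-auth / confirmation


@dataclass
class Account:
    name: str
    email: str
    billing_address: str
    cards: list = field(default_factory=list)

    def last4(self) -> list:
        """What a password reset would reveal: the last four digits of every card."""
        return [c.number[-4:] for c in self.cards]


def add_card_by_phone(acct: Account, name: str, email: str, address: str, number: str) -> bool:
    """Call 1 (hypothetical policy): name + associated e-mail + billing address
    is enough to add a card; the only check on the card itself is the checksum."""
    if (name, email, address) != (acct.name, acct.email, acct.billing_address):
        return False
    if not luhn_valid(number):
        return False
    acct.cards.append(Card(number))  # stored unverified
    return True


def change_email_by_phone(acct: Account, name: str, address: str, card_number: str,
                          new_email: str, require_verified: bool) -> bool:
    """Call 2 (hypothetical policy): name + billing address + a card number on file
    lets the caller attach a new e-mail address. With require_verified=True an
    unverified card no longer counts as proof of identity."""
    if (name, address) != (acct.name, acct.billing_address):
        return False
    for card in acct.cards:
        if card.number == card_number and (card.verified or not require_verified):
            acct.email = new_email
            return True
    return False


def run_attack(require_verified: bool):
    """Replay the chain against a constructed victim; returns (took_over, leaked_last4)."""
    victim = Account("Mat", "mat@example.com", "1 Example St",
                     [Card("4111111111111111", verified=True)])  # well-known test number
    fake = luhn_complete("400000000000000")  # Luhn-valid, but not a real card
    assert add_card_by_phone(victim, "Mat", "mat@example.com", "1 Example St", fake)
    took_over = change_email_by_phone(victim, "Mat", "1 Example St", fake,
                                      "attacker@example.net", require_verified)
    # After a reset to the attacker's e-mail, every card's last four digits are visible.
    leaked_last4 = victim.last4() if took_over else []
    return took_over, leaked_last4


if __name__ == "__main__":
    print("weak policy   :", run_attack(require_verified=False))
    print("verified only :", run_attack(require_verified=True))
```

With the weak policy the attacker ends up owning the e-mail on file and can read the last four digits of the victim's real card; with verification required, the fake card is on file but useless as an authenticator. Note that verification by pre-authorization only helps if the verified flag is set by the issuer's response, not by the caller's say-so, and the prepaid-card question raised above remains: a card that pre-authorizes but carries no address history still says little about who is calling.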

Also, every recent credit card receipt printer puts at least the last 4 digits on paper receipts. A little dumpster diving could easily reveal that data.


I implied nothing of the sort.

Just because a hacker can get the last 4 digits by physically being near you so they can obtain your receipts, doesn't mean that it's therefore worthless to remove that capability from hackers who are not physically near you.

Besides, you should be shredding/burning your receipts anyway.



