They never cracked/hacked Honan's passwords.
It wasn't a case of passwords shared across multiple accounts.
The problem is that different service providers put varying value on
personal information. Amazon treated the last 4 digits of the credit
card as low importance, while Apple treated the same 4 digits as proof
of identity. Amazon allowed the attacker to add his own credit card to
Honan's account over the phone, using his address as proof of ID, even
though his address is in the public WHOIS database.
The attacker didn't crack Honan's passwords; he used the weak
authentication policies of Amazon and Apple to get those passwords reset.
It's good to use strong passwords. This will help defeat brute forcing
and rainbow tables. But consider this. If you lose your LastPass
password, can it be reset? If so, what does LastPass accept as proof
that the caller is you?
--buck
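The cross-provider recovery chain buck describes above, modelled as a small search over account-recovery policies. This is an added example, not code from the thread or from any provider; the provider names come from the thread, the fact labels ("home_address", "cc_last4", ...) are constructed, and the link between Amazon accepting a phone caller and that caller then seeing the card's last four digits is an assumption used to model "treated the last 4 digits as low importance". It generalises the specific case: given each provider's recovery policy (what it accepts as proof, what it hands out once satisfied), it finds whether an attacker holding only public facts can reach a password reset, and shows that changing one provider's policy breaks the chain.

```python
"""Attack-path search over account-recovery policies (constructed example).

A policy step is (name, facts_required, facts_gained).  An attacker who
holds every required fact can perform the step and gains the new facts.
We ask: starting from facts that are public anyway, can the attacker
reach the goal fact (here, control of the target's Apple password)?
"""
from collections import deque

# Facts anyone can look up about the target.  The thread notes the home
# address was in the public WHOIS database.
PUBLIC_FACTS = frozenset({"name", "email", "home_address"})

# Policies as described in the thread.  The "amazon:view-account" step is
# an assumption: once phone support accepts the caller, the last four
# digits of the card on file are treated as low-value and disclosed.
WEAK_POLICIES = [
    ("amazon:add-card-by-phone", frozenset({"name", "email", "home_address"}),
     frozenset({"amazon_phone_verified"})),
    ("amazon:view-account", frozenset({"amazon_phone_verified"}),
     frozenset({"cc_last4"})),
    # Apple accepted last-4 plus billing address as proof of identity.
    ("apple:password-reset", frozenset({"cc_last4", "home_address"}),
     frozenset({"apple_password"})),
]

# Hypothetical hardened policy: Apple demands a secret the attacker cannot
# obtain from any other provider (a recovery key shown only at setup).
HARDENED_POLICIES = [
    step for step in WEAK_POLICIES if step[0] != "apple:password-reset"
] + [
    ("apple:password-reset", frozenset({"apple_recovery_key", "home_address"}),
     frozenset({"apple_password"})),
]


def find_path(start, policies, goal):
    """Breadth-first search over sets of facts the attacker holds.

    Returns the shortest list of step names that yields `goal`, or None
    if no combination of the given policies gets there from `start`.
    """
    start = frozenset(start)
    queue = deque([(start, [])])
    seen = {start}
    while queue:
        have, path = queue.popleft()
        if goal in have:
            return path
        for name, needs, gains in policies:
            # Step is usable if every required fact is held and it
            # actually adds something new (avoids pointless repeats).
            if needs <= have and not gains <= have:
                new = have | gains
                if new not in seen:
                    seen.add(new)
                    queue.append((new, path + [name]))
    return None


def reachable_facts(start, policies):
    """Every fact an attacker can accumulate from `start`: the closure
    of the policies.  Useful for spotting which 'low value' data a
    provider leaks that another provider treats as an authenticator."""
    have = frozenset(start)
    changed = True
    while changed:
        changed = False
        for _name, needs, gains in policies:
            if needs <= have and not gains <= have:
                have = have | gains
                changed = True
    return have


if __name__ == "__main__":
    print("weak:", find_path(PUBLIC_FACTS, WEAK_POLICIES, "apple_password"))
    print("hardened:", find_path(PUBLIC_FACTS, HARDENED_POLICIES, "apple_password"))
    print("leaked from public facts:",
          sorted(reachable_facts(PUBLIC_FACTS, WEAK_POLICIES) - PUBLIC_FACTS))
```

The useful habit this encodes is the one buck's closing question points at: list what each provider you depend on hands out to a "verified" caller, and what each one accepts as proof, then check whether any output of one policy is an input to another. The weakest link is rarely the password.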
On 8/13/2012 9:50 AM, Mike Wills wrote:
All social engineering. When I read that... I immediately changed a few key
passwords that still used my old method of passwords.
I now use LastPass and generate longer random string passwords for every
site.
--
Mike Wills
http://mikewills.me
On Mon, Aug 13, 2012 at 8:46 AM, sjl <sjl_abc@xxxxxxxxxxx> wrote:
http://www.wired.com/gadgetlab/2012/08/apple-amazon-mat-honan-hacking/
This mailing list archive is Copyright 1997-2024 by midrange.com and David Gibbs as a compilation work.