They never cracked/hacked Honan's passwords.
It wasn't a case of passwords shared across multiple accounts.

The problem is that different service providers put varying value on personal information. Amazon treated the last 4 digits of the credit card as low importance, while Apple treated the same 4 digits as proof of identity. Amazon allowed the attacker to add his own credit card to Honan's account over the phone, using address as proof of ID, even though his address is in the WHOIS public database.

The attacker didn't crack Honan's passwords; he used the weak authentication policies of Amazon and Apple to get those passwords reset.

It's good to use strong passwords. This will help defeat brute forcing and rainbow tables. But consider this. If you lose your LastPass password, can it be reset? If so, what does LastPass accept as proof that the caller is you?
--buck

On 8/13/2012 9:50 AM, Mike Wills wrote:
All social engineering. When I read that... I immediately changed a few key
passwords that still used my old method of passwords.

I now use LastPass and generate longer random string passwords for every
site.

--
Mike Wills
http://mikewills.me


On Mon, Aug 13, 2012 at 8:46 AM, sjl <sjl_abc@xxxxxxxxxxx> wrote:

http://www.wired.com/gadgetlab/2012/08/apple-amazon-mat-honan-hacking/

This mailing list archive is Copyright 1997-2024 by midrange.com and David Gibbs as a compilation work. Use of the archive is restricted to research of a business or technical nature. Any other uses are prohibited. Full details are available on our policy page. If you have questions about this, please contact [javascript protected email address].