Computer Crime, Then and Now

@Andyj75: credit card companies do not want retailers to display or store any other digits than the last 4, the last 4 digits are considered OK, they’re shown on most receipts etc. The PCI requirements have a lot of very strict rules about how all credit card data must be stored or the retailer risks having their merchant accounts closed. Many retailers like Amazon do store the full details but they do have to follow the strict rules which almost certainly would prohibit sharing them for this kind of verification.

The scary thing about the attack on Mat Honan’s accounts was the multiple-front attack: they got Amazon, Google and Apple. All three had some set of almost reasonable practices, but the slight variance between them allowed the compromise of one account to lead to the next.

This isn’t a “people” problem or a “system” problem; it sounds like a process problem. I remember one company claiming that their practices weren’t followed, but that is a process problem, not a people problem, if it’s as frequent as it seems.

It’s good to finally have had another blog post after a month, I guess it was the jury duty or something from the look of Twitter? A series of posts about hacking would be interesting.

How about Zero Day: A Novel by Mark Russinovich and Howard Schmidt ?
http://www.amazon.com/Zero-Day-Novel-Mark-Russinovich/dp/1250007305/ref=la_B001IGNICC_1_5?ie=UTF8&qid=1347888058&sr=1-5

You don’t need to be “talented” to be a criminal. Is the person who smashes my window with a brick any less of a criminal than the person who uses a lockpick?

“All true; no hacker today would bother with frontal assaults”

I’ve got server logs that say otherwise.

They also mess up the process in other ways.

The other day I called some company. Phone company, maybe. They asked for my secret 4-digit code. I have had the account for at least a decade and don’t recall any sort of 4-digit code ever being asked for. So I guessed the last four of my SSN, and they said that wasn’t it. So they tried asking some more things and decided to help me. They came up with a new 4-digit code that I’m supposed to have known somewhere in the last 10 years.

They decided recently to start asking for it if you call in. But all the old customers, like me, don’t know what they are talking about. The customer support folks want to help us, so they go around the security rules to convince themselves that the person claiming to be me on the phone is really me.

The 4-digit code has accomplished nothing.

This way of doing things just makes it that much easier for the bad guy (or girl to be fair) to social engineer their way into my phone account. (I do hope they pay it if they hack in, though.)

My bank always does security authentication things through snail mail. I always wondered if that really helped the situation, or if it’s just that the crackers don’t have the patience to wait that long, so they get bored and move on.

Great notes about Kevin Mitnick (love the visiting card shot). And I thought I had done justice in my post on the Life & Times of Kevin Mitnick.

Sadly, Kevin died today of cancer:
