# Apple/Amazon Security Hole/Thieves Hack Amazon (MERGED)



## Cherise (May 13, 2012)

"The very four digits that Amazon considers unimportant enough to display in the clear on the Web are precisely the same ones that Apple considers secure enough to perform identity verification."

http://www.wired.com/gadgetlab/2012/08/apple-amazon-mat-honan-hacking/

This is mostly a danger to people who use Apple products (iPhone, iPad, Macs...). Word to the wise.


----------



## 56139 (Jan 21, 2012)

WOW - scary stuff!  I hope I never piss off those guys or have something they want! Turning on Google’s two-factor authentication right now.


----------



## Cherise (May 13, 2012)

This may be a good argument in favor of publishing to Apple through Smashwords.


----------



## Cherise (May 13, 2012)

This part is even scarier. It is already out there for hackers to see, so the rest of us need to protect ourselves:

"First you call Amazon and tell them you are the account holder, and want to add a credit card number to the account. All you need is the name on the account, an associated e-mail address, and the billing address. Amazon then allows you to input a new credit card... Then you hang up.

"Next you call back, and tell Amazon that you’ve lost access to your account. Upon providing a name, billing address, and the new credit card number you gave the company on the prior call, Amazon will allow you to add a new e-mail address to the account. From here, you go to the Amazon website, and send a password reset to the new e-mail account."


----------



## Anne Frasier (Oct 22, 2009)

wow.


----------



## 56139 (Jan 21, 2012)

Cherise Kelley said:


> This may be a good argument in favor of publishing to Apple through Smashwords.


It's not really about publishing, but yeah. Maybe. If you have ever bought a song from iTunes, this affects you.


----------



## That one girl (Apr 12, 2011)

Cherise Kelley said:


> This may be a good argument in favor of publishing to Apple through Smashwords.


This has nothing to do with publishing. It does make me glad I don't use my .me email address for anything.


----------



## Jan Hurst-Nicholson (Aug 25, 2010)

Cherise Kelley said:


> This part is even scarier. It is already out there for hackers to see, so the rest of us need to protect ourselves:
> 
> "First you call Amazon and tell them you are the account holder, and want to add a credit card number to the account. All you need is the name on the account, an associated e-mail address, and the billing address. Amazon then allows you to input a new credit card... Then you hang up.
> 
> "Next you call back, and tell Amazon that you've lost access to your account. Upon providing a name, billing address, and the new credit card number you gave the company on the prior call, Amazon will allow you to add a new e-mail address to the account. From here, you go to the Amazon website, and send a password reset to the new e-mail account."


Hope there are no unscrupulous people visiting this board who will be off to try this.


----------



## TexasGirl (Dec 21, 2011)

Those instructions were already published on Wired online Friday. KBers are the least of our worries.

I'm hoping Amazon is updating their employees on this right now.

And if you lose control of your Amazon account or your iTunes and they change your logins, you can't get into your publishing consoles either.


----------



## Ann in Arlington (Oct 27, 2008)

moved this from the Cafe to NQK as it is likely of interest to general membership. . . . . .


----------



## Betsy the Quilter (Oct 27, 2008)

I know I'm reading it with interest.

Betsy


----------



## Daniel P Robertson (Jan 30, 2012)

Wow, just went and enabled 2 step verification on my Google account.


----------



## Zelah Meyer (Jun 15, 2011)

Thank you for sharing that.  I hope Amazon close that loophole as soon as possible. 

As for Apple...     

I hope that journalist gets his photos back.


----------



## Ann in Arlington (Oct 27, 2008)

I certainly shared it with my son. . . he has both Apple and Amazon accounts.  And a Google account.  Just turned on the 2 step process for my Google account and got the application specific password for my phone gmail/calendar account.


----------



## Ann in Arlington (Oct 27, 2008)

Zelah Meyer said:


> Thank you for sharing that. I hope Amazon close that loophole as soon as possible.
> 
> As for Apple...
> 
> I hope that journalist gets his photos back.


Quite a lot of places where I have my CC stored only show the last 4 digits. . . .that's pretty standard. . . . .so it seems to me that if that's what Apple asks for to verify the account, they're the ones that need to change the policy. But maybe that's also all their people can see! 

It's probably also smart to periodically change passwords on accounts like Amazon that you use all the time. . . . . .

Kinda boggling, too, though, that they didn't have his name right when he called to try to sort it out!


----------



## hsuthard (Jan 6, 2010)

I've been following this story avidly since Friday night; it's very eye-opening. The hackers apparently were only interested in his rather unique Twitter handle, @mat. And it couldn't have taken them more than a couple of minutes to get it, and with no technological skills at all.

I updated my Google security yesterday and also went to Amazon and made sure I was using a different cc on that account from my iTunes account. I also deleted all but my Amazon Visa from my Amazon account. So now they can't get the last four digits of my cc via Amazon to gain access to my Apple account.

Nonetheless, I do hope both Apple and Amazon sit up and take notice. There's no reason not to increase the security from what I can see.


----------



## 25803 (Oct 24, 2010)

After reading the article, I was feeling somewhat protected because I use a different credit card at Amazon vs Apple, but then I reread your quote here, Cherise.

Yes, my iTunes/Mac/Apple should be safe.

But my Amazon account not-so-much.

This shows how easy it is to get into an Amazon account. I've created a brand new email address, nothing like anything I've ever used before and will ONLY use it for Amazon. That should make it a little more protected. I hate the idea someone could so easily get into my KDP account, and thus into my checking account info and my KDP payments.

I'd suggest everyone who publishes through KDP should create a new email just for use as your account ID on Amazon -- KC



Cherise Kelley said:


> This part is even scarier. It is already out there for hackers to see, so the rest of us need to protect ourselves:
> 
> "First you call Amazon and tell them you are the account holder, and want to add a credit card number to the account. All you need is the name on the account, an associated e-mail address, and the billing address. Amazon then allows you to input a new credit card... Then you hang up.
> 
> "Next you call back, and tell Amazon that you've lost access to your account. Upon providing a name, billing address, and the new credit card number you gave the company on the prior call, Amazon will allow you to add a new e-mail address to the account. From here, you go to the Amazon website, and send a password reset to the new e-mail account."


----------



## DYB (Aug 8, 2009)

Amazon closed the loophole on their end earlier today. Customer service reps have been instructed that they can no longer add credit cards or change e-mail via phone.

http://www.pcmag.com/article2/0,2817,2408185,00.asp


----------



## Ann in Arlington (Oct 27, 2008)

Good for them!


----------



## jackz4000 (May 15, 2011)

Amazon tight-lipped. Protect your account and info:

http://money.cnn.com/2012/08/07/technology/mat-honan-hacked/index.htm?hpt=hp_t3


----------



## JRTomlin (Jan 18, 2011)

It isn't Amazon that is in the wrong here. Apple using the last four digits of credit card numbers, which are _routinely_ shown on receipts from everything from grocery stores to restaurants to the gas station is just plain idiotic. Are there ANY other retailers that consider that secure information? I don't know of any.

Makes me extremely glad I don't have any accounts with Apple and I definitely won't be getting one.


----------



## J. Tanner (Aug 22, 2011)

I would say that allowing someone to get into my account by knowing certain public(ish) information and making up a fake credit card number is a pretty severe security FAIL on Amazon's part even if they don't use that to further penetrate Apple's system. They're still in my Amazon account at that point. Glad to see it's been dealt with.


----------



## Guest (Aug 7, 2012)

"Amazon will allow you to add a new email address to the account."

A.k.a. shadow accounts. Welcome to my world. Something I also said here a while ago, and which I also warned Amazon about back in January and February, when my account also had this nice glitch with numerous additional unknown email addresses, but they did nothing to solve it. Well, what can I say. I was right. Again. And this may sound so evil, but they deserve what they got. As for Apple... well, at least I don't have an account there. And seemingly, as they have the "perfect" security, there won't be one in the future either.

Oh, wait. I forgot that all of this is an evil conspiracy theory, a fictive imagination of mine. Yep, I can see that.


----------



## David Adams (Jan 2, 2012)

Istvan Szabo said:


> Oh, wait. I forgot that all of this is an evil conspiracy theory, a fictive imagination of mine. Yep, I can see that.


But that's just what they want you to think.

You have no idea how deep the rabbit hole goes.


----------



## Betsy the Quilter (Oct 27, 2008)

Merging this with the existing thread in Not Quite Kindle as a matter of general interest to our membership.  Sorry for any confusion.

Betsy


----------



## David Adams (Jan 2, 2012)

On a more serious note, this is quite a serious security flaw in the authentication with Amazon. :/


----------



## hsuthard (Jan 6, 2010)

Sounds like Apple is making a policy change, too!

Quote:
Apple on Tuesday ordered its support staff to immediately stop processing AppleID password changes requested over the phone, following the identity hacking of Wired reporter Mat Honan over the weekend, according to Apple employees.

An Apple worker with knowledge of the situation, speaking on condition of anonymity, told Wired that the over-the-phone password freeze would last at least 24 hours. The employee speculated that the freeze was put in place to give Apple more time to determine what security policies needed to be changed, if any.

The change follows similar security tightening at Amazon, which on Tuesday closed a hole in its customer service systems that gave people the ability to gain control of a customer's Amazon account as long as the hacker knew the name, e-mail address and mailing address of the victim.

http://www.wired.com/gadgetlab/2012/08/apple-icloud-password-freeze/?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+wired%2Findex+%28Wired%3A+Top+Stories%29


----------



## Ann in Arlington (Oct 27, 2008)

David Adams said:


> On a more serious note this is quite a serious security flaw in the authentication with Amazon. :/


I don't think the problem is necessarily with Amazon. . . . . the last four of a cc is often the only part of it that's visible. . .this is true on MANY sites. Apple should not have used THAT as part of their verification of who you are.

For Amazon, the problem is that they allowed someone to change an email address on the phone. But if you look at this earlier post they have changed that based on this story.

And based on the immediately preceding post, Apple is making the change too. Good for both those companies!


----------



## Betsy the Quilter (Oct 27, 2008)

So explain the two step Google verification to me.  Does this mean that anytime I log into my gmail account I need to enter a code from my phone as well as a password?  

Betsy


----------



## hsuthard (Jan 6, 2010)

Betsy the Quilter said:


> So explain the two step Google verification to me. Does this mean that anytime I log into my gmail account I need to enter a code from my phone as well as a password?
> 
> Betsy


It's pretty neat, actually. Every 30 days you'll have to enter a verification code to get into your account. There's an iPhone app you use to generate verification codes. That's assuming you're accessing your account from a "trusted" computer. You can designate and revoke "trusted" computer status at will. You set it up by inputting your mobile number and they either text or call you with a code.


----------



## Betsy the Quilter (Oct 27, 2008)

hsuthard said:


> It's pretty neat, actually. Every 30 days you'll have to enter a verification code to get into your account. There's an iPhone app you use to generate verification codes. That's assuming you're accessing your account from a "trusted" computer. You can designate and revoke "trusted" computer status at will. You set it up by inputting your mobile number and they either text or call you with a code.


I'm still confused, sorry to be dense. The first time I set it up, they send to my phone? And then every thirty days they do it again? But I don't need to enter the code on a daily basis to check email? Does the iPhone app generate the code and tell Google what it is?

Betsy


----------



## hsuthard (Jan 6, 2010)

Right. Go to your Gmail settings and find the part where you turn on 2-step verification. When you do that, it will ask how you'd like to verify, via SMS or voice call. Select SMS and they'll send you a text with a six-digit code. Enter that code in the field on your Gmail screen and submit. Then you're set on that computer for 30 days, unless you check the box that requires you to do the text/code entry every visit.


----------



## Betsy the Quilter (Oct 27, 2008)

OK, great.  Thanks!

Betsy


----------



## hsuthard (Jan 6, 2010)

Sorry, it's not in Settings, it's under Account-->Security.

You can also set up verification for iPad and iPhone email there as well. It explains itself well as you step through it, I found.


----------



## Betsy the Quilter (Oct 27, 2008)

I found it okay, but now it's saying I have to create a special application-specific password for every app I use that was using my Google account info?  This is a pain...  It sounds like I have to have a separate one for my Gmail on my iPad, for the Calendar, for the iPhone.  If Amazon has straightened this out, it sounds to me like the two step is more trouble than it's worth for me...

Betsy


----------



## Cherise (May 13, 2012)

DYB said:


> Amazon closed the loophole on their end earlier today. Customer service reps have been instructed that they can no longer add credit cards or change e-mail via phone.
> 
> http://www.pcmag.com/article2/0,2817,2408185,00.asp


YAY!


----------



## The Hooded Claw (Oct 12, 2009)

It's been awhile, but I remember starting to set up the two-step verification for Google once, and giving it up as more trouble than it is worth.


----------



## hsuthard (Jan 6, 2010)

Betsy the Quilter said:


> I found it okay, but now it's saying I have to create a special application-specific password for every app I use that was using my Google account info? This is a pain... It sounds like I have to have a separate one for my Gmail on my iPad, for the Calendar, for the iPhone. If Amazon has straightened this out, it sounds to me like the two step is more trouble than it's worth for me...
> 
> Betsy


I kinda thought so too at that point, but the app things were much simpler to do, you just enter a different password for your gmail (and google calendar if you use it) on the iPhone and iPad apps. Once you've done it once, it's done forever.


----------



## Zelah Meyer (Jun 15, 2011)

DYB said:


> Amazon closed the loophole on their end earlier today. Customer service reps have been instructed that they can no longer add credit cards or change e-mail via phone.
> 
> http://www.pcmag.com/article2/0,2817,2408185,00.asp


Yay Amazon! I thought they'd be on the case.


----------



## Betsy the Quilter (Oct 27, 2008)

hsuthard said:


> I kinda thought so too at that point, but the app things were much simpler to do, you just enter a different password for your gmail (and google calendar if you use it) on the iPhone and iPad apps. Once you've done it once, it's done forever.


Holly, I'm sorry for being dense, but which apps? The Google security page gave me a long list of things that needed passwords and suggested that I give them aliases so I could remember them.

Betsy


----------



## 25803 (Oct 24, 2010)

DYB said:


> Amazon closed the loophole on their end earlier today. Customer service reps have been instructed that they can no longer add credit cards or change e-mail via phone.
> 
> http://www.pcmag.com/article2/0,2817,2408185,00.asp


Cherise Kelley said:


> YAY!


Double YAY! Thanks DYB!


----------



## Ann in Arlington (Oct 27, 2008)

FWIW, I did the google two step thing. The six digit thing came to my phone just fine and was no problem. I got an 'application specific password' and used it to access GMail on my phone.  Used the SAME one to access it on my Xoom tablet.  

Now, my only concern is that I have my google calendar and my outlook calendar set to sync up.  But I sort of forget how I did that. . .going to have to do some thinking. . .this morning there was a warning about the password being wrong, which says to me that it's because of this two step thing. . .but I've gotta figure out where to enter it.  I entered google calendar directly with no problem, but Outlook is apparently not talking to it.

The good thing is, if it all becomes too much of a pain. . . . .I can go in and turn it all off. But I don't use gmail all that often . . . mostly, though, I need my google calendar to sync.


----------



## Betsy the Quilter (Oct 27, 2008)

And I use it a lot.  I know you set up the application specific password on Google, under account security.  We'll see.  I may turn it off...

Betsy


----------



## Ann in Arlington (Oct 27, 2008)

Update:  I had to uninstall and reinstall Google Calendar Sync to get it to sync with my Outlook.  I was able to use the same 'application specific password' to log in and it synced just fine.  I'm now happy.  I'll see if I get annoyed with the six digit thing to the phone. . . . .I won't know that for a month, though.


----------



## hsuthard (Jan 6, 2010)

Betsy the Quilter said:


> Holly, I'm sorry for being dense, but which apps? The Google security page gave me a long list of things that needed passwords and suggested that I give them aliases so I could remember them.
> 
> Betsy


No, it is confusing, definitely. I use the default Apple Mail app on my iPhone and iPad and I'm guessing you do, too. Once you've changed your gmail to do the two step verification, when you try to open mail on your phone you'll get an error message saying something's wrong. You can click Settings on that error message and it brings up the gmail account settings screen where you can then enter the new password Google gives you when you enter "iPhone email app" on the google page and it gives you a 16-digit character string to input.

For me, I entered the app I used (e.g., iPad Mail) and it spit out the character string, then I picked up my iPad and opened mail, got the error message, changed the password, opened calendar (I use a gmail calendar too so that was linked as well), got an error message and changed that to the same 16-digit string, and then it worked. Then repeat with the iPhone and then again with hubby's iPhone for the calendar.

It was easier than it is to explain, but I kinda took a leap of faith and it worked.


----------



## hsuthard (Jan 6, 2010)

Be sure to download the Google Authenticator app, too. You use it whenever you login to your gmail from a new computer.


----------



## RM Prioleau (Mar 18, 2011)

Well, this explains the email I got from Amazon about resetting my password. Glad the issue is resolved... for now.


----------



## jennsilverwood (Jul 9, 2012)

Wow, this is really creepy. Glad to hear, though, that they are getting it sorted out. And glad I learned another reason to pick Smashwords as a distributor.


----------



## mistyd107 (May 22, 2009)

Cherise Kelley said:


> I opened an email strictly for Amazon. I would not divulge anywhere which service it is with.


You're right, temporary brain cramp, thx.


----------

