First you call Amazon and tell them you are the account holder, and want to add a credit card number to the account. All you need is the name on the account, an associated e-mail address, and the billing address. Amazon then allows you to input a new credit card. (Wired used a bogus credit card number from a website that generates fake card numbers that conform with the industry’s published self-check algorithm.) Then you hang up.
Next you call back, and tell Amazon that you’ve lost access to your account. Upon providing a name, billing address, and the new credit card number you gave the company on the prior call, Amazon will allow you to add a new e-mail address to the account. From here, you go to the Amazon website, and send a password reset to the new e-mail account. This allows you to see all the credit cards on file for the account — not the complete numbers, just the last four digits. But, as we know, Apple only needs those last four digits. We asked Amazon to comment on its security policy, but didn’t have anything to share by press time.
And it’s also worth noting that one wouldn’t have to call Amazon to pull this off. Your pizza guy could do the same thing, for example. If you have an AppleID, every time you call Pizza Hut, you’ve giving the 16-year-old on the other end of the line all he needs to take over your entire digital life.
If you haven’t already taken the time to read Mat Honan’s mind-blowing story in Wired about how easy it was for a 19-year-old hacker to infiltrate his Amazon, Apple, Gmail and Twitter accounts, and then wipe out everything on his computer, including photos of his daughter’s first year, please take the time. Apple and Amazon’s security policies are pretty appalling.
Two years ago, a hacker got into my Gmail account, and for whatever reason, started deleting my messages. I quickly reset my password, and now have the two-step authentication process for my Gmail account. If I want to change my password or get into my account, Google has to send a pin number to my cell phone, which then has to be inputted into my account. It doesn’t make me feel 100 percent secure, but it does make me feel safer. Honan admits that he has been lucky: “They could have used my e-mail accounts to gain access to my online banking, or financial services,” he notes, but the hackers ultimately wanted access to his Twitter account.