un-fkn believable…Schneier on Security: Another Credit-Card-as-Authentication Hack

my head hurts…
you’d expect shit like that from GoDaddy, but paypal too furchristsakes…

This is a pretty impressive social engineering story: an attacker compromised someone’s GoDaddy domain registration in order to change his e-mail address and steal his Twitter handle. It’s a complicated attack.

My claim was refused because I am not the “current registrant.” GoDaddy asked the attacker if it was ok to change account information, while they didn’t bother asking me if it was ok when the attacker did it. […]

It’s hard to decide what’s more shocking, the fact that PayPal gave the attacker the last four digits of my credit card number over the phone, or that GoDaddy accepted it as verification.

The misuse of credit card numbers as authentication is also how Matt Honan got hacked.”

Bruce Schneier

 

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

%d bloggers like this: