Going through a site that aggregates people's personal information, Spokeo, Geise found the comedian's Amazon account, his email address, and his house address. Using the email address, Geise found his Amazon Wish List.
Here's where the weaknesses start to show, of course – at the human level. The security expert calls up Amazon customer service (on the phone!) and adds a credit card to Stolhanske's account, which only requires his name, email address, and billing address, thanks to some loopholes and social engineering based on all the data he'd collected, is able to fully take over Stolhanske's Amazon account.
As the dominos begin to fall, Geise manages to take over Stolhanske's AOL account, Apple ID, and main email accounts. He started by calling Amazon back 30 minutes later saying he had lost his backup email address. He "confirmed" his identity with the last four digits of the credit card he just added to Stolhanske's account.
The final step was to guess an item Stolhanske had bought from Amazon recently. Geise already knew that he was a fan of Game of Thrones, so he said his wife had "recently bought a Game of Thrones book or DVD." He was allowed to change the reset the account, changing the password and email address it was associated with.
With access to more credit card info stored in the Amazon account, Geise used one card's last four digits to illegitimately verify his identity again and take over Stolhanske's AOL account, which he also found on Spokeo. The newly-compromised AOL email address was the backup email for his Apple ID, so it was a piece of cake to reset that as well. (This was also Stolhanske's main email address, so Geise now had access to his everyday email.)
Disclosure: Jeff Bezos is an investor in Business Insider through his personal investment company Bezos Expeditions.
No comments:
Post a Comment