BreachExchange mailing list archives

Amazon 'wish list' is gateway to epic social engineering hack


From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Tue, 27 Aug 2013 16:01:56 -0600

http://www.ktva.com/home/outbound-xml-feeds/Amazon-wish-list-is-gateway-to-epic-social-engineering-hack-221326651.html

Comedian Erik Stolhanske didn't know what he was getting himself into,
when he let a cybersecurity expert at SecureState take a crack at
hacking him. The "Super Trooper" actor gave the company the green
light to try to access his Twitter account with nothing more than his
name. What he found out was that his entire digital life could have
been compromised using simple techniques.

SecureState profiling consultant Brandan Geise went on a mission to
hack into Stolhanske's Twitter account, but instead was also able to
gain access to his Amazon, AOL, Apple and Dropbox accounts, as well
as his Web hosting account.

A manipulation tactic called social engineering can give anyone smart
enough to connect the dots a gateway into your digital domain. It
doesn't require a single line of programming code.

"Pretty much anyone can do this," Geise told CBSNews.com.

Geise started by running a search of Stolhanske's name on Spokeo.com,
a website that aggregates public information about people. Information
found on Spokeo can include a home phone number, email address, all
associated home addresses, family members and occupation. It took two
pieces of information from Spokeo to gain access to Stolhanske's
Amazon.com account: an email and home address.

Amazon has a feature called wish lists that let members bookmark items
that they want to buy and save them in a list. Anyone can run a search
for wish lists using either a name or email address. That may be
convenient when friends or relatives are wondering what you want for
your birthday, but it can make you vulnerable. By trying all of the
email addresses found on Spokeo, Geise was able to find Stolhanske's
Amazon wish list, confirming that he also had a registered account.

The next step would be the key to making the rest of the dominoes drop.

Geise called Amazon customer service and asked to add a credit card
using an account name, email address and billing address. When it came
time to verify his identity, Geise told the Amazon representative that
he forgot which home address he used for the account, and went down
the list he obtained from Spokeo. A match was found, and he was able
to add a credit card to the account.

After hanging up, he called back 30 minutes later saying he lost
access to his account and backup email address. Geise was able to
verify his identity by using the last four digits of the credit card
he added in his previous call. He faced one last hurdle: Amazon
required him to name an item that he recently purchased. Geise was
able to bypass this requirement partially due to thorough research and
a bit of luck.

During his initial research, Geise found a lot of personal information
on Stolhanske just by going through his Twitter and Facebook posts.

"It definitely required a lot of recon work," Geise said. "But to find
that kind of information, you don't have to dig that deep."

Geise knew from social media that Stolhanske was a fan of the HBO
series "Game of Thrones." He told the Amazon customer representative
that he rarely used the account, and that his wife may have purchased a
"Game of Thrones" book or DVD. It was an educated guess that turned
out to be correct.

He was in.

Geise was allowed to change the email address and reset the password
to the account.

"Once I had access to Erik's account, there were quite a few credit
cards on there. It didn't show the full credit card number, but showed
the last four digits," Geise said.

He points out that most of the time, when people are asked to verify
an account, they are asked for the last four digits of the card and a
billing address. Armed with that information, Geise went down the line
and accessed the rest of Stolhanske's accounts -- starting with AOL.

Geise was able to gain access to Stolhanske's AOL account over the
phone, by providing just his billing address and last four digits of
his credit card number.

Many people link accounts together, so breaching the right combination
of accounts could lead to a jackpot for a cyber criminal. In
Stolhanske's case, accessing the Amazon and AOL accounts opened the
door for taking over his digital life. As it turns out, Stolhanske's
AOL account was the email address used to reset his Apple account,
which was also his main email address. After taking control of the
Apple account, Geise was able to search Stolhanske's emails to find
other accounts associated with the email address, and send requests to
reset passwords.

If this all sounds familiar, it's because a similar case was reported
last year, when a hacker gained access to Wired reporter Mat Honan's
email, Twitter, Amazon and Apple accounts. Wired later reported that
Amazon quietly closed the loophole that allowed a hacker to add a
credit card to an account, but Geise says the only additional hurdle
he faced was naming a recent purchase.

Amazon declined to comment on Geise's claims.

Geise says using two-factor authentication could stop the potential
hacker in their tracks because it would also require access to personal
devices, like a smartphone. But it would not make the social
engineering hack impossible to accomplish. Apple, Twitter and Facebook
have added the additional security measure in the last year.

Sometimes it could just be negligence of old accounts that could be
the weak link. In Stolhanske's case, it was the combination of being
on social media, having old mailing addresses listed on his account
and having a public Amazon wish list that caused a chain effect.

Geise suggests deleting old email accounts, adding complex passwords,
using random email accounts for password recovery and making Amazon
wish lists private.
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)