WebApp Sec mailing list archives

Re: Why doesn't Amazon enforce a password policy?


From: Gunnar Rene Øie <gunnarre () nvg ntnu no>
Date: Wed, 1 Nov 2006 13:16:55 +0100 (CET)

On Wed, 1 Nov 2006, Gunnar Rene Øie wrote:

- ordering products and having them sent to one of the addresses that the user has used before - not very profitable, unless the identity thief is the usual family member or colleague. But if you're John Q. Cracker running around on the internet, you can't get any product.
- previous order history
- wish list if it was not public before
- previous addresses
- last digits of credit card numbers
- making mayhem by submitting spam/insane reviews, but these are moderated anyway

Just note that this list isn't exhaustive. Access could be used to get value by other avenues such as social engineering, a cracked account in good standing could be used to offer "new and used" products and so on. I haven't tried buying or selling used product on Amazon, but I would assume that the used products trade there has the same dynamics as other used and auction sites like eBay. (Escrow scams, people who never send product, phishing etc.)

The main point is that you can't just take over a random account and order stuff for yourself.
--
Regards, Vennlig hilsen
Gunnar René Øie, MSc. IDI/NTNU
PGP public key available



