WebApp Sec mailing list archives
Re: Why doesn't Amazon enforce a password policy?
From: Gunnar Rene Øie <gunnarre () nvg ntnu no>
Date: Wed, 1 Nov 2006 13:16:55 +0100 (CET)
On Wed, 1 Nov 2006, Gunnar Rene Øie wrote:
- ordering products and having them sent to one of the addresses that the user has used before - not very profitable, unless the identity thief is the usual family member or colleague. But if you're John Q. Cracker running around on the internet, you can't get any product.
- previous order history
- wish list if it was not public before
- previous addresses
- last digits of credit card numbers
- making mayhem by submitting spam/insane reviews, but these are moderated anyway
Just note that this list isn't exhaustive. Access could be used to get value by other avenues such as social engineering; a cracked account in good standing could be used to offer "new and used" products, and so on. I haven't tried buying or selling used products on Amazon, but I would assume that the used products trade there has the same dynamics as other used and auction sites like eBay. (Escrow scams, people who never send product, phishing etc.)
The main point is that you can't just take over a random account and order stuff for yourself.
--
Regards, Vennlig hilsen
Gunnar René Øie, MSc.
IDI/NTNU
PGP public key available