[18463] in cryptography@c2.net mail archive
Re: Amazon's
daemon@ATHENA.MIT.EDU (Steven M. Bellovin)
Thu Sep 15 10:31:59 2005
X-Original-To: cryptography@metzdowd.com
From: "Steven M. Bellovin" <smb@cs.columbia.edu>
To: herzbea@macs.biu.ac.il
Cc: "'Cryptography'" <cryptography@metzdowd.com>
In-Reply-To: Your message of "Wed, 14 Sep 2005 19:04:07 +0200." <43285807.3020300@cs.biu.ac.il>
Date: Wed, 14 Sep 2005 13:06:40 -0400
In message <43285807.3020300@cs.biu.ac.il>, Amir Herzberg writes:
>
>Amazon have this lovely service: if you tell them you forgot your pw, they
>send you to:
>https://www.amazon.com/exec/obidos/self-service-forgot-password-get-email-done/104-2901457-0883904
>
>where they ask you to confirm your identity... using 5 last digits of a
>credit card you used with them.
>
>Nice oracle to find last 5 digits... making it quite easy to find the
>full number.
>
It's actually an interesting tradeoff. The older scheme, as I recall,
would mail you your password; knowledge of that (say, by intercepting
the email) lets you at your account, which will display the last 5
digits of your credit cards.
--Steven M. Bellovin, http://www.cs.columbia.edu/~smb
---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo@metzdowd.com
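The thread above describes two things: a password-reset step that answers yes/no to "are these the last 5 digits of your card?", and the observation that once the last 5 digits are known the rest of the number is not far away. The following Python model is an added example, not code from the thread or from Amazon; the `ResetEndpoint` class is a hypothetical stand-in for the reset step, the card number 4111 1111 1111 1111 is a constructed test value, and the assumption that a 16-digit PAN has a known 6-digit issuer prefix (BIN) is mine. It shows (a) that an unthrottled yes/no oracle gives up the 5 digits in at most 100,000 queries, (b) that a simple attempt cap stops the enumeration, and (c) how the Luhn check digit shrinks the remaining search space by a factor of ten.

```python
"""Model of the 'last 5 digits' reset oracle discussed in the thread."""
import itertools
from dataclasses import dataclass
from typing import Optional


def luhn_valid(number: str) -> bool:
    """Standard Luhn (mod 10) check over a string of decimal digits."""
    total = 0
    for i, ch in enumerate(reversed(number)):
        d = int(ch)
        if i % 2 == 1:           # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


@dataclass
class ResetEndpoint:
    """Hypothetical reset step: answers whether `guess` is the card's last 5 digits.

    max_attempts=None models the weak setting (unlimited tries); a small
    integer models a lockout after that many wrong answers.
    """
    last5: str
    max_attempts: Optional[int] = None
    attempts: int = 0
    locked: bool = False

    def confirm(self, guess: str) -> bool:
        if self.locked:
            raise RuntimeError("account locked")
        self.attempts += 1
        if self.max_attempts is not None and self.attempts > self.max_attempts:
            self.locked = True
            raise RuntimeError("account locked")
        return guess == self.last5


def brute_force_last5(endpoint: ResetEndpoint) -> Optional[str]:
    """Enumerate all 100,000 five-digit suffixes until the oracle says yes.

    Returns the recovered digits, or None if the endpoint locks first.
    """
    for n in range(100_000):
        guess = f"{n:05d}"
        try:
            if endpoint.confirm(guess):
                return guess
        except RuntimeError:
            return None
    return None


def candidate_pans(bin6: str, last5: str, length: int = 16) -> list:
    """Given a known issuer prefix and the last 5 digits, list every full PAN
    of the given length that passes the Luhn check. With 5 free digits that
    is 10**5 raw combinations, of which exactly one in ten survives Luhn."""
    free = length - len(bin6) - len(last5)
    found = []
    for middle in itertools.product("0123456789", repeat=free):
        pan = bin6 + "".join(middle) + last5
        if luhn_valid(pan):
            found.append(pan)
    return found


if __name__ == "__main__":
    # Constructed test card: 4111 1111 1111 1111 (a well-known Luhn-valid test value).
    card = "4111111111111111"
    weak = ResetEndpoint(last5=card[-5:])
    print("weak endpoint gave up:", brute_force_last5(weak), "after", weak.attempts, "queries")
    capped = ResetEndpoint(last5=card[-5:], max_attempts=5)
    print("capped endpoint gave up:", brute_force_last5(capped))
    pans = candidate_pans(card[:6], card[-5:])
    print("Luhn-valid candidates with known BIN + last 5:", len(pans))
```

The third result is the point Herzberg is making: with the issuer prefix guessable from context and the last 5 digits leaked by the oracle, only 10,000 full numbers remain to try against a merchant. Bellovin's tradeoff is visible in the first two runs: the same 5 digits are what a compromised mailbox would reveal under the old scheme, but the oracle hands them to anyone who can make 100,000 unthrottled requests, so the attempt cap (or equivalent rate limiting) is what decides whether the two designs are comparable.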