Amazon's
Steven M. Bellovin
smb at cs.columbia.edu
Wed Sep 14 13:06:40 EDT 2005
In message <43285807.3020300 at cs.biu.ac.il>, Amir Herzberg writes:
>
>Amazon have this lovely service: if you tell if you forgot your pw, they
>send you to:
>https://www.amazon.com/exec/obidos/self-service-forgot-password-get-email-done
>/104-2901457-0883904
>
>where they ask you to confirm your identity... using 5 last digits of a
>credit card you used with them.
>
>Nice oracle to find last 5 digits... making it quite easy to find the
>full number.
>
It's actually an interesting tradeoff. The older scheme, as I recall,
would mail you your password; knowledge of that (say, by intercepting
the email) lets you at your account, which will display the last 5
digits of your credit cards.
--Steven M. Bellovin, http://www.cs.columbia.edu/~smb
---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com
More information about the cryptography
mailing list