Another Credit-Card-as-Authentication Hack
This is a pretty impressive social engineering story: an attacker compromised someone’s GoDaddy domain registration in order to change his e-mail address and steal his Twitter handle. It’s a complicated attack.
My claim was refused because I am not the “current registrant.” GoDaddy asked the attacker if it was ok to change account information, while they didn’t bother asking me if it was ok when the attacker did it.
[…]
It’s hard to decide what’s more shocking, the fact that PayPal gave the attacker the last four digits of my credit card number over the phone, or that GoDaddy accepted it as verification.
The misuse of credit card numbers as authentication is also how Matt Honan got hacked.
Jeff Martin • January 31, 2014 7:13 AM
I think it is absurd that credit card numbers and SSNs are ever treated as any sort of secret. Pretending we are going to safeguard information that we have to give to hundreds of different organizations in a year is crazy. I have to give my SSN to every employer, landlord, medical institution, bank, credit card company, government agency, and so on. Yet this is supposed to remain a secret? That’s never going to happen. All the talk of encrypt this and secure that is ultimately going to be futile. The cost of thousands of organizations all doing things properly is just too high, and the probability of them all doing it properly is near zero. The technology exists to eliminate this issue; the problem is the overall level of fraud is too low to motivate us to change the system.