Amazon 'wish list' is gateway to epic social engineering hack

Comedian Erik Stolhanske didn't know what he was getting himself into when he let a cybersecurity expert at SecureState take a crack at hacking him. The "Super Troopers" actor gave the company the green light to try to access his Twitter account with nothing more than his name. What he found out was that his entire digital life could have been compromised using simple techniques.

SecureState profiling consultant Brandan Geise went on a mission to hack into Stolhanske's Twitter account, but instead was also able to gain access to his Amazon, AOL, Apple and Dropbox accounts, as well his Web hosting account.

A manipulation tactic called social engineering can give anyone smart enough to connect the dots a gateway into your digital domain. It doesn't require a single line of programming code.

"Pretty much anyone can do this," Geise told CBSNews.com.

Geise started by running a search of Stolhanske's name on Spokeo.com, a website that aggregates public information about people. Information found on Spokeo can include a home phone number, email address, all associated home addresses, family members and occupation. It took two pieces of information from Spokeo to gain access to Stolhanske's Amazon.com account: an email and home address.

Amazon has a feature called wish lists that let members bookmark items that they want to buy and save them in a list. Anyone can run a search for wish lists using either a name or email address. That may be convenient when friends or relatives are wondering what you want for your birthday, but it can make you vulnerable. By trying all of the email addresses found on Spokeo, Geise was able to find Stolhanske's Amazon wish list, confirming that he also had a registered account.

The next step would be the key to making the rest of the dominoes drop.

Geise called Amazon customer service and asked to add a credit card using an account name, email address and billing address. When it came time to verify his identity, Geise told the Amazon representative that he forgot which home address he used for the account, and went down the list he obtained from Spokeo. A match was found, and he was able to add a credit card to the account.

After hanging up, he called back 30 minutes later saying he lost access to his account and backup email address. Geise was able to verify his identity by using the last four digits of the credit card he added in his previous call. He faced one last hurdle: Amazon required him to name an item that he recently purchased. Geise was able to bypass this requirement partially due to thorough research and a bit of luck.

During his initial research, Geise found a lot of personal information on Stolhanske just by going through his Twitter and Facebook posts.

"It definitely required a lot of recon work," Geise said. "But to find that kind of information, you don't have to dig that deep."

Geise knew from social media that Stolhanske was a fan of the HBO series "Game of Thrones." He told the Amazon customer representative that he rarely used the account, and that his wife may have purchased a "Game of Thrones" book or DVD. It was an educated guess that turned out to be correct.

He was in.

Geise was allowed to change the email address and reset the password to the account.

"Once I had access to Erik's account, there were quite a few credit cards on there. It didn't show the full credit card number, but showed the last four digits," Geise said.

He points out that most of the times when are people asked to verify an account, they are asked for the last four digits of the card and a billing address. Armed with that information, Geise went down the line and accessed the rest of Stolhanske's accounts -- starting with AOL.

Geise was able to gain access to Stolhanske's AOL account over the phone, by providing just his billing address and last four digits of his credit card number.

Many people link accounts together, so breaching the right combination of accounts could lead to a jackpot for a cyber criminal. In Stolhanske's case, accessing the Amazon and AOL accounts opened the door for taking over his digital life. As it turns out, Stolhanske's AOL account was the email address used to reset his Apple account, which was also his main email address. After taking control of the Apple account, Geise was able to search Stolhanske's emails to find other accounts associated with the email address, and send requests to reset passwords.

If this all sounds familiar, it's because a similar case was reported last year, when a hacker gained access to Wired reporter Mat Honan's email, Twitter, Amazon and Apple accounts. Wired later reported that Amazon quietly closed the loophole that allowed a hacker to add a credit card to an account, but Geise says the only additional hurdle he faced was naming a recent purchase.

Amazon declined to comment on Geise's claims.

Geise says using two-factor authentication could stop the potential hacker in their tracks because it would also require access personal devices, like a smartphone. But it would not make the social engineering hack impossible to accomplish. Apple, Twitter and Facebook have added the additional security measure in the last year.

Sometimes it could just be negligence of old accounts that could be the weak link. In Stolhanske's case, it was the combination of being on social media, having old mailing addresses listed on his account and having a public Amazon wish list that caused a chain effect.

Geise suggests deleting old email accounts, adding complex passwords, using random email accounts for password recovery and making Amazon wish lists private.

Comments