Network Security Web-App-Sec

Re: Why doesn't Amazon enforce a password policy?

Subject: Re: Why doesn't Amazon enforce a password policy?
Date: Wed, 1 Nov 2006 13:16:55 +0100 (CET)
On Wed, 1 Nov 2006, Gunnar Rene Øie wrote:

- ordering products and having them sent to one of the addresses that the user has used before - not very profitable, unless the identity thief is the usual family member or colleague. But if you're John Q. Cracker running around on the internet, you can't get any product.
- previous order history
- wish list if it was not public before
- previous addresses
- last digits of credit card numbers
- making mayhem by submitting spam/insane reviews, but these are moderated anyway

Just note that this list isn't exhaustive. Access could be used to get value by other avenues such as social engineering; a cracked account in good standing could be used to offer "new and used" products and so on. I haven't tried buying or selling used product on Amazon, but I would assume that the used products trade there has the same dynamics as other used and auction sites like eBay. (Escrow scams, people who never send product, phishing etc.)


The main point is that you can't just take over a random account and order stuff for yourself.
--
Regards, Vennlig hilsen
Gunnar René Øie, MSc. IDI/NTNU
PGP public key available


