Old 12-14-2008, 05:56 PM   #274
AaronWRX
Scooby Specialist
 
Member#: 7194
Join Date: Jun 2001
Chapter/Region: MAIC
Location: NoVa
Vehicle:
2011 997.2 Turbo
Black


Quote:
Originally Posted by electric_head View Post
Still laughing my a$$ off @unabomber. Too funny bro. "tinfoil hats" lol!!
I'm laughing too... but for another reason. ...

My company just tested the security of several financial services applications for the finance division of a particular (big) auto conglomerate that the dealers and end users use to service their loans, apply for loans, pay off loans, etc.

Guess what piece of personal, private, information was needed to either initiate an online account or perform password resets? DING! DING! DING!

The only authorization tokens were VIN + zip code, or VIN + model or model/year. In some cases it was VIN + last name.

So what could we do with just a VIN?
  • Initiate online access for accounts that didn't set them up
  • Change the email address on file for existing accounts
  • Reset passwords for existing accounts
  • Change the address and billing information for existing accounts
  • View payment history
  • If the loan was linked to a credit card, view the credit card transactions
  • If the loan was linked to a credit card, generate one-time use credit card numbers and make fraudulent online purchases
  • If the loan was linked to a credit card, initiate balance transfers
  • Add a name to the loan/title
  • Pay off the loan, and with the updated address and new name on the title, basically steal the car

I bet if I did some digging I could find similar authorization flaws in most automakers' financial service applications.

So we have an online forum here, where users designate their region, and if the user is old-school enough, they have probably disclosed their real name once or twice....

Last edited by AaronWRX; 12-14-2008 at 06:09 PM.
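The authorization flaw AaronWRX describes, modelled as added example code (not from the post or from the applications tested): the weak VIN-plus-zip check beside a reset flow in which the VIN only selects the account and a one-time code sent to the address already on file does the authorising. The account record, e-mail address and in-memory outbox are constructed stand-ins.

```python
import hmac
import secrets
import time

# Constructed sample data, not from the post: VIN -> zip and contact address.
ACCOUNTS = {"1G1YY22G965100001": {"zip": "22101", "email": "owner@example.com"}}
OUTBOX = []          # stands in for the mailer so the example runs offline
_PENDING = {}        # vin -> [code, expiry, failed attempts]
CODE_TTL = 600       # seconds a reset code stays valid
MAX_ATTEMPTS = 5     # guesses allowed per issued code


def weak_reset_allowed(vin: str, zip_code: str) -> bool:
    """The check the post describes: a VIN (readable through the windshield)
    plus a zip code (narrowed by a forum region) is the entire proof."""
    acct = ACCOUNTS.get(vin)
    return acct is not None and acct["zip"] == zip_code


def start_reset(vin: str, now=None) -> bool:
    """Hardened flow, step 1: the VIN only selects the account. A fresh
    one-time code goes to the address already on file; the requester gets
    the same acknowledgement either way, so unknown VINs are not revealed."""
    acct = ACCOUNTS.get(vin)
    if acct is None:
        return True          # identical response: no account enumeration
    now = time.time() if now is None else now
    code = f"{secrets.randbelow(10**8):08d}"
    _PENDING[vin] = [code, now + CODE_TTL, 0]
    OUTBOX.append((acct["email"], code))
    return True


def finish_reset(vin: str, code: str, now=None) -> bool:
    """Step 2: accept the reset only with the unexpired code, compared in
    constant time; the code is burnt after one success or MAX_ATTEMPTS failures."""
    now = time.time() if now is None else now
    pending = _PENDING.get(vin)
    if pending is None or now > pending[1] or pending[2] >= MAX_ATTEMPTS:
        _PENDING.pop(vin, None)
        return False
    if hmac.compare_digest(pending[0], code):
        del _PENDING[vin]    # single use
        return True
    pending[2] += 1
    return False
```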