Originally Posted by electric_head
Still laughing my a$$ off @unabomber. Too funny bro. "tinfoil hats" lol!!
I'm laughing too... but for another reason. ...
My company just tested the security of several financial services applications for the finance division of a particular (big) auto conglomerate that the dealers and end users use to service their loans, apply for loans, pay off loans, etc....
Guess what piece of personal, private information was needed to either initiate an online account or perform password resets? DING! DING! DING!
The only authorization tokens were VIN + zip code, or VIN + model or model/year. In some cases it was VIN + last name.
So what could we do with just a VIN?
- Initiate online access for accounts that didn't set them up
- Change the email address on file for existing accounts
- Reset passwords for existing accounts
- Change the address and billing information for existing accounts
- View payment history
- If the loan was linked to a credit card, view the credit card transactions
- If the loan was linked to a credit card, generate one-time-use credit card numbers and make fraudulent online purchases
- If the loan was linked to a credit card, initiate balance transfers
- Add a name to the loan/title
- Pay off the loan, and with the updated address and new name on the title, basically steal the car
I bet if I did some digging I could find similar authorization flaws in most automakers' financial service applications.
So we have an online forum here, where users designate their region, and if the user is old-school enough, they have probably disclosed their real name once or twice....
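As an added illustration (not code from the post or from the applications that were tested) of why VIN + zip code fails as a reset authorizer and what a sound flow looks like: the VIN is used only to locate the account, and proof of identity is a random single-use token delivered out of band to the email already on file, with an expiry and an attempt limit. The account store, the sample VIN, the email address and the ResetService class are all constructed for this example.

```python
import hashlib, hmac, secrets, time

# Constructed sample account store (not real data): VIN -> account record.
ACCOUNTS = {
    "1HGCM82633A004352": {"zip": "90210", "email": "owner@example.com"},
}

def weak_reset_check(vin: str, zipcode: str) -> bool:
    """The pattern the post describes: VIN + zip treated as proof of identity.
    Both values are on the car and its paperwork, so neither is a secret."""
    acct = ACCOUNTS.get(vin)
    return acct is not None and acct["zip"] == zipcode

class ResetService:
    """Hardened flow: the VIN only locates the account; proof of identity is a
    random single-use token delivered out of band to the email already on file,
    with an expiry and an attempt limit so it cannot be guessed or replayed."""
    TTL = 900          # seconds a token stays valid
    MAX_ATTEMPTS = 5   # guesses allowed per issued token

    def __init__(self, send_email):
        self.send_email = send_email   # out-of-band delivery hook (hypothetical)
        self.pending = {}              # vin -> [token_hash, expiry, attempts]

    def request_reset(self, vin: str, now=None) -> None:
        now = time.time() if now is None else now
        acct = ACCOUNTS.get(vin)
        if acct is None:
            return  # identical behaviour for unknown VINs: no account enumeration
        token = secrets.token_urlsafe(32)  # ~256 bits of randomness, unguessable
        digest = hashlib.sha256(token.encode()).hexdigest()
        self.pending[vin] = [digest, now + self.TTL, 0]
        self.send_email(acct["email"], token)  # never returned to the requester

    def confirm_reset(self, vin: str, token: str, now=None) -> bool:
        now = time.time() if now is None else now
        entry = self.pending.get(vin)
        if entry is None:
            return False
        if now > entry[1] or entry[2] >= self.MAX_ATTEMPTS:
            del self.pending[vin]  # expired or too many guesses: discard token
            return False
        entry[2] += 1
        candidate = hashlib.sha256(token.encode()).hexdigest()
        ok = hmac.compare_digest(entry[0], candidate)  # constant-time compare
        if ok:
            del self.pending[vin]  # single use
        return ok
```

The weak check accepts anyone who can read the VIN off the windshield and guess the zip; the hardened flow accepts only the party who can read the mailbox on file, and only once per issued token.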