Comments on: Amazon.com “PayPhrase” shortcut for paying http://tamebay.com/2009/11/amazon-com-payphrase-shortcut-for-paying.html eBay & ecommerce made easy Sun, 12 Feb 2012 08:10:15 +0000 hourly 1 http://wordpress.org/?v=3.2.1 By: John http://tamebay.com/2009/11/amazon-com-payphrase-shortcut-for-paying.html#comment-53270 John Sun, 15 Nov 2009 22:10:06 +0000 http://tamebay.com/?p=9579#comment-53270 I would like to see Amazon releasing seller funds alot quicker than they do...currently it takes a couple of weeks to get funds from them. I would like to see Amazon releasing seller funds alot quicker than they do…currently it takes a couple of weeks to get funds from them.

]]> By: Mark http://tamebay.com/2009/11/amazon-com-payphrase-shortcut-for-paying.html#comment-53151 Mark Thu, 12 Nov 2009 15:58:38 +0000 http://tamebay.com/?p=9579#comment-53151 This is slightly worrying. Amazon appear to be trying to reinvent the username and password. Rather than suggesting to customers use mixed case, letters and a combination of numbers - they are trying to push the use of standardised dictionary phrases or something which you can easily associate with an individual. Username and passwords should always have some input of randomness - this project needs a good rethink or should be scrapped. This is slightly worrying. Amazon appear to be trying to reinvent the username and password. Rather than suggesting to customers use mixed case, letters and a combination of numbers – they are trying to push the use of standardised dictionary phrases or something which you can easily associate with an individual. Username and passwords should always have some input of randomness – this project needs a good rethink or should be scrapped.

]]> By: ebuyerfb http://tamebay.com/2009/11/amazon-com-payphrase-shortcut-for-paying.html#comment-53096 ebuyerfb Wed, 11 Nov 2009 02:08:01 +0000 http://tamebay.com/?p=9579#comment-53096 Do you have to be logged into Amazon payments for this to work? Otherwise this looks like it has a huge security hole in it. The fact that no two pay phrases are identical suggests that you don't need to be logged in. All they've basically done is made a complex username (one with a first and last name). But that username is very easy to guess. And they attached a 4 digit pin (extremely weak). 1) pick a common phrase like "pay now", "buy now", two word movie titles, etc 2) see if registration fails 3) guess pin It says after a number of incorrect guesses it locks out the person but if this takes off there will be plenty of pay phrases to hack. Do you have to be logged into Amazon payments for this to work? Otherwise this looks like it has a huge security hole in it. The fact that no two pay phrases are identical suggests that you don’t need to be logged in.

All they’ve basically done is made a complex username (one with a first and last name). But that username is very easy to guess. And they attached a 4 digit pin (extremely weak).

1) pick a common phrase like “pay now”, “buy now”, two word movie titles, etc
2) see if registration fails
3) guess pin

It says after a number of incorrect guesses it locks out the person but if this takes off there will be plenty of pay phrases to hack.

]]>