Apple tech support gave the hackers access to my iCloud account. Amazon tech support gave them the ability to see a piece of information — a partial credit card number — that Apple used to release information. In short, the very four digits that Amazon considers unimportant enough to display in the clear on the web are precisely the same ones that Apple considers secure enough to perform identity verification.
The scariest part of the attack on him is that it didn’t rely on a single password being guessed, brute-forced, phished, or stolen. It wouldn’t have mattered whether his password was “password” or “XEyOI^5FyC6gE!1BokW;uPpv2ick+lBo”.
Amazon’s system is partially at fault, but the weakest link by far is Apple. It’s appalling that they will give control of your iCloud account to anyone who knows your name and address, which are very easy for anyone to find, and the last four digits of your credit card, which are usually considered safe to display on websites and receipts.
At the bare minimum, for a recovery path that bypasses the security questions, they should require confirmation of the entire credit-card number and verification code, whatever it takes to do that while remaining PCI-compliant.
And ideally, before resetting a password by phone, they’d send a forced “Find My”-style push alert to all registered devices on the account saying something like, “Apple Customer Service has received a request to reset your iCloud password. Please call 1-800-WHATEVER within 24 hours if this is unauthorized.”
Then make the person call back the next day. If you forget your password and the answers to your security questions, it’s not unreasonable to expect a bit of inconvenience.
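The recovery flow proposed above (strong identity check, a forced alert to every registered device, then a mandatory wait before the reset takes effect), modeled as an added example in Python. This is not Apple's code; the 24-hour hold, the alert wording, the account and device names, the injectable clock, and the per-request cancel code carried in the alert are all assumptions made for the illustration.

```python
from __future__ import annotations

import secrets
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Added example, not Apple's code. The hold length, the placeholder support
# number (taken from the post) and the account/device names are assumptions.
HOLD_PERIOD = timedelta(hours=24)
SUPPORT_LINE = "1-800-WHATEVER"


@dataclass
class RecoveryRequest:
    account: str
    cancel_token: str          # secret delivered only to registered devices
    requested_at: datetime
    cancelled: bool = False
    completed: bool = False

    @property
    def earliest_completion(self) -> datetime:
        return self.requested_at + HOLD_PERIOD


class RecoveryService:
    """Phone-initiated password reset that alerts every registered device
    and refuses to finish before the cooling-off period has elapsed."""

    def __init__(self, devices: dict[str, list[str]], clock):
        self._devices = devices            # account -> registered device IDs
        self._clock = clock                # injectable so the hold is testable
        self._pending: dict[str, RecoveryRequest] = {}
        self.outbox: list[tuple[str, str]] = []   # (device_id, alert text) "pushed"

    def request_reset(self, account: str, identity_verified: bool) -> RecoveryRequest | None:
        """Step 1: the agent has already run the strong identity check (full card
        number + verification code in the post's proposal). Start the hold and
        alert every device; any earlier pending request is voided."""
        if not identity_verified:
            return None
        req = RecoveryRequest(account, secrets.token_urlsafe(16), self._clock())
        self._pending[account] = req
        alert = (f"Customer Service received a request to reset the password for "
                 f"{account}. If this was not you, call {SUPPORT_LINE} within 24 hours "
                 f"or reply with cancel code {req.cancel_token}.")
        for device_id in self._devices.get(account, []):
            self.outbox.append((device_id, alert))
        return req

    def cancel(self, account: str, cancel_token: str) -> bool:
        """The owner responds to the alert from a registered device."""
        req = self._pending.get(account)
        if req is None or not secrets.compare_digest(req.cancel_token, cancel_token):
            return False
        req.cancelled = True
        return True

    def complete(self, account: str, identity_verified: bool) -> bool:
        """Step 2: the requester calls back. Succeeds only if the strong check
        passes again, nobody cancelled, and the hold has fully elapsed."""
        req = self._pending.get(account)
        if req is None or req.cancelled or not identity_verified:
            return False
        if self._clock() < req.earliest_completion:
            return False                   # too early: the owner still has time to object
        req.completed = True
        del self._pending[account]
        return True


class FakeClock:
    """Test clock so the 24-hour hold can be exercised without waiting."""
    def __init__(self, start: datetime):
        self.now = start

    def __call__(self) -> datetime:
        return self.now

    def advance(self, delta: timedelta) -> None:
        self.now += delta


def run_scenarios() -> dict[str, bool]:
    """Three walk-throughs on a constructed account with two registered devices."""
    clock = FakeClock(datetime(2012, 8, 3, 16, 0, tzinfo=timezone.utc))
    acct = "victim@example.com"
    svc = RecoveryService({acct: ["iphone", "macbook"]}, clock)
    results: dict[str, bool] = {}

    # 1. Attacker passes the phone identity check but wants the reset right now.
    req = svc.request_reset(acct, identity_verified=True)
    results["immediate_reset_blocked"] = svc.complete(acct, identity_verified=True) is False

    # 2. Owner sees the alert on a registered device and cancels with the code.
    results["owner_can_cancel"] = svc.cancel(acct, req.cancel_token)
    clock.advance(HOLD_PERIOD)
    results["cancelled_reset_blocked"] = svc.complete(acct, identity_verified=True) is False

    # 3. Legitimate owner: nobody objects, and the callback after the hold succeeds.
    svc.request_reset(acct, identity_verified=True)
    clock.advance(HOLD_PERIOD + timedelta(minutes=1))
    results["callback_after_hold_succeeds"] = svc.complete(acct, identity_verified=True)
    results["alerts_sent_to_every_device"] = len(svc.outbox) == 4   # 2 devices x 2 requests
    return results


if __name__ == "__main__":
    for name, ok in run_scenarios().items():
        print(f"{name}: {'ok' if ok else 'FAIL'}")
```

The point of the model is that the cancel code never leaves the account's registered devices, so a caller who has only the victim's name, address and card digits cannot short-circuit the hold; the only thing they can do is wait, and the owner's alert fires long before the wait is over.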