I feel naive but have to ask: How exactly do stolen passwords help someone steal my credit card etc.?
I ask because I'm assuming they do so by breaking into a website (Gawker was mentioned) and getting the password file. That file has a hash of my password, and a very few other things like my login name. This is the only way they can crank on my hash to find words that translate into the hash .. assuming they know how the site uses it (salt etc).

OK, they have my password. Now what? They won't have my credit card number; that is stored elsewhere, and on Amazon etc. it is reasonably well protected. And even I don't see the credit card number .. only the last few digits.

Ditto for my email address, also often used as a login "name": it's not part of the password file, right? So how would they get my email address? I suppose they can search for my login name and hope to correlate it with an email address.

Which brings me to the real threat Steve mentioned a while back: if someone can hack into your mail account, they can simply go to Amazon and click "I forgot my password" .. and have it mailed to the compromised email account which the wily hacker is monitoring and deletes as soon as the pw is available. So shouldn't one's email account be the best secured? Best password?

So I don't really understand how the theft of a password file automatically turns into stealing your identity, credit cards and all. How's it done?
============================================================
FRIAM Applied Complexity Group listserv
Meets Fridays 9a-11:30 at cafe at St. John's College
lectures, archives, unsubscribe, maps at http://www.friam.org
