RE: "At the bare minimum, for this level of recovery that bypasses security questions, they should require confirmation of the entire credit-card number and verification code."
That's still a fail, because your wallet probably contains credit cards, which have your name and credit card number, obviously. And driver's licenses in the US, as far as I know, include an address. So it's all there. You're screwed.
What is necessary is 2-factor authentication, which is what a lot of us have been saying for a long time (I wrote this blog post in 2009, after another Twitter-related hacking: "Why The Twitter Breach Is Bullish for Two-Factor Authentication": http://chrisco.wordpress.com/2009/07/16/why-the-twitter-brea...). If not 2-factor, at least don't make recovery possible with things so easily obtained, such as information from items typically contained in a person's wallet.
My thought is that they should additionally charge a fee for this, using a card that passed name, zip code, and CVC checks. Now you have a higher bar to fake your way over, and in addition whatever laws were broken by the perpetrator, he would have credit card fraud as well, and that's something that prosecutors, courts and juries can understand a lot more easily.