Amazon’s system is partially at fault, but the weakest link by far
is Apple. It’s appalling that they will give control of your
iCloud account to anyone who knows your name and address, which
are very easy for anyone to find, and the last four digits of your
credit card, which are usually considered safe to display on
websites and receipts.

At the bare minimum, for this level of recovery that bypasses
security questions, they should require confirmation of the entire
credit-card number and verification code, no matter what they need
to do to remain PCI-compliant and pull that off.

Apple needs to address this, and quickly. I can only wonder how many nogoodniks have been trying this scam in the last day now that it’s been widely publicized.