Hacker News
GoDaddy Updates Its User Protection Policies (techcrunch.com)
10 points by derpenxyne 4516 days ago
3 comments

If account ownership verification is your concern, then the digits of a credit card offer relatively little assurance. Fun story: I used to work for a company that utilized the last four of a CC on file for verification. They also let anyone pay an outstanding balance without needing to otherwise verify, and kept the last four of the card on file. So...
Oh heck, let's just verify on the whole card number. Apparently GoDaddy's CSRs have access to it such that management can just arbitrarily increase the number of digits to check.

Not reported: whether PayPal will also increase the number of digits they hand out via social engineering.

That is not only a valid point, but a major one upon many levels. I would have thought storing the credit card in full (double eek if they also store the 3-digit security code) would be against the PCI compliance guidelines.

I'm aware if the customer gives permission (repeat customer) is an exception. Though in these situations if it is proven that access was your company's fault then you are liable. Which in this situation, whilst no charge to the credit card (we are aware of) was made. The lapse of security did have financial repercussions.

Fair play for GoDaddy addressing this issue, though I do wonder if the issue was not as vocalised publicly how long it would have taken to address. We may never know, and it changes nothing in the past.

What I don't know is how this affects the original user who lost their @N Twitter account.

    Did he get it back?
    Has GoDaddy, now respectfully owning up to their oversight, made any offer to restore things and/or compensation?
So far so good, but still missing the happy ending we all want to see for the user.

He hasn't gotten it back, but the attacker is no longer in possession of that handle having deleted the account. The handle was then apparently unavailable to take [0], but some time later Twitter allowed some random user to pick up the handle as you can see by visiting @N now.

[0] https://twitter.com/N_is_stolen/statuses/428679789491138560

Seems ball in Twitter's court now.

Nice update from GoDaddy linked there: http://uk.godaddy.com/news/article/godaddy-statement-re-n-is...

Much respect to GoDaddy, certainly handling it well and being honest and upfront.