www.wired.com/gadgetlab/2012/08/apple-amazon-mat-honan-hacking/all
Illustration: Ross Patton/Wired In the space of one hour, my entire digital life was destroyed. Next my Twitter account was compromised, and used as a platform to broadcast racist and homophobic messages. And worst of all, my AppleID account was broken into, and my hackers used it to remotely erase all of the data on my iPhone, iPad, and MacBook. Getting into Amazon let my hackers get into my Apple ID account, which helped them get into Gmail, which gave them access to Twitter. Had I used two-factor authentication for my Google account, it's possible that none of this would have happened, because their ultimate goal was always to take over my Twitter account and wreak havoc. Had I been regularly backing up the data on my MacBook, I wouldn't have had to worry about losing more than a year's worth of photos, covering the entire lifespan of my daughter, or documents and e-mails that I had stored in no other location. Those security lapses are my fault, and I deeply, deeply regret them. But what happened to me exposes vital security flaws in several customer service systems, most notably Apple's and Amazon's. Apple tech support gave the hackers access to my iCloud account. Amazon tech support gave them the ability to see a piece of information -- a partial credit card number -- that Apple used to release information. In short, the very four digits that Amazon considers unimportant enough to display in the clear on the web are precisely the same ones that Apple considers secure enough to perform identity verification. The disconnect exposes flaws in data management policies endemic to the entire technology industry, and points to a looming nightmare as we enter the era of cloud computing and connected devices. The very four digits that Amazon considers unimportant enough to display in the clear on the Web are precisely the same ones that Apple considers secure enough to perform identity verification. Moreover, if your computers aren't already cloud-connected devices, they will be soon. Apple is working hard to get all of its customers to use iCloud. And Windows 8, the most cloud-centric operating system yet, will hit desktops by the tens of millions in the coming year. My experience leads me to believe that cloud-based systems need fundamentally different security measures. Password-based security mechanisms -- which can be cracked, reset, and socially engineered -- no longer suffice in the era of cloud computing. I was playing with my daughter when my iPhone suddenly powered down. I just assumed it would be a pain in the ass, and nothing more. I entered my iCloud login to restore, and it wasn't accepted. I went to connect the iPhone to my computer and restore from that backup -- which I had just happened to do the other day. When I opened my laptop, an iCal message popped up telling me that my Gmail account information was wrong. Then the screen went gray, and asked for a four-digit PIN. For the first time it occurred to me that I was being hacked. Unsure of exactly what was happening, I unplugged my router and cable modem, turned off the Mac Mini we use as an entertainment center, grabbed my wife's phone, and called AppleCare, the company's tech support service, and spoke with a rep for the next hour and a half. It wasn't the first call they had had that day about my account. In fact, I later found out that a call had been placed just a little more than a half an hour before my own. But the Apple rep didn't bother to tell me about the first call concerning my account, despite the 90 minutes I spent on the phone with tech support. Nor would Apple tech support ever tell me about the first call voluntarily -- it only shared this information after I asked about it. And I only knew about the first call because a hacker told me he had made the call himself. At 4:33 pm, according to Apple's tech support records, someone called AppleCare claiming to be me. It did this despite the caller's inability to answer security questions I had set up. And it did this after the hacker supplied only two pieces of information that anyone with an internet connection and a phone can discover. At 4:50 pm, a password reset confirmation arrived in my inbox. But even if I did, I might not have noticed the message because the hackers immediately sent it to the trash. They then were able to follow the link in that e-mail to permanently reset my AppleID password. Two minutes later, another e-mail arrived notifying me that my Google account password had changed. At 5:00 they used iCloud's "Find My" tool to remotely wipe my iPhone.
posted a message to my account on Twitter taking credit for the hack. By wiping my MacBook and deleting my Google account, they now not only had the ability to control my account, but were able to prevent me from regaining access. And crazily, in ways that I don't and never will understand, those deletions were just collateral damage. My MacBook data -- including those irreplaceable pictures of my family, of my child's first year and relatives who have now passed from this life -- weren't the target. Nor were the eight years of messages in my Gmail account. My MacBook data was torched simply to prevent me from getting back in. One of the reasons it took me so long to get anything resolved with Apple during my initial phone call was because I couldn't answer the security questions it had on file for me. Because of that, I couldn't answer my security questions. Me account: a billing address and the last four digits of my credit card. Once supplied, Apple will issue a temporary password, and that password grants access to iCloud. Apple tech support confirmed to me twice over the weekend that all you need to access someone's AppleID is the associated e-mail address, a credit card number, the billing address, and the last four digits of a credit card on file. During my second tech support call to AppleCare, the representative confirmed this to me. "That's really all you have to have to verify something with us," he said. We talked to Apple directly about its security policy, and company spokesperson Natalie Kerris told Wired, "Apple takes customer privacy seriously and requires multiple forms of verification before resetting an Apple ID password. In this particular case, the customer's data was compromised by a person who had acquired personal information about the customer. In addition, we found that our own internal policies were not followed completely. We are reviewing all of our processes for resetting account passwords to ensure our customers' data is protected." On Monday, Wired tried to verify the hackers' access technique by performing it on a different account. This means, ultimately, all you need in addition to someone's e-mail address are those two easily acquired pieces of information: a billing address and the last four digits of a credit card on file. By exploiting the customer service procedures employed by Apple and Amazon, hackers were able to get into iCloud and take over all of Mat Honan's digital devices -- and data.
On the night of the hack, I tried to make sense of the ruin that was my digital life. I decided to set up a new Twitter account until my old one could be restored, just to let people know what was happening. I logged into Tumblr and posted an account of how I thought the takedown occurred. At this point, I was assuming that my seven-digit alphanumeric AppleID password had been hacked by brute force.
and, oh, the comments) others guessed that hackers had used some sort of keystroke logger. At the end of the post, I linked to my new Twitter account. We started a dialogue via Twitter direct messaging that later continued via e-mail and AIM. Phobia was able to reveal enough detail about the hack and my compromised accounts that it became clear he was, at the very least, a party to how it went down. I agreed not to press charges, and in return he laid out exactly how the hack worked. But first, he wanted to clear something up: "didnt guess ur password or use bruteforce.
No, Phobia said they hadn't even been aware that my account was linked to Gizmodo's, that the Gizmodo linkage was just gravy. He said the hack was sim...
|
http://csua.com/feed/