
Amazon, Apple security measures factors in journalist's hacked iCloud account

post #1 of 47
Thread Starter 
A combination of Amazon's credit card record keeping and Apple's user authentication requirements amounted to a relatively easy "social engineering" hack that wreaked havoc on Wired writer Mat Honan's iCloud and Twitter accounts.

Hackers late Friday managed to break into Honan's iCloud account, wipe his MacBook Air, iPad and iPhone and cause general mayhem to all other associated accounts, including Gizmodo's Twitter feed.

While Honan first believed a brute force method was employed to obtain his short alphanumeric password, he later wrote on his blog that the "social engineering" of an Apple tech support employee was to blame. In a more detailed account from Wired on Monday, the tech writer notes the hackers gained unauthorized access by stringing together a set of data easily obtainable for someone who knows where to look.

Interestingly, one of the supposed hackers calling himself "Phobia" reached out to Honan who, after promising not to press charges, learned exactly how the breach occurred and why.

Honan notes all his accounts, from Amazon to Apple, are "daisy-chained" together with credit card information, email address and a physical address all connected in a such a way as to allow the bypassing of security measures. This breach would not be possible if it weren't for the human element which in Honan's case came in the form of both Amazon and Apple support staff.

Honan writes:

But what happened to me exposes vital security flaws in several customer service systems, most notably Apple's and Amazon's. Apple tech support gave the hackers access to my iCloud account. Amazon tech support gave them the ability to see a piece of information — a partial credit card number — that Apple used to release information. In short, the very four digits that Amazon considers unimportant enough to display in the clear on the web are precisely the same ones that Apple considers secure enough to perform identity verification. The disconnect exposes flaws in data management policies endemic to the entire technology industry, and points to a looming nightmare as we enter the era of cloud computing and connected devices.


[Image: Mat Honan. | Source: Wired]


The target was Honan's @Mat Twitter feed, which was accessed through a number of relatively simple steps. First the hackers found Honan's Gmail address from the personal webpage linked to his Twitter account. Because the Gmail account was the default Twitter address, the hackers then moved to Google's account recovery page which yielded the partial address "m••••n@me.com" as the default backup. All the hackers needed now was Honan's home address, found through domain registry logs, his .me account address and the last four digits of the credit card on file at Apple.

It is that last bit of information where human support staff enter the picture, and where the security system breaks down. The hackers called Amazon's support staff and "socially engineered" the employee or employees to give out the last four digits of Honan's credit card using what appears to be standard protocols.

As explained by Honan:

First you call Amazon and tell them you are the account holder, and want to add a credit card number to the account. All you need is the name on the account, an associated e-mail address, and the billing address. Amazon then allows you to input a new credit card. (Wired used a bogus credit card number from a website that generates fake card numbers that conform with the industry's published self-check algorithm.) Then you hang up.

Next you call back, and tell Amazon that you've lost access to your account. Upon providing a name, billing address, and the new credit card number you gave the company on the prior call, Amazon will allow you to add a new e-mail address to the account. From here, you go to the Amazon website, and send a password reset to the new e-mail account. This allows you to see all the credit cards on file for the account — not the complete numbers, just the last four digits. But, as we know, Apple only needs those last four digits.


The gambit was so simple, Wired was able to recreate the process twice in minutes.

From there the hackers took the credit card, billing address and Honan's name to AppleCare where the information was enough to issue a temporary iCloud password. At that point Honan was no longer in control of his digital life.

According to Honan:

Apple tech support confirmed to me twice over the weekend that all you need to access someone's AppleID is the associated email address, a credit card number, the billing address, and the last four digits of a credit card on file. I was very clear about this. During my second tech support call to AppleCare, the representative confirmed this to me. "That's really all you have to have to verify something with us," he said.


"You honestly can get into any email associated with apple," Phobia claims.

Honan notes that while Apple and Amazon's security systems should be more carefully vetted, the ultimate responsibility falls on the user. Regularly backing up files, not using redundant credit cards or email addresses and taking all precautions available are key to thwarting such an attack.

Also at issue is Apple's Find My iPhone and Find My Mac features which allow users to locate, ping and remotely wipe a device if it is lost or stolen. While Find My iPhone may be useful for Apple's relatively easy to lose handset, the utility of Find My Mac is somewhat less clear.
post #2 of 47
They definitely need to increase the authentication security. Using only (relatively) publicly available information (email, last 4 CC, billing address) is unnecessarily lax.
post #3 of 47

Scary....Sounds like a great article for MacWorld...start with 1Password, Ghostery....don't use Google or Facebook (they're both "evil!:), have one specific CC for online purchases (only) and a yahoo account for dealing with online transactions only and a .me/mac email address for all other personal email...I'm sure there is more one can do....

post #4 of 47

I have always liked, and believe in the "SEND A CODE TO MY iPHONE" to make changes, like many banks do.

 

Apple should adopt immediately

post #5 of 47
Quote:
Originally Posted by BuffyzDead View Post

I have always liked, and believe in the "SEND A CODE TO MY iPHONE" to make changes, like many banks do.

 

Apple should adopt immediately

Interesting...but not sure what you mean? :)

post #6 of 47
Ask to send a code to your cellphone: when you log in, the website sends you a generated number like 123456 to prove that it's you and your account before it lets you into your account. My bank does that for extra security.

Please excuse my lame English grammar. American Sign Language is my first language and English's the second.
Tallest Skill, you can edit my English grammar for me. My English grammar sucks! lol

post #7 of 47

Google’s security measures factored in too: showing the person’s alternate email address (an obvious AppleID) with no meaningful concealment, to any old stranger!

 

All very scary. I have shut off Find My [Device] for now.

 

And I keep local backups painlessly, thanks to Apple’s Time Machine! Awesome device backed by awesome software. (I also manually drag or CCC from time to time, to yet another backup.)

post #8 of 47

Apple needs to address this immediately.

 

Also, I'd like to warn anyone against shutting off Find My Phone or Mac. It's an incredibly effective tool if one of your Apple products is lost or stolen. I recently had my MacBook Pro stolen and was able to see the residence it was being used in. Police got it back within 48 hours. To me, this is much more valuable than the off chance someone decides to single you out for a hacking attempt via iCloud. A remote erase - assuming you have your files backed up, as you should - is nothing compared to losing a $1,500+ machine.

post #9 of 47
Quote:
Originally Posted by nagromme View Post

Google’s security measures factored in too: showing the person’s alternate email address (an obvious AppleID) with no meaningful concealment, to any old stranger!

All very scary. I have shut off Find My [Device] for now.

And I keep local backups painlessly, thanks to Apple’s Time Machine! Awesome device backed by awesome software. (I also manually drag or CCC from time to time, to yet another backup.)
I realize the actual problem here, and corrections do need to be made, but why is it that only Amazon and Apple are held to blame for this incident? Google was a key part of this identity theft and somehow they managed to escape the headline. With the Gizmodo connection with this person...well, it just seems suspect. Am I the only one seeing this? Or am I just paranoid?

We've always been at war with Eastasia...

post #10 of 47

You're paranoid. The article is about Amazon and Apple because their customer care let him down.

 

Once they had full control of the Apple account they then used it to attack his google.

post #11 of 47
Quote:
Originally Posted by christopher126 View Post

Interesting...but not sure what you mean? :)

 

Netcode SMS.

 

 

A unique six digit pin is sent to the mobile registered to the account. This pin must then be physically entered to confirm sensitive changes to the account.
 
The pin expires in minutes/attempts to prevent brute force attacks. The hacker would physically have to be holding your unlocked phone to be able to complete the necessary steps.
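The step-up code this post describes, as an added example that is not code from the thread or from any provider: a hypothetical server-side verifier that issues a six-digit code, expires it after a few minutes, caps wrong guesses, and accepts it exactly once. The class, method and constant names are assumed; SMS delivery itself is out of scope.

```python
import hmac
import secrets
import time
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

CODE_TTL_SECONDS = 300  # a code is only valid for five minutes
MAX_ATTEMPTS = 3        # after three wrong guesses the code is discarded


@dataclass
class PendingCode:
    code: str
    issued_at: float
    attempts: int = 0


class StepUpVerifier:
    """Hypothetical server-side store for one-time codes sent to a registered phone.

    Only the code's lifecycle is modelled here; how it is delivered is out of scope.
    """

    def __init__(self, ttl: float = CODE_TTL_SECONDS,
                 max_attempts: int = MAX_ATTEMPTS) -> None:
        self.ttl = ttl
        self.max_attempts = max_attempts
        self._pending: Dict[str, PendingCode] = {}

    def issue(self, account_id: str, now: Optional[float] = None) -> str:
        """Create a fresh code for the account, replacing any earlier one.

        Returns the code so the caller can deliver it to the registered phone;
        it is never shown to the web session that asked for the change.
        """
        now = time.time() if now is None else now
        # secrets (CSPRNG), not random: a six-digit code is only safe when it is
        # unpredictable and the guess budget enforced in verify() is small.
        code = f"{secrets.randbelow(1_000_000):06d}"
        self._pending[account_id] = PendingCode(code=code, issued_at=now)
        return code

    def verify(self, account_id: str, submitted: str,
               now: Optional[float] = None) -> Tuple[bool, str]:
        """Check a submitted code. Returns (accepted, reason)."""
        now = time.time() if now is None else now
        pending = self._pending.get(account_id)
        if pending is None:
            return False, "no code pending"
        if now - pending.issued_at > self.ttl:
            del self._pending[account_id]      # expired codes are never retried
            return False, "expired"
        pending.attempts += 1
        if pending.attempts > self.max_attempts:
            del self._pending[account_id]      # cap guesses: 10^6 space, 3 tries
            return False, "too many attempts"
        # constant-time comparison on bytes; no early exit on the first wrong digit
        if hmac.compare_digest(pending.code.encode(), submitted.encode()):
            del self._pending[account_id]      # single use: a replay is rejected
            return True, "ok"
        return False, "wrong code"


if __name__ == "__main__":
    v = StepUpVerifier()
    code = v.issue("demo-account")
    print("code sent to phone:", code)
    print(v.verify("demo-account", code))   # (True, 'ok')
    print(v.verify("demo-account", code))   # (False, 'no code pending'): replay rejected
```

Post #27 below still applies: a code sent to a phone number is only as strong as the carrier's own SIM-replacement checks.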
post #12 of 47
Quote:
Originally Posted by deadPeanut View Post

You're paranoid. The article is about Amazon and Apple because their customer care let him down.

Once they had full control of the Apple account they then used it to attack his google.
So unlike it states in the article, they didn't get his iCloud email address from the Google account recovery page first? This theft would not be possible without this information first. I'll have to try reading it again...

Also, is it painful when someone attacks your google?

We've always been at war with Eastasia...

post #13 of 47
And the press is publishing the process to hack because.... ? Because you're irresponsible morons???
post #14 of 47

Why blame Amazon OR Apple? Blame yourself, dumbass, for putting your life out there on the internet and then being surprised that there was a repercussion. You are a dumbass and that is the one and only problem in your life and the systems within which you operate.

 

Just like others in the world, can't accept responsibility for their own actions.  You put yourself in traffic, then expect to get hit.

post #15 of 47
Quote:
Originally Posted by diplication View Post


So unlike it states in the article, they didn't get his iCloud email address from the Google account recovery page first? This theft would not be possible without this information first. I'll have to try reading it again...
Also, is it painful when someone attacks your google?

I wouldn't call your post an attack.

 

The email that they got from Google was a partial. Unfortunately they were able to make a logical leap to work out the full email. But that's not really the issue.

The difference between Google and the other two in this case is Google customer support weren't tricked into handing over the accounts to the hacker.

Also, Google has tools available to hinder unauthorized access, such as the two-step verification method (i.e. sending a verification code to your phone when logging onto a new computer).

post #16 of 47
Quote:
Originally Posted by deadPeanut View Post

I wouldn't call your post an attack.

 

The email that they got from Google was a partial. Unfortunately they were able to make a logical leap to work out the full email. But that's not really the issue.

The difference between Google and the other two in this case is Google customer support weren't tricked into handing over the accounts to the hacker.

Also, Google has tools available to hinder unauthorized access, such as the two-step verification method (i.e. sending a verification code to your phone when logging onto a new computer).

 

The partial email they got from Google was enough, just as having only part of his credit card was enough. No single entry was enough to compromise his stuff, but the hacker used the rather bizarre security procedures from all three companies to engineer a perfect storm. And if this had happened to a regular fella then I'd be more sympathetic, but even regular fellas have enough about them to back up their important data. He also bears some responsibility for linking so much of his private information to his public persona.

 

Trying to stick Apple, Amazon or Google with the blame for this is just hiding a much bigger problem: personal information being linked across sites means that hackers can pretty much own you with just a few clicks. This is where we have to be a little bit smarter to protect ourselves.

 

Unlike Mat.

 

Quote:

The difference between google and the other two in this case is google customer support weren't tricked into handing over the accounts to the hacker.

 

 

Yes, because they didn't need to call customer support to get the information they needed from Google. It was right there on a web page.


Edited by Rayz - 8/7/12 at 12:17am
post #17 of 47
Quote:
Originally Posted by FreeRange View Post

And the press is publishing the process to hack because.... ? Because you're irresponsible morons???

 

Now that it's out there, companies will move much faster to make sure this doesn't happen again.

 

Which, of course, it will.

post #18 of 47

Almost everyone I deal with (banks, Apple, etc.) has implemented the "three security terms" questions… beyond 'mother's maiden name', each of the 3 has a variety of options… in some cases you can invent your own.

 

Anytime important changes are being requested, or a "give me all my info" request, and ESPECIALLY a "password reset", at least one of those security questions should be required.

 

I have quite a few data points that WILL be common across multiple accounts. I only have one home address. A limited number of email addresses. A limited number of credit cards (although in my case, I can create a 'virtual number' that applies only to a single account or even a single purchase).

 

If someone can figure out how to 'connect dots' like these hackers did (are they really "hackers"? They didn't really do any coding, or "cracking"… they just thought through a big logic puzzle, and succeeded in connecting dots and spoofing reps at two companies…), then this data poses a risk.

 

There needs to always be a unique data point for each account. Something NEVER common to multiple accounts, and ALWAYS referenced any time that account info (especially password) needs to be accessed.

 

To me, that's the major lapse in this scenario...
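An added example, not code from the thread or from any provider, that models the "daisy chain" described in post #1 and checks this post's rule that every account needs a data point no other account shares: starting from data the article says was public, it computes which accounts fall in sequence, lists the factors each account requires that are neither public nor exposed by another account, and shows that adding one such factor to the iCloud step breaks the chain. The account names, factor names and the PUBLIC set are a constructed model, not any company's actual recovery policy.

```python
from typing import Dict, List, Set, Tuple

# account -> (factors its recovery path accepts, data an attacker learns once inside)
Model = Dict[str, Tuple[Set[str], Set[str]]]

# Constructed model of the chain in post #1. Factor names are illustrative only.
CHAIN: Model = {
    # the masked backup address was guessable, so treat it as fully exposed
    "google_recovery_page": ({"gmail_address"}, {"icloud_address"}),
    "amazon":  ({"name", "gmail_address", "billing_address"}, {"cc_last4"}),
    "icloud":  ({"icloud_address", "billing_address", "cc_last4"}, {"icloud_mailbox"}),
    "gmail":   ({"icloud_mailbox"}, {"gmail_mailbox"}),   # reset mail goes to the backup address
    "twitter": ({"gmail_mailbox"}, set()),                # reset mail goes to the Gmail address
}

# Data the article says was obtainable with no account at all (personal site, WHOIS).
PUBLIC: Set[str] = {"name", "gmail_address", "billing_address"}


def reachable(model: Model, known: Set[str]) -> List[str]:
    """Accounts recoverable, in order, from `known` data alone (least fixpoint)."""
    known = set(known)
    fallen: List[str] = []
    progress = True
    while progress:
        progress = False
        for acct, (needs, exposes) in model.items():
            if acct not in fallen and needs <= known:
                fallen.append(acct)
                known |= exposes      # what this account reveals feeds the next step
                progress = True
    return fallen


def independent_factors(model: Model, public: Set[str]) -> Dict[str, Set[str]]:
    """Per account, required factors that are neither public nor exposed by any account.

    An empty set means the account can be recovered purely from data obtainable
    elsewhere: exactly the missing 'unique data point' this post asks for.
    """
    exposed: Set[str] = set().union(*(exp for _, exp in model.values()))
    return {acct: needs - public - exposed for acct, (needs, _) in model.items()}


def harden(model: Model, acct: str, factor: str) -> Model:
    """Return a copy of the model where `acct` also demands `factor` for recovery."""
    needs, exposes = model[acct]
    new = dict(model)
    new[acct] = (needs | {factor}, exposes)
    return new


if __name__ == "__main__":
    print("recoverable from public data:", reachable(CHAIN, PUBLIC))
    print("independent factors:", independent_factors(CHAIN, PUBLIC))
    # A code sent to a registered phone is known to nobody else and exposed by no account.
    fixed = harden(CHAIN, "icloud", "icloud_phone_code")
    print("after hardening iCloud:", reachable(fixed, PUBLIC))
```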

post #19 of 47
Quote:
Originally Posted by diplication View Post

I realize the actual problem here, and corrections do need to be made, but why is it that only Amazon and Apple are held to blame for this incident? Google was a key part of this identity theft and somehow they managed to escape the headline. With the Gizmodo connection with this person...well, it just seems suspect. Am I the only one seeing this? Or am I just paranoid?

No you're not paranoid, or if you are I am too. There are a few fishy things about the story besides the Giz connection. The Wired connection, the Google non-connection, the tear-jerk detail about the daughter's whole life in pictures (a red herring?), the too-perfect stupidity of having no backup, the talkative Phobia, the eagerness not to press charges. If you wanted to rain on Apple's iCloud party . . .
Quote:
Originally Posted by deadPeanut View Post

I wouldn't call your post an attack.

The email that they got from Google was a partial. Unfortunately they were able to make a logical leap to work out the full email. But that's not really the issue.

The difference between Google and the other two in this case is Google customer support weren't tricked into handing over the accounts to the hacker.

Also, Google has tools available to hinder unauthorized access, such as the two-step verification method (i.e. sending a verification code to your phone when logging onto a new computer).

Google has customer support?
post #20 of 47
Quote:
Originally Posted by TexDeafy View Post

Ask to send a code to your cellphone: when you log in, the website sends you a generated number like 123456 to prove that it's you and your account before it lets you into your account. My bank does that for extra security.


What if you don't have/want to have a phone?

Social Capitalist, dreamer and wise enough to know I'm never going to grow up anyway... so not trying anymore.

 

http://m.ign.com/articles/2014/07/16/7-high-school-girls-are-kickstarting-their-awa...

post #21 of 47
Quote:
Originally Posted by deadPeanut View Post

I wouldn't call your post an attack.

The email that they got from Google was a partial. Unfortunately they were able to make a logical leap to work out the full email. But that's not really the issue.

The difference between Google and the other two in this case is Google customer support weren't tricked into handing over the accounts to the hacker.

Also, Google has tools available to hinder unauthorized access, such as the two-step verification method (i.e. sending a verification code to your phone when logging onto a new computer).

How does one contact this "Google Customer Support" you speak of?
post #22 of 47

Here's what I posted in the earlier thread on this:-

 

 

 

Quote:
Originally Posted by hill60 View Post

I'd like to know more about the "social engineering" as I suspect it would involve identity theft.
"This is my name, my date of birth, my home address, my phone number, my email address, I've forgotten my password and my questions don't work, can you help me out here, is there any more information I need to give you?"
I doubt Apple reps (like anyone else working for a holder of secure information) would have access to credit card and social security numbers, maybe the last 3 or 4 digits but not the whole number.
It will be interesting to see what this "social engineering" involved.

 

 

Seems I was pretty dead on.

 

Now there has to be a balance between when to give someone what is rightfully theirs and when to withhold it, it's a matter of convenience, how much of your private information should customer service reps have access to, how much should you have to give them to get what is yours?

 

The weak link was Amazon with the credit card details and Google with the email address details, without those the "hacker" would have got nowhere.

 

My iCloud account is safe due to the simple fact that I have never used Amazon and have never given them CC details.

 

I have also not used a .me.com address with gmail besides which I have separate Apple ID's for iTunes and iCloud.

 

Surprisingly Microsoft has come up with a fairly good new service, outlook.com, where you can set up an Exchange-based email account and assign multiple aliases for various purposes. I've added a few to the ten or so email addresses, most of them unused, that a "hacker" would have to unravel to get to my iCloud.

Better than my Bose, better than my Skullcandy's, listening to Mozart through my LeBron James limited edition PowerBeats by Dre is almost as good as my Sennheisers.
post #23 of 47
Quote:
Originally Posted by nagromme View Post
All very scary. I have shut off Find My [Device] for now.

 

As someone else points out, "Find My [Device]" is perfectly okay to have, but remote wiping of a device should be accompanied by a PIN set beforehand.

 

Quote:
Originally Posted by diplication View Post
Also, is it painful when someone attacks your google?

 

My doctor prescribed me two Instagram to get me through the pain and asked me to call him in the morning.

 

Quote:
Originally Posted by djkikrome View Post

Why blame Amazon OR Apple? Blame yourself, dumbass, for putting your life out there on the internet and then being surprised that there was a repercussion. You are a dumbass and that is the one and only problem in your life and the systems within which you operate.

 

Just like others in the world, can't accept responsibility for their own actions.  You put yourself in traffic, then expect to get hit.

 

This is a blame-the-victim response.  He was attacked for the simple crime of having a three-character Twitter account, not because he was a public figure.  For everything else, if you read the article, he does go into a lot of self-hate.  But I think he has a very valid point--if identity verification is done with information that's available in the public domain, how can it ever be secure?

post #24 of 47
Quote:
Originally Posted by blewharvest View Post


How does one contact this "Google Customer Support" you speak of?

 

I've helped a few people who had forgotten their gmail password for their Android phones, basically you answer a few questions on a web based form and they say they will get in touch in a few days.

Better than my Bose, better than my Skullcandy's, listening to Mozart through my LeBron James limited edition PowerBeats by Dre is almost as good as my Sennheisers.
post #25 of 47
Quote:
Originally Posted by LoopyChew View Post
...if identity verification is done with information that's available in the public domain, how can it ever be secure?

 

The partial credit card details are NOT in the public domain, an Amazon account had to be accessed to obtain them.

 

Without that specific information this would not have worked.

 

The reason it's the last four numbers?

 

So no-one working for a company has access to the full number.

Better than my Bose, better than my Skullcandy's, listening to Mozart through my LeBron James limited edition PowerBeats by Dre is almost as good as my Sennheisers.
post #26 of 47

Mostly the fault of Amazon. Apple can say that the last four digits is their fall back if security questions are forgotten - as they often are. Clearly that is a problem if someone has your credit card. That was always the case, and it is compliant with industry standards. So... well they may have to change. 

I wanted dsadsa bit it was taken.
post #27 of 47
Quote:
Originally Posted by BuffyzDead View Post

I have always liked, and believe in the "SEND A CODE TO MY iPHONE" to make changes, like many banks do.

 

Apple should adopt immediately

 

...say someone got access to your cellphone account details, walked into a store and did a SIM swap?

 

"I've lost my phone and need a new SIM"

 

Put SIM in any other phone, "SEND A CODE TO MY iPHONE" and BAM, they are in.

 

Meanwhile you are left wondering why your phone stopped working.

Better than my Bose, better than my Skullcandy's, listening to Mozart through my LeBron James limited edition PowerBeats by Dre is almost as good as my Sennheisers.
post #28 of 47
Quote:
Originally Posted by Flaneur View Post

No you're not paranoid, or if you are I am too. There are a few fishy things about the story besides the Giz connection. The Wired connection, the Google non-connection, the tear-jerk detail about the daughter's whole life in pictures (a red herring?), the too-perfect stupidity of having no backup, the talkative Phobia, the eagerness not to press charges. If you wanted to rain on Apple's iCloud party . . .
Google has customer support?

I agree completely. In fact, the Gizmodo connection is the least interesting point for me. It is the fact that the hacker picked this journalist well placed to publicize the hack, did serious harm (erasing data, not just changing passwords and announcing "I'm here") and then contacted him and explained everything to make Apple and Amazon look bad. It just seems too pat.
Not to say that this "hack" isn't a problem, but the story just seems too cute...
Progress is a comfortable disease
--e.e.c.
post #29 of 47
Quote:
Ask to send a code to your cellphone: when you log in, the website sends you a generated number like 123456 to prove that it's you and your account before it lets you into your account. My bank does that for extra security.

 

Sometimes I wonder whether people think their ideas through.  You login to iCloud to use Find My iPhone, iCloud sends a message to the stolen phone?  Good luck getting both your iCloud account AND your phone back now!  Perhaps you should call your carrier and have the number reassigned to a new phone (or a new card mailed), but what if the information they have on record for you is outdated?  Oops, now you've lost your phone, your phone number, AND your iCloud account because of a problem that would have never actually existed if you had not published personal information online!  Blaming the service providers for this is simply retarded!  Rent a PO Box if you absolutely must have an address published for the world to see!

post #30 of 47
Quote:
Originally Posted by diplication View Post

I realize the actual problem here, and corrections do need to be made, but why is it that only Amazon and Apple are held to blame for this incident? Google was a key part of this identity theft and somehow they managed to escape the headline. With the Gizmodo connection with this person...well, it just seems suspect. Am I the only one seeing this? Or am I just paranoid?

No, you're not the only one. I stated earlier that the fact that they apparently never reported this to the authorities to try to get the guy arrested suggests that it's an inside job.
Quote:
Originally Posted by hill60 View Post

Now there has to be a balance between when to give someone what is rightfully theirs and when to withhold it, it's a matter of convenience, how much of your private information should customer service reps have access to, how much should you have to give them to get what is yours?

The weak link was Amazon with the credit card details and Google with the email address details, without those the "hacker" would have got nowhere.

My iCloud account is safe due to the simple fact that I have never used Amazon and have never given them CC details.

I have also not used a .me.com address with gmail besides which I have separate Apple ID's for iTunes and iCloud.

Surprisingly Microsoft has come up with a fairly good new service, outlook.com, where you can set up an Exchange-based email account and assign multiple aliases for various purposes. I've added a few to the ten or so email addresses, most of them unused, that a "hacker" would have to unravel to get to my iCloud.

Re the bolded:
That's the fundamental issue. If Apple required the entire credit card, then there would be complaints that the customer service reps have access to your credit card info. If everyone chose a different 4 digits of the credit card, a hacker could eventually get the full card number by assembling information from different sources. The more private information you require, the more secure, but at the expense of requiring more private information to become available to companies you do business with.

There's no doubt that there are flaws in the system and the system could be improved. But it's not a trivial matter like some people are suggesting - the entire system has a problem. In the end, no matter where you set the balance between security and privacy, someone is going to be unhappy. Until there's a new technology (perhaps some truly foolproof biometric if that could be developed), someone is going to be unhappy.

It is, of course, interesting that when this article came out, Apple was the one attacked. Later, Amazon was added to the mix, but Google (along with the millions of other companies who do the same thing as Apple and Amazon and Google) was left out.
"I'm way over my head when it comes to technical issues like this"
Gatorguy 5/31/13
post #31 of 47

The partial email they got from Google was enough? Come again? In what way will that be enough for the thief to force his way in? Does this Mat Honan, being the IT writer that he is, seem intelligent enough to you? The fact that he didn't back up his important data off-line someplace actually qualifies him to become an idiot who possibly didn't practice what he preached, i.e. back up your data, back up your data, back up your data. And, of course, as many people do, to make things worse, he chose an easier and lazier way to choose an email address, that is using personal_name@whatever.com. If you use that lazy email naming scheme as one of the key pieces of info to get into a very secure site, you'll be in for some nasty surprises. So, you figured it's Google's fault that the ID thief guessed this Mat Honan uses his personal name for his alternate email address for email recovery. He could've used I_am_an_idiot_blog_writer@me.com, and that would have been enough to save him from his ordeal.

 

Personally, to prevent unauthorized access to any important and highly secure sites, I would not use the lazy email addressing scheme which apparently many seem to be very fond of. It's an accident waiting to happen. It's good that this idiot Mat Honan's incident occurred. It will definitely open so many eyes about the possibility of so-called "social engineering" for gaining access to secure sites due to users' laziness or indifferent attitudes about the possibility of identity theft and all the disaster which will follow.

 

Quote:
Originally Posted by Rayz View Post

 

The partial email they got from Google was enough, just as having only part of his credit card was enough.


Edited by mcrs - 8/7/12 at 5:52am
post #32 of 47

On the flip side - one of my store credit cards has removed the ability to reset a password via their website and I was unsuccessful in getting any assistance from the help desk number provided on the web page - and when I try to re-register I am unable to because it says I am already registered. And no password I have ever used for anything seems to work for that site. The help desk suggested I send an email to their account services team which I have done twice with no response. The account has not been compromised and I can still use the card and can still call the phone number to get balance and payment date etc - but I cannot do anything with the account online. It would seem my only option is to close the account, wait a bit, and then open a new one. 

post #33 of 47
Quote:
Originally Posted by christopher126 View Post

have one specific CC for online purchases (only) and a yahoo account for dealing with online transactions only and a .me/mac email address for all other personal email...I'm sure there is more one can do....

That's the stuff that got him into trouble. It's more like 'don't use a domain registrar that displays billing addresses, or don't use your real one', 'don't use the same credit card on every site', 'don't use your freaking name as your email' and most important 'don't forget to back your stuff up'

We don't know what policy was overlooked by Apple, but in the end is that as important as the fact that he had linked up his accounts as he did, or that other companies make it so easy to get the vital info? If Google hadn't shown his email address, even partly blanked, it would have stopped things dead. And yet everyone is yelling about Apple's blame and policies and this vague comment.

A non tech's thoughts on Apple stuff 

(She's family so I'm a little biased)

post #34 of 47
Quote:
Originally Posted by deadPeanut View Post

You're paranoid. The article is about Amazon and Apple because their customer care let him down.

Once they had full control of the Apple account they then used it to attack his google.

The whole thing started with the fact that they knew his apple id because google exposed it. So yes, they share the blame

A non tech's thoughts on Apple stuff 

(She's family so I'm a little biased)

post #35 of 47
Quote:
Originally Posted by deadPeanut View Post

I wouldn't call your post an attack.

The email that they got from Google was a partial. Unfortunately they were able to make a logical leap to work out the full email. But that's not really the issue.

The difference between google and the other two in this case is google customer support weren't tricked into handing over the accounts to the hacker.

Google wasn't tricked because they gave out the info, so they didn't have to be tricked. So yes, that exposed email is part of the issue.

Quote:
Also, Google has tools available to hinder unauthorized access. Such as the two step verification method. (ie sending a verification code to your phone when logging onto a new computer)

Those tools aren't mandatory, which is why Honan wasn't using them. That Google makes them optional adds to their part in the shared blame

A non tech's thoughts on Apple stuff 

(She's family so I'm a little biased)

post #36 of 47
Quote:
Originally Posted by mcrs View Post

The partial email they got from Google was enough? Come again? In what way will that be enough for the thief to force his way in?

If a thief doesn't know your address he can't come steal from you. And this attack was personal. So with that partial address they would have been dead in the water.

A non tech's thoughts on Apple stuff 

(She's family so I'm a little biased)

post #37 of 47
Quote:
Originally Posted by mcrs View Post

The partial email they got from Google was enough? Come again? In what way will that be enough for the thief to force his way in?

 

Yes, that does read a little bit strangely. I'll try again.

 

 

 

Quote:
The partial email they got from Google was enough, just as having only part of his credit card was enough. No single entry was enough to compromise his stuff,

 

What I meant was that all that was needed was a piece of the information from each company to form the whole 'key' to this person's life. It was the parts that were the problem. No single part would have been enough to allow the break-in, but each company and the user did not consider these pieces being used together.

 

Amazon shouldn't be handing over partial credit card numbers

Google shouldn't be handing over partial recovery email addresses

Apple shouldn't be relying on publicly known details as a security check (though we don't know what procedures weren't followed).

Mat shouldn't have been such an idiot.

 

Take any one of those out the equation and the 'hack' wouldn't have worked half as well.

 

 

 

Quote:

Does this Mat Honan, being the IT writer that he is, seem intelligent enough to you? The fact that he didn't back up his important data off-line someplace actually qualifies him to become an idiot who possibly didn't practice what he preached, i.e. back up your data, back up your data, back up your data. And, of course, as many people do, to make things worse, he chooses an easier and lazier way to pick an email address, that is using personal_name@whatever.com. If you use that lazy email naming scheme as one of the key pieces of info to get into a very secured site, you'll be in for some nasty surprises. So, you figured it's Google's fault that the ID thief guessed this Mat Honan uses his personal name for his alternate email address for email recovery. He could've used I_am_an_idiot_blog_writer@me.com, and that would be enough to save him from his ordeal.

 

Personally, to prevent unauthorized access to any important and highly secured sites, I would not use the lazy email addressing scheme which apparently many seem to be very fond of. It's an accident waiting to happen. It's good that this idiot Mat Honan's incident occurred. It will definitely open so many eyes about the possibility of so-called "social engineering" for gaining access to secured sites due to users' laziness or indifferent attitudes about the possibility of identity theft and all the disaster which will follow.

 

Why are you ranting? Most people agree with you. Most people know more about online security than Mat, it would seem.

 

In fact, I find it so hard to believe that a 'tech journalist' had no backups that I'm inclined to think that this is a setup.

post #38 of 47

Regardless of all of the other details here, it's disconcerting that all that is required to get a new temporary ID is the user's billing address and the last four digits of their credit card. If you're sitting in front of someone's computer while it's logged on, half the time you can go into their email; it doesn't take a genius, just the opportunity. If you know the address and steal a glance at their card, that's all it takes to hijack an account and, in minutes, many of their accounts.

 

I'm not thinking of any grand underworld hacking scheme. I'm thinking about the time years ago I went to the bathroom and came back and found the painter at my laptop. He gave some lame excuse and slunk away, and I figured he couldn't have done much: he couldn't have compromised any accounts, nothing logged on automatically and he had no passwords. If I hear of such a story today I'll think differently.

post #39 of 47
Quote:
Originally Posted by Rayz View Post

 

The partial email they got from Google was enough, just as having only part of his credit card was enough. No single entry was enough to compromise his stuff, but the hacker used the rather bizarre security procedures from all three companies to engineer a perfect storm. And if this had happened to a regular fella then I'd be more sympathetic, but even regular fellas have enough about them to back up their important data. He also bears some responsibility for linking so much of his private information to his public persona.

 

Trying to stick Apple, Amazon or Google with the blame for this is just hiding a much bigger problem: personal information being linked across sites means that hackers can pretty much own you with just a few clicks. This is where we have to be a little bit smarter to protect ourselves.

 

Unlike Mat.

 

 

Yes, because they didn't need to call customer support to get the information they needed from Google. It was right there on a web page.

 

Thank you. These people seem to think Google can do no wrong because they give them stuff for free. Wait until they get hacked and you find out all the info they really store on each of us.
 
post #40 of 47

Why does Apple only require the last 4 digits of your CC number to verify your account?  In addition to other sources, those show up on paper receipts all the time... perfect puzzle piece for social engineering schemes, especially when you know the victim in person. So many people are careless with CC receipts.

 

The whole "customer service reps would have to have access to the whole number" thing doesn't make any sense. Just:

1. Rep asks for your full CC number

2. Rep types in what you say

3. Computer responds to rep with "yes it matches" or "no it doesn't"

 

or even better

 

1. Rep says "I'm going to pass you on to our computerized verification system"

2. Computerized voice asks for your full CC number

3. You type it in with your touch-tone phone

4. You get passed back to the rep, who is told by the computer whether you typed in the right number or not

 

As a whole though, this shows a huge new problem: how various accounts with different companies interact, each disclosing different little bits of information and each requiring different bits to get in.  The only way to solve this is with a law or at least a universal policy adopted by the industry as a whole specifying (1) what information it takes to get full control of an account, (2) what information can be disclosed to someone who doesn't have full control of an account and (3) what actions can be taken by someone who doesn't have full control of an account.  Without this, it'll be impossible to ever figure out all the various interactions between companies and it'll turn into a never-ending cat and mouse game of attacks and policy changes.  The current process of daisy-chaining accounts off each other for recovery purposes is a disaster waiting to happen.  If (1) is well thought out, it'll be hard for an attacker to put together from public information, plus if it's standardized people will know what specifically to keep secret.

 

Ultimately down the road, we need a better way. Military/secret service security specialists have known for a long time that for ultimate authentication you need three things:

1) something you know (ie password)

2) something you have (ie physical key)

3) something you are (ie fingerprint)

 

I don't understand why in this day and age, we're still so centered around "something you know".  Password, billing address, CC number, mother's maiden name are all things someone with malicious intent could find out. As our lives depend more and more on our accounts, we need to do better....
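The "rep types it in, computer answers yes or no" scheme proposed in post #40 above, as an added example (not code from the original thread): the server keeps only a keyed hash of the card number, the rep's console gets back nothing but match / no match / locked, and repeated wrong guesses lock the check so the rep channel cannot be used to enumerate a number. The server key, the 3-attempt limit and the card number are constructed for the example.

```python
import hmac
import hashlib
import secrets
from dataclasses import dataclass

# Hypothetical per-deployment secret. A bare SHA-256 of a 16-digit PAN is
# brute-forceable (low entropy, Luhn-constrained), so the fingerprint is keyed.
SERVER_KEY = secrets.token_bytes(32)
MAX_ATTEMPTS = 3  # constructed limit; after this the rep channel is locked

def normalize_pan(entered: str) -> str:
    """Keep digits only, so spaces or dashes the caller reads out don't matter."""
    return "".join(ch for ch in entered if ch.isdigit())

def pan_fingerprint(pan: str) -> bytes:
    """Keyed hash stored at enrollment; the PAN itself is not retained."""
    return hmac.new(SERVER_KEY, normalize_pan(pan).encode(), hashlib.sha256).digest()

@dataclass
class Account:
    fingerprint: bytes
    failed_attempts: int = 0
    locked: bool = False

def enroll(pan: str) -> Account:
    return Account(fingerprint=pan_fingerprint(pan))

def verify_for_rep(acct: Account, entered: str) -> str:
    """Everything the rep's screen ever receives: 'match', 'no match' or 'locked'.
    The stored fingerprint is never returned, and the compare is constant-time."""
    if acct.locked:
        return "locked"
    if hmac.compare_digest(pan_fingerprint(entered), acct.fingerprint):
        acct.failed_attempts = 0
        return "match"
    acct.failed_attempts += 1
    if acct.failed_attempts >= MAX_ATTEMPTS:
        acct.locked = True  # further proof must come via a stronger channel
        return "locked"
    return "no match"

if __name__ == "__main__":
    acct = enroll("4111 1111 1111 1111")  # constructed test card number
    print(verify_for_rep(acct, "4111-1111-1111-1111"))  # match
    print(verify_for_rep(acct, "4111 1111 1111 1234"))  # no match
```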
