Hackers late Friday managed to break into Honan's iCloud account, wipe his MacBook Air, iPad and iPhone and cause general mayhem to all other associated accounts, including Gizmodo's Twitter feed.
While Honan first believed a brute force method was employed to obtain his short alphanumeric password, he later wrote on his blog that the "social engineering" of an Apple tech support employee was to blame. In a more detailed account from Wired on Monday, the tech writer notes the hackers gained unauthorized access by stringing together a set of data easily obtainable for someone who knows where to look.
Interestingly, one of the supposed hackers calling himself "Phobia" reached out to Honan who, after promising not to press charges, learned exactly how the breach occurred and why.
Honan notes all his accounts, from Amazon to Apple, are "daisy-chained" together, with credit card information, email address and a physical address all connected in such a way as to allow the bypassing of security measures. This breach would not have been possible without the human element, which in Honan's case came in the form of both Amazon and Apple support staff.
But what happened to me exposes vital security flaws in several customer service systems, most notably Apple's and Amazon's. Apple tech support gave the hackers access to my iCloud account. Amazon tech support gave them the ability to see a piece of information — a partial credit card number — that Apple used to release information. In short, the very four digits that Amazon considers unimportant enough to display in the clear on the web are precisely the same ones that Apple considers secure enough to perform identity verification. The disconnect exposes flaws in data management policies endemic to the entire technology industry, and points to a looming nightmare as we enter the era of cloud computing and connected devices.
Mat Honan. | Source: Wired
The target was Honan's @Mat Twitter feed, which was accessed through a number of relatively simple steps. First the hackers found Honan's Gmail address from the personal webpage linked to his Twitter account. Because the Gmail account was the default Twitter address, the hackers then moved to Google's account recovery page, which displayed a partially masked .me address as the default backup. All the hackers needed now was Honan's home address, found through domain registry logs, his .me account address and the last four digits of the credit card on file at Apple.
It is that last bit of information where human support staff enter the picture, and where the security system breaks down. The hackers called Amazon's support staff and "socially engineered" the employee or employees into giving out the last four digits of Honan's credit card, using what appear to be standard protocols.
As explained by Honan:
First you call Amazon and tell them you are the account holder, and want to add a credit card number to the account. All you need is the name on the account, an associated e-mail address, and the billing address. Amazon then allows you to input a new credit card. (Wired used a bogus credit card number from a website that generates fake card numbers that conform with the industry's published self-check algorithm.) Then you hang up.
Next you call back, and tell Amazon that you've lost access to your account. Upon providing a name, billing address, and the new credit card number you gave the company on the prior call, Amazon will allow you to add a new e-mail address to the account. From here, you go to the Amazon website, and send a password reset to the new e-mail account. This allows you to see all the credit cards on file for the account — not the complete numbers, just the last four digits. But, as we know, Apple only needs those last four digits.
The gambit was so simple, Wired was able to recreate the process twice in minutes.
From there the hackers took the credit card, billing address and Honan's name to AppleCare where the information was enough to issue a temporary iCloud password. At that point Honan was no longer in control of his digital life.
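The chain above is really a dependency graph: each support desk hands out a fact that the next one accepts as proof of identity. The following added example (not code from the article, Wired, or any of the companies named) models that graph as rules and computes what an adversary holding only public facts can reach, then shows which single policy change breaks the chain. Fact names, and the assumption that the e-mail on the Amazon account was the Gmail address and that the masked hint sufficed to identify the .me address, are this example's own.

```python
from typing import FrozenSet, List, Set, Tuple

# A rule: (label, facts the caller must already hold, facts the step yields).
Rule = Tuple[str, FrozenSet[str], FrozenSet[str]]

def rule(label: str, needs: List[str], grants: List[str]) -> Rule:
    return (label, frozenset(needs), frozenset(grants))

# The chain as the article narrates it; fact names are constructed for this model.
CHAIN: List[Rule] = [
    rule("Twitter profile links a personal webpage", ["twitter_handle"], ["personal_webpage"]),
    rule("Personal webpage lists a Gmail address", ["personal_webpage"], ["gmail_address"]),
    rule("Domain registry lookup gives home address", ["personal_webpage"], ["home_address"]),
    rule("Google recovery page hints the .me backup address", ["gmail_address"], ["me_address"]),
    rule("Amazon call 1: add a card with name, e-mail, billing address",
         ["name", "gmail_address", "home_address"], ["attacker_card_on_file"]),   # assumption: Gmail is the e-mail on file
    rule("Amazon call 2: add e-mail using the new card, reset password",
         ["name", "home_address", "attacker_card_on_file"], ["amazon_access"]),
    rule("Amazon account page shows last four of each card", ["amazon_access"], ["card_last4"]),
    rule("AppleCare issues temporary iCloud password",
         ["me_address", "home_address", "card_last4"], ["icloud_access"]),
    rule("Gmail reset via .me backup address", ["icloud_access"], ["gmail_access"]),
    rule("Twitter reset via Gmail", ["gmail_access"], ["twitter_access"]),
]
PUBLIC_START = frozenset({"twitter_handle", "name"})  # what anyone can know up front

def closure(start: FrozenSet[str], rules: List[Rule]) -> Tuple[Set[str], List[str]]:
    """Fire rules to a fixpoint; return every fact reachable and the steps that fired."""
    known, fired = set(start), []
    changed = True
    while changed:
        changed = False
        for label, needs, grants in rules:
            if needs <= known and not grants <= known:
                known |= grants
                fired.append(label)
                changed = True
    return known, fired

def without(rules: List[Rule], label_prefix: str) -> List[Rule]:
    """Simulate a policy change by dropping the step whose label starts with label_prefix."""
    return [r for r in rules if not r[0].startswith(label_prefix)]

def weak_links(start: FrozenSet[str], rules: List[Rule], target: str) -> List[str]:
    """Steps whose removal alone makes target unreachable: each is a single point of failure."""
    return [r[0] for r in rules if target not in closure(start, without(rules, r[0]))[0]]

if __name__ == "__main__":
    known, fired = closure(PUBLIC_START, CHAIN)
    print("reached twitter_access:", "twitter_access" in known)
    for step in fired:
        print("  ", step)
    print("single changes that break the chain:", weak_links(PUBLIC_START, CHAIN, "twitter_access"))
```

Because the chain is linear, every step is a single point of failure: Amazon masking the last four digits, or Apple requiring something the Amazon page never reveals, would each have stopped it.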
According to Honan:
Apple tech support confirmed to me twice over the weekend that all you need to access someone's AppleID is the associated email address, a credit card number, the billing address, and the last four digits of a credit card on file. I was very clear about this. During my second tech support call to AppleCare, the representative confirmed this to me. "That's really all you have to have to verify something with us," he said.
"You honestly can get into any email associated with apple," Phobia claims.
Honan notes that while Apple and Amazon's security systems should be more carefully vetted, the ultimate responsibility falls on the user. Regularly backing up files, not reusing the same credit cards or email addresses across services, and taking all precautions available are key to thwarting such an attack.
Also at issue are Apple's Find My iPhone and Find My Mac features, which allow users to locate, ping and remotely wipe a device if it is lost or stolen. While Find My iPhone may be useful for Apple's relatively easy-to-lose handset, the utility of Find My Mac is somewhat less clear.