Amazon, Apple security measures factors in journalist's hacked iCloud account

Posted:
in General Discussion edited January 2014
A combination of Amazon's credit card record keeping and Apple's user authentication requirements amounted to a relatively easy "social engineering" hack that wreaked havoc on Wired writer Mat Honan's iCloud and Twitter accounts.

Hackers late Friday managed to break into Honan's iCloud account, wipe his MacBook Air, iPad and iPhone and cause general mayhem to all other associated accounts, including Gizmodo's Twitter feed.

While Honan first believed a brute force method was employed to obtain his short alphanumeric password, he later wrote on his blog that the "social engineering" of an Apple tech support employee was to blame. In a more detailed account from Wired on Monday, the tech writer notes the hackers gained unauthorized access by stringing together a set of data easily obtainable for someone who knows where to look.

Interestingly, one of the supposed hackers calling himself "Phobia" reached out to Honan who, after promising not to press charges, learned exactly how the breach occurred and why.

Honan notes all his accounts, from Amazon to Apple, are "daisy-chained" together with credit card information, email address and a physical address all connected in a such a way as to allow the bypassing of security measures. This breach would not be possible if it weren't for the human element which in Honan's case came in the form of both Amazon and Apple support staff.

Honan writes:
But what happened to me exposes vital security flaws in several customer service systems, most notably Apple?s and Amazon?s. Apple tech support gave the hackers access to my iCloud account. Amazon tech support gave them the ability to see a piece of information — a partial credit card number — that Apple used to release information. In short, the very four digits that Amazon considers unimportant enough to display in the clear on the web are precisely the same ones that Apple considers secure enough to perform identity verification. The disconnect exposes flaws in data management policies endemic to the entire technology industry, and points to a looming nightmare as we enter the era of cloud computing and connected devices.
Mat Honan
Mat Honan. | Source: Wired


The target was Honan's @Mat Twitter feed, which was accessed though a number of relatively simple steps. First the hackers found Honan's Gmail address from the personal webpage linked to his Twitter account. Because the Gmail account was the default Twitter address, the hackers then moved to Google's account recovery page which yielded the partial address "[email protected]" as the default backup. All the hackers needed now was Honan's home address, found through domain registry logs, his .me account address and the last four digits of the credit card on file at Apple.

It is that last bit of information where human support staff enter the picture, and where the security system breaks down. The hackers called Amazon's support staff and "socially engineered" the employee or employees to give out the last four digits of Honan's credit card using what appears to be standard protocols.

As explained by Honan:
First you call Amazon and tell them you are the account holder, and want to add a credit card number to the account. All you need is the name on the account, an associated e-mail address, and the billing address. Amazon then allows you to input a new credit card. (Wired used a bogus credit card number from a website that generates fake card numbers that conform with the industry?s published self-check algorithm.) Then you hang up.

Next you call back, and tell Amazon that you?ve lost access to your account. Upon providing a name, billing address, and the new credit card number you gave the company on the prior call, Amazon will allow you to add a new e-mail address to the account. From here, you go to the Amazon website, and send a password reset to the new e-mail account. This allows you to see all the credit cards on file for the account — not the complete numbers, just the last four digits. But, as we know, Apple only needs those last four digits.
The gambit was so simple, Wired was able to recreate the process twice in minutes.

From there the hackers took the credit card, billing address and Honan's name to AppleCare where the information was enough to issue a temporary iCloud password. At that point Honan was no longer in control of his digital life.

According to Honan:
Apple tech support confirmed to me twice over the weekend that all you need to access someone's AppleID is the associated email address, a credit card number, the billing address, and the last four digits of a credit card on file. I was very clear about this. During my second tech support call to AppleCare, the representative confirmed this to me. "That's really all you have to have to verify something with us," he said.
?You honestly can get into any email associated with apple,? Phobia claims.

Honan notes that while Apple and Amazon's security systems should be more carefully vetted, the ultimate responsibility falls on the user. Regularly backing-up files, not using redundant credit cards or email addresses and taking all precautions available are key to thwarting such an attack.

Also at issue is Apple's Find My iPhone and Find My Mac features which allow users to locate, ping and remotely wipe a device if it is lost or stolen. While Find My iPhone may be useful for Apple's relatively easy to lose handset, the utility of Find My Mac is somewhat less clear.
«13

Comments

  • Reply 1 of 47
    muppetrymuppetry Posts: 3,328member
    They definitely need to increase the authentication security. Using only (relatively) publicly available information (email, last 4 CC, billing address) is unnecessarily lax.
  • Reply 2 of 47


    Scary....Sounds like a great article for MacWorld...start with 1Password, Ghostery....don't use Google or Facebook (they're both "evil!:), have one specific CC for online purchases (only) and a yahoo account for dealing with online transactions only and a .me/mac email address for all other personal email...I'm sure there is more one can do....

  • Reply 3 of 47


    I have always liked, and believe in the "SEND A CODE TO MY iPHONE" to make changes, like many banks do.


     


    Apple should adopt immediately

  • Reply 4 of 47

    Quote:

    Originally Posted by BuffyzDead View Post


    I have always liked, and believe in the "SEND A CODE TO MY iPHONE" to make changes, like many banks do.


     


    Apple should adopt immediately



    Interesting...but not sure what you mean? :)

  • Reply 5 of 47
    Ask to send code to cellphone, when you log in, the website will send you the generator number like 123456 to prove that it's you and your account before gets in your account. My bank do that for xtra secure.
  • Reply 6 of 47
    nagrommenagromme Posts: 2,834member


    Google’s security measures factored in too: showing the person’s alternate email address (an obvious AppleID) with no meaningful concealment, to any old stranger!


     


    All very scary. I have shut off Find My [Device] for now.


     


    And I keep local backups painlessly, thanks to Apple’s Time Machine! Awesome device backed by awesome software. (I also manually drag or CCC from time to time, to yet another backup.)

  • Reply 7 of 47


    Apple needs to address this immediately.


     


    Also, I'd like to warn anyone against shutting off Find My Phone or Mac. It's an incredibly effective tool if one of your Apple products is lost or stolen. I recently had my MacBook Pro stolen and was able to see the residence it was being used in. Police got it back within 48 hours. To me, this is much more valuable then the off chance someone decides to single you out for a hacking attempt via iCloud. A remote erase - assuming you have your files backed up, as you should - is nothing compared to losing a $1,500+ machine.

  • Reply 8 of 47
    nagromme wrote: »
    Google’s security measures factored in too: showing the person’s alternate email address (an obvious AppleID) with no meaningful concealment, to any old stranger!

    All very scary. I have shut off Find My [Device] for now.

    And I keep local backups painlessly, thanks to Apple’s Time Machine! Awesome device backed by awesome software. (I also manually drag or CCC from time to time, to yet another backup.)
    I realize the actual problem here, and corrections do need to be made, but why is it that only Amazon and Apple are held to blame for this incident? Google was a key part of this identity theft and somehow they managed to escape the headline. With the Gizmodo connection with this person...well, it just seems suspect. Am I the only one seeing this? Or am I just paranoid?
  • Reply 9 of 47


    You're paranoid. The article is about Amazon and Apple because their customer care let him down.


     


    Once they had full control of the Apple account they then used it to attack his google.

  • Reply 10 of 47
    dunksdunks Posts: 1,240member

    Quote:

    Originally Posted by christopher126 View Post


    Interesting...but not sure what you mean? :)



     


    Netcode SMS.


     


     


    A unique six digit pin is sent to the mobile registered to the account. This pin must then be physically entered to confirm sensitive changes to the account.


     


    The pin expires in minutes/attempts to prevent brute force attacks. The hacker would physically have to be holding your unlocked phone to be able to complete the necessary steps.
  • Reply 11 of 47
    deadpeanut wrote: »
    You're paranoid. The article is about Amazon and Apple because their customer care let him down.

    Once they had full control of the Apple account they then used it to attack his google.
    So unlike it states in the article, they didn't get his iCloud email address from the Google account recovery page first? This theft would not be possible without this information first. I'll have to try reading it again...

    Also, is it painful when someone attacks your google?
  • Reply 12 of 47
    freerangefreerange Posts: 1,589member
    And the press is publishing the process to hack because.... ? Because you're irresponsible morons???
  • Reply 13 of 47
    djkikromedjkikrome Posts: 189member


    Why blame Amazon OR Apple.  Blame yourself, dumbass, for putting your life out there on the internet and then being surprised that there was a repercussion.  You are a dumbass and that is the one and only problem in your life and the systems which within you operate.


     


    Just like others in the world, can't accept responsibility for their own actions.  You put yourself in traffic, then expect to get hit.

  • Reply 14 of 47

    Quote:

    Originally Posted by diplication View Post





    So unlike it states in the article, they didn't get his iCloud email address from the Google account recovery page first? This theft would not be possible without this information first. I'll have to try reading it again...

    Also, is it painful when someone attacks your google?


    I wouldn't call your post an attack.


     


    The email that they got from google was a partial. Unfortunetly they were able to make a logical leap to work out the full email. But thats not really the issue.


     


    The difference between google and the other two in this case is google customer support weren't tricked into handing over the accounts to the hacker.


     


    Also, Google has tools available to hinder unauthorized access. Such as the two step verification method. (ie sending a verification code to your phone when logging onto a new computer)

  • Reply 15 of 47
    rayzrayz Posts: 814member

    Quote:

    Originally Posted by deadPeanut View Post


    I wouldn't call your post an attack.


     


    The email that they got from google was a partial. Unfortunetly they were able to make a logical leap to work out the full email. But thats not really the issue.


     


    The difference between google and the other two in this case is google customer support weren't tricked into handing over the accounts to the hacker.


     


    Also, Google has tools available to hinder unauthorized access. Such as the two step verification method. (ie sending a verification code to your phone when logging onto a new computer)



     


    The partial email they got from Google was enough, just as having only part of his credit card was enough. No single entry was enough to compromise his stuff, but the hacker used the rather bizarre security procedures from all three companies to engineer a perfect storm. And if this had happened to a regular fella then I'd be more sympathetic, but even regular fellas have enough about them to back up their important data. He also bears some responsibility for linking so much of his private information to his public persona.


     


    Trying to stick Apple, Amazon or Google with the blame for this is just hiding a much bigger problem: personal information being linked across sites means that hackers can pretty much own you with just a few clicks. This is where we have to be a little bit smarter to protect ourselves.


     


    Unlike Mat.


     


    Quote:


    The difference between google and the other two in this case is google customer support weren't tricked into handing over the accounts to the hacker.


     




     


    Yes, because they didn't need to call customer support to get the information they needed from Google. It was right there on a web page.

  • Reply 16 of 47
    rayzrayz Posts: 814member

    Quote:

    Originally Posted by FreeRange View Post



    And the press is publishing the process to hack because.... ? Because you're irresponsible morons???


     


    Now that it's out there, companies will move much faster to make sure this doesn't happen again.


     


    Which, of course, it will.

  • Reply 17 of 47
    tribalogicaltribalogical Posts: 1,181member


    Almost everyone I deal with (banks, Apple, etc.) has implemented the "three security terms" questions… beyond 'mother's maiden name', each of the 3 has a variety of options… in some cases you can invent your own.


     


    Anytime important changes are being requested, or a "give me all my info" request, and ESPECIALLY a "password reset", at least one of those security questions should be required.


     


    I have quite a few data points that WILL be common across multiple accounts. I only have one home address. A limited number of email addresses. A limited number of credit cards (although in my case, I can create a 'virtual number' that applies only to a single account or even a single purchase).


     


    If someone can figure out how to 'connect dots' like these hackers did (are they really "hackers"? They didn't really do any coding, or "cracking"… they just thought through a big logic puzzle, and succeeded in connecting dots and spoofing reps at two companies…), then this data poses a risk.


     


    There needs to always be a unique data point for each account. Something NEVER common to multiple accounts, and ALWAYS referenced any time that account info (especially password) needs to be accessed.


     


    To me, that's the major lapse in this scenario...

  • Reply 18 of 47
    flaneurflaneur Posts: 4,510member
    I realize the actual problem here, and corrections do need to be made, but why is it that only Amazon and Apple are held to blame for this incident? Google was a key part of this identity theft and somehow they managed to escape the headline. With the Gizmodo connection with this person...well, it just seems suspect. Am I the only one seeing this? Or am I just paranoid?

    No you're not paranoid, or if you are I am too. There are a few fishy things about the story besides the Giz connection. The Wired connection, the Google non-connection, the tear-jerk detail about the daughter's whole life in pictures (a red herring?), the too-perfect stupidity of having no backup, the talkative Phobia, the eagerness not to press charges. If you wanted to rain on Apple's iCloud party . . .
    deadpeanut wrote: »
    I wouldn't call your post an attack.

    The email that they got from google was a partial. Unfortunetly they were able to make a logical leap to work out the full email. But thats not really the issue.

    The difference between google and the other two in this case is google customer support weren't tricked into handing over the accounts to the hacker.

    Also, Google has tools available to hinder unauthorized access. Such as the two step verification method. (ie sending a verification code to your phone when logging onto a new computer)

    Google has customer support?
  • Reply 19 of 47
    lightknightlightknight Posts: 2,312member

    Quote:

    Originally Posted by TexDeafy View Post



    Ask to send code to cellphone, when you log in, the website will send you the generator number like 123456 to prove that it's you and your account before gets in your account. My bank do that for xtra secure.




    What if you don't have/want to have a phone?

  • Reply 20 of 47
    deadpeanut wrote: »
    I wouldn't call your post an attack.

    The email that they got from google was a partial. Unfortunetly they were able to make a logical leap to work out the full email. But thats not really the issue.

    The difference between google and the other two in this case is google customer support weren't tricked into handing over the accounts to the hacker.

    Also, Google has tools available to hinder unauthorized access. Such as the two step verification method. (ie sending a verification code to your phone when logging onto a new computer)

    How does one contact this "Google Customer Support" you speak of?
Sign In or Register to comment.