Mat Honan, the technology reporter who was digitally disemboweled this past weekend, has revealed exactly how he was so spectacularly owned. His case, a cascade of security failures that involved four well-known companies, should be a warning to anyone overly reliant on cloud-computing services.
“What happened to me exposes vital security flaws in several customer-service systems, most notably Apple’s and Amazon’s,” Honan wrote in a long piece published on the Wired magazine website last night (Aug. 6). “Apple tech support gave the hackers access to my iCloud account. Amazon tech support gave them the ability to see a piece of information — a partial credit-card number — that Apple used to release information.
“In short, the very four digits that Amazon considers unimportant enough to display in the clear on the Web are precisely the same ones that Apple considers secure enough to perform identity verification.”
More than one party at fault
Honan admits that he’s partly to blame, for daisy-chaining three online accounts so that the failure of one would lead to the failure of the next; for putting his street address on his personal website’s domain registration (when a P.O. box would have worked); for not backing up his laptop to a physical disk; for not using two-factor authentication on his Gmail account; and, worst of all, for enabling his iCloud account to wipe his laptop’s hard drive.
“While that service makes sense for phones (which are quite likely to be lost) it makes less sense for computers,” Honan wrote. “You are almost certainly more likely to have your computer accessed remotely than physically.”
But Apple and Amazon are also at fault, both for making it too easy for malicious actors to access vital details of other people’s accounts, and for having conflicting policies regarding which parts of a credit-card numbershould be visible.
Amazon hides all of a credit-card number except the last four digits. Apple considers those last four digits the “keys to the kingdom” and, according to Honan, requires only those digits and a billing address to give someone a temporary password to an existing Apple account.
An Apple spokeswoman told Honan that “in this particular case,” the company had “found that our own internal policies were not followed completely.”
Honan and his Wired colleagues wanted to make sure. They tried the same method on a different Apple account — and got in.
“You honestly can get into any email associated with Apple,” a Twitter user who claimed to be part of the crew that hacked Honan told him.
Amazon, Honan said, wasn’t such a pushover. To get the last four digits of Honan’s credit-card number, the attackers had to make two calls to Amazon tech support: the first to add a new credit card to the account, the second to reset the designated email address.
Amazon will send a password-reset email to the new email address listing all the credit cards on file, with all digits but the last four obscured. (Honan and his colleagues confirmed that this method also worked.) Sadly for Honan, those last four digits held the key to his entire digital life.
Who didn’t mess up
Ironically, the hacker who spoke to Honan said he and his friends were only after his Twitter account, which was linked to Honan’s Gmail address. Honan’s erased iPhone, iPad, iCloud account and all the lost data on his MacBook, including every photo he had of his year-old daughter, were collateral damage.
The hackers took a look at the password-recovery page Gmail generated when they tried to break in using a bad password. There, they saw the backup contact email address listed: “firstname.lastname@example.org.”
“If I had some other account aside from an Apple e-mail address, or had used two-factor authentication for Gmail, everything would have stopped here,” Honan wrote. “But using the .Me [iCloud] email account as a backup meant told the hacker I had an AppleID account, which meant I was vulnerable to being hacked.”
Unlike Apple or Amazon, Google comes out of this well-publicized episode well. It offered security that, while not used, would have stopped the attack. Likewise, Twitter looks good for not compromising anything and for giving Honan his account back promptly.
Avoid the dark clouds behind the silver lining
In a way, it’s better for everyone that such a disaster happened to such a high-profile person at this stage in the growth of cloud computing.
Honan, to put it bluntly, believed too well in the virtues of always-connected, available-from-everywhere services. He doesn’t believe in it any more.
“My experience leads me to believe that cloud-based systems need fundamentally different security measures,” he wrote. “Password-based security mechanisms — which can be cracked, reset and socially engineered — no longer suffice in the era of cloud computing.”
Until those new security methods arrive, here’s how to avoid becoming the next Mat Honan:
— Do not let Amazon, Apple or, indeed, any online retailer store your credit-card information. Type it in yourself every time. It’s a pain in the butt, but there it is.
— Do not use a credit card at all to pay for iTunes purchases. Instead, use gift cards that you buy at physical stores.
— Turn on two-factor authentication in Gmail. It can be a hassle to set up, especially for mobile access, but once it’s done, it’ll be much harder for someone to hijack your Google account. (Facebook also offers two-factor authentication.)
— Split your Apple accounts: Create one account for iTunes, another for iCloud. Again, that’s inconvenient, but it’ll protect your Apple devices in case your iTunes account gets hijacked, which happens more frequently than you’d think.
— Do not “daisy chain” your accounts so that one password-reset attempt leads to another. Instead, create a new email account to be used only for such notifications, perhaps even a new one for each account. If you’re the kind of person who runs his or her own Web server, make it an email address based on a server you control.
UPDATE: According to Wired, Amazon on Tuesday (Aug. 7) apparently changed its security policies so that customers could no longer add a credit card or an email address to their accounts by telephone.
The magazine discovered the change when it found that the Amazon-specific social-engineering methods used by Honan’s hackers would no longer work. (They did work over the weekend.) Amazon refused to comment.
Wired also reported Tuesday that an internal Apple source had told it that Apple was suspending over-the-phone password resets for at least 24 hours.
The Apple-specific social-engineering method that was used against Honan no longer worked Tuesday, and a customer-service representative, who had not been told the reason for the change, suggested that callers try again the next day.