Hacking nightmare victim chastises Apple and Amazon

Aug 07, 2012 by Nancy Owano

(Phys.org) -- Wheezes, whispers, coughs and sidebar remarks might one day crash into a deafening roar: there is a disconnect between the data-management policies the technology industry writes and the way those policies are actually deployed and used. Everyone who owns a computing device and connects to the Internet faces a looming three-Cs nightmare of connectivity, cloud computing, and compromise. Journalist Mat Honan has published a biting account of how, thanks to security weaknesses at Apple and Amazon, attackers wrecked his digital life in a single day.

“In the space of one hour, my entire digital life was destroyed. First my Google account was taken over, then deleted. Next my Twitter account was compromised, and used as a platform to broadcast racist and homophobic messages. And worst of all, my AppleID account was broken into, and my hackers used it to remotely erase all of the data on my iPhone, iPad, and MacBook,” he wrote.

He said his accounts were daisy-chained, which made the takeover easy. “Getting into Amazon let my hackers get into my Apple ID account, which helped them get into Gmail, which gave them access to Twitter.”

Honan said he regretted not having had two-factor authentication for his Google account. He thinks that if he had gone that route, it is possible that none of this would have happened. He also regrets not having regularly backed up data on his MacBook.

“Amazon tech support gave them the ability to see a piece of information — a partial credit card number — that Apple used to release information. In short, the very four digits that Amazon considers unimportant enough to display in the clear on the web are precisely the same ones that Apple considers secure enough to perform identity verification,” he said.

His account of his nightmarish Friday reckoning on August 3 is quite detailed, and many pieces of the hacking puzzle get a post-mortem. But one takeaway is clear: Honan is alarmed at the inability of majors such as Apple to provide a reasonable level of security for their users.

What riled Honan was learning that a billing address and the last four digits of a credit card number are apparently the only two pieces of information anyone needs to get into an iCloud account. Once those are supplied, Apple issues a temporary password, and that password grants access to iCloud.
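The chain Honan describes, in which the last four digits Amazon displays feed Apple's reset check and each account's reset path feeds the next, is easiest to reason about as a dependency graph. The Python below is an added illustration written for this page, not code from the article, from Honan, or from Apple or Amazon. The factor names are constructed labels; the Amazon account is taken as the starting foothold because the article does not detail how it was entered; and Gmail's reset path through the iCloud address is an assumption made for the model. It computes which accounts fall from what is initially known, then shows how a second factor that no other service in the graph exposes stops the chain.

```python
"""Account-recovery dependency graph and blast-radius computation.

Constructed example for this page (not the article's own code). Each Account
lists the factors its password-reset flow demands and what an attacker gains
once the account is controlled. A reset factor is only as secret as the
least-protected service that displays it.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Account:
    name: str
    resets_with: frozenset   # every factor here must be presented to reset
    exposes: frozenset       # factors/access gained once the account is owned


def blast_radius(accounts, starting_factors, seed_accounts=()):
    """Fixed-point walk over the graph.

    Returns (compromised accounts in the order they fall, factors known at
    the end). An account falls when all of its reset factors are known.
    """
    by_name = {a.name: a for a in accounts}
    known = set(starting_factors)
    compromised = []
    for name in seed_accounts:            # accounts already controlled
        compromised.append(name)
        known |= by_name[name].exposes
    changed = True
    while changed:
        changed = False
        for acct in accounts:
            if acct.name in compromised:
                continue
            if acct.resets_with <= known:  # full reset requirement satisfied
                compromised.append(acct.name)
                known |= acct.exposes
                changed = True
    return compromised, known


def leakers(accounts, factor):
    """Which services expose a given factor to whoever controls them."""
    return [a.name for a in accounts if factor in a.exposes]


# --- constructed model of the chain the article describes -------------------
PUBLIC = frozenset({"billing_address"})          # obtainable from public records

# Starting foothold (assumption: how Amazon was entered is not detailed here).
AMAZON = Account("amazon",
                 resets_with=frozenset({"amazon_password"}),
                 exposes=frozenset({"cc_last4"}))   # last four digits shown in clear
# Reset policy as reported: billing address + last four digits -> temp password.
APPLE_ID = Account("apple_id",
                   resets_with=frozenset({"billing_address", "cc_last4"}),
                   exposes=frozenset({"icloud_email"}))
# Assumption: the iCloud address serves as Gmail's recovery address.
GMAIL = Account("gmail",
                resets_with=frozenset({"icloud_email"}),
                exposes=frozenset({"gmail_access"}))
TWITTER = Account("twitter",
                  resets_with=frozenset({"gmail_access"}),
                  exposes=frozenset())

CHAIN = [AMAZON, APPLE_ID, GMAIL, TWITTER]


def as_reported():
    """Order in which accounts fall under the reported policies."""
    return blast_radius(CHAIN, PUBLIC, seed_accounts=["amazon"])[0]


def with_google_2fa():
    """Corrected policy: Gmail's reset also needs a device factor that no
    other service in the graph ever exposes, so the chain stops there."""
    gmail_2fa = Account("gmail",
                        GMAIL.resets_with | {"google_2fa_device"},
                        GMAIL.exposes)
    accounts = [AMAZON, APPLE_ID, gmail_2fa, TWITTER]
    return blast_radius(accounts, PUBLIC, seed_accounts=["amazon"])[0]


if __name__ == "__main__":
    print("as reported      :", as_reported())
    print("with Google 2FA  :", with_google_2fa())
    print("services exposing cc_last4:", leakers(CHAIN, "cc_last4"))
```

The same walk can be rerun with other policy changes, for example making apple_id demand a factor that Amazon does not display, to see how far the damage would have spread with each fix applied on its own.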

Reacting to that account of a lax policy, Apple spokesperson Natalie Kerris told Wired that Apple had found its own internal policies were not followed completely. She said the company is reviewing its processes for resetting account passwords to ensure that customers’ data is protected.

As of Monday, however, Wired staff working on Honan’s story tried to verify the hackers’ access technique by performing it on a different account. They succeeded.

Honan takes personal responsibility, but he also feels justified in his disappointment in an ecosystem that he trusted and which, he said, has let him down so thoroughly.

“I’m angry that Amazon makes it so remarkably easy to allow someone into your account, which has obvious financial consequences. And then there’s Apple. I bought into the system originally to buy songs at 99 cents a pop, and over the years that same ID has evolved into a single point of entry that controls my phones, tablets, computers and data-driven life.”

He noted that with an AppleID, thousands of dollars of purchases can be made in an instant, not to mention other damage at a cost that cannot be priced.

Elsewhere, advice posted on blogs and tech sites affirms the protective steps Honan recognized. The useful protections listed include turning on Google two-factor authentication and backing up data to an external drive.


User comments: 13

Deathclock
2 / 5 (4) Aug 07, 2012
It pays to be paranoid. No matter what any company does or does not do there is no guarantee that this won't happen to you, be mindful of that fact. Don't make yourself a target, becoming a random victim is much less likely than inadvertently making yourself a target of intentional malice.
xX_GT_Xx
5 / 5 (4) Aug 07, 2012
Imagine that arsonists are on the loose, intent on destroying all your paperback books. Everyone knows about these arsonists, and many take reasonable precautions like having deadbolts on the doors, but the arsonists are known to be extremely clever and manage to outwit many security protocols, eventually. They can break in at any time and sometimes successfully burn all they want.

Along comes a tech giant, who against all logic, reason, and simple common sense, convinces people that they should gather all their books in one place. This place is in the middle of a field, called a "cloud" because it sounds innocuous. But don't worry, they say, we put a big fence around the field. Now you can quickly and easily find any book you want because they're all in one place and isn't that easy?

The user says wow, neat! The arsonist says holy cow, you put your books all in one place? How dumb are you?
Deathclock
2 / 5 (4) Aug 07, 2012
I like that analogy! What an appealing scenario for the arsonist, as all those books piled together will make for a hell of a bonfire.

This is in keeping with the analogy, FYI: people who get off on destruction want to destroy as much as they can as quickly as they can.
xX_GT_Xx
5 / 5 (4) Aug 07, 2012
All the arsonist has to do is find his way to the field and jump the fence, then pow, it's Fahrenheit 451 time.

No security will stop this. No security has ever stopped hackers, for long. All you've done is taken all the little targets hackers are always after and glommed them together into one big target, and made it easy for them to cause catastrophic damage.

And what's worse is that the real reason tech giants are pushing for cloud computing is so they can police your data. You already can't install apps they don't approve (for "security reasons", wink wink). Already you can't read a simple ebook unless it's in the right proprietary format, depending on your reader. Already we have video games that require logging in to remote servers, even in single player mode.

"Cloud" computing is going to go down as one of the biggest tech blunders in history.
Deathclock
3.5 / 5 (8) Aug 07, 2012
I agree with everything you've said, but it's a losing battle... people don't think, they want what's new and shiny on the assumption that new is better and "cloud computing" is new and shiny. I agree it's a disaster waiting to happen, either in terms of malicious activity or in terms of loss of personal freedom, but it is going to happen because most people don't care enough or aren't informed enough or aren't intelligent enough to prevent it.
Deathclock
2.6 / 5 (5) Aug 07, 2012
Specifically regarding games requiring you to log into remote servers even in single player... You can think of this in terms of Capitalism. This is a feature of the game, and if you don't like the feature you can choose not to play the game... HOWEVER, and this is a big however, there are no laws against all companies colluding on policy, which means that eventually the entire industry will operate this way and then your only option will be to accept it or to never play games. This is essentially forcing your hand through monopolistic practices, and we are quite powerless to stop it, because most of us, myself included, will not stop playing games solely due to this issue.

You can apply this to any number of issues in any number of industries, the truth remains the same. The control is in the hands of the corporations, and as long as you are not willing to completely stop using entire categories of products or services then you have no power over them.
Deathclock
1.8 / 5 (5) Aug 07, 2012
Sure, a small start-up company might pop up who opposes this policy, but what do you think will happen to them? Eventually they will either become large enough that they will be coerced by the rest of the industry to follow suit, or they will be strong-armed out of business, or they will be bought out by the giants... this happens ALL THE TIME, just look at EA's acquisition history, or any major game publisher for that matter.
Howard_Vickridge
5 / 5 (2) Aug 07, 2012
Stay independent, avoid the cloud. My data backups live in a fire-proof safe, I've quit Facebook, and I don't link any Twitter/Google/etc. passwords. Sure it has limited some functionality options, but I really don't feel inconvenienced. I do feel digitally safer, however.
gopher65
not rated yet Aug 07, 2012
Howard_Vickridge: Honestly, it only limits you in a fairly... low key way. Not being on facebook isn't a big deal, but even if you 'need' to be on facebook it's easy enough not to put any personal data on it besides things that are already available through oldschool sources like the whitepages (eg, where you live, your real name, a burner email address, etc. Maybe a picture of your pet if you're feeling adventurous). There is no need to put anything else up there. All primary facebook functionality (linking up with old friends mainly) will still work, and you'll be safeish.

Same with cloud services. It's fine to use them, but use them like I do: no personal information. No personal pictures, unless I absolutely don't care about losing them or every advertising company in the world having them to use against me. Just junk, that's it.

Everything else can come with me in a USB drive or a pocket HDD (or pocket SSD. Same difference). I don't have a fireproof safe yet, but I want one :).
Howard_Vickridge
5 / 5 (2) Aug 08, 2012
@ gopher65.
Thanks, I absolutely agree with you. Whatever I do have in cloud storage, I always keep my own copy on my own gear. And I put nothing into cloud that I wouldn't be relaxed about leaving in hard-copy on a park bench. For example if I'm working with people's medical records, I quail at the risk of having them under some anonymous system's protection; I still use tracked-courier or secure fax for the most sensitive material. And my laptop sits under my bed, with my wallet and credit cards and cellphone, every night. Being burgled while asleep in 2010 reminded me how vulnerable both data and devices are; we need to be digitally AND physically vigilant.
gopher65
5 / 5 (1) Aug 08, 2012
Yup. Another thing most people don't realize is that the internet is currently basically a cross between the lawless wild west and a laissez faire capitalist's wet dream. It's not that there aren't rules per se, it's that there is little to no law enforcement. Whether that's a good thing or a bad thing depends greatly on how much you value security versus pure freedom.

But whatever your viewpoint on such things, you wouldn't walk down the street carrying valuables in a modern laissez faire wild west state (like Somalia) without some serious personal security, and probably body armor to boot. You'd be robbed blind and then killed without such protection. Yet people seem perfectly willing to waltz around the unsecured internet advertising their valuables (information in this case), and then act surprised when they discover criminals exist in the lawless recesses of the net!

People are either insane or (more likely) naive and ignorant of the reality of an online existence.
TSfraud
not rated yet Aug 08, 2012
Don't settle for anything less than two-factor authentication. I have two-step authentication on my email and I like the extra security it offers. You just telesign into your account and it's good to go. I'm hoping that more companies start to offer this awesome functionality. In reality this should be a prerequisite to any system that wants to promote itself as being secure. I feel suspicious when I am not asked to telesign into my account by way of 2FA, it just feels as if they are not offering me enough protection.
xX_GT_Xx
not rated yet Aug 08, 2012
Even 2FA can be beaten. It's harder, but 2FA doesn't eliminate the probability of being hacked, it just reduces it.

The point is that cloud computing doesn't really have any practical purpose. It doesn't offer you anything you don't already have. The only effect it has on your computing experience is to increase your overall vulnerability to attack and increase the potential severity of the attack.

So why do it? Who benefits? Certainly not the user.