August 7, 2012 report
Hacking nightmare victim chastises Apple and Amazon
(Phys.org) -- Wheezes, whispers, coughs and sidebar remarks might one day crash into a deafening roar: There is a disconnect problem in data management policies involving the technology industry as deployed and utilized. Everyone owning some kind of computing device and connecting to the Internet faces a three-Cs looming nightmare made up of connectivity, cloud computing, and compromise. Journalist Mat Honan has published a biting account of how hackers wreaked havoc on his digital life in one day thanks to Apple and Amazon security weaknesses.
"In the space of one hour, my entire digital life was destroyed. First my Google account was taken over, then deleted. Next my Twitter account was compromised, and used as a platform to broadcast racist and homophobic messages. And worst of all, my AppleID account was broken into, and my hackers used it to remotely erase all of the data on my iPhone, iPad, and MacBook," he wrote.
He said his accounts were daisy-chained, making this easy to occur. "Getting into Amazon let my hackers get into my Apple ID account, which helped them get into Gmail, which gave them access to Twitter."
Honan said he regretted not having had two-factor authentication for his Google account. He thinks that if he had gone that route, it is possible that none of this would have happened. He also regrets not having regularly backed up data on his MacBook.
"Amazon tech support gave them the ability to see a piece of information, a partial credit card number, that Apple used to release information. In short, the very four digits that Amazon considers unimportant enough to display in the clear on the web are precisely the same ones that Apple considers secure enough to perform identity verification," he said.
His account of his nightmarish Friday reckoning on August 3 is quite detailed. Many pieces of a hacking puzzle were given a post-mortem. But one takeaway is clear. Honan is alarmed at the inability of majors such as Apple to provide a reasonable level of security for their users.
What riled Honan is learning that a billing address and the last four digits of a credit card number are apparently the only two pieces of information anyone needs to get into the iCloud account. Once supplied, Apple will issue a temporary password, and that password grants access to iCloud.
Reacting to that account of a relaxed policy experience, Apple spokesperson Natalie Kerris told Wired that Apple found that their own internal policies were not followed completely. She said that they are reviewing their processes for resetting account passwords to ensure customers' data is protected.
As of Monday, however, those working on Honan's story at Wired tried to verify the hackers' access technique by performing it on a different account. They succeeded.
Honan takes personal responsibility but he also feels justified in his disappointment in an ecosystem that he trusted, and which he said has let him down so thoroughly.
"I'm angry that Amazon makes it so remarkably easy to allow someone into your account, which has obvious financial consequences. And then there's Apple. I bought into the Apple account system originally to buy songs at 99 cents a pop, and over the years that same ID has evolved into a single point of entry that controls my phones, tablets, computers and data-driven life."
He noted that with an AppleID, thousands of dollars of purchases can be done in an instant, not to ignore other damage, he said, at a cost that cannot be priced.
Elsewhere, advice has been coming into blogs and tech sites affirming the protective steps recognized by Honan. The useful means of protection listed include using Google two-factor authentication and using an external drive to back up data.
© 2012 Phys.org