Wednesday, August 08, 2012

Hacker succeeds, forces Apple and Amazon to change security policies

The big news this week was the hijacking of Wired reporter Mat Honan's iCloud account. Honan was hacked via a security flaw in Apple and Amazon's security policies, which allowed the hacker to pretend to be him and obtain access to his email account and AppleID.
The hacker then proceeded to wipe his iPhone, iPad and MacBooks, all in an attempt to gain access to Honan's Twitter account, which has only three characters (@mat).

After recovering his account, Honan managed to chat with one of the hackers, who goes by the handle Phobia, and was told how the hack took place.

“You honestly can get into any email associated with Apple,” Phobia boasted to Honan in an email.

As the hackers' initial plan was to get access to Honan's Twitter, they first looked up his Twitter and guessed his Gmail account. From there, as Honan did not have two-factor authentication turned on, they were able to view his backup email address, which was also Honan's AppleID.

From there, it was a relatively simple affair. To gain access to Honan's AppleID, Phobia and his partner had to obtain the last four digits of Honan's credit card number through Amazon. They first called Amazon's support line and added a fake credit card account. Then the hacker called Amazon again and claimed to have lost the account password.

By giving the fake credit card number, Phobia was able to add a new email account which then allowed him to view the last four digits of Honan's credit card. The hacker then called AppleID and used the credit card number as well as Honan's birthdate (obtained from a Google search) to get a temporary password.

The rest, as they say, is history. The hackers then proceeded to attempt a recovery on this Gmail and used the password from the AppleID account to access his Gmail account as well as his Twitter feed.

While Honan managed to recover his account, data, including photos of his kids saved in his notebook, which was wiped using Apple's Find My Mac remote wipe feature, are likely irretrievably gone.

Since the incident, Amazon has changed its policies to prevent another exploit. The company no longer supports changing account settings via a phone call. Apple has yet to come up with a new policy, but is currently freezing all AppleID password requests made over the phone.

The hackers seem to have succeeded in their aims, which was to " to publicize security exploits, so companies will fix them". But at what cost? Imagine losing all your personal data, photos as well as access to your devices. While this did not happen to you, it could have, if all your data is stored on the cloud, and are not sufficiently secured.

Honan did say that if he had enabled two-factor authentication on his Gmail, this hack would not have been possible. While it's inconvenient, perhaps it's time to turn it on for your cloud accounts. Better hassled then sorry, no?

View the original article here

No comments:

Post a Comment