The hack into a writer’s iCloud account puts a spotlight on steps consumers should take to protect their data and flaws in the policies of Apple, Amazon and other vendors.
The hack into a Gizmodo writer’s Amazon and Apple accounts over the weekend is being used as a cautionary tale for consumers, a call to action for cloud providers regarding security policies and a sounding board for concerns about the rush to the cloud.
In a lengthy first-person account in Wired magazine, writer Mat Honan outlines how an attacker quickly found his way into Honan’s iCloud account and wiped everything from his Mac, iPhone and iPad, all of which were linked to Apple’s cloud service. The attacker also hacked into his Twitter and Gmail accounts. In the story, Honan admonishes himself for failing to follow basic security protocol—his online accounts were linked together, and he had failed to back up his data, for example.
However, the larger concern was how quickly and easily the attacker—who called himself “Phobia”—was able to get gain control of Honan’s Apple iCloud account though just a couple of phones calls to Amazon and Apple, convincing customer service representatives at both places that he was Honan. The attack was less about hacking into the accounts via a computer and more about social engineering glean the necessary personal information from Amazon and Apple.
According to Honan, the hacker was able to get ahold of his email address, and used that and the billing address to convince Amazon customer service representatives that he was Honan to talk his way into seeing Honan’s account. With that access, Phobia was able to see the last four digits of Honan’s credit card number. With that in hand, he called Apple tech support and—armed with the last four credit card numbers, email address and billing address—convinced them that he was Honan and to reset the iCloud login. The hacker now had access to all the account and the devices Honan owned.
“Amazon tech support gave them the ability to see a piece of information—a partial credit card number—that Apple used to release information,” Honan wrote. “In short, the very four digits that Amazon considers unimportant enough to display in the clear on the web are precisely the same ones that Apple considers secure enough to perform identity verification. The disconnect exposes flaws in data management policies endemic to the entire technology industry, and points to a looming nightmare as we enter the era of cloud computing and connected devices.”
He wrote that since his experience Aug. 3, he’s learned of others who have been attacked in the same way. It also back up comments made by Apple founder Steve Wozniak, who after a recent performance of “The Agony and the Ecstasy of Steve Jobs” in Washington, told the audience in a discussion that he saw bad times coming as the world embraced cloud computing.
“I really worry about everything going to the cloud,” Wozniak said, according to reports. “I think it’s going to be horrendous. I think there are going to be a lot of horrible problems in the next five years. … I want to feel that I own things. A lot of people feel, ‘Oh, everything is really on my computer,’ but I say the more we transfer everything onto the web, onto the cloud, the less we’re going to have control over it.”
In the wake of Honan’s article, computer security experts have talked about steps consumers need to take to retain as much control as possible over the data they are putting into the cloud. And it goes beyond passwords, according to Lisa Myers, a blogger on the Mac Security Blog site for Apple security software vendor Intego.
“As much as we like to trumpet the use of good passwords, this is one instance in which this would not have made a difference,” Myers said. “You can use the best password in the world, but if someone can socially engineer you or someone from the site or service itself to reveal your password, it will make no difference. That isn’t to say that strong passwords are not important; having a strong password will protect you against the majority of common attacks. But you should definitely not bet the farm on a password.”
There are steps consumers should take, she and others said. That includes encrypting as much of the online data as possible, making it more difficult for hackers to use data they gain access to. Reconsider linking accounts—trading in convenience for security—and using two-factor authentication when possible. Also, for such accounts, use an email that is unknown to others. In addition, according to Paul Ducklin, head of technology for Asia-Pacific for security software vendor Sophos Lab, consumers should make and keep backups outside of the cloud, and use an independent remote wipe service rather than one that is part of the cloud service.
As much as consumers have to take steps to protect themselves, vendors like Apple and Amazon, which hold so much personal information of their users, need to bulk up their policies. An Apple spokesperson told Honan that in his case, the company’s internal policies were not followed. In addition, Wired reported that Amazon Aug. 6 changed its customer privacy policies, including no longer allowing people to call in and change account settings in their user accounts.
Neither Apple nor Amazon have commented publically about Honan’s case.
Sophos’ Ducklin said in an Aug. 6 post on his company’s Naked Security blog that Apple recently bolstered its security policies by asking users to provide a number of security questions for further authentication. However, he said that in Honan’s case, because the hacker used social engineering and talked an Apple representative into giving him the information, the tighter security policies wouldn’t have mattered.
Apple, Amazon and others are in a difficult spot, Ducklin said. Companies can enforce “utterly inflexible procedures for password reset,” he said, but that is done more to save money by reducing the workforce rather than security. It also leads to situations where legitimate consumers can’t solve password reset issues.