Mat Honan had a very, very bad digital day. His Google account was deleted. His Twitter account got hijacked. His Apple ID was taken over and used to remotely wipe all of the data on his iPhone, iPad and MacBook. (Update: Apple and Amazon are trying to address the exploited vulnerabilities.)
After reading the long article on Wired, here’s my summary of why this happened:
- Different security standards for different companies;
- Easy discoverability of identity information;
- Customer service problems;
- The victim’s choice not to take some available steps to protect his data and accounts, such as enabling two-factor authentication on his Google account.
Here is a linchpin of the security breach: “The very four digits that Amazon considers unimportant enough to display in the clear on the Web are precisely the same ones that Apple considers secure enough to perform identity verification.”
And here’s how the hack was accomplished, in 17 steps extracted from Honan’s article:
1) Hacker goes to victim’s Twitter account.
2) Twitter account links to personal Web site.
3) Personal Web site lists victim’s Gmail address.
4) Hacker guesses this Gmail address is the one associated with the Twitter account.
5) Hacker goes to Google’s account recovery page.
6) Victim lacks two-factor authentication, so when the hacker enters the Gmail address on the account recovery page, Google shows the partially masked alternate e-mail set up for account recovery. The alternate e-mail is an address at me.com.
7) A me.com address is an Apple domain, so the hacker now knows an Apple ID account exists.
8) Hacker gets the billing address with a Whois search on the victim’s personal Web domain. If Whois doesn’t work, other options include Spokeo, WhitePages and PeopleSmart.
9) To get credit card number, call Amazon and tell them you are account holder and want to add credit card number to account.
10) All you need for this is name on account, associated e-mail address, and billing address.
11) Input new credit card and hang up.
12) Call Amazon back and say you’ve lost access to your account.
13) Provide name, billing address and credit card number you just gave to company. Then you can add new e-mail to the account.
14) Go to Amazon Web site and send a password reset to the new e-mail account.
15) This allows you to see last four digits of all credit cards on file for the Amazon account.
16) With info thus acquired, hacker calls AppleCare at 4:33 p.m. on Friday, Aug. 3.
17) The hacker cannot answer the security questions, but is able to provide the e-mail address, billing address and last four digits of a credit card on file. That does the trick: Apple issues a temporary password for the Apple ID. The gates are open.