There‘s a New ’Epic’ Hack That Uses Only Two Easily Found Pieces of Information — And Here’s How to Protect Yourself
Security flaws by both Apple and Amazon has Matt Honan describing in a blog post on Wired’s GadgetLab the “epic hacking” that happened to him within the space of an hour over the weekend:
First my Google account was taken over, then deleted. Next my Twitter account was compromised, and used as a platform to broadcast racist and homophobic messages. And worst of all, my AppleID account was broken into, and my hackers used it to remotely erase all of the data on my iPhone, iPad, and MacBook.
Honan acknowledges that while some of this was his fault — his accounts were easily connected to each other — Apple and Amazon already knew of the vulnerabilities that led to this hacking, which Honan found others had experienced as well. Honan writes it was a partial credit card number revealed by Amazon that allowed Apple tech support to change the password to his iCloud account, which then led hackers into his Gmail and Twitter and gave them the ability to wipe data from his devices.
“In short, the very four digits that Amazon considers unimportant enough to display in the clear on the web are precisely the same ones that Apple considers secure enough to perform identity verification,” he wrote. “The disconnect exposes flaws in data management policies endemic to the entire technology industry, and points to a looming nightmare as we enter the era of cloud computing and connected devices.”
Honan goes on to give a play-by-play of how and when he realized he was being hacked, the results of it, and the time he spent on the phone with Apple Customer Support that eventually revealed they had given the hacker access into his iCloud account. All the hacker needed to have Apple reset Honan’s password into the cloud was his email address, billing address and last four digits of a credit card on file.
Apple spokesperson Natalie Kerris said to Wired that whoever hacked Honan had enough of his personal information for authorization and some of the company’s own internal policies were not followed, resulting in the resetting of Honan’s Apple ID password, which eventually led to the destruction of his “entire digital life.” As a result of this incident, Kerris said Apple is reviewing its process for resetting account passwords.
Things get even more disconcerting when Honan begins to describe the new Twitter account he established until his hacked one was reinstated. His hackers began to follow and converse with him on this new account (Editor’s note: Some language has been redacted):
We started a dialogue via Twitter direct messaging that later continued via e-mail and AIM. Phobia was able to reveal enough detail about the hack and my compromised accounts that it became clear he was, at the very least, a party to how it went down. I agreed not to press charges, and in return he laid out exactly how the hack worked. But first, he wanted to clear something up:
“didnt guess ur password or use bruteforce. i have my own guide on how to secure emails.”
I asked him why. Was I targeted specifically? Was this just to get to Gizmodo’s Twitter account? No, Phobia said they hadn’t even been aware that my account was linked to Gizmodo’s, that the Gizmodo linkage was just gravy. He said the hack was simply a grab for my three-character Twitter handle. That’s all they wanted. They just wanted to take it, and f*** s*** up, and watch it burn. It wasn’t personal.
“I honestly didn’t have any heat towards you before this. i just liked your username like I said before” he told me via Twitter Direct Message.
Overall, this event Honan said leads him to believe cloud services that are being pressed upon users need different security measures — a password system doesn’t cut it anymore.
Honan writes that his hacking, which appears merely to have occurred for the purpose of trolling his Twitter followers, could have been much worse if it had led into his banking systems or to some of his contacts as a journalist. Still, like Honan said, when he first encountered this issue, he found he wasn’t alone. Here are some tips from Honan on how to protect yourself from digital demise:
Backup your computer. In the event of a hacking, if your data is somehow wiped clean, this way you’ll be covered.
Avoid linking accounts together when possible. By associating his Gmail with his iCloud accounts, the hackers were able to get further into his digital life. He writes using a different email prefix could help avoid “daisy-chaining” accounts. He also suggests making sure your recovery email account is used only for recovery, not associated with other vital uses.
Begin using Google’s two-step verification. This essentially requires a password and a verification code that will either be texted or called to you each time you try to login from an unknown computer.
Avoid using Find My Mac app. Although Honan says the version for finding your iPhone is useful, the Find My Mac app allowed the hackers to remotely wipe his devices.
Gizmodo also points out that every printed credit card receipt is bound to have the last four digits of the card as well, so Amazon is not the only thing you need to worry about.
Security flaws by both Apple and Amazon has Matt Honan describing in a blog post on Wired’s GadgetLab the “epic hacking” that happened to him within the space of an hour over the weekend:
First my Google account was taken over, then deleted. Next my Twitter account was compromised, and used as a platform to broadcast racist and homophobic messages. And worst of all, my AppleID account was broken into, and my hackers used it to remotely erase all of the data on my iPhone, iPad, and MacBook.
Honan acknowledges that while some of this was his fault — his accounts were easily connected to each other — Apple and Amazon already knew of the vulnerabilities that led to this hacking, which Honan found others had experienced as well. Honan writes it was a partial credit card number revealed by Amazon that allowed Apple tech support to change the password to his iCloud account, which then led hackers into his Gmail and Twitter and gave them the ability to wipe data from his devices.
“In short, the very four digits that Amazon considers unimportant enough to display in the clear on the web are precisely the same ones that Apple considers secure enough to perform identity verification,” he wrote. “The disconnect exposes flaws in data management policies endemic to the entire technology industry, and points to a looming nightmare as we enter the era of cloud computing and connected devices.”
Honan goes on to give a play-by-play of how and when he realized he was being hacked, the results of it, and the time he spent on the phone with Apple Customer Support that eventually revealed they had given the hacker access into his iCloud account. All the hacker needed to have Apple reset Honan’s password into the cloud was his email address, billing address and last four digits of a credit card on file.
Apple spokesperson Natalie Kerris said to Wired that whoever hacked Honan had enough of his personal information for authorization and some of the company’s own internal policies were not followed, resulting in the resetting of Honan’s Apple ID password, which eventually led to the destruction of his “entire digital life.” As a result of this incident, Kerris said Apple is reviewing its process for resetting account passwords.
Things get even more disconcerting when Honan begins to describe the new Twitter account he established until his hacked one was reinstated. His hackers began to follow and converse with him on this new account (Editor’s note: Some language has been redacted):
We started a dialogue via Twitter direct messaging that later continued via e-mail and AIM. Phobia was able to reveal enough detail about the hack and my compromised accounts that it became clear he was, at the very least, a party to how it went down. I agreed not to press charges, and in return he laid out exactly how the hack worked. But first, he wanted to clear something up:
“didnt guess ur password or use bruteforce. i have my own guide on how to secure emails.”
I asked him why. Was I targeted specifically? Was this just to get to Gizmodo’s Twitter account? No, Phobia said they hadn’t even been aware that my account was linked to Gizmodo’s, that the Gizmodo linkage was just gravy. He said the hack was simply a grab for my three-character Twitter handle. That’s all they wanted. They just wanted to take it, and f*** s*** up, and watch it burn. It wasn’t personal.
“I honestly didn’t have any heat towards you before this. i just liked your username like I said before” he told me via Twitter Direct Message.
Overall, this event Honan said leads him to believe cloud services that are being pressed upon users need different security measures — a password system doesn’t cut it anymore.
Honan writes that his hacking, which appears merely to have occurred for the purpose of trolling his Twitter followers, could have been much worse if it had led into his banking systems or to some of his contacts as a journalist. Still, like Honan said, when he first encountered this issue, he found he wasn’t alone. Here are some tips from Honan on how to protect yourself from digital demise:
Backup your computer. In the event of a hacking, if your data is somehow wiped clean, this way you’ll be covered.
Avoid linking accounts together when possible. By associating his Gmail with his iCloud accounts, the hackers were able to get further into his digital life. He writes using a different email prefix could help avoid “daisy-chaining” accounts. He also suggests making sure your recovery email account is used only for recovery, not associated with other vital uses.
Begin using Google’s two-step verification. This essentially requires a password and a verification code that will either be texted or called to you each time you try to login from an unknown computer.
Avoid using Find My Mac app. Although Honan says the version for finding your iPhone is useful, the Find My Mac app allowed the hackers to remotely wipe his devices.
Gizmodo also points out that every printed credit card receipt is bound to have the last four digits of the card as well, so Amazon is not the only thing you need to worry about.
