
Image: Flickr/mnsc
Mat Honan, the technology reporter who was digitally disemboweled this past weekend, has revealed exactly how he was so spectacularly owned. His case, a cascade of security failures that involved four well-known companies, should be a warning to anyone overly reliant on cloud-computing services.
"What happened to me exposes vital security flaws in several customer-service systems, most notably Apple's and Amazon's," Honan wrote in a long piece published on the Wired magazine website last night (Aug. 6). "Apple tech support gave the hackers access to my iCloud account. Amazon tech support gave them the ability to see a piece of information — a partial credit-card number — that Apple used to release information.
"In short, the very four digits that Amazon considers unimportant enough to display in the clear on the Web are precisely the same ones that Apple considers secure enough to perform identity verification."
More than one party at fault
Honan admits that he's partly to blame, for daisy-chaining three online accounts so that the failure of one would lead to the failure of the next; for putting his street address on his personal website's domain registration (when a P.O. box would have worked); for not backing up his laptop to a physical disk; for not using two-factor authentication on his Gmail account; and, worst of all, for enabling his iCloud account to wipe his laptop's hard drive.
"While that service makes sense for phones (which are quite likely to be lost) it makes less sense for computers," Honan wrote. "You are almost certainly more likely to have your computer accessed remotely than physically."
But Apple and Amazon are also at fault, both for making it too easy for malicious actors to access vital details of other people's accounts, and for having conflicting policies regarding which parts of a credit-card number should be visible.
Amazon hides all of a credit-card number except the last four digits. Apple considers those last four digits the "keys to the kingdom" and, according to Honan, requires only those digits and a billing address to give someone a temporary password to an existing Apple account.
An Apple spokeswoman told Honan that "in this particular case," the company had "found that our own internal policies were not followed completely."
Honan and his Wired colleagues wanted to make sure. They tried the same method on a different Apple account — and got in.
"You honestly can get into any email associated with Apple," a Twitter user who claimed to be part of the crew that hacked Honan told him.
Amazon, Honan said, wasn't such a pushover. To get the last four digits of Honan's credit-card number, the attackers had to make two calls to Amazon tech support: the first to add a new credit card to the account, the second to reset the designated email address.
Amazon will send a password-reset email to the new email address listing all the credit cards on file, with all digits but the last four obscured. (Honan and his colleagues confirmed that this method also worked.) Sadly for Honan, those last four digits held the key to his entire digital life.
Who didn't mess up
Ironically, the hacker who spoke to Honan said he and his friends were only after his Twitter account, which was linked to Honan's Gmail address. Honan's erased iPhone, iPad, iCloud account and all the lost data on his MacBook, including every photo he had of his year-old daughter, were collateral damage.
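The "daisy chain" the article describes (Twitter tied to Gmail, Gmail recovering to iCloud, iCloud able to wipe every device, with Amazon and the domain record feeding Apple's identity check) can be modelled as a small directed graph. The block below is an added example, not part of Honan's piece or this article; the account names and links are constructed to mirror the story, and it shows how much one weak recovery path exposes and what cutting a single link (an independent recovery address or two-factor authentication on that account) buys.

```python
from collections import deque

# Constructed from the account above: a link A -> B means that control of A,
# or information exposed by A, lets a caller reset or control B.
RECOVERY_LINKS = {
    "twitter": ["gmail"],                     # Twitter login tied to the Gmail address
    "gmail": ["icloud"],                      # Gmail recovery address was the iCloud account
    "icloud": ["iphone", "ipad", "macbook"],  # iCloud could remote-wipe every device
    "amazon": ["icloud"],                     # last four card digits shown by Amazon satisfied Apple
    "domain_registrar": ["icloud"],           # billing address from the domain record fed Apple's check
}

# The things whose loss actually hurts (constructed, mirrors the story).
ASSETS = {"gmail", "icloud", "iphone", "ipad", "macbook"}


def blast_radius(links, start):
    """Everything reachable from `start`: what one compromised account gives up."""
    seen, queue = set(), deque([start])
    while queue:
        for nxt in links.get(queue.popleft(), []):
            if nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    return seen


def single_points_of_failure(links, assets):
    """Fraction of `assets` exposed by each account, highest first."""
    scores = {acct: len(blast_radius(links, acct) & assets) / len(assets) for acct in links}
    return dict(sorted(scores.items(), key=lambda kv: -kv[1]))


def break_chain(links, node):
    """Mitigation: give `node` an independent recovery path (separate recovery
    address, two-factor auth), so nothing upstream can reset it. Returns a new map."""
    return {src: [t for t in targets if t != node] for src, targets in links.items()}


if __name__ == "__main__":
    for acct, score in single_points_of_failure(RECOVERY_LINKS, ASSETS).items():
        print(f"{acct:17s} exposes {score:.0%} of assets")
    hardened = break_chain(RECOVERY_LINKS, "icloud")
    print("after hardening icloud, twitter reaches:", blast_radius(hardened, "twitter"))
```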
20 Comments

"Do not any online retailer store your credit-card information; use"

Pathetic. Not only are there no editors or proofreaders, there aren't even any intelligent writers anymore.
yes, disgusting, and it starts to happen regularly; it's become a joke already. Goes hand in hand with SciAm publishing a promo article for a female boxer (no disrespect to her) without any scientific link or content whatsoever. One hit to the head too many?

Agreed. My sister's blog has better oversight. SciAm needs a wake-up call. Perhaps a meeting with Jesus to get back into the flock.

On the topic, what moron would put all of his/her important info in someone else's hands? That's like saying, "Hey, would you mind hanging onto my wallet for me? It's become too cumbersome to store in my back pocket."

"Oh, you'll do it for free? Awesome!! I'll just give you a ring whenever I need some cash, or to make a purchase, and then you can read my credit card numbers to me over the phone, okay?"
Seriously, who in their right mind would do this?
Humans; what an entertaining species, especially all the depraved ways they prey on each other.

I thought SA had actually fired the headline writer; apparently they promoted him to editor. They could change it to AA: Almost-Science American.
I think they should do a piece on the negative, nasty nature of people who frequently comment online. I'm not sure, but it may be a more lazy version of individuals that I have encountered in real life who prefer to complain about what others put together than to constructively work towards something themselves.

Personally, I thought the article was useful and interesting. I managed to live through the typo and understand that sometimes timeliness take precedence over perfection.
Eric,

Try not to take it personally, they're creationist trolls. They think if they comment on the blogs they somehow discredit the magazine. I'm particularly tickled by the fact that they don't know the difference between the magazine content and the blog network. You can generally tell when they're here by the fact that they say the same things over and over, provide no evidence for their claims regarding their anti-science comments, and are of the opinion that the aforementioned repetition somehow renders their arguments valid. They usually work in some sort of "Wake up America before it's too late" Teabagger catastrophism reference as well.
Jesus? Oh please!

Wasn't sapbucket being ironic? As in, "they should have a come-to-jesus meeting"?

I did stumble over the typo in the headline, as my brain tried several options for the missing word, then gave up. Nevertheless, I found the article interesting.
Early adopters of new technology always run the risk of catastrophes. That's the way technology works, from atlatls to aircraft, and how it is improved over time.
I have some google docs, none of which contain mission-critical info, and a few online photo albums, none of which are un-backed up. I store everything at home on two SETS of (two each) external hard drives. Am I paranoid? Well, no, I don't think so; but after four hard disk crashes so far in my lifetime (one of which was a backup drive), I no longer trust just one hard disk to contain everything safely AND I really don't trust the cloud.
Besides, I live in earthquake country. If I have to run for it, I want to be able to grab one of the 2 terabyte backup drives, and nothing else, and know I have all my data.
<On the topic, what moron would put all of his/her important info in someone else's hands?>

<g> that "thinking" might explain the quality of the headline
Fully disagree.

<who prefer to complain about what others put together than to constructively work towards something themselves.>
Theater critics, product testers, teachers grading schoolwork, restaurant reviewers, rocket controllers, peer-to-peer reviews, no good? You want a critic-free world?
I can guess what you are going to reply, that your comment was only directed towards the mindless commenters but:
a) you are criticizing commenters and you forget to differentiate: in what category would your comment then fall?
b) how would you like to work for an organization or live in a country that does not accept criticism?
<Personally, I thought the article was useful and interesting.>
Yes.
<I managed to live through the typo>
There are standards
This is SciAm
<and understand that sometimes timeliness take precedence over perfection.>
THAT kind of typo is not excused by any timeline. And timelines are to be calculated including proofreading.
How about students coming home and explaining their grades by timelines?
Last, English is not even my second language so I feel I must make an effort to write my best and for the sake of communication I expect same.
No disrespect, but I can't agree with you.
<they don't know the difference between the magazine content and the blog network>

This is the SciAm WEBSITE content. It's ONE.
If a blogger can't work to SciAm standards, he's in the wrong place.
If SciAm believes that bloggers can mess up their standards they have a problem.
I personally believe that the content of the item is good, but form has to reflect content. How would you feel about an expensive menu that is made of good ingredients, but looks a mess?
*yawn*

Page 2 of the comments is still all about typos? Science is not English literature -- why don't all of you T-crossers and I-dotters go buzz a grammar blog somewhere?
This sort of thing doesn't degrade SciAm articles -- it degrades the point of reading comments on SciAm articles. Biggest waste of time of the day so far, thank you gents.
right - then don't read them

> Do not "daisy chain" your accounts so that one password-reset attempt leads to another.

What do you mean by daisy-chaining accounts?
In order to purchase the Lion and later Mountain Lion operating systems from Apple, the clerk in the Apple store informed me I could only do it with an i-tunes account. Yes Apple has my credit card info. I do not understand how to not provide that information and still purchase their products through an i-tunes account. The article did not make that clear.

I hate storing my number with a merchant. I do not trust merchants not to screw up for the very reasons mentioned. A number of the merchants in this town check the last 4 digits of the credit card when I purchase anything. If those are the only ones Apple keeps secret, any crook wanting my credit card information can stand behind me in almost any check out line in town and get them. They can get the rest from Apple.
This is bad. Maybe I should switch to Microsoft.
jctyler,

"... There are standards
This is SciAm ..."
Alas, this WAS SciAM.
But you HAVE to read them to know they are not worth reading, jctyler, sifting through to find the useful comments on the topic itself. I'd say "OK - then don't WRITE them then".

Sometimes these columns are like sorting through garbage bags looking for some jewellery thrown away by accident (as our neighbours had to do a week ago).
Why excuse these sad people who worry so much about things that matter so little here?
Sure one has to read them and they are essential and I didn't say the contrary.

If you had seen my comment in context (as a reply to someone complaining about worthless comments), then your reply would have had to be directed at Laroquod (comment nr 13) who complained about having to read yet more comments about a "typo". Which is why I said that if he doesn't like to read comments he shouldn't read them. See?
Consider this: Ever noticed how many people comment on a comment without having read what the comment they read was commenting on or in reply of? Or were only reading the last comment in line without looking up the chain that led to the last comment? How do I know? Cos it happened to me! <g>