Mat Honan, the technology reporter who was digitally disemboweled this past weekend, has revealed exactly how he was so spectacularly owned. His case, a cascade of security failures that involved four well-known companies, should be a warning to anyone overly reliant on cloud-computing services.
"What happened to me exposes vital security flaws in several customer-service systems, most notably Apple's and Amazon's," Honan wrote in a long piece published on the Wired magazine website last night (Aug. 6). "Apple tech support gave the hackers access to my iCloud account. Amazon tech support gave them the ability to see a piece of information — a partial credit-card number — that Apple used to release information.
"In short, the very four digits that Amazon considers unimportant enough to display in the clear on the Web are precisely the same ones that Apple considers secure enough to perform identity verification."
More than one party at fault
Honan admits that he's partly to blame, for daisy-chaining three online accounts so that the failure of one would lead to the failure of the next; for putting his street address on his personal website's domain registration (when a P.O. box would have worked); for not backing up his laptop to a physical disk; for not using two-factor authentication on his Gmail account; and, worst of all, for enabling his iCloud account to wipe his laptop's hard drive.
"While that service makes sense for phones (which are quite likely to be lost) it makes less sense for computers," Honan wrote. "You are almost certainly more likely to have your computer accessed remotely than physically."
But Apple and Amazon are also at fault, both for making it too easy for malicious actors to access vital details of other people's accounts, and for having conflicting policies regarding which parts of a credit-card number should be visible.
Amazon hides all of a credit-card number except the last four digits. Apple considers those last four digits the "keys to the kingdom" and, according to Honan, requires only those digits and a billing address to give someone a temporary password to an existing Apple account.
An Apple spokeswoman told Honan that "in this particular case," the company had "found that our own internal policies were not followed completely."
Honan and his Wired colleagues wanted to confirm that the flaw was not a one-off. They tried the same method on a different Apple account, and got in.
"You honestly can get into any email associated with Apple," a Twitter user who claimed to be part of the crew that hacked Honan told him.
Amazon, Honan said, wasn't such a pushover. To get the last four digits of Honan's credit-card number, the attackers had to make two calls to Amazon tech support: the first to add a new credit card to the account, the second to use that newly added card as "verification" to reset the designated email address.
Amazon will send a password-reset email to the new email address listing all the credit cards on file, with all digits but the last four obscured. (Honan and his colleagues confirmed that this method also worked.) Sadly for Honan, those last four digits held the key to his entire digital life.
Who didn't mess up
Ironically, the hacker who spoke to Honan said he and his friends were only after his Twitter account, which was linked to Honan's Gmail address. Honan's erased iPhone, iPad, iCloud account and all the lost data on his MacBook, including every photo he had of his year-old daughter, were collateral damage.