How Apple and Amazon Security Flaws Led to My Epic Hacking


The very four digits that Amazon considers unimportant enough to display in the clear on the Web are precisely the same ones that Apple considers secure enough to perform identity verification.


In the space of one hour, my entire digital life was destroyed. First my Google account was taken over, then deleted. Next my Twitter account was compromised, and used as a platform to broadcast racist and homophobic messages. And worst of all, my AppleID account was broken into, and my hackers used it to remotely erase all of the data on my iPhone, iPad, and MacBook.

In many ways, this was all my fault. My accounts were daisy-chained together. Getting into Amazon let my hackers get into my Apple ID account, which helped them get into Gmail, which gave them access to Twitter. Had I used two-factor authentication for my Google account, it’s possible that none of this would have happened, because their ultimate goal was always to take over my Twitter account and wreak havoc. Lulz.

Had I been regularly backing up the data on my MacBook, I wouldn’t have had to worry about losing more than a year’s worth of photos, covering the entire lifespan of my daughter, or documents and e-mails that I had stored in no other location.

Those security lapses are my fault, and I deeply, deeply regret them.

But what happened to me exposes vital security flaws in several customer service systems, most notably Apple’s and Amazon’s. Apple tech support gave the hackers access to my iCloud account. Amazon tech support gave them the ability to see a piece of information — a partial credit card number — that Apple used to release information. In short, the very four digits that Amazon considers unimportant enough to display in the clear on the web are precisely the same ones that Apple considers secure enough to perform identity verification. The disconnect exposes flaws in data management policies endemic to the entire technology industry, and points to a looming nightmare as we enter the era of cloud computing and connected devices.
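To make the daisy-chain concrete, here is an added example (not from the Wired article or its author) that models each account's recovery rule as "facts the caller must present" and "facts the account then reveals or access it grants", and forward-chains over those rules to compute which accounts fall from an attacker's starting knowledge. The rule contents, the assumed starting facts (name, e-mail address, billing address) and the `second_factor` requirement used to test a hardening are constructed simplifications of what the post describes, not Apple's or Amazon's actual support procedures.

```python
from copy import deepcopy

# Constructed simplification of the account chain the post describes.
# Each account lists the facts an attacker must present to take it over and
# the facts it then reveals (or the access it grants). These are illustrative
# assumptions, not Apple's or Amazon's real support procedures.
RULES = {
    "amazon":   {"needs": {"name", "email", "billing_address"},
                 "yields": {"cc_last4"}},        # support shows the last four digits
    "apple_id": {"needs": {"email", "cc_last4"},
                 "yields": {"icloud_mail"}},     # last four accepted as proof of identity
    "gmail":    {"needs": {"icloud_mail"},
                 "yields": {"gmail_access"}},    # reset link lands in the iCloud mailbox
    "twitter":  {"needs": {"gmail_access"},
                 "yields": set()},               # reset link lands in Gmail
}

# Assumed starting knowledge: the kind of thing a public profile or a domain
# registration record gives away.
ATTACKER_KNOWS = {"name", "email", "billing_address"}


def compromise(rules, known):
    """Forward-chain over the recovery rules: repeatedly take over any account
    whose requirements are already satisfied, then add whatever it reveals.
    Returns (accounts taken, in order; facts the attacker ends up holding)."""
    facts = set(known)
    owned = []
    progress = True
    while progress:
        progress = False
        for account, rule in rules.items():
            if account not in owned and rule["needs"] <= facts:
                owned.append(account)
                facts |= rule["yields"]
                progress = True
    return owned, facts


def require(rules, account, fact):
    """Return a copy of the rules in which `account` also demands `fact`.
    Used to test a hardening such as a second factor that no other service
    can reveal on the caller's behalf."""
    hardened = deepcopy(rules)
    hardened[account]["needs"].add(fact)
    return hardened


def weak_links(rules, known):
    """For each account in the chain, list which takeovers a second factor
    demanded at that one account would have prevented."""
    baseline, _ = compromise(rules, known)
    report = {}
    for account in baseline:
        owned, _ = compromise(require(rules, account, "second_factor"), known)
        report[account] = [a for a in baseline if a not in owned]
    return report


if __name__ == "__main__":
    order, facts = compromise(RULES, ATTACKER_KNOWS)
    print("takeover order:", order)
    print("facts held at the end:", sorted(facts))
    for account, blocked in weak_links(RULES, ATTACKER_KNOWS).items():
        print(f"second factor at {account!r} would have blocked: {blocked}")
```

The point the model makes is that `cc_last4` is harmless to Amazon in isolation and fatal in the Apple rule; the sensitivity of a fact is a property of every service that accepts it as a verifier, not of the service that displays it. Under these assumptions, demanding a second factor at Apple stops the chain at Amazon, and demanding one at Amazon stops it before it starts.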

This isn’t just my problem. Since Friday, Aug. 3, when hackers broke into my accounts, I’ve heard from other users who were compromised in the same way, at least one of whom was targeted by the same group.

Moreover, if your computers aren’t already cloud-connected devices, they will be soon. Apple is working hard to get all of its customers to use iCloud. Google’s entire operating system is cloud-based. And Windows 8, the most cloud-centric operating system yet, will hit desktops by the tens of millions in the coming year. My experience leads me to believe that cloud-based systems need fundamentally different security measures. Password-based security mechanisms — which can be cracked, reset, and socially engineered — no longer suffice in the era of cloud computing.

I realized something was wrong at about 5 p.m. on Friday. I was playing with my daughter when my iPhone suddenly powered down. I was expecting a call, so I went to plug it back in.

It then rebooted to the setup screen. This was irritating, but I wasn’t concerned. I assumed it was a software glitch. And, my phone automatically backs up every night. I just assumed it would be a pain in the ass, and nothing more. I entered my iCloud login to restore, and it wasn’t accepted. Again, I was irritated, but not alarmed.

I went to connect the iPhone to my computer and restore from that backup — which I had just happened to do the other day. When I opened my laptop, an iCal message popped up telling me that my Gmail account information was wrong. Then the screen went gray, and asked for a four-digit PIN.

I didn’t have a four-digit PIN.

Written By: Mat Honan
continue to source article at wired.com

16 COMMENTS

  1. There’s a reason why I have over 12TB of HDD space, a few TB of portable HDDs and have 16/32 GB flash drives… so I don’t need to do the cloud thing. It’s not secure and even access can be cut off (see Megaupload). It’s not just in the digital space that security is lacking. It’s fairly easy to get a new bank card without a govt.-issued ID (which I had to do when I lost my wallet).

  2. Presumably to warn us all of the risks so we may take steps to avoid them? 
    Ironically, none of these ‘services’ is essential so why bother with them? 
    I don’t but am in the minority I suppose.
    One point- some sites use social networking to log in and give no other option, a disturbing development.

  3. . . . and presumably because so many of ‘us’ (although not including me) use Macs and rely heavily on them as the answer to all their non-prayers.  I think it is a good lesson to all of us, and the bit that frightens me most is that Amazon was such an easy touch.

  4. Thanks for sharing this tale of woe.  I don’t mind it being “off topic” for this site, as I’d probably have missed the original post.  Though with hindsight it’s all just common sense, it shows how easy it is to let a series of seemingly unimportant lazy choices add up to Total Vulnerability.

    The digital era equivalent to leaving the house keys under a flower pot and the cash under the mattress.

  5. Well, I don’t mind a bit the posting of a PSA of general interest no matter how far off topic.  Just another reason for people to log on.  The more content here, the merrier. 

    I don’t wish to dumb-down the site any more than I already do by my presence but a little variety every so often is refreshing.  After all, there are just so many ways theists and science-deniers can be intellectually groin-kicked and we might be nearing the end of that list.

    BTW, I was hacked through Amazon about a year ago.  I only lost money and it was later restored but I really empathize with this poor guy.  I remember a time before the world was quite so- as they say in Alabama- slap eat up wiff assholes, that to lose as much as this guy did required Windows 95.

  6. I hope Apple have some excuse for not using all the security questions they ask you for.  That really stinks. 

    Thanks for posting this I’ve just turned off “Find My Mac”.

    Michael

  7. Don’t settle for anything less than two-factor authentication. I have two-step authentication on my email and I like the extra security it offers. You just telesign into your account and it’s good to go. I’m hoping that more companies start to offer this awesome functionality. In reality this should be a prerequisite to any system that wants to promote itself as being secure. I feel suspicious when I am not asked to telesign into my account by way of 2FA, it just feels as if they are not offering me enough protection.

  8. They can crack this site, my email, Linked In and a poker site, that is all I have. There is nothing in my email. The people on Linked In wouldn’t notice. They may actually make me sound better if they broke in here.

  9. I’m the same, but the World is changing. The iPod and iTunes were just the beginning.

    This article is a timely reminder that those of us who exercise control could be about to lose it.

    Our desire for simplicity of use is driving Tech companies to be cavalier with our privacy and security – and not just in the personal sense that Mr. Honan highlights.

    As hardware becomes standardised and software becomes more fragmented, profit margins in ICT are being squeezed. Tech companies are reacting by looking at services and homogenous platforms (Windows 8, iOS, Android) where the software, to a larger extent than in previous generations of tech, is proprietary and the common standards are hardware-to-hardware and Net-based only.

    Personally I have always liked Apple devices – but I have strongly disliked their approach to doing business since iPods. Their model is in the ascendant: the war on general purpose computing is coming.

    Are we ready?

    Do we have established digital rights?

    Are we ready to defend our right to control?

    Or are the Tech and Media companies, lobbying as they are for greater powers to be attached to copyright, trade secrets, and regulatory authorities?

    Are we sleep-walking into a nightmare World of corporate ownership of our data, corporate policing of the Net, censorship through professional politicians and corporate partnership to keep down the hoi polloi?

    I don’t claim to know. I just report what I see.

    Peace.

  10. To remind us all that blind faith in technology, as in religion, is not a good stance.

    “But what happened to me exposes vital security flaws in several customer service systems, most notably Apple’s and Amazon’s.”

    No, it exposed the consequences of assuming that the enduring Steve Jobs would take care of everything.  On a side note, it may be helpful, if not sobering, to realize that Apple and all the other corporate masters have no interest in you, only as it relates to their cash flow.

    “Learning” from this experience through tweaking how you manage your online security is not enough.  Rather, consider that the application of science through technology has risks, many unknown or statistically dismissed as improbable.  You were honest to accept responsibility.  Now, carry on, but with the recognition that there are far more unknowns with their commensurate surprises to follow.

    You experienced a personal version of Fukushima, just as others experience their own personal impacts – some quite severe – when technology gets way ahead of science.  It gets worse when the white coat acts and is blindly accepted as a fully-fledged stand-in for the old degenerates who wear those funny crimson caps.

    /m

  11. I find this to be frightening. People get hacked and can potentially have their lives turned upside down. I recently got an email… from myself with no real subject. Inside, a link, which I would not click on. It’s extremely upsetting that they got this information. Yes, I changed my password, but it happened again. I love the digital world, but hate this aspect of it.
