Time to get off the iCloud

Mat Honan’s hacking tale shed some light on some pretty ugly areas of Apple’s iCloud account management services, and on tech support processes that are not up to scratch.

But what happened to me exposes vital security flaws in several customer service systems, most notably Apple’s and Amazon’s. Apple tech support gave the hackers access to my iCloud account. Amazon tech support gave them the ability to see a piece of information — a partial credit card number — that Apple used to release information. In short, the very four digits that Amazon considers unimportant enough to display in the clear on the web are precisely the same ones that Apple considers secure enough to perform identity verification. The disconnect exposes flaws in data management policies endemic to the entire technology industry, and points to a looming nightmare as we enter the era of cloud computing and connected devices.
How Apple and Amazon Security Flaws Led to My Epic Hacking (2012-Aug-06) Mat Honan [Wired]

The most concerning part is Apple’s tech support:

In response, Apple issued a temporary password. It did this despite the caller’s inability to answer security questions I had set up. And it did this after the hacker supplied only two pieces of information that anyone with an internet connection and a phone can discover.
How Apple and Amazon Security Flaws Led to My Epic Hacking (2012-Aug-06) Mat Honan [Wired]

It turns out, a billing address and the last four digits of a credit card number are the only two pieces of information anyone needs to get into your iCloud account. Once supplied, Apple will issue a temporary password, and that password grants access to iCloud.
How Apple and Amazon Security Flaws Led to My Epic Hacking (2012-Aug-06) Mat Honan [Wired]

Why has Apple considered the last 4 digits, which are publicly available in many scenarios, enough identification to be authoritative? Amazon have changed their process overnight so that they are no longer a part of the equation, but these last 4 digits are available from many other sources (check one of your EFT receipts) and as such should not be considered a secure form of identification.

After reading through this, and if you have an iCloud account … why are you still using it?

Related:

* Google: Getting started with 2-step verification [Google]
You’ll first need to set up your phone number to receive codes via SMS text message or voice call. If you have a smartphone, you can later download an app that allows you to generate codes without text messages and even without cell service.

* Secure your digital self: auditing your cloud identity (2012-Aug-07) [arstechnica]
Honan’s experience and the recent security breach at Dropbox are just the most recent examples of what can happen when our digital identities are too closely entwined. While you can’t make your cloud providers more secure, there are things you can do to make yourself less vulnerable to these kinds of hacks, or at least to limit the damage that can be done if one is exposed. Here’s how to do a self-audit of your identity in the cloud to find and fix potential problems.

* Amazon Quietly Closes Security Hole After Journalist’s Devastating Hack (2012-Aug-07) [Wired]
Amazon changed its customer privacy policies on Monday, closing security gaps that were exploited in the identity hacking of Wired reporter Mat Honan on Friday.
