How Amazon and Apple security flaws allowed a digital life to be destroyed

How Amazon and Apple security flaws allowed a digital life to be destroyed

Mat Honan was hacked over the weekend, his Apple ID/iTunes, Gmail, Amazon, and Twitter accounts all compromised, and his digital life laid ruin. Had his attackers been out for more than just "the lulz", they could have also done incredible harm to his financial life as well.

[What] happened to me exposes vital security flaws in several customer service systems, most notably Apple and Amazon’s. Apple tech support gave the hackers access to my iCloud account. Amazon tech support gave them the ability to see a piece of information — a partial credit card number — that Apple used to release information. In short, the very four digits that Amazon considers unimportant enough to display in the clear on the Web are precisely the same ones that Apple considers secure enough to perform identity verification. The disconnect exposes flaws in data management policies endemic to the entire technology industry, and points to a looming nightmare as we enter the era of cloud computing and connected devices.

It's a chilling tale, and it should embarrass and infuriate Apple and Amazon into implementing proper, modern security policies immediately if not sooner. It should also serve as a giant neon light, flashing, for everyone on the importance of good security and backup.

Go read it, then spend a few minutes wondering if you should take an axe to the network, Battlestar Galactica style. Because what happened to Mat Honan was just one very public example of the exploits and inattentiveness faced by all of us, every day.

Here's how to set up two-factor account verification for Google.

Source: Wired

Rene Ritchie

Editor-in-Chief of iMore, co-host of Iterate, Debug, ZEN and TECH, MacBreak Weekly. Cook, grappler, photon wrangler. Follow him on Twitter, App.net, Google+.

More Posts

 

4
loading...
21
loading...
71
loading...
0
loading...

← Previously

iOS 6 beta 4 removes YouTube app from iPhone, iPad -- and that could be a good thing

Next up →

Forums: YouTube gone, Photo size increases, Are you upgrading to the next iPhone?

There are 19 comments. Add yours.

Premium1 says:

This is why I use the 2 step authentication with my gmail. And another reason I'm not a fan of the cloud.

Dev from tipb says:

It is just flabbergasting that Apple only requires those 4 digits. Amazon is far from the only place to get that information.

pcguy514 says:

Both very good comments id say sensational headlines from rene but it all boils down to this one line that i quote. "In many ways, this was all my fault. My accounts were daisy-chained together."

Dev from tipb says:

Very true; however, if the iCloud/iOS ecosystem is supposed to be "for the rest is us," then it needs to take into account the habits and likely skill sets of "the rest of us."

Yes, ultimately it was largely his fault. But Apple's practices did him no favors, and at bare minimum they need to tighten their support policies *now*.

TheDisher says:

This is currently happening to me! Just found out that the saved information in my Wal-mart account was used to purchase 2 iTunes gift cards... I spent the last hour on the phone with Chase trying to get it all straightened out. What made it hard was the idiot who stole my number had the gift cards sent to me. So if it weren't for the location of the purchase, I'd have to foot the bill.

johncblandii says:

I setup 2 factor last night w/ Google last night.

timberga says:

The last 4 of your credit card are not "secure" by credit card processing standards; therefore, Apple should not be using this information to verify security.

RC46 says:

Apple was the weakest link in this terribly sad story. The last four numbers of anyone's credit card are very easy to come by. They need to actually use the security questions that they made us set up.

entwined82 says:

I had a huge scare tonight. My itunes account randomly died/deactivated. I had to call up Apple to get them to bring it back but for a minute this story was in my head. I'm changing all of my passwords tomorrow morning.

Sieron007 says:

Well it's not like they can use the last 4 of a social security because apple doesn't collect that information. Granted they should have had to answer the security questions properly for a reset. Two step verification is pretty secure but until something more secure than passwords emerges like biometrics I see that always being a flaw even with other companies

robert.walter says:

And some commenters on other sites thought the Woz was hyperbolic in his concerns about the spate of horrible things to come vis-a-vis storing personal info and data in the cloud...

benjimen says:

It's not Apple, it's online life in general. Service ID's and passwords are a treasure trove for the same organized crime elements that previously dealt with stolen credit card info

Spaz888 says:

Do we have the short version of what happened? In any event, this is should be a warning to people who use iCloud. I don't and never will. For one thing, I have so much info on my device, i need to back everything up on my desktop. BTW, pcguy514 is spot on about Ritchie and his sensationalism.

iDonev says:

Don't hate and blame the hackers. They are simply human beings and as such they behave the way we all do. If you're not given constructive challenges in work/school/society, you'll go off inventing your own challenges.

While I sympathize with the victims of such crimes, I have no delusions that stronger security measures will prevent them.
As long as the root cause (urge) to hack people is still there, not much will change.

Carioca32 says:

With all due respect sir, that´s BS.

While I do agree that hackers will hack, and stronger measures will not stop a determined hacker, I think we have every right to blame and hate them, to the point of persecution and jail. They do not behave like we all do, they are criminals, and criminals belong in jail.

jgsimmons says:

Ridiculous over the top reporting Rene. You need to dial back the rhetoric and stick to factual reporting. As your ego has inflated over the past year or so, so has your hyperbole. You were a good, level headed editor at one time, get back to that form before you start losing readership. This Honan tale does no one credit, least of all a professional computer commentator like Honan, but at its most basic it is the story of a careless individual who learned a lesson that we could all stand to remember.

hearmeoutx says:

This is why all websites should have multi-step verification, and Amazon and other sites should not be displaying those numbers. It should require a verification code just to verify that those last four digits are the card you want to use. Nothing should be on display for whomever can get access to your account to see.

Spaz888 says:

I stopped following Ritchie's tweets because of his egoism and rhetoric. Goes to show you how power can corrupt and affect someone.

fury says:

Mine was hacked in very much the same way. I also made the mistake of adding my Apple email as a backup email to another email. And just like that, my Twitter name @fury was stolen from me and sold by the hacker for quick cash. I am in touch with Twitter and waiting to hear back from them on getting the name back.

I am more fortunate than Mat, in that I didn't lose my computer data, my photos, or get my phone wiped (as it is not the same Apple account), but still, this is all a huge wake-up call. So far, Apple is the only account I've gotten back in order which I could not install a two-factor authentication method, so it is still vulnerable, and they are only temporarily suspending over-the-phone password resets.