If you’ve been following tech at all in the last few days, you have undoubtedly already heard that an iCloud account belonging to former Gizmodo and current Wired tech journalist, Mat Honan, was accessed by hackers and completely pwned. Let’s take a look at some of the headlines.
“Social engineering and weak tech support make strong passwords useless” – Examiner.com
“Cloud hack wipes out user, and Apple support was responsible” – Digital Journal
“How Apple let a hacker remotely wipe an iPhone, iPad, MacBook” – ZDNet
Ouch. It was initially reported, and believed, that Honan’s 7-character password was brute-force attacked. The astute reader, given the fact we’re reporting on it, already knows how the hack took place… social engineering… but was Apple the only company responsible here?
“I know how it was done now. Confirmed with both the hacker and Apple. It wasn’t password related. They got in via Apple tech support and some clever social engineering that let them bypass security questions. Apple has my Macbook and is trying to recover the data. I’m back in all my accounts that I know I was locked out of. Still trying to figure out where else they were.” – Honan’s Blog
Using the last four digits of Honan’s credit card, his billing address, and his .Me email address, the hackers had everything they needed to take over Honan’s AppleID, but how did they obtain this information? Let’s analyze and break down exactly what happened.
The billing address was obtained by performing a WhoIs search on Honan’s website. The hackers then called Amazon and added a credit card to Honan’s account. All you need to do this is the name on the account, the email address for the account, and the billing address. Once a credit card has been added, the hackers called Amazon back, said they could no longer access their account. In order for Amazon to add an email address to the account, you need three things, a name, a billing address, and… you guessed it, a credit card associated with the account! Once the email address was added, the hackers simply went to Amazon’s website and reset the password. Once the password was reset, the hackers had access to the last four digits of every credit card on file. Can you guess what Apple requires to reset someone’s account? That’s right, the last four digits of the credit card on file! Wired reporters apparently tried this exploit, successfully, a couple of times to verify. “It’s remarkably easy — so easy that Wired was able to duplicate the exploit twice in minutes.”, reports Wired. As of Monday, August 6th, 2012, both the Amazon exploit and Apple exploit were still working, according to Wired.
After gaining access to Honan’s AppleID account, the hackers proceeded to literally erase Honan’s digital life. His cloud storage was erased, iPad wiped, iPhone wiped, and MacBook Air wiped including all the photos of his daughter since her birth. His Twitter account was taken over and used to spam racist ramblings as well as the Twitter account of his former employer, Gizmodo.
Unfortunately for Honan, his only backup was to the iCloud service. Had he had a local backup, he would still have his data and photos. Honan also was not making use of Google’s two-factor authentication, which would have also prevented this incident. “If I had some other account aside from an Apple e-mail address, or had used two-factor authentication for Gmail, everything would have stopped here.”, said Mat Honan. Also, if Honan was not using iCloud’s Find My Mac service, his data could have been preserved. Perhaps using a service such as Prey would have given the same abilities, but at less of a risk.
The bottom line is, Honan’s digital life was wiped out not by someone acquiring his password, but by clever social engineers exploiting holes in tech support. The hackers, apparently, wanted to prove a point and make a statement regarding the current state of security. “I asked Phobia why he did this to me. His answer wasn’t satisfying. He says he likes to publicize security exploits, so companies will fix them.”, writes Honan. Honan is lucky this was their only motivation. The hackers could have wreaked havoc on his financial life as well as his personal life.
This familiar story reads the same as previous social engineering attacks, only this time it was two internet behemoths, Apple and Amazon, responsible for the carnage. We’ve seen a dramatic escalation of social engineering based attacks over the last few years and we only expect things to get worse. Until companies begin taking social engineering seriously, we will continue to see this efficient tactic being used with great success.
UPDATE August 7th, 2012
Apple employee, Natalie Kerris, in a statement to Wired, said “Apple takes customer privacy seriously and requires multiple forms of verification before resetting an Apple ID password,” said Apple, via Kerris. “In this particular case, the customer’s data was compromised by a person who had acquired personal information about the customer. In addition, we found that our own internal policies were not followed completely. We are reviewing all of our processes for resetting account passwords to ensure our customers’ data is protected.”