Apple, Amazon quietly fix security holes


Johannesburg, 08 Aug 2012

Apple has stopped allowing its support staff to process AppleID password resets telephonically, following the widely publicised hacking of Wired's Mat Honan.

Honan's entire digital life was erased on Friday (3 August) by hackers who exploited the security flaws of a number of customer service systems - including those of Apple and Amazon - with the sole intention of gaining control of Honan's Twitter account.

A hacker who identified himself as 'Phobia' contacted Honan via Twitter and agreed to explain the methods he used in exchange for Honan not pressing charges.

The hacker told Honan he did not guess his password or use brute force, and stated he could get into any e-mail associated with Apple. When Honan asked why he specifically had been targeted, the hacker said he had just wanted to grab Honan's three-character Twitter handle “@mat”.

Explaining how the hack happened, Honan says: “Apple tech support gave the hackers access to my iCloud account. Amazon tech support gave them the ability to see a piece of information - a partial credit card number - that Apple used to release information. In short, the very four digits that Amazon considers unimportant enough to display in the clear on the Web are precisely the same ones that Apple considers secure enough to perform identity verification.

“The disconnect exposes flaws in data management policies endemic to the entire technology industry, and points to a looming nightmare as we enter the era of cloud computing and connected devices,” says Honan.

Linked threat

Since the hack, which resulted in Honan's iPhone, iPad and Mac being remotely wiped, Apple has been trying to determine exactly which security policies should be changed. Meanwhile, Amazon has quietly changed its customer privacy policies to no longer allow customers to call in and change their account settings, including the credit cards and addresses associated with the user accounts.

In Honan's case, the hackers were able to view the last four digits of the credit card he had linked to the account (after providing customer support with just a name, e-mail address and mailing address). Those four digits were then all the hackers needed to fool Apple support into believing they were dealing with the real Mat Honan. They were given a temporary password to access Honan's AppleID - and subsequently all of his linked devices and accounts - including his e-mail and Twitter.

It is not clear if the halt on over-the-phone password resets by Apple is a temporary measure or if it will be introduced as a new security policy. Wired reports that on Tuesday when it attempted to replicate the hacker's strategy, Apple customer services told them a password reset over the phone required the serial number of a device linked to the AppleID in question.

Apple's only statement to date has claimed that in the case of the hacking of Honan's account, its own internal policies were not followed completely. However, Wired reports that according to its source within Apple, if the support representative who handled the call from the hackers issued a temporary password based on the AppleID, billing address and the last four digits of a credit card, they would have been in compliance with the existing policies.

Honan's experience has highlighted the potential dangers of linked accounts. Honan says: “In many ways, this was all my fault. My accounts were daisy-chained together.

“Had I used two-factor authentication for my Google account, it's possible that none of this would have happened, because their ultimate goal was always to take over my Twitter account and wreak havoc.” Honan's full account of his experience and the associated security flaws can be read here.