
“ Password-based security mechanisms — which can be cracked, reset, and socially engineered — no longer suffice in the era of cloud computing.”

If you haven’t read Wired writer Mat Honan’s gut-wrenching play-by-play of how his entire digital life evaporated in a matter of hours, do yourself a favor and Instapaper it. Or, if you’re too busy to read the whole article, I’ve created a quick-and-dirty summary that retraces the hacker’s steps and highlights some steps we can take to protect ourselves from similar attacks.

How It Happened

1.) Hacker targets @mat via Twitter

2.) Hacker browses to @mat’s personal website, which is linked from his Twitter profile

3.) Hacker sees @mat’s Gmail address on his website

4.) Hacker starts Gmail’s “forgot password” flow for @mat’s address (knowing he won’t get in)

Hmm, if the hacker can’t break into @mat’s Gmail account, why is this important?

When you tell Gmail that you’ve lost your password, it responds by showing you the partially obscured alternate email address it has on file for account recovery.

This is a big hole. Why? Because m***n@me.com was enough information to know which service to attack next: iCloud (an @me.com address is an Apple ID), which, as you’ll see in a minute, was extremely vulnerable to social engineering.

It’s worth noting that, as @mat mentions in Wired, if Gmail’s two-factor authentication had been enabled, the nightmare ends here. Hopefully Google will figure out a better mechanism for protecting your alternate email address than blanking out a few characters (a second factor on the recovery flow itself, rather than a security question, whose answers are often just as discoverable as the rest of this chain).

Email is the skeleton key to your online identity since so many services reset your account via a confirmation link sent to your email address.  Guard it well.

How can you protect your Gmail account?

Go enable two-factor authentication for your Gmail account…now! Jeff Atwood wrote an excellent tutorial for Gmail in his Make Your Email Hacker Proof post and Matt Cutts posted a video today.

5.) Hacker obtains @mat’s billing address by doing a simple WHOIS lookup on his website’s domain name

I can’t really ding @mat here since, as he points out, most people’s billing addresses are obtainable via WhitePages or a similar service unless you’re unlisted, which isn’t a bad idea. If you own a domain name, think about paying the extra $20/year for private registration.

6.) Hacker obtains last 4 digits of @mat’s credit card

Why was the hacker after the last 4 digits?  Because this was the last piece of the iCloud-cracking puzzle. In order to verify your identity, AppleCare phone support requires: 1) name, 2) email,  3) billing address, and 4) the last 4 digits of the credit card on file.  The hacker already had 3 of the 4.

Where might someone’s credit card number be stored? Amazon!

The hacker (correctly) assumed that @mat had an Amazon account that used one of his two known email addresses as the account name.  But how did the hacker gain access?  Hint: he didn’t crack the password.  He used social engineering.

The hacker placed a call to Amazon tech support claiming to be @mat.  He provided his name, address, and email (yikes!), and then asked the tech support rep to add a new credit card number to the account. Then he hung up the phone and waited.

Later, the hacker placed a subsequent call to Amazon saying he lost access to his account. Upon providing name, address, and the newly added fake credit card number, Amazon support let the hacker add a new email address to the account (e.g., hacker@danger.com).

Game over.

The hacker could now click “forgot password” on the Amazon login page and the subsequent password reset email would go to hacker@danger.com instead of @mat’s real email address.  Having reset the password, the hacker then logged into the Amazon account and nabbed the last 4 digits of the real credit card on file.

@mat notes:

“And it’s also worth noting that one wouldn’t have to call Amazon to pull this off. Your pizza guy could do the same thing, for example. If you have an AppleID, every time you call Pizza Hut, you’re giving the 16-year-old on the other end of the line all he needs to take over your entire digital life.”

How can you protect your Amazon account?

Until Amazon rethinks their identity verification process, the only way to protect against this social engineering hack is to delete any credit card data you have on file with Amazon. Yes, it’s painful to have to enter your credit card information every time you place an order, but is it as painful as having your digital identity stolen?

Let’s recap: Hacker grabs public information: name, Gmail address, billing address. Gmail’s account recovery flow reveals that @mat has an Apple ID (m***n@me.com). The hacker knows that in order to own that Apple ID the only missing piece is the last 4 digits of @mat’s credit card, which can be socially engineered from Amazon support. Whew.

Still with me?  Good.  Here’s where it gets really ugly.

7.) Hacker calls AppleCare with the information required to infiltrate an iCloud account: name (public), email (public), billing address (public) and last 4 digits of a credit card (virtually public).

How can you protect your AppleID?

Apple requires you to have a credit card on file if you want to use iTunes and the App Store, so deleting your credit card data might not be a viable option. However, you could dedicate a single-purpose credit card to Apple. If the card @mat stored with Amazon didn’t match the card stored with Apple, the attack would have stopped here. Regardless, Apple needs to seriously rethink their identity verification process.
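To make the recap and the two mitigations concrete, here is a small forward-chaining model of the chain. It is an added example written for this summary, not code from the post or from any of the companies involved. Each rule stands for one verification step the post describes: if the attacker already holds every fact a support desk asks for, the desk hands over whatever the rule grants. The `cfg:` facts are assumptions standing in for the victim’s setup (card on file at Amazon, same card at Apple, Gmail recovery that needs only the @me.com mailbox from step 4), so removing one models a mitigation. Running it shows which single change breaks the path to the remote wipe and which only protects the Gmail account.

```python
"""Forward-chaining model of the account-takeover chain described in the post.

A Rule says: if the attacker already holds every fact in `requires`, a service's
verification process hands over everything in `grants`. Facts prefixed `cfg:`
describe the victim's setup; removing one models a mitigation. This is an added
toy model, not anything Amazon, Apple or Google publishes.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    name: str
    requires: frozenset
    grants: frozenset


def rule(name, requires, grants):
    return Rule(name, frozenset(requires), frozenset(grants))


# What the post calls public: Twitter profile, personal site, WHOIS, WhitePages.
PUBLIC = frozenset({"name", "gmail_address", "billing_address"})

# Victim configuration facts (assumed) that the post's mitigations would remove.
WEAKNESSES = frozenset({
    "cfg:amazon_stores_card",      # a real card is on file at Amazon
    "cfg:same_card_amazon_apple",  # and it is the same card Apple has on file
    "cfg:gmail_without_2fa",       # Gmail reset needs only the recovery mailbox
})

HONAN_CHAIN = (
    rule("Gmail recovery shows masked alternate address (m***n@me.com)",
         {"gmail_address"}, {"apple_id"}),
    rule("Amazon phone support adds attacker's card",
         {"name", "billing_address", "gmail_address"}, {"amazon_fake_card"}),
    rule("Amazon phone support adds attacker's email, verified with fake card",
         {"name", "billing_address", "amazon_fake_card"}, {"amazon_recovery_email"}),
    rule("Amazon 'forgot password' link goes to attacker's email",
         {"amazon_recovery_email"}, {"amazon_account"}),
    rule("Read last 4 of the real card in Amazon account settings",
         {"amazon_account", "cfg:amazon_stores_card"}, {"amazon_card_last4"}),
    rule("Amazon's card is also the card Apple has on file",
         {"amazon_card_last4", "cfg:same_card_amazon_apple"}, {"apple_card_last4"}),
    rule("AppleCare issues a temporary password",
         {"name", "apple_id", "billing_address", "apple_card_last4"}, {"icloud_account"}),
    rule("iCloud remote wipe of iPhone, iPad and MacBook Pro",
         {"icloud_account"}, {"devices_wiped"}),
    rule("Gmail reset link sent to the @me.com recovery address",
         {"icloud_account", "cfg:gmail_without_2fa"}, {"gmail_account"}),
)


def forward_chain(start, rules):
    """Fire rules until no new fact appears; return (facts held, rules fired in order)."""
    held = set(start)
    fired = []
    progress = True
    while progress:
        progress = False
        for r in rules:
            if r.requires <= held and not r.grants <= held:
                held |= r.grants
                fired.append(r.name)
                progress = True
    return held, fired


def simulate(weaknesses=WEAKNESSES, rules=HONAN_CHAIN):
    """Run the chain from public information plus the given victim weaknesses."""
    return forward_chain(PUBLIC | frozenset(weaknesses), rules)


def blocking_mitigations(goal="devices_wiped"):
    """Which single weakness, if removed on its own, keeps the attacker from `goal`?"""
    blocked = []
    for w in sorted(WEAKNESSES):
        held, _ = simulate(WEAKNESSES - {w})
        if goal not in held:
            blocked.append(w)
    return blocked


if __name__ == "__main__":
    held, steps = simulate()
    for i, s in enumerate(steps, 1):
        print(f"{i}. {s}")
    print("attacker ends up holding:", sorted(f for f in held if not f.startswith("cfg:")))
    print("single changes that prevent the wipe:", blocking_mitigations())
    print("single changes that prevent Gmail takeover:", blocking_mitigations("gmail_account"))
```

Note what falls out of the model: removing the card from Amazon or using a dedicated card for Apple each cuts the path to iCloud and therefore to the wipe, while Gmail two-factor only blocks the rule that chains off the iCloud account. The model is only as honest as its rules, which is exactly the point: write down what each support desk actually accepts as proof of identity and the public-information chain becomes visible.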

8.) Hacker remote wipes @mat’s iPhone, iPad and MacBook Pro

There are more security steps involved to opt into a MailChimp newsletter than to remotely decimate an entire laptop. The way iCloud’s remote wipe process was designed leads me to believe they didn’t even think through the possibility that an iCloud account could be hacked.

How can you protect your data?

Back up your data. No excuses. Have multiple backups and test your restores. You can get a 2TB external hard drive for $120 on (wait for it…) Amazon, and online backup services are a few bucks a month for unlimited data. (Anecdotally, the only hard drive failure I ever experienced was 1 day after my very first online backup completed. Most people aren’t so lucky.)
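“Test your restores” is the part most people skip, so here is an added example (not from the post, and not tied to any backup product) of what a restore drill looks like: take a manifest of file hashes at backup time, back up to a tarball, restore into a fresh directory, and compare. The sample files it creates are constructed for the drill; point `backup` and `restore` at real paths for the real thing. The `filter="data"` guard on extraction is there because a tarball you restore from is untrusted input, and a malicious entry can otherwise write outside the destination directory.

```python
"""Back up a directory, restore it elsewhere, and prove the restore is complete.

Added example for the post's "test your restores" advice. Nothing here is
specific to a backup service; paths are whatever the caller passes in.
"""
import hashlib
import os
import tarfile
import tempfile
from pathlib import Path


def file_digests(root):
    """Map every regular file under root (POSIX-style relative path) to its SHA-256."""
    root = Path(root)
    digests = {}
    for p in sorted(root.rglob("*")):
        if p.is_file():
            h = hashlib.sha256()
            with p.open("rb") as f:
                for chunk in iter(lambda: f.read(1 << 16), b""):
                    h.update(chunk)
            digests[p.relative_to(root).as_posix()] = h.hexdigest()
    return digests


def backup(src, archive):
    """Write the contents of src into a gzip tarball; return the backup-time manifest."""
    src = Path(src)
    with tarfile.open(str(archive), "w:gz") as tar:
        for child in sorted(src.iterdir()):
            tar.add(str(child), arcname=child.name)
    return file_digests(src)


def restore(archive, dest):
    """Unpack the tarball into dest (an empty directory), refusing path traversal."""
    # tarfile.data_filter exists on 3.12+ and the patched 3.8-3.11 releases;
    # it rejects absolute names, '..' components and links escaping dest.
    kwargs = {"filter": "data"} if hasattr(tarfile, "data_filter") else {}
    with tarfile.open(str(archive), "r:gz") as tar:
        tar.extractall(str(dest), **kwargs)
    return dest


def verify_restore(manifest, restored):
    """Compare a restored tree against the backup-time manifest.

    Returns (missing, changed, extra): paths absent from the restore, paths whose
    bytes differ, and paths present in the restore but not in the manifest.
    """
    got = file_digests(restored)
    missing = sorted(set(manifest) - set(got))
    extra = sorted(set(got) - set(manifest))
    changed = sorted(k for k in manifest.keys() & got.keys() if manifest[k] != got[k])
    return missing, changed, extra


def run_drill(tamper=False):
    """Constructed drill: sample files -> backup -> restore -> verify.

    With tamper=True, one restored file is corrupted and one deleted, to show
    that the verification reports exactly those two problems.
    """
    with tempfile.TemporaryDirectory() as tmp:
        src = Path(tmp, "data")
        (src / "photos").mkdir(parents=True)
        (src / "notes.txt").write_text("constructed sample\n")
        (src / "photos" / "a.bin").write_bytes(os.urandom(4096))

        archive = Path(tmp, "backup.tgz")
        manifest = backup(src, archive)

        dest = Path(tmp, "restored")
        dest.mkdir()
        restore(archive, dest)
        if tamper:
            (dest / "notes.txt").write_text("bit rot\n")
            (dest / "photos" / "a.bin").unlink()
        return verify_restore(manifest, dest)


if __name__ == "__main__":
    print("clean restore  ->", run_drill())
    print("damaged restore ->", run_drill(tamper=True))
```

Keep the manifest with the backup (and a copy elsewhere): a restore that “worked” is only meaningful against a record of what was supposed to come back, and the same manifest lets you spot a backup that silently stopped including a directory months ago.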

So many systems are interconnected in the cloud, making things more convenient than ever before, but we have to realize that this same interconnectedness makes security exponentially harder. Passwords are no longer good enough—not for the important stuff. If Apple, Amazon, and (to a much lesser extent) Google—companies with a combined market cap of $900B—can’t get security right, what are the lesser known providers doing?

  1. Couple thoughts on this:
    1) Amazon announced that they had changed some security policies in the wake of this – good on them. http://bit.ly/N3WCAT

    2) Apple still hasn’t announced their security changes. Although Amazon messed up – badly – Apple messed up much worse. Apple has proven to be one of the worst companies out there in regard to their security practices. They lived in that walled garden called low market share for so long that they didn’t invest properly in this arena. I recently read an article talking about how far Microsoft is ahead of Apple on security, and we all know about Microsoft’s past security gaffes. Imagine how bad Apple really is? http://bit.ly/IgS02d

    3) The one disagreement I have with this posting is the recommendation to do online backups. Your article points out how fraught with peril the online world is, and specifically singles out the smaller providers as a danger zone. Wouldn’t putting all of your data online increase your risk greatly, considering the online backup providers don’t have the scale of Apple, Amazon, or Google?

    Shawn McKnight
  2. Thanks for the comments Shawn!

    Amazon and Apple are both guilty of having abhorrent security policies when it comes to verifying identity over the phone. Name, address, and a credit card number?! For something as severe as a password reset, they should request a vial of blood.

    I think it’s hard to measure Apple and Amazon against Microsoft using this attack as a benchmark because this was a social engineering attack primarily.

    From a technology standpoint, the article you cited actually disagrees with Kaspersky (and so do I), citing that OS X’s UNIX underpinnings make it more secure than Windows. And Microsoft’s track record with malware, viruses, and general security vulnerabilities is way worse than Apple’s.

    Lastly, with respect to online backups–my opinion is that you should treat the data you’re backing up as nearly public. Most services encrypt your data at rest, but they hold the keys. I’m completely fine with that for my family photos.

    For more secure stuff (tax records, financial information), I use TrueCrypt to encrypt the data before backing it up to the cloud. For super top secret stuff, I would only keep local backups (in multiple locations). In any case, always multiple backups.

    Rob Sobers (Author)
