Hackers Use Amazon to Crack Apple Users' Clouds

Phone password resets for Apple ID are frozen for 24 hours as Apple faces a hacking crisis.

Last weekend Wired reporter Mat Honan had his Apple ID hacked, and everything went to hell in a handbasket. His Google account was deleted, his Twitter used to broadcast racist and homophobic messages, and all data was erased on his iPhone, iPad, and MacBook. Honan admits that part of the problem was his habit of using the same security details for each account - something that more than a few people do - but says that the bigger issue was the Cloud and Apple support, which gave the hackers access to everything they wanted so long as they provided Honan's name, address, and email account.

Apple's response has been to freeze all Apple ID phone support password changes while it works out what to do next. The problem is with their phone verification system, as the tech support gurus apparently give out the keys to the kingdom provided the person asking supplies a billing address and the last four digits of a credit card. Neither of these pieces of information is that difficult to get; it's thought that Honan's hackers got their information from his Amazon account. Once the hackers have this information they can get access to the Cloud, and once they have Cloud access they can do pretty much whatever they like.

Amazon, though it was unwilling to comment directly on Honan's situation, has since plugged at least one of the security holes. Honan's hackers first got access by phoning Amazon claiming to be him and asking for some account setting changes, all of which were to be emailed to an account of their choosing. That was how they got to his Amazon account and learned the information they needed to fool Apple. Amazon no longer allows account changes to happen over the phone. Apple has yet to decide exactly what to do; it may or may not take the same steps as Amazon.

According to Honan, this is what happened:

At 4:33 p.m., according to Apple's tech support records, someone called AppleCare claiming to be me. Apple says the caller reported that he couldn't get into his .Me e-mail - which, of course was my .Me e-mail.

In response, Apple issued a temporary password. It did this despite the caller's inability to answer security questions I had set up. And it did this after the hacker supplied only two pieces of information that anyone with an internet connection and a phone can discover.

At 4:50 p.m., a password reset confirmation arrived in my inbox. I don't really use my .Me e-mail, and rarely check it. But even if I did, I might not have noticed the message because the hackers immediately sent it to the trash. They then were able to follow the link in that e-mail to permanently reset my AppleID password.

At 4:52 p.m., a Gmail password recovery e-mail arrived in my .Me mailbox. Two minutes later, another e-mail arrived notifying me that my Google account password had changed.

At 5:02 p.m., they reset my Twitter password. At 5:00 they used iCloud's "Find My" tool to remotely wipe my iPhone. At 5:01 they remotely wiped my iPad. At 5:05 they remotely wiped my MacBook. Around this same time, they deleted my Google account. At 5:10, I placed the call to AppleCare. At 5:12 the attackers posted a message to my account on Twitter taking credit for the hack.

Honan blames himself for not backing up his MacBook - thus losing a lot of data he'll never get back - and for daisy-chaining his accounts. He ought to have had a recovery email address for his accounts, he acknowledges, one that wasn't linked to anything else. "I have only myself to blame," he says, for those mistakes. The rest was down to Apple, and its security verification procedure that could apparently be fooled with just a few bits of easily obtained information and which ignored security question verification procedures. "I'm also upset that this ecosystem that I've placed so much of my trust in has let me down so thoroughly."
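The "daisy-chaining" Honan describes is a dependency graph: control of one account lets an attacker reset the next one, either because the reset link lands in an inbox the attacker already owns or because the first account exposes the data the next support desk accepts. The script below is an added example (not from the article, Wired, or the Guardian) that models that chain as a directed graph built from the story, computes the blast radius of the publicly knowable starting point, and shows how one isolated recovery address shrinks it. The edge from Gmail to Twitter is an assumption made for the illustration; the article only says the Twitter reset followed the Gmail takeover.

```python
"""Blast radius of a daisy-chained account-recovery setup.

Edge A -> B means 'control of A lets an attacker reset B'. The edges are a
constructed approximation of the account layout in the Honan story; the
gmail -> twitter edge is an assumption, not something the article states.
"""
from collections import deque

# Constructed edges, each with the reason the reset works.
RECOVERY_EDGES = [
    ("public_info", "amazon", "name, address and e-mail satisfied Amazon phone support"),
    ("amazon", "apple_id", "Amazon showed billing address + card last four, which AppleCare accepted"),
    ("apple_id", "me_email", "the .Me mailbox belongs to the Apple ID"),
    ("apple_id", "icloud_devices", "Find My can remote-wipe every device on the Apple ID"),
    ("me_email", "gmail", "Gmail's recovery address was the .Me mailbox"),
    ("gmail", "twitter", "assumed: Twitter's recovery address was Gmail"),
]


def build_graph(edges):
    """Adjacency sets; every node appears as a key even with no outgoing edge."""
    graph = {}
    for src, dst, _reason in edges:
        graph.setdefault(src, set()).add(dst)
        graph.setdefault(dst, set())
    return graph


def blast_radius(graph, start):
    """Every account an attacker can take over from control of `start` (BFS)."""
    seen = {start}
    queue = deque([start])
    while queue:
        node = queue.popleft()
        for nxt in graph[node]:
            if nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    seen.discard(start)
    return seen


def attack_path(graph, start, target):
    """Shortest chain of resets from start to target, or None if unreachable."""
    parent = {start: None}
    queue = deque([start])
    while queue:
        node = queue.popleft()
        if node == target:
            path = []
            while node is not None:
                path.append(node)
                node = parent[node]
            return path[::-1]
        for nxt in graph[node]:
            if nxt not in parent:
                parent[nxt] = node
                queue.append(nxt)
    return None


def unanchored_recovery_addresses(graph, mailboxes):
    """Recovery mailboxes that some other account in the graph can reset.

    Honan's own remedy is a recovery address 'not linked to anything else',
    i.e. a mailbox with no inbound edge; this returns the ones that fail it.
    """
    inbound = {node: set() for node in graph}
    for src, dsts in graph.items():
        for dst in dsts:
            inbound[dst].add(src)
    return {m for m in mailboxes if inbound.get(m)}


def with_edge_removed(edges, src, dst):
    """Model a mitigation: the reset from src to dst no longer works."""
    return [e for e in edges if not (e[0] == src and e[1] == dst)]


if __name__ == "__main__":
    g = build_graph(RECOVERY_EDGES)
    print("reachable from public info:", sorted(blast_radius(g, "public_info")))
    print("path to twitter:", " -> ".join(attack_path(g, "public_info", "twitter")))
    print("chained recovery mailboxes:", unanchored_recovery_addresses(g, {"me_email", "gmail"}))
    # Mitigation: give Gmail a recovery address nothing else in the graph can reset.
    fixed = build_graph(with_edge_removed(RECOVERY_EDGES, "me_email", "gmail"))
    print("after fix:", sorted(blast_radius(fixed, "public_info")))
```

Run as-is and the full chain from public information to the Twitter account prints out; removing the single edge that made the .Me mailbox Gmail's recovery address cuts Gmail and Twitter out of the blast radius, while the Apple ID and the devices tied to it remain exposed until the support-desk verification itself changes.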

Source: Wired, Guardian

UPDATE: Apple's freeze on over-the-phone password changes continues, but there has been no clear indication as to how Apple intends to proceed.

The hackers have since revealed that their primary target was Honan's Twitter account, which was three letters long and therefore highly prized. The other accounts were deleted in order to prevent Honan from recovering his Twitter account.

Amazon already fixed their "loophole".

Sure lucky I don't have an Amazon account.

I am gonna double check anything just in case.

Cloud services may have some advantages, but that "all your eggs in one basket" saying really does apply if we move from physical media to this.

This is why the cloud is bad, people.

It really sounds like he has a case here, however. The guy supposedly being him could not answer any of his security questions? But the person on the phone just said "meh, gimme your name and address and a PARTIAL CC number", not a full CC billing security code they most likely could verify on file. How many people cannot get their own security questions?

How many of you have tried to get into an account that is really old and got the security questions wrong for w/e reason? They usually lock you out right then and there and tell you to call customer service at that point. And at that point you usually have to give them ID, SS, CC number, maybe even something with your address on it, depending on what it is.

This was far, far too easy: to spoof their system, such as it is.

He seems a bit calmer about it than I would be.
If someone was able to remotely wipe my phone, my tablet, and my laptop I would be out for blood.

Am I the only one wondering what kind of dirt Honan had on someone that would make him a target?

Karloff:
Honan blames himself for not backing up his MacBook - thus losing a lot of data he'll never get back - and for daisy-chaining his accounts. He ought to have had a recovery email address for his accounts, he acknowledges, one that wasn't linked to anything else. "I have only myself to blame," he says, for those mistakes. The rest was down to Apple, and its security verification procedure that could apparently be fooled with just a few bits of easily obtained information and which ignored security question verification procedures. "I'm also upset that this ecosystem that I've placed so much of my trust in has let me down so thoroughly."

I know what you mean Mr. Honan. I once put my wallet on a park bench in East LA when I was going on my daily stroll (it's heavy, man!), and when I got back, wouldn't you know it, it was gone! Though I admit it was partially my fault, I am deeply, deeply hurt.

Schadenfreude aside, he's right. We give the cloud too much power.

llafnwod:

Karloff:
Honan blames himself for not backing up his MacBook - thus losing a lot of data he'll never get back - and for daisy-chaining his accounts. He ought to have had a recovery email address for his accounts, he acknowledges, one that wasn't linked to anything else. "I have only myself to blame," he says, for those mistakes. The rest was down to Apple, and its security verification procedure that could apparently be fooled with just a few bits of easily obtained information and which ignored security question verification procedures. "I'm also upset that this ecosystem that I've placed so much of my trust in has let me down so thoroughly."

I know what you mean Mr. Honan. I once put my wallet on a park bench in East LA when I was going on my daily stroll (it's heavy, man!), and when I got back, wouldn't you know it, it was gone! Though I admit it was partially my fault, I am deeply, deeply hurt.

Schadenfreude aside, he's right. We give the cloud too much power.

Gotta say it, that sarcasm there was ... a tad bit too much and in no way Schadenfreude. He is responsible for the extent of the loss, but the loss to begin with is a fault on Apple's end (And Amazon's, but gawd, they couldn't know there are idiots crazy enough to link Amazon data to Apple Accounts.).

Thaaaaat said ... Holy mother in hell, whoever was sitting in the AppleCare booth there deserves a nice slapping and a good-bye letter.

Another reminder to keep separate passwords for everything, and another reason to not use cloud storage, to have as few online accounts as possible, and to live without a constant online presence wherever one goes.

It's a shame; I really wanted my mistrust of these technologies to be proven wrong so that I could catch up with the last 5 years.

Ironically I learned a similar lesson recently; it was my Diablo 3 account.

I didn't think of it this way back then, but I guess I was lucky to have learned this through something that could easily be 'rolled back'.

This is the kind of thing that happens when you centralize. I'd like to know why their security protocols were so easy to beat.

I am so very glad I don't use 'the cloud' right about now. Stuff like this is the reason I don't trust my data to not be actually stored on my hard drive rather than some mystical data farm at some far-off location.

It did this despite the caller's inability to answer security questions I had set up.

Well that right there could have done a little something to fix things if someone had been doing their job properly.

I don't have Amazon nor Apple, but I mean, a hacker said he will do it and then actually did it. This is big, people. Anonymous type of big.

McMullen:
Another reminder to keep separate passwords for everything, and another reason to not use cloud storage, to have as few online accounts as possible, and to live without a constant online presence wherever one goes.

It's a shame; I really wanted my mistrust of these technologies to be proven wrong so that I could catch up with the last 5 years.

Never gonna happen. I get upset when MS and everyone else wants me to have all sorts of data on their system. Go fuck yourselves. I got into an argument with MS about them storing my CC number after the transaction was over. What did I do? I got my CC company to give me a new number. The number MS has on my account is invalid.

Similarly, everyone seems to want to link all sorts of profiles to Apple and Google. This seems like a tremendously bad idea. I just don't get why others don't see it.

Hell... I still have issue with my credit card having a chip in it. I don't like that someone can steal the pin (and there are ways) and make a fake and leave me hanging.

PS... the cloud can go fuck itself.

I will never trust anyone other than myself to backup my data. Cloud services are absolutely useless from a security standpoint.

I'm gunna sound evil and all; yes, I know hackers are bad people, they ruin internet lives and rip the feeling of "safety" from everyone, but I smile when I hear news like this, the hackers targeting the giant jerks of entertainment. They're way stronger than our voices, even if we're in a crowd. If only they were good hackers that attacked the wrong and not the innocent for fun.

WHY WAS EVERYTHING LINKED TOGETHER? I know what he said, but.... WHY?

But separate from all that, it looks like I gotta make some changes to my Amazon account. :/ I did not realize it was that easy to grab someone's account.
