Amazon exploited by hacker in scribe's epic Apple iCloud pwn

Unfortunate journo Mat Honan has said the demolition of his digital life by a hacker started with a call to Amazon customer support. Just minutes after the call ended, the WiReD writer's Apple iCloud account was compromised and his iPhone, iPad and MacBook remotely erased. The writer's Google Mail and Twitter accounts were …

COMMENTS

This topic is closed for new posts.
  1. Dave Perry
    Thumb Down

    Would have been nice if he'd helped to get the guy's stuff back

    But I suspect said scribe will now be using Time Machine and syncing away from the cloud as well now.

  2. Ted Treen
    Boffin

    A fair response...

    "...Apple said in an emailed statement that its "internal policies were not followed completely" ..."

    Not followed by someone who is probably an ex-Apple employee now - or at least an Assistant Janitor (YTS).

    They put their hand up and admitted the fault lay with the weakest link in any system:- the liveware!

  3. Brewster's Angle Grinder Silver badge

    It's worth reading Mat's article. He's remarkably hard on Amazon and immensely lenient on Apple; specifically, he says:

    [I]t’s also worth noting that one wouldn’t have to call Amazon to pull this off. Your pizza guy could do the same thing, for example. If you have an AppleID, every time you call Pizza Hut, you’re giving the 16-year-old on the other end of the line all he needs to take over your entire digital life.

    1. Anonymous Coward
      Anonymous Coward

      You're also giving the pizza guy everything he needs to use your credit card and make fraudulent purchases, however that doesn't happen very often. Why? Because such employees would be easy to track down and take to court.

      Amazon allowed anyone to take over an Amazon account and obtain part of the credit cards and delivery addresses by knowing one home address and making an essentially anonymous phone call.

      Apple was not right to unlock an iCloud account by just giving a name, address and part of the credit card number, but Amazon is also clearly in the wrong.

      1. Brewster's Angle Grinder Silver badge

        I only have one home. So all you're saying is Amazon will give you my home address if you already have my home address. :-P

        Yes, Amazon should've required a security question before handing out a partial credit card number. And my jaw bounced off the floor for that. But if it hadn't been Amazon, it would have been somebody else.

        However Apple left me aghast - my jaw ended up doing a samba. It started when they ignored the security question. It escalated when they required only the last four digits of the credit card number. And it carried on with what was possible once the hacker got inside.

        (And for the record, Mat still has my sympathies. I know how patchy my backups are. I think Phobia would have struggled with me, but that's down to luck not planning. As Woz said, the next five years are going to be interesting.)

        1. Anonymous Coward
          FAIL

          > I only have one home. So all you're saying is Amazon will give you my home address if you already have my home address. :-P

          The Amazon hack opened up ALL the addresses you have on Amazon... for many that's usually home and work addresses - including phone numbers.

          Also gave access to family and friends' names and addresses if you ever sent any gifts to them. Finally it gave hackers a nice history of everything you bought from Amazon.

          All they needed for this was to know the home address.

          1. Anonymous Coward
            Anonymous Coward

            In the UK if you have previous home address history (from past Amazon purchases) and a birthdate (from "social" sites) you can do a lot of interesting stuff... for example get an online credit report for that person - and it doesn't end there.

            1. Brewster's Angle Grinder Silver badge

              @anon 2012-08-07 16:53

              Unfortunately, lots of my friends know my address and D.O.B. I've got to fill out a form to have my library card replaced, and it wants both pieces of data. But this info is already available on line in public databases. Your home address and D.O.B. are not passwords, and a system that uses them as such is broken.

              Amazon are guilty of allowing someone to turn an address into four digits of a credit card number; but despite their lax security, there is little direct damage that could have been done. (I guess this is why we don't see many reports of hacked Amazon accounts.)

              Apple, who actually had a security question, turned four digits of a credit card into a total data wipe. That's atomic.

          2. Brewster's Angle Grinder Silver badge

            @nine circles

            Leveraging a work address to get a home address is a fair point, particularly as a business is more likely to leave their whois entry public. If that's possible (and I've not tested), then even colleagues could get access to your account... But the damage possible once they get in is small. I'd rather people didn't know the addresses of my relatives and what I'd been buying them for Xmas, but neither would have allowed the cracker to erase all my data.

    2. toadwarrior

      Anytime you give someone your card you risk them taking information. That's why it's nice most restaurants do payments at the table via the chip & pin machine. Otherwise if they walk off with your card they have everything to make purchases and that sort of thing has happened.

      Whether the Apple guy was being lax in his checks or Apple is just saying that, the fact is you can do a lot with just having someone's name, address and last 4 digits of their card number. Hell the only thing extra the bank used to ask for was dob which the hacker probably could have figured out quite easily since the guy has a pretty public life.

      It would be nice if domain records were not public by default either and a user has to make a formal request for that info with good reason as to why they need it or a messaging system that forwards on messages to the owner's email address if they need to contact them. Obviously no one will pay for the privacy option in most cases given how much sellers bleed you for it.

      1. Brewster's Angle Grinder Silver badge

        @toadwarrior

        I do pay for whois privacy on my .com address (and it doesn't cost me anything on my .uk addresses, as the sites are non-commercial.) And my bank require me to describe my most recent transactions before they will verify me. (That said, my most recent offline backup was eighteen months old - until this morning... :oops: )

        But Amazon won't deliver to a new address unless you re-enter your credit card details. So if your account is breached, there is little hackers can do. Mat came across as asking Amazon to second guess and defend against Apple's poor security model. (Amazon ought to have had a security question, but they still might have ended up ignoring it, like Apple did.)

        1. VinceH

          Re: @toadwarrior

          " But Amazon won't deliver to a new address unless you re-enter your credit card details. So if your account is breached, there is little hackers can do."

          Well, that's some small mercy, then, given what I discovered last year:

          http://misc.vinceh.com/2011/04/potential-security-issue-amazon/

          1. Brewster's Angle Grinder Silver badge

            @VinceH

            Disclaimer: I don't work for Amazon.

            Here's what I think happened: Amazon were (are?) using your email address as your customer ID. So changing your email address would mean cloning the entire account, and then deleting the old one. If that second step fails to complete, e.g. because the system crashed, then the old account would remain active. Obviously the whole thing should happen as a single transaction. But...

    3. DJ Smiley

      Sounds like that's hard on Apple;

      And I wonder who I think is more at fault - Had the hacker started buying products on amazon and the iStore; I know he'd be covered on Amazon (due to credit card law - at least in the UK?) but would Apple have refunded iDevice purchases?

  4. Anonymous Coward
    Anonymous Coward

    The most difficult part?

    Getting hold of Amazon's phone number and getting through to them.

    1. GettinSadda
      Thumb Up

      Re: The most difficult part?

      It's not that hard to find - a few minutes on Google will tell you it's 0800 496 1081

  5. Steve Button Silver badge
    Linux

    I've got a three letter twitter account - @sbu

    ... but I've had 2-step auth switched on for ages, so I'll be OK - right?

  6. Captain Underpants
    Meh

    While I sympathise to a certain extent with anyone who's on the receiving end of nonsense like this, Honan should still primarily be kicking *himself* in the balls for this whole SNAFU. Amazon and Apple deserve a shoeing for being so easily duped, but despite being a tech journalist for over a decade, Honan had :

    no backups of his phone (even though this is trivially done in iTunes);

    no backups of his main work machine (again, trivially done with Time Machine);

    enabled a remote-wipe service that he didn't really need (why?!);

    bad security habits in terms of email address naming and linking.

    Gizmodo also deserve at least a toe in the vicinity of the ballbag for having an ex-staff-writer account still associated with their main Twitter feed.

    Maybe he'll be lucky and get some of his stuff back via PhotoRec, but between this and Wozniak's comments about Cloud dependence it looks like this is the week to remember that clouds (Fruity or otherwise) should only ever be one part of a multi-part data storage backup/redundancy strategy. Anything contrary invites disaster and/or misery...

    1. GettinSadda
      Boffin

      no backups of his phone (even though this is trivially done in iTunes);

      no backups of his main work machine (again, trivially done with Time Machine);

      Actually he did have backups of his phone - on his MacBook

      He had backups of his MacBook - in the iCloud.

      This was not enough, but he did have backups

      1. Anonymous Coward
        Thumb Down

        > He had backups of his MacBook - in the iCloud.

        No he didn't, you don't backup Macs to iCloud. That's what Time Machine is for.

        His phone was backed up to iCloud and he did manage to restore it, but his Mac hasn't backed up anywhere.

        1. GettinSadda

          My reading of his own account on Wired is that the phone data was not recoverable as the cloud account had been deleted. Also I was under the impression that iCloud could be set to store all your photos (the main thing he is upset about) but looking deeper it seems that this is only true of pictures less than 30 days old. So it looks like he was a fool! I have 3 automatic backups that copy my photos, including one in a non-Apple cloud, but I am still worried that they could vanish!

          1. Anonymous Coward
            Anonymous Coward

            He didn't mention it in his Wired piece, but on his blog he said:

            "My phone and iPads are down (but are restoring)"

            So it seems he was able to restore them from somewhere. As he didn't have his computer anymore I guess he did it from the iCloud backup. The hacker probably didn't get to delete that backup since it's not possible to do it over the web.

      2. KroSha
        FAIL

        "Actually he did have backups of his phone - on his MacBook

        He had backups of his MacBook - in the iCloud.

        This was not enough, but he did have backups"

        iCloud is not a backup. Had he done things properly and taken a backup with Time Machine, then not only would he have the contents of his Macbook, but that would contain the contents of his iPhone as well, stored in his iTunes Library.

        Really basic FAIL for a tech journo.

        1. P. Lee

          My understanding is that iCloud is for sync, not backup.

          You should sync mobile to your PC and back that up - time-machine for a mac.

          As for gmail, IMAP is easy to backup and probably happens automatically if you use mac mail and timemachine.

          Having said that, time machine can be really slow.

      3. Anonymous Coward
        Anonymous Coward

        @GettinSadda - More specifically

        He backed up his machine but he really did not have a backup. What's the point in having backups if you're not sure you will have them when needed ?

      4. Captain Underpants
        Thumb Down

        @GettinSadda

        No, that doesn't cut the mustard.

        If your only backup for Device A is stored on Device B, which has a remote wipe functionality, then you don't actually have a backup worth a damn.

        Similarly, iCloud is a data sync tool, not a be-all end-all backup solution - as I would have thought this incident demonstrates!

        If he had an external hard drive with Time Machine backups of his MacBook (including iTunes snapshots of his iPhone) then iCloud account takeover notwithstanding, he would have the lion's share of his stuff intact. A backup, by definition, should be something of which you have entire control - ideally something you can stick, unused, in a drawer somewhere so that it can't get banjaxed in the event of Unspecified IT Woes befalling you.

        1. Dave Perry
          Stop

          Re: @GettinSadda

          If you value your data and its security, don't trust iCloud. I had to look at it for sync with the day job (education), and Apple's own advice was don't use iCloud for really critical stuff.

  7. Anonymous Coward
    Anonymous Coward

    I've faced this dilemma myself

    when setting up a small customer service operation for an online shop.

    Most of the time the only solid information you have about a customer is their name, address and payment details. Stuff like answers to security questions is so easily forgotten by the public that even banks don't enforce it too much. Asking for birthdates is seen as too intrusive (and for good reason, if it falls in the wrong hands).

    Next problem is that by PCI-DSS standards for card processing you aren't allowed to have full credit card numbers in databases accessible to support representatives. These must be well guarded behind secure systems which only a few can access. So the accepted tradeoff is to show CS staff the last 4 digits of the card.

    So that doesn't leave much to identify the customer when they call saying they lost their password and can't login to their accounts. You can add some questions about past orders to throw off low hanging hackers, but these days people even post what they get on whatever social network they're on so it's not very safe.

    1. Dan 55 Silver badge

      Re: I've faced this dilemma myself

      Not appropriate advice for a small online shop but Apple could easily set up some system where the CS bod hands the call over to a computer which asks for one or more of the full credit card number/CVV/expiry date to be dialled in which then makes a query to the DB and comes back to the CS bod with 'yes' or 'no'.

      Apple IDs appear to be far too easily hijackable. I did have everything set up right for MobileMeh but after I closed it down I put false data for my name and address, and laboriously deleted my credit card info (I forgot how I did it but it involved faffing around with iTunes).
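
The yes/no hand-off suggested in the comment above, next to the last-four check the article describes, as an added example that is not part of the original thread and not Apple's or Amazon's code. The class and function names, the lockout threshold, the key and the sample card data are assumptions; the CVV is left out because PCI DSS does not allow it to be stored after authorization.

```python
import hashlib
import hmac

MAX_FAILURES = 3  # assumed lockout threshold, not taken from the thread


def last4_check(record: dict, claimed_last4: str) -> bool:
    """Weak check from the article: the agent compares four digits that also
    show up on receipts and on other merchants' account pages."""
    return record["last4"] == claimed_last4


class CardVerifier:
    """Stands in for the automated system the call is handed to.

    It keeps only a keyed digest of card number + expiry, so neither the
    support desk nor this table holds a usable card number. The agent's
    screen receives nothing but 'yes', 'no' or 'locked'.
    """

    def __init__(self, key: bytes):
        self._key = key          # held by the verifier only (assumption)
        self._tokens = {}        # account_id -> HMAC of "pan|expiry"
        self._failures = {}      # account_id -> consecutive failed attempts

    def _digest(self, pan: str, expiry: str) -> bytes:
        msg = f"{pan}|{expiry}".encode()
        return hmac.new(self._key, msg, hashlib.sha256).digest()

    def enroll(self, account_id: str, pan: str, expiry: str) -> None:
        self._tokens[account_id] = self._digest(pan, expiry)
        self._failures[account_id] = 0

    def verify(self, account_id: str, pan: str, expiry: str) -> str:
        if account_id not in self._tokens:
            return "no"
        if self._failures[account_id] >= MAX_FAILURES:
            return "locked"      # needs a separate, stronger recovery path
        candidate = self._digest(pan, expiry)
        # Constant-time comparison of the two digests.
        if hmac.compare_digest(candidate, self._tokens[account_id]):
            self._failures[account_id] = 0
            return "yes"
        self._failures[account_id] += 1
        return "no"


def demo() -> dict:
    """Constructed data: a well-known test card number and a made-up expiry."""
    verifier = CardVerifier(key=b"constructed-demo-key")
    verifier.enroll("acct-1", "4111111111111111", "12/14")
    record = {"last4": "1111"}   # what the support desk is allowed to see

    results = {}
    # Caller who only knows the last four digits from another source.
    results["weak_with_last4"] = last4_check(record, "1111")
    results["full_with_last4_only"] = verifier.verify(
        "acct-1", "4000000000001111", "12/14")
    # Genuine cardholder keys in the whole number.
    results["owner"] = verifier.verify("acct-1", "4111111111111111", "12/14")
    # Repeated wrong entries lock the account, even for the right number.
    for _ in range(MAX_FAILURES):
        verifier.verify("acct-1", "4000000000001111", "12/14")
    results["after_lockout"] = verifier.verify(
        "acct-1", "4111111111111111", "12/14")
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```
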

    2. Raz

      Re: I've faced this dilemma myself

      PCI-DSS allows you to store the first 4 and last 4 digits of the card number. Asking for the first 4 makes more sense, as most of the receipts printed by point of sales are showing the last 4.

      1. Charles 9

        Re: I've faced this dilemma myself

        Trouble is, under the credit card system currently in place, the first four digits have a rigid formatting that makes them far easier to predict. They're not dependent on the cardholder but rather on the network and the institution that issued it. The formatting is the reason companies can identify your credit card just from the first digit (AmExs always start with a 3, Visas with a 4, MasterCards with a 5, and Discovers with a 6). It gets more complicated than this, but the fact is the first SIX digits (formally known as the Institution Identification Number or IIN) can probably be deduced by knowing enough about the customer's bank or shopping habits.

  8. HamsterNet
    Thumb Down

    ID10T error

    How about Forgot password

    Best remember it then or get some new iShiney toys...

  9. Spoonsinger
    Pint

    I wish I was a pundit...

    a bit like a 'banker', win if you follow the crowd, win when you get shown up for being incompetent but can turn the failure into a 'learning experience' for media exploitation.

    (Beer obviously, because I don't have the nad's.).

  10. mtcoder

    Problem is sites need more generic information about people

    The problem is companies are forced to secure "sensitive" data and in doing so make it hard for customer support to accurately validate the person on the other end of the line. But it's a business model that can change. For example when he called into Amazon for the account changes they should go thank you for the call, please hang up and we will call you on the phone number on the account. Poof instead of making the account change Mat gets a phone call saying hey we just talked want me to make that change now? Um hell no and what change? Something so simple quickly rips most of the control away from the hacker. To add on to security take a step like Blizzard does to cut down on hacked accounts, with their authenticator service. A free phone application or even a cheap key chain, that generates authentication codes associated with the account to validate the end user. So now to even log into an account the hacker needs the authenticator. So this really helps, but what happens when Mat is at a party and gets drunk and passed out someone swipes his phone for a few and changes all of his accounts. Well shame on Mat, but still possible or if it became the new industry standard stealing a phone would be gold mine for stealing identity. So then what? Well add on an occasional personal information data. This can work for smaller companies that couldn't afford to setup authenticators. When I sign up ask me my shoe size, birthmarks, scars, bra size, body mass index, tattoos. When there is an account concern you can quickly identify the person with said things, and well dumpster diving and most likely even social media scraping won't give you the data. If Amazon asked Phobia what his shoe size was he would have been like um 9, and I don't like that metric cause it could be guessed via seeing a photo of his feet, but it's a 40% chance to randomly guess it. Add on a scar or birthmark or tattoo and you can lock it down pretty tightly.

    Now the problem with using this is people will freak out, over a company knowing this data. So it will rarely be given out by people. Which is ironic cause well the marketers already know most of it. But the illusion is people don't know it. Security questions tend to be an ok step but often get worked around cause people don't remember what they typed, and it's usually case sensitive. I know I have locked myself out of an account cause I didn't put a capital for my dog's name, but hey calling support was easy and they didn't even ask for security question, cause it was what caused account to get locked out. None of these stop it completely, but with customer call backs, aka Amazon calling the phone on file to perform account changes, adding on an authenticator for log ins on the web aka when no support is involved, and asking personal identifying questions that actually work, aka shoe size, tattoo, birth mark, and having all of them, listed will make us very secure and make it hard to hack into an account. Cause even if they steal passwords, without the authenticator configured to the person's phone the password is pointless.

    1. Anonymous Coward
      Anonymous Coward

      There's always holes

      For your callback example: People change phone numbers, forget to update the websites, but then would need it for your scenario. What would the company do then?

      There would have to be some workaround for that, and that would then be the next weak point....

      Maybe biometrics, if done right, will change this. But until then most methods for the real world will always be easily breakable.

      1. Charles 9

        Re: There's always holes

        There's also the fact that people may not be too fond of callbacks or screen their callbacks via the Caller ID, and if the number and/or name is not familiar to them, they may not take the call, fearing it to be a telemarketer, scammer, (Americans) campaign call, or (for debtors) a collecting agency.

      2. mtcoder

        Re: There's always holes

        The average person changes their phone number about 3 times in their lifetime. Not that much of an inconvenience to remember to update accounts. Also nothing states the systems can't just create you a new account. Oh you don't know your phone number no problem, please go setup a new account. Now for things like Apple / Google services where a new account means being locked out of your life. Chances are you aren't going to forget to update the account information, but in those cases, there is still email confirmation options. Ok we will gladly make those changes I have sent you an email with a confirmation number. Please check your email and let me know that code. At least then there is that "3rd party" validation. Nothing will be fool proof, but having those other accounts the user has to have access to already in order to make account access style changes, greatly peels off the hacker's ability to break into an account. There is some responsibility of the consumer to protect themselves and if all it means is they have to update their account information that blocks access to their computer, facebook account, twitter account, backups, music library, etc it wouldn't be too hard to ensure a few profile pieces are up to date. And just like most systems provide a secondary number fall over. If we can't reach you at your primary phone please provide a secondary, like a relative parent, brother, sister. Chances are both of you changing your phone numbers at the same time without you updating your account becomes really unlikely.

  11. A. Coatsworth Silver badge
    Paris Hilton

    A lingering question

    "Phobia said that the whole intrusion was designed to take control of Honan's Twitter feed because it had a three-character handle: @mat."

    Why? What's so special about a three-character name?

    .... Or Phobia has phobia of short handles?

  12. Anonymous Coward
    Anonymous Coward

    Would you please, sir, clear the area around your neck and stand still so I can....

    I personally wouldn't put too much blame on Amazon and Apple. The lesson to remember here is that nobody else will take care of your digital life if you don't do it. Precious family photos stored on a computer which can be controlled remotely by you'll never know who ?

  13. Anonymous Coward
    Anonymous Coward

    The last 4 digits are not secret

    They appear on every printed credit card receipt in the US and every my-account page I've ever seen. They are sent in clear text in emails more often than not. The PCI standards do not require them to be hidden. In fact, it is essential they are public, in order for merchants to identify to a customer with more than one card which one they used for a transaction.

    If Apple does not start groveling soon they will be deprived of my account.

  14. chris 17 Silver badge
    Facepalm

    so apple support wasn't the primary attack vector

    The first article and his blog stated this was Apple's fail for providing the hacker access, but we now know this was all dependent on Amazon's initial failings.

    http://www.emptyage.com/post/28679875595/yes-i-was-hacked-hard.

    would this attack have been foiled if he used his wife's account for his gmail password retrieval account instead?

  15. Charles 9

    To boil this problem down in IT terms, it seems what this illustrates is a tricky problem in trust: establishing a means of proving identity when (A) Alice cannot request most personally identifiable information from Bob due to legal restrictions, and (B) Bob has a bad memory. IOW, How does Bob prove he's Bob if Alice (by law) has nothing that actually describes Bob as such, and he has a hard time answering spontaneous security questions about stuff that can't be deduced by Mallory from outside sources (like the ol' Mother's Maiden Name; the First College Roommate probably isn't too hard of a dig, and favorite fictional characters might be found by blogs or shopping habits; you get the point)?

  16. Anonymous Coward
    Anonymous Coward

    tl;dr

    short form, don't use amazon.

    1. Anonymous Coward
      Anonymous Coward

      Re: tl;dr

      Short form, don't use cloud backup

      , and for the Apple users, pay very close attention as to how much damage was caused by NOT having physical access to an Apple device.......simply secure my ass......MicroSoft hasn't f$cked up that bad.....yet.

    2. Captain Underpants
      Thumb Down

      Re: tl;dr

      @j arthur rank

      Yeah, don't use amazon but do continue to have remote wiping of all your devices enabled on a system whose identity verification processes aren't exactly gold-standard. Can't imagine how that might bite you on the ass.

      Alternatively, pay attention when evaluating each potential point of failure in the systems you use to store precious data and attempt to address them when devising a backup strategy. It's not necessarily easy, and it will be time-consuming, but then nobody ever promised otherwise...

      1. B4PJS
        Stop

        Re: tl;dr

        Don't use ActiveSync on iOS or Android. They suffer from MiTM attacks unlike WinPho http://wmpoweruser.com/ios-android-devices-vulnerable-to-remote-wipe-with-false-certificate-windows-phone-not/

  17. Trapped
    Mushroom

    Don’t settle for anything less than two-factor authentication.

    Don’t settle for anything less than two-factor authentication. I have two-step authentication on my email and I like the extra security it offers. You just telesign into your account and it’s good to go. I'm hoping that more companies start to offer this awesome functionality. In reality this should be a prerequisite to any system that wants to promote itself as being secure. I feel suspicious when I am not asked to telesign into my account by way of 2FA, it just feels as if they are not offering me enough protection.

  18. Anonymous Coward
    Anonymous Coward

    Might teach the idiot a lesson.

    not to entrust everything to his beloved Apple because they gave him some shiny toys in exchange for some nice Apple gushing reviews...

    Now who is up next?
