Apple and Amazon are taking steps to change some of their security policies after it came to light that hackers tricked staff members into helping them change the passwords of Gizmodo journalist Mat Honan’s online accounts.
In a first-person article published on Wired, Honan details how a hacker was able to access his iCloud account and wipe everything from his iPad, Mac and iPhoneall with an assist from the support staffs of Amazon and Apple, whom the hacker tricked by impersonating Honan.
“We’ve temporarily suspended the ability to reset AppleID passwords over the phone,” Apple spokesperson Natalie Kerris told eWEEK. “We’re asking customers who need to reset their password to continue to use our online iForgot system (iforgot.apple.com). This system can reset a password in one of two wayseither have a password reset sent to an alternate email address already on record or challenge the customer to answer security questions they had previously set up.”
“When we resume over-the-phone password resets, customers will be required to provide even stronger identify verification to reset their password,” she added.
Amazon said they made a change to their security approach Aug. 6.
According to Honan, who was able to get in contact with a hacker who goes by the name of “Phobia” and was at the center of the scheme, the ultimate goal was to seize control of his Twitter account. To do that, the hackers looked up his Twitter and found that it linked to his personal website, which had his Gmail address. He then went to the Google account recovery page.
Once there, Phobia entered Honan’s Gmail address and was able to view the alternate email Honan set up for password recovery. Though the email was partially obscured, the hackers were able to guess it and when they saw it was a .me account the hackers knew Honan had an AppleID.
In order to get access to his AppleID, Phobia and his partner needed the last four digits of Honan’s credit card and billing address. The billing address was discovered with a whois search of Honan’s Web domain.
To get it, Phobia’s partner called Amazon’s support line pretending to be Honan and added a fake credit card number to the account. Then they called Amazon again and claimed to have lost the account password. After giving the fake credit card number as well as a name and billing address, Amazon allowed them to add a new email address to the account. From there, they sent a password reset to the new email and could see the last four digits of all the credit card numbers on file for the account, Honan explained in the article.
With those last four digitsand his name and addressthe hackers were able to get Apple to reset the account login. Because his online accounts were linked together, the hackers now had the keys to his digital life.
“I shouldnt have daisy-chained two such vital accountsmy Google and my iCloud accounttogether. I shouldnt have used the same email prefix across multiple accountsmhonan@gmail.com, mhonan@me.com, and mhonan@wired.com,” Honan wrote. “And I should have had a recovery address thats only used for recovery without being tied to core services.”