The hack into a Gizmodo writers Amazon and Apple accounts over the weekend is being used as a cautionary tale for consumers, a call to action for cloud providers regarding security policies and a sounding board for concerns about the rush to the cloud.
In a lengthy first-person account in Wired magazine, writer Mat Honan outlines how an attacker quickly found his way into Honans iCloud account and wiped everything from his Mac, iPhone and iPad, all of which were linked to Apples cloud service. The attacker also hacked into his Twitter and Gmail accounts. In the story, Honan admonishes himself for failing to follow basic security protocolhis online accounts were linked together, and he had failed to back up his data, for example.
However, the larger concern was how quickly and easily the attackerwho called himself Phobiawas able to get gain control of Honans Apple iCloud account through just a couple of phones calls to Amazon and Apple, convincing customer service representatives at both places that he was Honan. The attack was less about hacking into the accounts via a computer and more about social engineering gleans the necessary personal information from Amazon and Apple.
According to Honan, the hacker was able to get a hold of his email address, and used that and the billing address to convince Amazon customer service representatives that he was Honan to talk his way into seeing Honans account. With that access, Phobia was able to see the last four digits of Honans credit card number. With that in hand, he called Apple tech support andarmed with the last four credit card numbers, email address and billing addressconvinced them that he was Honan and to reset the iCloud login. The hacker now had access to all the accounts and the devices Honan owned.
Amazon tech support gave them the ability to see a piece of informationa partial credit card numberthat Apple used to release information, Honan wrote. In short, the very four digits that Amazon considers unimportant enough to display in the clear on the Web are precisely the same ones that Apple considers secure enough to perform identity verification. The disconnect exposes flaws in data management policies endemic to the entire technology industry, and points to a looming nightmare as we enter the era of cloud computing and connected devices.
He wrote that since his experience Aug. 3, hes learned of others who have been attacked in the same way. It also backs up comments made by Apple founder Steve Wozniak, who after a recent performance of The Agony and the Ecstasy of Steve Jobs in Washington, told the audience in a discussion that he saw bad times coming as the world embraced cloud computing.
“I really worry about everything going to the cloud,” Wozniak said, according to reports. “I think it’s going to be horrendous. I think there are going to be a lot of horrible problems in the next five years. ¦ I want to feel that I own things. A lot of people feel, ‘Oh, everything is really on my computer,’ but I say the more we transfer everything onto the Web, onto the cloud, the less we’re going to have control over it.”
In the wake of Honans article, computer security experts have talked about steps consumers need to take to retain as much control as possible over the data they are putting into the cloud. And it goes beyond passwords, according to Lisa Myers, a blogger on the Mac Security Blog site for Apple security software vendor Intego.
As much as we like to trumpet the use of good passwords, this is one instance in which this would not have made a difference, Myers said. You can use the best password in the world, but if someone can socially engineer you or someone from the site or service itself to reveal your password, it will make no difference. That isnt to say that strong passwords are not important; having a strong password will protect you against the majority of common attacks. But you should definitely not bet the farm on a password.
There are steps consumers should take, she and others said. That includes encrypting as much of the online data as possible, making it more difficult for hackers to use data they gain access to. Reconsider linking accountstrading in convenience for securityand using two-factor authentication when possible. Also, for such accounts, use an email that is unknown to others. In addition, according to Paul Ducklin, head of technology for Asia-Pacific for security software vendor Sophos Lab, consumers should make and keep backups outside of the cloud, and use an independent remote wipe service rather than one that is part of the cloud service.
As much as consumers have to take steps to protect themselves, vendors like Apple and Amazon, which hold so much personal information of their users, need to bulk up their policies. An Apple spokesperson told Honan that in his case, the companys internal policies were not followed. In addition, Wired reported that Amazon Aug. 6 changed its customer privacy policies, including no longer allowing people to call in and change account settings in their user accounts.
Neither Apple nor Amazon have commented publicly about Honans case.
Sophos Ducklin said in an Aug. 6 post on his companys Naked Security blog that Apple recently bolstered its security policies by asking users to provide a number of security questions for further authentication. However, he said that in Honans case, because the hacker used social engineering and talked an Apple representative into giving him the information, the tighter security policies wouldnt have mattered.
Apple, Amazon and others are in a difficult spot, Ducklin said. Companies can enforce utterly inflexible procedures for password reset, he said, but that is done more to save money by reducing the workforce rather than security. It also leads to situations where legitimate consumers cant solve password reset issues.
Or you can keep humans in the loop, and run the risk that their occasional helpfulness will occasionally be off the mark, he wrote. That’s what happened with Honan.