|Account Hack, User Speaks Out: Lessons To Learn|
A lesson worth reading to understand what happened, and why.
Account Hack, User Speaks Out: Lessons To Learn [wired.com]
|In the space of one hour, my entire digital life was destroyed. First my Google account was taken over, then deleted. Next my Twitter account was compromised, and used as a platform to broadcast racist and homophobic messages. And worst of all, my AppleID account was broken into, and my hackers used it to remotely erase all of the data on my iPhone, iPad, and MacBook. |
In many ways, this was all my fault. My accounts were daisy-chained together. Getting into Amazon let my hackers get into my Apple ID account, which helped them get into Gmail, which gave them access to Twitter. Had I used two-factor authentication for my Google account, it’s possible that none of this would have happened, because their ultimate goal was always to take over my Twitter account and wreak havoc. Lulz.
Whoa, scary read.
|It turns out, a billing address and the last four digits of a credit card number are the only two pieces of information anyone needs to get into your iCloud account. |
Identity theft 101 - Getting a billing address and the last 4 digits of a credit card are child's play.
|Apple issued a temporary password. It did this despite the caller’s inability to answer security questions I had set up. |
The problem isn't iCloud, it's iSupport which is apparently powered by iDiots. All of the security flaws involved are HUMANS running TECH SUPPORT that have shoddy verification practices or, based on what I just read, none whatsoever.
This is exactly what happens when you let too much of your digital life become entangled in a 3rd party.
|At 5:00 they used iCloud’s “Find My” tool to remotely wipe my iPhone. At 5:01 they remotely wiped my iPad. At 5:05 they remotely wiped my MacBook. |
This is why I don't have my devices set to be remotely wiped, it's too dangerous.
Besides, how stupid do you have to be to lose your iPhone, iPad or Macbook that you actually worry about wiping it in the event you lose them?
If they're stolen, that's another issue, but that also assumes you were stupid enough to leave them unattended in most of the cases of those devices being stolen.
Seriously, seriously, stupid.
Man without backups and using same / similar passwords for multiple daisy chained accounts loses data when someone talks apple "helpdesk" staff into giving them access to his account..which allows an avalanche of data wipes..
|But what happened to me exposes vital security flaws in several customer service systems, most notably Apple’s and Amazon’s. Apple tech support gave the hackers access to my iCloud account. Amazon tech support gave them the ability to see a piece of information — a partial credit card number — that Apple used to release information. In short, the very four digits that Amazon considers unimportant enough to display in the clear on the web are precisely the same ones that Apple considers secure enough to perform identity verification. The disconnect exposes flaws in data management policies endemic to the entire technology industry, |
|the very four digits that Amazon considers unimportant enough to display in the clear on the web are precisely the same ones that Apple considers secure enough to perform identity verification. |
Everywhere I use requires that I give the last 6 digits (and/or a 4 digit PIN), not merely the last 4 digits of the credit card number, to "authenticate"..
Because many, many places, including the "receipts" you get when you use some credit cards, print the last 4 digits on the "receipt" (which many people then discard or leave behind, for an "identity thief")... Amazon will show the last 4 in your account, only once you are "in"..
The initial fault here was Amazon's, for letting someone have access to his account where the last 4 digits are shown (whether or not that could have been used to take over his "online" ID elsewhere), and his for being a "so called" tech writer (being paid to write about IT and "tech" and security etc, and thus his readers and employers would hope he would actually know some of the most basic stuff that he is being paid to write about) and for not having a clue about security (never "daisy chain" what you want secure, because one point of access breached is all it takes to access it all) and backups..
His time lines are off too..
|First my Google account was taken over |
except it wasn't the first thing , it was the third..
|Next my Twitter account was compromised |
that was the 4th on the time line, the time line he tells us in the next paragraph..
|Getting into Amazon let my hackers get into my Apple ID account, which helped them get into Gmail, which gave them access to Twitter. |
thus, the "timeline" actually was..
in that order..
So Amazon are sloppy, and their helpdesk are easily manipulated into allowing outsiders to access confidential personal accounts..
Apple helpdesk are fools, and are sloppy, and their helpdesk are easily manipulated into allowing outsiders to access confidential personal accounts..
Mr Honan used a password for his gmail account which resembled very closely or was the same as that of his apple account..or left his gmail password in his apple account..so we know what he is ..
His apple account was used to remote erase all his apple kit, iPhone, iPad, and MacBook...
Did you know that Apple , or a hacker, or anyone with "access" could do this ? ..those of us who did ;-) have it amongst our many reasons for not using Apple :)
Oh and he had no "backups" ..so we know what he is ..
( and "cloudy" backups, which are not accessible to you unless the "cloudy" service lets you access them, if they haven't deleted them too, or gone out of business etc.. are not as good as your own backups, to your own disc drives, or optical media, or tape, ( not a drive in the same machine or another partition on the same drive, nor even in the same building )..off site regular backups, in two different places, this is our businesses we are talking about after all ;-)
Oh ..and his twitter account got hacked ..meh
As regards his repeated insistence that if he had two factor authentication in set up in Google's Gmail ( via a phone number ) ..they had already wiped his iphone by the time G would have been trying to "authenticate"..( which reading his article and deducing how his mind works, he would have given G his iphone number to authenticate to..after all the guy does like "daisy chains" ) ..it wouldn't have saved him..
Because he'd still have been relying on other people or their systems, looking out for him, thinking for him..
Which is why he used Apple..because they say it is safe, they infer it is "safer"..
Safer ( there is no true "safe" ) ..is..never "daisy chain your ID, your data, or your online or offline life..
Make regular backups, of every thing, sites, emails,photos etc etc, "image" your machines and their software, ..if you haven't ..begin ..now..
Never let some one else hold nor give to them, the vital information or data that can break your online or offline life or your business or your family life..
Think it is all too hard..to complex, too time consuming ?..
Here, we are all ( supposedly ) "pro webmasters"..looking after and securing our data is part of that job ..
ps ..I agree with everything incredibill posted whilst I was writing and speelchucking this post.. :)
Yes the guy was amazingly stupid , especially for someone who writes about, and probably well paid to write about, "tech"..
His time lines are off too: "First my Google account was taken over"
except it wasn't the first thing , it was the third..
"Next my Twitter account was compromised". That was the 4th on the time line, the time line he tells us in the next paragraph...
Nice finding! I feel sorry for the guy but after 15 years working around newsreporters and journalists I know for sure they always have diff versions of the story and they-are-always-the-victims. I don't fall for that anymore, especially for what you found, the irregularities in the story........
Still this is a red flag for everyone regarding security. Me? I don't trust the "cloud". And... it seems the safest phone is that ugly one that you need to smash in order to erase all data at once :)
|the irregularities on the story. |
There are others,( my post was long enough as it was ;-) but the guy is looking to make lemonade from really sour lemons that he grew and chose himself..and trying to get your sympathy and buck passing all at the same time..
Embroidering the facts and inventing/ adjusting hacker dialogue ( most erudite AIM conversation I ever saw ;-) etc into 4 page "link bait" ( he did the "link bait" part well ;-)...Amazon, Apple, Google, Twitter, a list of ithings...the shiny "product placement/mentions" ( even in the overall negative context about the customer service of apple ID ) will hook many..
( I 'm being served ads for "backups" and "online security" , and "shiny things from fruity company" and "accessories for same", etc on the articles pages , "high EPC" linkbait* ;-)
The push to "use two part authentication with Google and be safe in your on line life" ( give G your phone number ) merits a large cheque from Larry at least..
The vital part that twitter plays ( or apparently should ) in the lives of many did not go unnoticed..
facebook did not get a mention..either he doesn't use it (hard to believe) or the "hacker" didn't care about it (easier to believe) or facebook wouldn't spring for pizzas to the gizmodo or wired offices (easier to believe, they have much less money than they did at the beginning of the article / saga / week)..so no mentions for them..
* fear and trepidation makes for clicks and purchases if the ads are well targeted towards the content and if the visitors are engaged and ready to spend for protection..
Let's not just tear apart the story, there are serious security implications here, and I said at the start, there are lessons to learn.
How many people do you know that fail to use even the most basic of security. Use two-factor authentication where you can.
I gave up on two-factor authentication when I couldn't get Chrome to sync properly across my devices. It was a pain.
Meanwhile, I tried logging in to my Windows Live account today and was told they no longer accepted passwords longer than 16 characters. To be able to log in I had to enter the first 16 characters and leave out the rest (4 characters, in this case). Thought that was... unusual.
|Use two-factor authentication where you can. |
I think you missed the larger point that it doesn't matter what you use for security when some iDiots at Apple let just anyone reset your passwords to your email account. Their methodologies and procedures for validating the owner of the account were 100% flawed.
The email account is the critical lynchpin to this whole story because once it's breached the whole security system, two-factor authentication or not, crumbles like a house of cards because you can simply reset it all from scratch.
One way to keep hackers out of your account, assuming they haven't also stolen your phone, is to see if the caller ID being used matches what's on file for the account. If the caller ID doesn't match, support should go: "Sir, we'll call you back on the phone # currently on file with your account to verify a password reset." They could even have sent an SMS to the phone that requires a response before resetting the password. That simple act of validating the caller ID or calling back to the owner's last known valid phone number of record would've stopped this hacker dead in their tracks.
It doesn't take much to thwart fraud except common sense and due diligence.
SIDE NOTE: If credit card companies simply used SMS verification for all MAJOR purchases for anyone with a cell phone registered to their account then credit card fraud for SMS enabled cell phone owners would cease immediately. Implementing it has ZERO impact on any existing CC transaction system or website and only requires implementation at the credit card processing centers. Simple solution to a billion dollar problem but we'll never see it happen in our lifetime because it's too easy.
Again agree entirely with incredibill..:)
|SIDE NOTE: If credit card companies simply used SMS verification for all major purchases for anyone with a cell phone registered to their account ALL credit card fraud would cease immediately. Has ZERO impact on any existing CC transaction system or website, online requires implementation at the credit card processing centers. Simple solution to a billion dollar problem but we'll never see it happen in our lifetime because it's too easy. |
Already in place here France, works that way on both my business and personal account cards and with both our banks , wife's and mine..and many places in the UK, and some banks there use it..
It's called 3D..been around for a few years in Europe :)
Even works when buying from sites in the USA etc..
a one time SMS is sent to a mobile phone that I use only for the 3D system..( I got another mobile phone just for G's and other net companies' two factor system after finally succumbing to their "nagging" ) each phone number costs only €2.00 per month..uses candy bar SMS capable mobile phones @ around $25.00 each or cheap smart phones..
Keep another for customers' incoming calls..another "smartphone" for business..and another "smartphone" for personal, family, friends and general surfing etc..
All together they weigh much much less than an old early days portable car phone ( here they were Radiocom 2000 ) and take up less space..and all together weigh even less and take up less space than my first motorola portable handset..
If you are going to use two factor authentication ..don't use your every day mobile phone number for it..and keep it ( or them ) as safe as you would your bank cards..
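incredibill's callback/SMS idea for help-desk resets and the 3D one-time SMS code described just above both rest on one check: prove possession of the phone number already on file before anything is reset, and treat billing address and last-4 as a prefilter only. The following Python sketch of such a help-desk flow is an added example written for this thread, not code from Apple, Amazon or the article; the account record, phone numbers and the SMS gateway callback are constructed stand-ins.

```python
import hashlib
import hmac
import secrets
import time

# Constructed account record standing in for what a help desk has on file (hypothetical data).
ACCOUNTS = {
    "mat@example.com": {
        "phone_on_file": "+15550100",
        "billing_addr": "1 Main St",
        "card_last4": "1234",
    },
}


class OutOfBandVerifier:
    """Sends a one-time code to the phone number on file and checks the caller's reply."""

    def __init__(self, send_sms, ttl_seconds=300):
        self.send_sms = send_sms   # callable(phone, message); the SMS gateway is abstracted away
        self.ttl = ttl_seconds
        self.pending = {}          # account -> (sha256(code), expiry)

    def start(self, account):
        code = f"{secrets.randbelow(10 ** 6):06d}"
        digest = hashlib.sha256(code.encode()).hexdigest()
        self.pending[account] = (digest, time.time() + self.ttl)
        # The code goes only to the number already on file, never to a number the caller supplies.
        self.send_sms(ACCOUNTS[account]["phone_on_file"], f"Password reset code: {code}")

    def check(self, account, reply):
        entry = self.pending.pop(account, None)   # single use: a wrong guess burns the code
        if entry is None:
            return False
        digest, expiry = entry
        if time.time() > expiry:
            return False
        return hmac.compare_digest(digest, hashlib.sha256(reply.encode()).hexdigest())


def handle_reset_call(account, caller_id, answers, verifier):
    """Help-desk decision for a phoned-in reset; returns an audit record with the decision."""
    rec = ACCOUNTS.get(account)
    if rec is None:
        return {"decision": "deny", "caller_id_match": False}
    # Billing address and last four card digits are a prefilter only: both leak easily
    # (receipts, other vendors' account pages), so matching them never completes a reset.
    if answers.get("billing_addr") != rec["billing_addr"] or answers.get("card_last4") != rec["card_last4"]:
        return {"decision": "deny", "caller_id_match": caller_id == rec["phone_on_file"]}
    # Caller ID is spoofable, so a match is only logged; possession of the phone on file
    # is proven by answering the code, whatever number the call came from.
    verifier.start(account)
    return {"decision": "pending_otp", "caller_id_match": caller_id == rec["phone_on_file"]}


def complete_reset(account, reply, verifier):
    """Issue the temporary password only after the out-of-band code is answered correctly."""
    return "reset_ok" if verifier.check(account, reply) else "deny"
```

A caller who knows the address and last four digits but is not holding the phone on file gets stuck at "pending_otp"; one wrong reply burns the code, so a second attempt has to start over and sends a fresh SMS to the real owner.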
|His time lines are off too.. |
|when some iDiots at Apple |
Apple products are marketed to idiots and they almost always have been. It's foolish to use any of their services.
This is definitely a good example of how NOT to connect online accounts.
Good story, you had me believing it until "lulz".
|my AppleID account was broken into, and my hackers used it to remotely erase all of the data on my iPhone, iPad, and MacBook |
Remote deleting shouldn't be possible, if it is disable it or use another service regardless of what service/device you are using.
|Had I used two-factor authentication for my Google account, it’s possible that none of this would have happened. |
Had you used two-factor authentication you may have protected your Google account and, subsequently, your twitter account but that would mean waiving yet a little more privacy to Google. Has anyone considered that Gmail and twitter accounts are in fact throw-away and you're better off protecting your phone number and home address from everyone INCLUDING Google as long as possible?
If you set up your accounts using different passwords and different dedicated email addresses known only to you (they are a dime a thousand) you can easily pinpoint the leak and close the accounts down quickly while using the others to alert your group to the NEW accounts you just created.
What I'm saying is protect your real name, phone number and address above all else (even from services and companies) and treat "online profiles" as the throw-away tools they really are (new ones are easy to come by).
Progress. Holes being plugged.
Amazon Closes Security Gap [wired.com]
|Amazon changed its customer privacy policies on Monday, closing security gaps that were exploited in the identity hacking of Wired reporter Mat Honan on Friday. |
Previously, Amazon allowed people to call in and change the email address associated with an Amazon account or add a credit card number to an Amazon account as long as the caller could identify him or herself by name, email address and mailing address — three bits of personal information that are easily found online.
On Tuesday, Amazon handed down to its customer service department a policy change that no longer allows people to call in and change account settings, such as credit cards or email addresses associated with its user accounts.
Apple Freezes Over-The-Phone Apple ID Password Reset [wired.com]
|Apple on Tuesday ordered its support staff to immediately stop processing AppleID password changes requested over the phone, following the identity hacking of Wired reporter Mat Honan over the weekend, according to Apple employees. |
An Apple worker with knowledge of the situation, speaking on condition of anonymity, told Wired that the over-the-phone password freeze would last at least 24 hours. The employee speculated that the freeze was put in place to give Apple more time to determine what security policies needed to be changed, if any.
|An Apple worker with knowledge of the situation, speaking on condition of anonymity, told Wired that the over-the-phone password freeze would last at least 24 hours. The employee speculated that the freeze was put in place to give Apple more time to determine what security policies needed to be changed, if any. |
As an Apple user I find the final two words very alarming, because:
1) A trusted Apple employee could even think such a plainly stupid thought.
2) Apple Executives put stupid people in authority.
3) Apple haven't yet realised how stupid its customers can be. Even me.
4) Some people are still not accustomed to excellence.