Apple, Amazon security questioned after hack
Published Wednesday, August 8, 2012 9:04AM EDT
Last Updated Wednesday, August 8, 2012 1:13PM EDT
The vulnerability of living a digital life "in the cloud" is in focus, after hackers proved the vulnerability of some popular online accounts that Internet users rely on everyday.
Wired reporter Mat Honan's AppleID was hijacked by hackers last week, enabling the identity thieves to take control of his iCloud account and remotely wipe the data from his Apple iPhone, iPad and Mac devices.
"In the space of one hour, my entire digital life was destroyed," Honan wrote in a blog post detailing his experience.
Honan says hackers intent on taking over his @mat Twitter account were able to wreak so much havoc because of the way his various online identities were woven together.
They started by following the link from his Twitter account to the Gmail address posted on his personal website. From there, the hacker went to his Gmail's Google account recovery page.
Honan concedes that his own failure to enable Google's two-factor login procedure, under which users must provide a code sent to their smartphone in addition to their user ID and password, meant the hacker could easily view the alternate e-mail he'd set for emergencies.
"Google partially obscures that information, starring out many characters, but there were enough characters available, m••••firstname.lastname@example.org," Honan wrote. "Jackpot."
From there, the unravelling continued when someone called Apple tech support claiming to be him and complaining of e-mail access issues. The caller was issued a temporary password, despite not answering his pre-arranged security questions, Honan said.
"(Apple) did this after the hacker supplied only two pieces of information that anyone with an internet connection and a phone can discover," Honan explained, highlighting that one of those pieces was a partial credit card number visible in his Amazon account.
The hackers had access to that, according to Honan's account, because under Amazon's security policy at the time, customers could change their password by telephone using their name, email address and mailing address as proof of identity.
Wired reports that, despite not yet issuing an official statement, Amazon has banned callers from making changes to their accounts over the phone.
In its own statement on the matter, Apple said it has temporarily suspended its customers' ability to reset their AppleID passwords by telephone.
"We're asking customers who need to reset their password to continue to use our online iForgot system," Apple spokesperson Natalie Kerris said in a statement to CTVNews.ca.
When Apple resumes its over-the-phone password resets, "customers will be required to provide even stronger identity verification to reset their password."
Honan said he was contacted online by a 19-year-old hacker “Phobia” he believes was involved. In exchange for a full account of how the hack went down, Honan agreed not to press charges.
"The hackers just wanted to embarrass me, have some fun at my expense, and enrage my followers on Twitter by trolling," he said.
Although the data lost may never be recovered, including photos of his young daughter that he had never backed up, Honan is treating his experience as a cautionary tale for others who started out years ago with an account to buy 99-cent songs on Apple's iTunes music store, and have since seen that ID turn into the foundation of an expanding digital lifestyle.
Keys to avoiding having your digital identity hijacked include:
- Enable two-factor authentication whenever possible. It'll mean an extra step as you input the code from your phone, but the account is much less likely to be hijacked. If that seems too much hassle every time you log on, accounts can be set up to "remember" you on a specific device for a specific length of time, which is fine so long as your machine isn't stolen or lost.
- Maintain unique passwords for your different online accounts. Memory challenges aside, it makes it harder for someone who gains access to one account to romp through the rest. Passwords should also be at least 8 characters long, with a combination of upper- and lower-case letters, numbers and even symbols.
- Don't use one ID to access all your accounts, either. Tempting as it is to use your Twitter credentials to log in to other online haunts, that makes it very easy for someone to reach those accounts too once they've cracked your security.
- And mind your security settings, particularly when accessing public WiFi hotspots. Using secure https login pages will keep others from sneaking a peek at your online activity.