Amazon and Apple have both taken serious steps today in response to the news of how Mat Honan was hacked, an attack carried out not with brute force but with social engineering: the attackers tricked Apple and Amazon support staff into giving out pieces of account information and resetting passwords. Amazon reacted first and arguably more decisively, enacting a new security policy under which users can no longer change account settings (such as credit card information and email addresses) over the phone.
Apple has meanwhile enacted a 24-hour freeze on resetting account passwords over the phone whilst they review their security practices. When Wired then tried to reset an AppleID password through Apple support staff on the phone, the representative said “Right now, our system does not allow us to reset passwords. I don’t know why”.
An Apple worker with knowledge of the situation, speaking on condition of anonymity, told Wired that the over-the-phone password freeze would last at least 24 hours. The employee speculated that the freeze was put in place to give Apple more time to determine what security policies needed to be changed, if any.
Mat Honan: How Apple and Amazon Security Flaws Led to My Epic Hacking
You may have heard about Mat Honan (Wired writer) being hacked last week: his Twitter account was compromised and the hackers used iCloud to remotely wipe his iPhone, iPad and Mac. Today he has written a detailed article on Wired that goes through exactly how the hackers gained access to all of it. The scary thing is that it was done not by brute force but by using social engineering to trick Apple and Amazon support staff.
But what happened to me exposes vital security flaws in several customer service systems, most notably Apple’s and Amazon’s. Apple tech support gave the hackers access to my iCloud account. Amazon tech support gave them the ability to see a piece of information — a partial credit card number — that Apple used to release information. In short, the very four digits that Amazon considers unimportant enough to display in the clear on the web are precisely the same ones that Apple considers secure enough to perform identity verification. The disconnect exposes flaws in data management policies endemic to the entire technology industry, and points to a looming nightmare as we enter the era of cloud computing and connected devices.
It is undoubtedly a scary story about the perils of putting our entire lives in the hands of a cloud service, because physical access is now less necessary than ever to wreak havoc. It is also a timely reminder to use strong, unique passwords, to isolate critical accounts from one another (so that one compromised account, such as your email or a recovery address, cannot be used to reset the others), and to keep local backups wherever feasible as a last resort should something similar happen to you.
My experience leads me to believe that cloud-based systems need fundamentally different security measures. Password-based security mechanisms — which can be cracked, reset, and socially engineered — no longer suffice in the era of cloud computing.