It was the extent and the damage done to a private citizen – not some huge impersonal corporation – that has taken the world by surprise. If it can happen to a tech journalist who understands technology, it can happen to any one of us. That is the message.
Thanks to Honan’s openness, security experts have been able to analyse exactly what happened. In a nutshell, bits and pieces of information from various sources enabled the hacker to gather everything necessary to socially engineer Apple support into handing over Honan’s AppleID password, giving access to his iCloud account. From Twitter, the hacker found Honan’s personal website. From the website he got Honan’s Gmail address. From Google, the hacker learnt that Honan had an iCloud account. That would be the target.
AppleCare phone support required name, email, billing address, and the last four digits of the bank card they held on file. The hacker already had the first two. He did a WHOIS lookup on Honan’s web address, and got the billing address – just leaving the last four digits of Honan’s bank card. For this the hacker socially engineered Amazon. The bottom line here is that he got into Honan’s Amazon account which displays those last four digits.
With everything he needed, he contacted Apple support (name, email, billing address and the last four digits of Honan’s bank card) and asked for and received an AppleID password reset over the phone. Sophisticated and lengthy social engineering got him in – but then the very interlinked nature of the cloud enabled the extent of the damage inflicted.
Rob Sobers of Varonis explains what we need to learn. “Backup your data. No excuses. Have multiple backups,” he says. “Go enable two-factor authentication for your gmail account... now!” he adds. For online stores such as Amazon, he suggests deleting any stored bank card details. “Yes, it’s painful to have to enter your credit card information every time you place an order, but is it as painful as having your digital identity stolen?” he asks. (Note that this isn’t always possible since some companies – such as Apple – require you to store your details with them.)
But Sobers concludes with a general warning about the cloud. “So many systems are interconnected in the cloud making things more convenient than ever before, but we have to realize that this same interconnectedness makes security exponentially harder. Passwords are no longer good enough – not for the important stuff. If Apple, Amazon, and (to a much lesser extent) Google – companies with a combined market cap of 900B – can’t get security right, what are the lesser known providers doing?”
Honan believes that much of the damage was collateral, caused by this power of the cloud. “The target was always Twitter. My MacBook data was torched simply to prevent me from getting back in.” Speaking after the penultimate performance of “The Agony and the Ecstasy of Steve Jobs” in Washington, Apple co-founder Steve Wozniak told the audience, “I really worry about everything going to the cloud. I think it’s going to be horrendous. I think there are going to be a lot of horrible problems in the next five years.”