It was the extent and the damage done to a private citizen – not some huge impersonal corporation – that has taken the world by surprise. If it can happen to a tech journalist who understands technology, it can happen to any one of us. That is the message.
Thanks to Honan’s openness, security experts have been able to analyse exactly what happened. In a nutshell, bits and pieces of information from various sources enabled the hacker to gather all the information necessary to social engineer Apple support into handing over Honan’s AppleID password, giving access to his iCloud account. From Twitter, the hacker found Honan’s personal website. From the website he got Honan’s Gmail address. From Google, the hacker learnt that Honan had an iCloud account. That would be the target.
AppleCare phone support required name, email, billing address, and the last four digits of the bank card they held on file. The hacker already had the first two. He did a WHOIS lookup on Honan’s web address, and got the billing address – just leaving the last four digits of Honan’s bank card. For this the hacker socially engineered Amazon. The bottom line here is that he got into Honan’s Amazon account which displays those last four digits.
With everything he needed, he contacted Apple support (name, email, billing address and the last four digits of Honan’s bank card) and asked for and received an AppleID password reset over the phone. Sophisticated and lengthy social engineering got him in – but then the very interlinked nature of the cloud enabled the extent of the damage inflicted.
Rob Sobers of Varonis explains what we need to learn. “Back up your data. No excuses. Have multiple backups,” he says. “Go enable two-factor authentication for your gmail account... now!” he adds. For online stores such as Amazon, he suggests deleting any stored bank card details. “Yes, it’s painful to have to enter your credit card information every time you place an order, but is it as painful as having your digital identity stolen?” he asks. (Note that this isn’t always possible since some companies – such as Apple – require you to store your details with them.)
But Sobers concludes with a general warning about the cloud. “So many systems are interconnected in the cloud making things more convenient than ever before, but we have to realize that this same interconnectedness makes security exponentially harder. Passwords are no longer good enough – not for the important stuff. If Apple, Amazon, and (to a much lesser extent) Google – companies with a combined market cap of 900B – can’t get security right, what are the lesser known providers doing?”
Honan believes that much of the damage was collateral, caused by this power of the cloud. “The target was always Twitter. My MacBook data was torched simply to prevent me from getting back in.” Speaking after the penultimate performance of “The Agony and the Ecstasy of Steve Jobs” in Washington, Apple co-founder Steve Wozniak told the audience, “I really worry about everything going to the cloud. I think it's going to be horrendous. I think there are going to be a lot of horrible problems in the next five years.”
16 August 2012
This is kind of a sad story, but I hope it serves as a kick in the pants that some companies and individuals need to kick this complacent attitude about authentication and passwords. It is easy to blame both of the big guys (A+A) who some would say screwed him over, but he still needs to blame himself for failing himself. One simple thing like activating the Gmail two-step authentication could have prevented a whole lot of this headache. If you don’t trust the site, don’t use it. We have heard a million times: don’t use the same passwords, back up your info, then there is two-factor authentication. 2FA was an option that was made available to him and he did not see the need or want to take the time to set it, so it is his own fault. But the sad fact is there are millions of people just like him who are not taking this advice and are going to pay the same price or one even higher. An article I found posted on telesign.com mentioned some other good points about how we all need to be more proactive about our personal account security. Take a look: http://www.telesign.com/news-and-events/blog/5-easy-password-best-pratices-to-protect-yourself-from-a-hack