Apple Support and Anti-Social Engineering

When Infosecurity Magazine originally wrote about the attack on Mat Honan, the focus was on Apple’s culpability, though it’s become clearer since that there’ve been a multitude of security sins committed here that weren’t all Apple’s (notably Amazon and Honan himself). But clearly there is an issue. Honan reports:

“In response, Apple issued a temporary password. It did this despite the caller’s inability to answer security questions I had set up. And it did this after the hacker supplied only two pieces of information that anyone with an internet connection and a phone can discover.”

Apple’s initial (official) reaction has been to suspend its service for resetting passwords over the phone: hopefully, if it decides to reinstate the service, it will not only tighten up protocols for authenticating the user but also incorporate the lessons learned from this incident into training for support staff. It appears that all that was necessary for this breach was an email address, a billing address, and the last four digits of the credit card that was on file: enough to persuade an over-helpful staff member of the scammer’s bona fides.

Sadly, education is never a quick fix: it’s easy to tell people about a particular social engineering ploy – in fact, Kevin Mitnick’s “The Art of Deception” is basically a collection of anecdotes and scenarios. It’s much harder to teach all-round scepticism to counter the gullibility I described at the time as the wetware vulnerability for which there is no patch but education. Not that there’s a guaranteed defence against a clever social engineer when luck is on his side. In fact, there’s something very Mitnick about aggregating material from several sources in order to take the final step in the con: sometimes this type of combination is called a data aggregation attack.

Unfortunately, that’s a very difficult attack to defend against, because the whole (in terms of sounding convincing) is greater than the sum of the parts. If you can’t teach staff to be uncharitably reluctant to take a scammer’s entreaties at face value, your only recourse is to tighten authentication protocols to the point where no single data item the caller is asked for can be obtained from other sources. And in a market where convenience tends to be prioritised over security, that’s probably not very feasible, especially if you take into account the weakest link (the one between the keyboard and the office chair...).

But as we’ve seen all too often in recent months, it doesn’t matter how careful the end user is with his own data if the provider isn’t at least as diligent.
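The "tighten the protocol" recourse above can be made concrete: a support-desk verification policy that records, for each factor a caller is asked for, whether it is the kind of fact a third party could collect from elsewhere, and that refuses to let any number of such facts stand in for one factor only the account holder should hold. The following is an added illustration written for this article, not Apple's procedure or any vendor's real code; the factor names, the "discoverable elsewhere" classification and the scenarios are assumptions constructed to mirror the reset described in the text.

```python
"""Toy support-desk verification policy (added example, not a vendor's code).

Models the failure mode in the article: email address, billing address and the
last four card digits can each be gathered from other sources, so presenting all
three together is still no evidence that the caller is the account holder.
"""
from dataclasses import dataclass, field
from typing import Dict, List


@dataclass(frozen=True)
class Factor:
    description: str
    # True if someone other than the account holder could plausibly obtain it
    # (receipts from another merchant, public records, social profiles).
    discoverable_elsewhere: bool


# Assumed factor catalogue for the example; a real desk would maintain its own.
FACTORS: Dict[str, Factor] = {
    "email": Factor("email address on the account", True),
    "billing_address": Factor("billing address on file", True),
    "card_last4": Factor("last four digits of the card on file", True),
    "security_answers": Factor("answers to the account's security questions", False),
    "code_to_verified_phone": Factor("one-time code sent to the phone number on file", False),
}


@dataclass
class Decision:
    allowed: bool
    reason: str
    flags: List[str] = field(default_factory=list)  # items worth logging/escalating


def evaluate_reset_request(presented: Dict[str, bool]) -> Decision:
    """Decide whether a phone reset may proceed.

    presented maps a factor key to whether the caller satisfied it. A reset is
    allowed only if at least one non-discoverable factor passed and none failed;
    discoverable facts never compensate for a missing or failed secret factor.
    """
    unknown = set(presented) - set(FACTORS)
    if unknown:
        raise ValueError(f"unknown verification factor(s): {sorted(unknown)}")

    secret_passed = [k for k, ok in presented.items()
                     if ok and not FACTORS[k].discoverable_elsewhere]
    secret_failed = [k for k, ok in presented.items()
                     if not ok and not FACTORS[k].discoverable_elsewhere]
    public_passed = [k for k, ok in presented.items()
                     if ok and FACTORS[k].discoverable_elsewhere]

    flags: List[str] = []
    if secret_failed:
        flags.append("caller failed secret factor(s): " + ", ".join(secret_failed))
    if public_passed and not secret_passed:
        # This is the data-aggregation pattern: several public facts, nothing private.
        flags.append(f"{len(public_passed)} discoverable fact(s) offered as the only evidence")

    if secret_failed:
        return Decision(False, "a factor only the account holder should know was answered wrongly", flags)
    if not secret_passed:
        return Decision(False, "no factor presented that cannot be obtained from other sources", flags)
    return Decision(True, "verified by " + ", ".join(secret_passed), flags)


# Constructed scenarios, not real account data.
AGGREGATED_PUBLIC_FACTS = {"email": True, "billing_address": True,
                           "card_last4": True, "security_answers": False}
LEGITIMATE_HOLDER = {"email": True, "security_answers": True}
PUBLIC_ONLY = {"email": True, "billing_address": True}

if __name__ == "__main__":
    for label, scenario in [("aggregated public facts", AGGREGATED_PUBLIC_FACTS),
                            ("legitimate holder", LEGITIMATE_HOLDER),
                            ("public facts only", PUBLIC_ONLY)]:
        d = evaluate_reset_request(scenario)
        print(f"{label}: allowed={d.allowed} reason={d.reason!r} flags={d.flags}")
```

The point of the `flags` list is that a refusal is also a detection opportunity: a caller who clears every public fact and stumbles only on the secret factor is the signature of exactly the aggregation the article describes, and that pattern is worth escalating rather than silently retrying.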
