This guy’s cloud burst.

How Apple and Amazon Security Flaws Led to My Epic Hacking

Never put all your eggs in one basket, or in one cloud.

The sad story of what happened to Mat Honan has been big news for the past ten days or so. All of his devices and data were interconnected via Apple’s iCloud, and they all got wiped clean within minutes. Here’s his story, in his own words. Excerpts:

Apple tech support gave the hackers access to my iCloud account. Amazon tech support gave them the ability to see a piece of information — a partial credit card number — that Apple used to release information. In short, the very four digits that Amazon considers unimportant enough to display in the clear on the web are precisely the same ones that Apple considers secure enough to perform identity verification . . .

It turns out, a billing address and the last four digits of a credit card number are the only two pieces of information anyone needs to get into your iCloud account. Once supplied, Apple will issue a temporary password, and that password grants access to iCloud.


GET OFF OF MY CLOUD
(M. Jagger/K. Richards)
Chorus

Hey! You! Get off of my cloud
Hey! You! Get off of my cloud
Hey! You! Get off of my cloud
Don’t hang around, baby, two’s a crowd

No technical skill was required to wipe out this guy’s e-life. The hacker(s) just needed patience, knowledge of customer service procedures at each provider, a method, a couple of lucky guesses, and a convincing telephone presence. We worry about the security of 128-bit encryption, or the virtues of SHA-2 (secure hash algorithm) versus SHA-1, when the most vulnerable part of any system is the humans who use it.

The fact that the authentication value of a credit card’s last four digits is zero at Amazon and significant at Apple is worrying. Apple claimed that a service rep didn’t follow its password reset procedure. In fact, the procedure WAS followed; it was just a flawed procedure. Apple has reportedly changed their customer service procedure for authenticating an account owner over the phone.
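The point in the two paragraphs above, that a "secret" one provider displays in the clear has no authentication value when another provider accepts it as proof of identity, can be checked mechanically. The following is an added illustration, not code from the original post or from either company: it models each service's phone reset procedure as a set of attributes a caller must recite, models each account as disclosing further attributes once it is open, and walks to a fixed point from what an outsider can learn publicly. The provider names, attribute names and reset rules are constructed for the example and do not describe any real company's actual procedure.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Provider:
    """One service's account-recovery procedure (constructed model)."""
    name: str
    # attributes a caller must recite before a rep issues a temporary password
    reset_requires: frozenset
    # attributes that become visible once the account is open
    discloses: frozenset = frozenset()


def recovery_audit(providers, public):
    """Fixed-point walk: starting from publicly learnable attributes, find
    every provider whose reset check is satisfied by what is already known,
    add whatever that account discloses, and repeat until nothing changes.
    Returns the exposed provider names (in the order reached) and the final
    set of known attributes."""
    known = set(public)
    exposed = []
    changed = True
    while changed:
        changed = False
        for p in providers:
            if p.name not in exposed and p.reset_requires <= known:
                exposed.append(p.name)
                known |= p.discloses
                changed = True
    return exposed, known


def effective_secrets(provider, providers, public):
    """Attributes in a provider's reset check that are neither public nor
    displayed by some other service: the only ones that carry any
    authentication value at all."""
    leaked = set(public)
    for other in providers:
        if other.name != provider.name:
            leaked |= other.discloses
    return provider.reset_requires - leaked


# Constructed sample data: names and attribute sets are illustrative only.
PUBLIC = frozenset({"name", "email", "billing_address"})

STORE = Provider("store",
                 reset_requires=frozenset({"name", "email", "billing_address"}),
                 discloses=frozenset({"card_last4"}))   # shown in the clear on order pages
CLOUD = Provider("cloud",
                 reset_requires=frozenset({"billing_address", "card_last4"}),
                 discloses=frozenset({"mailbox"}))
BANK = Provider("bank",
                reset_requires=frozenset({"mailbox", "card_last4", "ssn_last4"}))
# The same cloud provider after adding a secret no other service displays.
CLOUD_HARDENED = Provider("cloud",
                          reset_requires=frozenset({"billing_address", "card_last4", "account_pin"}),
                          discloses=frozenset({"mailbox"}))

WEAK = [STORE, CLOUD, BANK]
HARDENED = [STORE, CLOUD_HARDENED, BANK]

if __name__ == "__main__":
    for label, chain in (("weak", WEAK), ("hardened", HARDENED)):
        exposed, known = recovery_audit(chain, PUBLIC)
        print(f"{label}: exposed={exposed}")
        for p in chain:
            print(f"  {p.name}: effective secrets = {sorted(effective_secrets(p, chain, PUBLIC))}")
```

In the weak configuration the cloud provider's reset check has zero effective secrets, because both attributes it asks for are either public or displayed by the store, so the audit reaches it from public information alone; the bank is not reached because it also asks for something nothing else leaks. Adding a single attribute that no other service displays (the hardened variant) is what restores authentication value to the procedure; the audit is a cheap way to re-run that check whenever any provider in the chain changes what it shows or what it asks for.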
