|Home » Security
Honan Hack and Apple Naïvety
'Am I getting through yet?' By AlphaMack.
There is a lot to dig through in here.
How Apple and Amazon Security Flaws Led to My Epic Hacking
While I think that Honan is an idiot for being an 'expert', I cannot believe how awesomely stupid Apple is.
It turns out, a billing address and the last four digits of a credit card number are the only two pieces of information anyone needs to get into your iCloud account. Once supplied, Apple will issue a temporary password, and that password grants access to iCloud.
Emphasis mine. If you swipe a credit card and take a look at your receipt, guess what's on there? Yup, the last four digits of your credit card number. As for the billing address, all you need is Intelius, Zabasearch, Spokeo, etc.
We talked to Apple directly about its security policy, and company spokesperson Natalie Kerris told Wired, 'Apple takes customer privacy seriously and requires multiple forms of verification before resetting an Apple ID password. In this particular case, the customer's data was compromised by a person who had acquired personal information about the customer. In addition, we found that our own internal policies were not followed completely. We are reviewing all of our processes for resetting account passwords to ensure our customers' data is protected'.
More like sleeping through Social Engineering 101.
As of Monday, both of these exploits used by the hackers were still functioning. Wired was able to duplicate them. Apple says its internal tech support processes weren't followed, and this is how my account was compromised. However, this contradicts what AppleCare told me twice that weekend. If that is, in fact, the case - that I was the victim of Apple not following its own internal processes - then the problem is widespread.
- Don't trust the cloud. Ever.
- Don't buy into Apple's Kool-Aid.
- Back your shit up. Always.
- Back your shit up. Always. Especially when it comes to baby photos or other things of importance.
- Back your... Am I getting through yet?
The very four digits that Amazon considers unimportant enough to display in the clear on the web are precisely the same ones that Apple considers secure enough to perform identity verification.
- Mat Honan