Gizmodo alumnus Mat Honan got hacked this weekend. It was bad. But that's not the worst part. Worse is that Apple knows exactly how easy this is, and hasn't done a thing to stop it. And Amazon accounts are in just as much danger.
How It Happened
Honan has a chilling account of Apple and Amazon's security flaws over at Wired today. He's actually been in contact with his hacker, "Phobia," and using the information he got there, has been able to confirm that Apple has been aware of the security issue. Here's how it works:
But what happened to me exposes vital security flaws in several customer service systems, most notably Apple and Amazon's. Apple tech support gave the hackers access to my iCloud account. Amazon tech support gave them the ability to see a piece of information - a partial credit card number - that Apple used to release information. In short, the very four digits that Amazon considers unimportant enough to display in the clear on the Web are precisely the same ones that Apple considers secure enough to perform identity verification. The disconnect exposes flaws in data management policies endemic to the entire technology industry, and points to a looming nightmare as we enter the era of cloud computing and connected devices.
To break that into a more digestible flow chart: Amazon or PayPal cough up the last four digits of your credit card. That gets you into an Apple account, and the .Me email account associated with it. That email account can be used to recover a Gmail account, and from there, you can probably access anything you want. It's really pretty terrifying.
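That chain is worth writing down as a threat model rather than a paragraph, because the problem is structural: one service displays a value in the clear that another service treats as a secret. The script below is an added example, not code from the post or from Wired, Apple or Amazon. It models each account's recovery factors as a set, treats a factor one service displays after login as known once that account falls, and then asks which accounts are reachable from public information. The specific requirement sets (Amazon accepting an email address and billing address, the Apple ID factors listed in the quoted Wired passage) are assumptions for illustration, not verified policies. The second function shows the fix the post is asking for: add one factor to the Apple ID check that no other service shows, and the chain stops at the first link.

```python
"""Account-recovery chain threat model (added example, not from the original
article). Models the dependency the post describes: a verification factor
that one service shows in the clear is treated as a secret by another.
Service names, factor names and policies below are constructed for
illustration and are assumptions, not confirmed vendor behaviour."""

# Factors each account's recovery or identity-verification flow accepts.
# The Apple ID set follows the Wired quote in the post; the others are assumed.
RECOVERY_REQUIREMENTS = {
    "amazon":   {"email", "billing_address"},                 # assumed
    "apple_id": {"email", "billing_address", "card_last4"},   # per the post
    "me_email": {"apple_id"},                                  # mailbox comes with the Apple ID
    "gmail":    {"me_email"},                                  # assumed recovery address
}

# Factors a service displays once you are inside the account.
# The post's point: the card's last four digits are shown in the clear.
EXPOSED_BY = {
    "amazon": {"card_last4"},
}

# Assumed starting knowledge: things that are public or trivially found.
PUBLIC = {"email", "billing_address"}


def reachable_accounts(known, requirements=RECOVERY_REQUIREMENTS, exposed=EXPOSED_BY):
    """Return, in order, the accounts obtainable from the `known` factors.

    Gaining an account adds the account itself as a factor (it can serve as a
    recovery address for something else) plus whatever that account displays.
    The loop repeats until no further account's requirements are satisfied.
    """
    known = set(known)
    order = []
    progress = True
    while progress:
        progress = False
        for account, needs in requirements.items():
            if account not in known and needs <= known:
                known.add(account)
                known |= exposed.get(account, set())
                order.append(account)
                progress = True
    return order


def harden(requirements, account, extra_factor):
    """Copy the policy with `account` also demanding `extra_factor`.

    The mitigation is only effective if `extra_factor` is not something any
    other service displays; a second factor held only by the user qualifies.
    """
    hardened = {name: set(needs) for name, needs in requirements.items()}
    hardened[account].add(extra_factor)
    return hardened


def weak_factors(requirements=RECOVERY_REQUIREMENTS, exposed=EXPOSED_BY):
    """List (account, factor, shown_by) triples where a verification factor is
    displayed in the clear by some other account: the policy mismatch the post
    describes."""
    findings = []
    for account, needs in requirements.items():
        for factor in sorted(needs):
            for other, shown in exposed.items():
                if other != account and factor in shown:
                    findings.append((account, factor, other))
    return findings


if __name__ == "__main__":
    print("from public data:", reachable_accounts(PUBLIC))
    print("policy mismatches:", weak_factors())
    fixed = harden(RECOVERY_REQUIREMENTS, "apple_id", "user_held_second_factor")
    print("after hardening Apple ID:", reachable_accounts(PUBLIC, fixed))
```

Run as written it reports the full four-step chain from public data, flags `card_last4` as a factor Apple accepts that Amazon displays, and shows the chain cut to the single Amazon account once the Apple ID flow requires a factor nobody else shows. Any real policy review would replace the assumed sets with the actual ones, but the shape of the check is the same.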
Perhaps more disturbing is how aware Apple's tech support is of this:
Apple tech support confirmed to me twice over the weekend that all you need to access someone's AppleID is the associated email address, a credit card number, the billing address, and the last four digits of a credit card on file. I was very clear about this. During my second tech support call to AppleCare, the representative confirmed this to me. "That's really all you have to have to verify something with us," he said.
Today, Wired confirmed the technique works on other accounts. So, in actuality, if you use the same credit card on Amazon or PayPal as you do on Apple, you are exposed to the dead-simplest social-engineering hack in recent memory.
Apple refused comment to Wired on whether it is considering tightening its security protocol.
We already knew that Mat's account had been hacked without any brute force, but this level of negligence is totally nuts. For reasons passing understanding, Apple seems to have actually refused to enact simple policy changes to stop crippling, terrifying hacks from happening to its customers.