Gizmodo alumnus Mat Honan got hacked this weekend. It was bad. But that's not the worst part. Worse is that Apple knows exactly how easy this is, and hasn't done a thing to stop it. And Amazon accounts are in just as much danger.
How It Happened
Honan has a chilling account of Apple and Amazon's security flaws over at Wired today. He's actually been in contact with his hacker, "Phobia," and using the information he got there, has been able to confirm that Apple has been aware of the security issue. Here's how it works:
But what happened to me exposes vital security flaws in several customer service systems, most notably Apple and Amazon's. Apple tech support gave the hackers access to my iCloud account. Amazon tech support gave them the ability to see a piece of information - a partial credit card number - that Apple used to release information. In short, the very four digits that Amazon considers unimportant enough to display in the clear on the Web are precisely the same ones that Apple considers secure enough to perform identity verification. The disconnect exposes flaws in data management policies endemic to the entire technology industry, and points to a looming nightmare as we enter the era of cloud computing and connected devices.
To break that into a more digestible flow chart: Amazon or PayPal cough up the last four digits of your credit card. That gets you into an Apple account, and the .Me email account associated with it. That email account can be used to recover a Gmail account, and from there, you can probably access anything you want. It's really pretty terrifying.
Perhaps more disturbing is how aware Apple's tech support is of this:
Apple tech support confirmed to me twice over the weekend that all you need to access someone's AppleID is the associated email address, a credit card number, the billing address, and the last four digits of a credit card on file. I was very clear about this. During my second tech support call to AppleCare, the representative confirmed this to me. "That's really all you have to have to verify something with us," he said.
Today, Wired confirmed the technique works on other accounts. So, in actuality, if you use the same credit card on Amazon or PayPal as you do on Apple, you are exposed to the dead-simplest social hack in recent memory.
Apple refused comment to Wired on whether it is considering tightening its security protocol.
We already knew that Mat's account had been hacked without any brute force, but this level of negligence is totally nuts. For reasons passing understanding, Apple seems to have actually refused to enact simple policy changes to stop crippling, terrifying hacks from happening to its customers.
Update: We did not originally correctly note the scope of Wired's confirmation on Amazon's end. It was able to, on multiple occasions, not only access the last four digits of an account's credit cards with very limited, widely available information, but the account as a whole. This means a troll could max out every single active card, financially devastating the user. You could not ship to a new address, since that requires the full card number to be re-entered, but that is still deeply chilling to think about.
While Apple's techs say it has been aware of its situation for months, it's unclear if Amazon was aware of this loophole previously. Amazon did not comment to Wired about the matter, but we have reached out asking for further clarification.
How You Can Protect Yourself
In a vacuum, this is all absurd and awful. But here's how it pertains to you: You're at risk. You will, in all likelihood, not be targeted like Mat was, but that's no reason to leave yourself exposed. At this point, all we know is that Wired has confirmed Phobia's social hack works. Our best guess for how to protect yourself is to totally segregate all of your accounts. Don't send your password recovery emails to any other account you use. Don't use the same credit card on any two accounts. Don't use the same email address for multiple other services. Basically, strip the powerful interconnectivity out of your day-to-day internet existence. Oh, and turn off Find My Mac/Find My iPhone. And it is probably a good idea to remove all of your Amazon credit cards until we hear back.
From there, take all the normal security measures if you haven't already: turn on Google two-factor authentication, back up your data to an external drive, don't throw out any receipts with the last four digits of your credit card on them, and wait for an update to come.
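To make the flow chart above and the "segregate your accounts" advice concrete, here is an added example (not from this article, Wired, Apple or Amazon) that models accounts as a graph of what each one exposes and what each one accepts as proof of identity, then computes how far a single compromise spreads. The account names and artifacts are a constructed sample that mirrors the Amazon-to-Apple-to-email chain described above.

```python
from collections import deque

# Constructed sample, not data from the article. For each account: the artifacts
# someone who controls it can read, and the artifacts its support/recovery path
# accepts as proof of identity. An artifact that appears on both sides is a link.
ACCOUNTS = {
    "amazon":   {"exposes": {"card_last4"},     "accepts": set()},
    "apple_id": {"exposes": {"me_email_inbox"}, "accepts": {"card_last4"}},
    "gmail":    {"exposes": {"gmail_inbox"},    "accepts": {"me_email_inbox"}},
    "bank":     {"exposes": set(),              "accepts": {"gmail_inbox"}},
}


def recovery_edges(accounts):
    """(src, dst, artifact): controlling src satisfies dst's identity check."""
    edges = []
    for src, s in accounts.items():
        for dst, d in accounts.items():
            if src != dst:
                for art in sorted(s["exposes"] & d["accepts"]):
                    edges.append((src, dst, art))
    return edges


def blast_radius(accounts, start):
    """Every account reachable once `start` is compromised (breadth-first)."""
    adj = {}
    for src, dst, _ in recovery_edges(accounts):
        adj.setdefault(src, set()).add(dst)
    seen, queue = {start}, deque([start])
    while queue:
        for nxt in adj.get(queue.popleft(), ()):
            if nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    return seen - {start}


def stop_accepting(accounts, artifact):
    """Segregation step: no account treats `artifact` as proof of identity
    (e.g. a different card per account, or a recovery address nothing else reads)."""
    return {name: {"exposes": set(a["exposes"]),
                   "accepts": a["accepts"] - {artifact}}
            for name, a in accounts.items()}


if __name__ == "__main__":
    print("from amazon:", sorted(blast_radius(ACCOUNTS, "amazon")))
    hardened = stop_accepting(ACCOUNTS, "card_last4")
    print("after segregating the card:", sorted(blast_radius(hardened, "amazon")))
```

Run against your own list of accounts, the edges it prints are exactly the recovery links the advice above tells you to cut.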
We'll update you with any new information from Apple, or from Mat at Wired. But for now, you can read the full rundown of how something this egregious can happen, and then just lock down your entire online life until further notice. [Wired]