How Apple and Amazon Security Flaws Led To Mat Honan's Identity Theft
An anonymous reader writes "The story behind the hacking of Mat Honan's multiple accounts has been revealed and points to massive failures in how Amazon and Apple handle password recovery. Accounts for both sites can be easily accessed with simple to find publicly available information. If you ask me, both companies should be liable for violating privacy laws."
"In short, the very four digits that Amazon considers unimportant enough to display in the clear on the web are precisely the same ones that Apple considers secure enough to perform identity verification."
Every industry standard I know of hides the first 12 digits with * and shows the last 4 or 5 (yes, it would be better to hide all of them, but the client might need to recognize the CC number for some reason). Who in their right mind would consider that secure? Apple, apparently.
I would argue that the biggest benefit of using free services (like GMail) is they offer no or crap phone support! Thus making it very difficult for a hacker to social engineer their way into your account.
Every e-commerce company in the world that allows you to store your card info will display the last four digits of your card number, because what other option is there? What other unique determinant could you possibly display in order to allow people to select one card from a set? There's nothing at all insecure about that on its own, and it's silly to pretend as though everyone else becomes liable for Apple's crappy security policy. This is way more about a.) How one guy had a bad personal password policy, b.) poor security training for Apple support staff and poor security policies at Apple, and c.) How stupid it is to make any of your data deletable remotely. "There's this option to wipe all my data on Apple's site, and then these evil hax0rs totally did it, and I didn't have backups" does not translate into "Amazon has bad security policy".
The remote delete feature is the dumbest of dumb features I've ever heard of. That alone is a good reason not to use Apple products.
Excuse me, but please get off my Pennisetum Clandestinum, eh!
As the author admits: anyone with access to your card number (even the waiter at the restaurant) and a phone book has enough information to satisfy Apple's "security" procedures.
From Wikipedia article (Data Protection Directive - Comparison with US data protection law):
"The United States prefers what it calls a 'sectoral' approach to data protection legislation, which relies on a combination of legislation, regulation, and self-regulation, rather than governmental regulation alone.[10] Former U.S. President Bill Clinton and former Vice-President Al Gore explicitly recommended in their "Framework for Global Electronic Commerce" that the private sector should lead, and companies should implement self-regulation in reaction to issues brought on by Internet technology." (emphasis added)
I never could really understand how this companies-should-self-regulate idea could work, and to this day it hasn't really proven to work. If companies are left to roam freely, then there's really nothing (good or bad) you can really expect from them, and even if one seems OK, they can change their policies from one second to the next and you're screwed.
Nobody in their right minds would trust all of their data exclusively and only to a company (yes, you know, that "cloud" you like so much is operated by one or more companies with data protection and privacy policies changing by the weather). If you do so, something like the original article mentions can happen anytime.
I'm not saying you shouldn't use the "cloud" (how I hate that word, oh my), but you should never trust and rely on it completely without any (or weak and borderline useless) fallback. Remember, it's your data, it's your life, protect it as you would protect anything that you own and hold precious.
Thing is, since computing and PCs have become everyone's tools and don't require in-depth tech knowledge, it's pretty easy to get average users to use and rely on such services. It's simple, they don't really know what they are getting into. And it's for this reason that it's sad to see a more knowledgeable person (i.e. the article writer) fail so terribly.
Always remember, just because so many people are hooked to it and it's easy to use, that doesn't mean it's safe and reliable. It's not.
This isn't a new problem... This guy was naive/careless at best for not using multifactor authentication. But hey, at least his new article is getting some traffic, not that anyone will ever take him seriously again.
Not backing up data, able to get Amazon account data with 2 phone calls, able to get an Apple/Google/whatever password reset with just a little bit of work. They could have also stolen his CC statement from his mailbox, as well as a utility bill, and got part of the way to getting a new credit PIN or driver's license and, after a bit of time, a new passport. This sort of hacking is not new, just different. Once the security questions used to be the standard 3: your mum's maiden name, your city of birth, and your first pet/car/whatever; now the answers are often online or traceable via Facebook. The blame should be shared amongst everyone, including the person who did the hacking. Excuse me, I have to back up my computers.
Something I haven't seen through reporting of this is why Mat Honan was targeted, was it the Gizmodo / Wired connection or something more sinister directed at him?
Yes, the same Mat who did not back anything up locally or (shudder to think) redundantly, is an expert. If this sorry excuse is what passes for an expert, I think my grandma has a good chance at a new career.
What an idiot.
This is a very good article, every /. nerd worth his honors should read it. It's pushed my paranoia levels almost up to normal again. That alone was worth the time. I've been dragging out that backup HDD for my MB Air for far too long and will now change that.
I'm also going to solidly review my online presence and accounts, and how they could be linked. And fix any problems that pop up.
Bottom line: Read the article, it's a healthy wake-up call and if you're like me, you need that once in a while.
My 2 cents.
That's why I generally just feed random data into these fields (treat them like a pw field, except not saving the value).
Amazon allowed a bogus card to be added to the account because all they did was check the check-digit, rather than doing that as step one, and then doing an authorization hold/authorization release after requiring the security code from the back of the card as step 2. This would have correlated the billing address and card number in the credit card company database, which would have failed, flagging it as a bogus card.
After this, a second call to Amazon using the bogus card information plus the (already known) billing information got them a password reset, again without them issuing an authorization hold/authorization release. And THAT is where they got the last 4 digits of the (actual) non-bogus credit card number to give to Apple. Admittedly, it's possible that this would cost a web site (other than Amazon, who owns their own payment provider) a transaction fee to do, but they could always require a transaction fee billed to the card being used as identification as part of the recovery process. For example, it looks like Norton Antivirus allows the same thing (just do a quick search for the phrase "the credit card number ending in", you'll see a bunch of people wondering about charges to cards they never registered with various services).
Apple using the last 4 digits as an identity verification was screwed up, but it wasn't information the bad guys had without Amazon's help, in this case.
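The two checks this post contrasts, a check-digit test versus an authorization hold, as an added example (not code from the thread, nor Amazon's or Apple's). The issuer records, the request type and the policy functions are assumptions built for illustration; the card numbers are the widely published test numbers, not real cards.

```python
# Added example (not code from the original thread, nor Amazon's or Apple's).
# Contrasts the two checks the comment describes: a Luhn check-digit test,
# which any well-formed number passes, and an authorization hold that the
# issuer matches against the billing address on file. ISSUER_RECORDS is a
# constructed stand-in for the issuer's database; the card numbers are the
# widely published test numbers, not real cards.
from dataclasses import dataclass
from typing import Dict, Optional


def normalize(number: str) -> str:
    """Strip spaces and dashes so formatted input is accepted."""
    return "".join(ch for ch in number if ch.isdigit())


def luhn_valid(number: str) -> bool:
    """True if the digit string satisfies the Luhn (mod 10) checksum.
    This is an integrity check against typos, not proof the card exists."""
    digits = [int(ch) for ch in normalize(number)]
    if len(digits) < 13:  # shorter than any real card number
        return False
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:  # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


# Constructed issuer records: card number -> billing address on file.
ISSUER_RECORDS: Dict[str, str] = {
    "4111111111111111": "1 Example Street, Springfield",
}


@dataclass
class AddCardRequest:
    number: str
    billing_address: str


def accept_check_digit_only(req: AddCardRequest) -> bool:
    """Weak policy: the card is added if the number is merely well-formed."""
    return luhn_valid(req.number)


def authorization_hold(req: AddCardRequest,
                       records: Optional[Dict[str, str]] = None) -> bool:
    """Simulated auth hold / release: the issuer must know the card and the
    billing address must match its records (an AVS-style comparison)."""
    records = ISSUER_RECORDS if records is None else records
    on_file = records.get(normalize(req.number))
    return on_file is not None and on_file == req.billing_address


def accept_with_authorization(req: AddCardRequest) -> bool:
    """Stronger policy the comment proposes: Luhn first, then an auth hold."""
    return luhn_valid(req.number) and authorization_hold(req)


if __name__ == "__main__":
    # Well-formed number the issuer has never seen: passes step 1, fails step 2.
    unknown = AddCardRequest("4242 4242 4242 4242", "1 Example Street, Springfield")
    print("check-digit only:", accept_check_digit_only(unknown))
    print("with auth hold:  ", accept_with_authorization(unknown))
```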
Moreover, if your computers aren't already cloud-connected devices, they will be soon. Apple is working hard to get all of its customers to use iCloud. Google's entire operating system is cloud-based. And Windows 8, the most cloud-centric operating system yet, will hit desktops by the tens of millions in the coming year. My experience leads me to believe that cloud-based systems need fundamentally different security measures. Password-based security mechanisms, which can be cracked, reset, and socially engineered, no longer suffice in the era of cloud computing.
Cloud services can be compromised without using your password, and the two big OS manufacturers are pushing people to entrust their most valuable information to the cloud. The problem with this, he observes, is that passwords are not sufficiently secure.
He writes for a technophile journal, making recommendations to people who trust his expertise, about how to use technology. He was just bitten, quite seriously, by the exact problem with trusting the cloud. He holds the specific role that is supposed to warn the humble masses about threats like this, and he blames password security.
I think Woz understated the threat.
At first I was aghast at how they could implicate Amazon for revealing the last 4 digits of your card, when they appear in every transaction receipt printed etc.
However, after reading TFA it is obvious that Amazon has a serious security flaw as well that they need to address. It seems that you can call Amazon support knowing only the name, email and billing address of a person and add a bogus credit card number to their file. Then you call back and tell them you can't access your account, and they will let you add a new email address to reset your password, using the credit card number you had just added as verification of your identity!
True, Amazon showing the last 4 digits of your CCs on your account is not a problem, but giving access to your account to a person armed only with knowledge of your name, address and email is a serious flaw.
The summary and even the article don't make it that clear what the problem is with Amazon, you have to read through TFA.
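The chained recovery path this post walks through, modelled as an added example (not code from the thread or from Amazon or Apple). The step names, fact names and the hardening applied are assumptions built from the story; the run shows which accounts a caller holding only public facts reaches, and which single added requirement breaks the chain.

```python
# Added example (not code from the original thread or from any company).
# It models the recovery chain the comment describes as a small dependency
# graph: each recovery step needs some facts and, if it succeeds, yields
# new facts. Starting from facts that are public, a fixed-point walk shows
# which accounts become reachable, and which single added requirement
# breaks the chain. Step names, facts and policies are a constructed model
# of the story, not any company's actual procedure.
from typing import Dict, FrozenSet, Iterable, List, Set, Tuple

# step name -> (facts required, facts gained on success)
Policy = Dict[str, Tuple[FrozenSet[str], FrozenSet[str]]]

STEPS: Policy = {
    "amazon: add card by phone":
        (frozenset({"name", "email", "billing_address"}),
         frozenset({"amazon_card_on_file"})),
    "amazon: password reset by phone":
        (frozenset({"name", "email", "billing_address", "amazon_card_on_file"}),
         frozenset({"amazon_account", "card_last4"})),
    "apple: password reset":
        (frozenset({"email", "billing_address", "card_last4"}),
         frozenset({"apple_account"})),
    "gmail: reset via apple backup address":
        (frozenset({"apple_account"}), frozenset({"gmail_account"})),
    "twitter: reset via gmail":
        (frozenset({"gmail_account"}), frozenset({"twitter_account"})),
}

# Facts the story treats as findable by anyone (aggregator sites, receipts).
PUBLIC_FACTS: Set[str] = {"name", "email", "billing_address"}


def reachable(known: Iterable[str], steps: Policy) -> Tuple[Set[str], List[str]]:
    """Apply every step whose requirements are met until nothing changes.
    Returns the full set of facts obtained and the steps used, in order."""
    facts = set(known)
    trace: List[str] = []
    changed = True
    while changed:
        changed = False
        for name, (required, gained) in steps.items():
            if name not in trace and required <= facts:
                facts |= gained
                trace.append(name)
                changed = True
    return facts, trace


def exposed_accounts(public: Iterable[str], steps: Policy = STEPS) -> List[str]:
    """Accounts a caller holding only the given facts can end up controlling."""
    facts, _ = reachable(public, steps)
    return sorted(f for f in facts if f.endswith("_account"))


def harden(steps: Policy, extra: Dict[str, Set[str]]) -> Policy:
    """Copy of the policy with additional required facts on the named steps,
    e.g. a second factor that is not derivable from other accounts."""
    out = dict(steps)
    for name, more in extra.items():
        required, gained = out[name]
        out[name] = (required | frozenset(more), gained)
    return out


if __name__ == "__main__":
    print("as described:", exposed_accounts(PUBLIC_FACTS))
    fixed = harden(STEPS, {"gmail: reset via apple backup address": {"second_factor_device"}})
    print("with 2FA on the mail account:", exposed_accounts(PUBLIC_FACTS, fixed))
```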
You're entrusting your entire digital life to these people.
If you want real security, get a blackberry. It's a device that you control, not the manufacturer.
Until recently, I wasn't even aware GMail offered 2-factor authentication. I think it was a little note on the login screen one day that told me it even existed.
I did set it up immediately, as my entire life runs through that account, but had been running for years without it.
Naw, I didn't miss that part, I just don't think it makes an argument for this being a failure of Amazon security policy. Given that you need to know someone's account email address (how hard is it to do foo+amazon@dingleberry.com, or some other not-easily-guessed email address?), billing address, etc, to even get an Amazon rep to talk to you, the protections on that front seem sufficient (maybe not best, but sufficient) to me. Running an auth/void doesn't really work either. Sure, Amazon has their own payment gateway, but that doesn't make it free, it just makes it cheaper for them. Given the volume of cards that they accept into their system every day, running two transactions on each would pretty quickly jack up costs considerably. For subscription services like Norton, that might make sense, because the overall transaction volume is fairly low, but for Amazon, that bill would get pretty big.
Now, compare Amazon's relatively reasonable, if not super awesome, procedures to Apple's, where all you need is the last four in order to get access to all data and devices, and tell me this is still an Amazon problem.
I must admit it does amuse me a little to see a smug Apple fanboy so crushed by the realisation that Apple doesn't really care about him or his security. The moral is not to daisy-chain all your accounts together so snugly.
Are you stupid? To get access to someone's Amazon account you need their email address and billing address. To get access to someone's Apple account you need their email address, billing address, and last 4 of their CC. Both of these systems are stupidly insecure, but it is pretty goddamn obvious Amazon's is the worse.
From what I see here, the main problem was Apple's security protocol, with Amazon coming in a close second... All other things he could really have protected himself against, using two-factor authentication on Google and so on. But you can't protect yourself from a company finding easily obtainable information good enough to just hand over control of your account.
As far as I'm concerned Apple should be liable for damages in this case. They have acted as a gatekeeper, portrayed a sense of security, and then been blatantly lax in security.
What does the law say about a case where I hand over say my credit card information to a merchant and they act carelessly with it, thus allowing it to be intercepted by a criminal? Say I go to a restaurant and they take my card and then let it lay around on the counter for half an hour for anyone to see, scan, steal?
Well, at least Amazon has a support procedure 'Add a credit card to an account by phone call' that has no valid uses, since you can do that online. The only use case seems to be to hack into Amazon accounts.
The problem here is that for the average Internet user, if you have someone's Amazon email address, you pretty much automatically have access to that person's Amazon account. Not everyone has multiple email accounts, and the billing address and name can be gotten from aggregators like http://www.spokeo.com/.
At that point the person can gain access to the user's Amazon account and simply go on a shopping spree at the user's expense. Getting into an iTunes account with the same email is just a bonus.
I would argue Apple's security questions are no worse than most security questions from other vendors. Most info that is asked by companies to protect your data can be mined off the web via various methods. Unless you've lived in a hole and have no credit history, etc., there is a trail and a clever person can find the answers.
That's why I make up my answers per account, there's no way to find the answers unless you have access to my physical system with encrypted docs.
But let's be real, normal people won't go this far or be this paranoid!!
Are you stupid? To get access to someone's Amazon account you need their email address and billing address. To get access to someone's Apple account you need their email address, billing address, and last 4 of their CC. Both of these systems are stupidly insecure, but it is pretty goddamn obvious Amazon's is the worse.
But what is Amazon protecting?
1) The ability to order goods using my credit card to be delivered to my registered address
2) The ability to order virtual goods using my credit card (music, ebooks, gift certificates).
1) doesn't really help the fraudster. 2) might, but they're difficult to resell and Amazon probably don't care about refunding these purchases -- they're very low value
Now, what is Apple protecting?
1) Everything using that email address
2) All Apple equipment registered to the account, and all files on that equipment
You forgot
3) The ability to takeover your Apple account
So clearly, Amazon is worse than Apple because Amazon is Apple and more!
It's a fool who places their security in someone else's hands. Especially in people whose education level is far below the yoke of responsibility placed upon them for the task. I'm not trying to be offensive, but is anyone stupid enough to believe that iApple would spend the thousands of dollars necessary to educate their cheap labor in these matters?
If you have a device that can be remotely controlled by a corporation like iApple, this will always happen. iApple has no liability whatsoever. None. Nada. Clear? People forget that these devices are nothing more than convenience toys. Yes, they are toys. Useful sometimes, but toys.
This will always be the case until laws like the Fair Credit Reporting Act are passed to cover things like this. But, we know those things won't happen in the post-Bush era we live in.
The most upsetting thing about this article is that he doesn't even understand his potential loss. He's an idiot, I'm sad to say. He mentions it himself in his article, but he doesn't even realize the danger he's placed his most precious possession in.
Here's why - He claims that they were after his twitter account - this may be true; there aren't enough facts to determine this. Suppose they/he were after a living entity? Is anyone stupid enough to believe this can't happen? With all of the personal info people are exposing unprotected on their devices, a perp in a candy store would have a harder time taking a candy bar...
Tinfoil you say. It hasn't happened yet, it can - and a terrible tragedy and loss to the family that it happens to...
We're led to think this is all a game by marketing - we'll protect your life they say to us with their smugness as they take our money. "I've got back ups - I'm protected." There are some things you can't back up. Honestly, I don't know how we've got to this point. It's scary and sad - we're letting Corporations decide our personal safety. We're bullied into believing they have our best interests in hand. We've accepted the lie and pay for it, too. This is absolutely insane.
I know this was a dark post; I wish people would realize the reckless stupidity they're engaged in...
The big thing is that credit card companies identify you by knowledge that is available through good research, which is now much cheaper than 20 years ago.
They say the cost of hacking must be bigger than the profit of hacking past security costs; that is not true when it comes to password recovery.
Wasn't Sarah Palin's email account hacked that same way?
And once they have complete access to your Amazon account, they can't just change the physical shipping address why?
Just because the question is "What's your mother's maiden name?" doesn't preclude you answering with a 64-character random hash.
My bottom line take-away from this is that the most fundamental level of security these days is your primary e-mail account. If you don't have two-factor authentication on it, you are asking for trouble. Relying on one-factor authentication for your primary e-mail seems to be almost as bad as failing to back up your data. (And if you have a credit card on file with Apple, it looks like their e-mail security approaches zero-factor security.)
And once they have complete access to your Amazon account, they can't just change the physical shipping address why?
If you try and do that (I did last week, to order something to be delivered to work) they ask for the CCV code from the back of the credit card (if you choose to pay with an existing card).
Free (ad-supported) and cheap internet services can be very good and useful, but they have to compromise between ease of use, security and cost. You want your data to be relatively safe? Compartmentalize (with different methods of access: cloud, local disk, non-erasable storage like DVDs), distribute (home, office, bank safe), switch off access when not needed.
And use different passwords for different sites, please!
Amazon had the exact same flaw as Apple. Allowing a password reset with last 4 digits and a billing address. The bigger flaw at Amazon was allowing the addition of a credit card with the same identification.
Once he had reset the Amazon password, he could add other shipping addresses. Amazon does allow you to ship to other addresses, at which point it will be up to the credit card company to block the charge.
Anyone sufficiently clued up on IT would
A) Have backed up their data on a physical medium, eg USB stick
B) Would not daisy chain their accounts that would allow the hacking of one lead to the others.
This guy might consider himself an expert - personally I consider him an idiot who bought into the whole Cloud we'll-look-after-your-data-for-you-no-need-to-worry marketing hype aimed at the clueless.
In broad technical terms there is no difference between a modern cloud service and an ftp server from the 1980s - if someone gets your password you're scr3wed.
Oh look, chickens dropping out of the Cloud and coming home to roost.
Because Amazon won't allow you to without extra information the person would not be able to provide. (CCV code)
He may be able to add extra shipping addresses, but he won't be able to use any of the cards on the account to ship to them. Amazon requires the CCV code on all purchases made with existing cards on the account when shipping to a new address.
Thank you for sharing your sad tale of security woes.
In broad technical terms there is no difference between a modern cloud service and an ftp server from the 1980s - if someone gets your password you're scr3wed.
One might suggest that 25 years of minimal progress on security, in the face of a considerable expansion of the internet's hostile population, is a major failing... Especially since, unlike most ftp servers of the 80's, 'cloud' services are heavily marketed toward nontechnical users.
... is a better answer. Apple and Amazon are far from the worst companies out there, but even they have some issues, so how do we fix them? I would guess the first thing to do would be for the credit card industry to decide which quad is to be used for identifying cards. The first quad tells you the card issuer, so that doesn't work if my personal and business cards are through the same company. Second, the companies ought to institute some card verification method that isn't a complete boondoggle. Maybe Amazon adds your card to your account, then you go to your bank's site intentionally, no redirects, log in and have to click approve. Or better, the CC issuers need to eliminate static card numbers and go with one-time use numbers; we can create cards that generate a new number each time and still fit in a wallet. Unfortunately the only thing I trust the CC issuers to do is screw that up, so like some posters have said, go back to cash for simple everyday transactions.
FWIW only online purchases (ie MP3s, Game downloads, etc) can really be bought that way from Amazon by a third party who has your password. From experience (not hacking! Just using) whenever you enter a new shipping address you have to re-enter your credit card information for the card you're using to make the purchase. You can't simply say "Oh, I'll use the one you have on file ending in 1234."
I'm sure it's a problem for many people, but at the same time it's not as bad as it could be if, say, someone bought a new overpriced Mac using your credit card, rather than a $1.29 MP3 or $50 game.
I've said it before, and I'll say it again -- managing identity is a quintessential government function, and should be handled by the government online as well. The basic problem here is that we should have a nationwide, and possibly global, single sign on system, with our rights protected by clear and unambiguous legislative features. Nobody thinks that the issuing of drivers' licenses should be done by private enterprise (or, if they do, they're idiots.) Why do we think online identity is less important?
The biggest flaw in any business is the human factor. Having worked at many call centers over the years, it's clear that most of our sensitive information is at the fingertips of kids right out of high school with only 2 weeks of training. Holy run on sentence, Batman! I've seen many agents make the same mistakes outlined in this article, worse even; they just don't care, want to get off the phone and avoid incident. In my agents' defense, some people that call in can be very persuasive, threatening, flattering, pretty much anything they need to be to get what they want.
I read this on emptyage, when he still thought he'd been brute-forced, and I still don't understand using the apple email (esp if you don't use the apple email) — that's tied to all your gadgets — as a backup for an insecure gmail account that you use publicly for everything (ie, it's posted on twitter).
Are people really this stupid?
Do they have absolutely zero sense of self-preservation?
This is such an extreme case, it reads like a hypothetical. "Suppose someone gave the keys of their house to Apple, then published everything on Craigslist that Apple needs to identity you..."
All this story needs to make it *really* extreme is if the hacker had stolen one of his gadgets so 2-step would fail. Ah yes, What. Then.
Eh, kudos to Wired for putting a fire under Amazon's and Apple's backsides, I suppose, but you can't fix stupid.
If someone gains access to my account they have access to my AWS account. Meaning they can take over my webserver and/or spin up extra servers which they can use to their heart's content, and bill me.
But what is Amazon protecting?
1) The ability to order goods using my credit card to be delivered to my registered address
2) The ability to order virtual goods using my credit card (music, ebooks, gift certificates).
1) doesn't really help the fraudster.
Unless he waits at your address and accepts delivery.
FWIW only online purchases (ie MP3s, Game downloads, etc) can really be bought that way from Amazon by a third party who has your password. From experience (not hacking! Just using) whenever you enter a new shipping address you have to re-enter your credit card information for the card you're using to make the purchase. You can't simply say "Oh, I'll use the one you have on file ending in 1234."
I'm sure it's a problem for many people, but at the same time it's not as bad as it could be if, say, someone bought a new overpriced Mac using your credit card, rather than a $1.29 MP3 or $50 game.
Adobe CS6 Master Collection [Download] - mine for only $2,133.44 of your money - and you save $465.56.
Or how about a little Kindle ebook? Only $5,679.17
He says, when talking about the hackers, that "...their ultimate goal was always to take over [his] Twitter account". Why, then, did they delete his Google Account, and then remotely erase his iPhone, iPad, and MacBook? I might get that they want to erase evidence that could be used to track them down, and to that extent, wiping the Google account, which they had apparently gotten access to, makes a modicum of sense. But unless they were using his iPhone, iPad, and MacBook as well, I'm not sure how erasing all of them was in any way helpful to them in any regard whatsoever. No... the bastards that did this to him definitely had some malicious intent involved.
I'm not saying that he wasn't hacked... nor am I saying that he wasn't hacked in this way, I'm suggesting that the allegation that the hackers were only after his twitter account seems extremely dubious... at least to me.
File under 'M' for 'Manic ranting'
Mat admitted himself that his account was hacked as the result of him using the same password on multiple sites. Hackers got into servers at one site where they got his password and were able to use that to gain access to his account elsewhere that allowed them to ultimately gain access to his email account. Once someone has access to your email account it takes no skill whatsoever to takeover every account a person has. Apple and Amazon did nothing wrong.
This is why rushing to embrace the cloud is not a good idea. Our security policies and practices are insufficient to prevent this level of digital pwnage.
Not really, I live in America, I haven't written a check in 7 years.
All my bills are paid through a service known as Billpay. All the banks and credits unions have something similar.
Time to stop making fun of us backward Americans and do some real research before writing your rants about us.
And this applies to most of my co-workers also. The only Americans that rely on checks anymore are over the age of 70 and that is what they grew up with so it is kind of hard to change.
Even better, Sallie Mae calls me about my daughter's loan, and before the call is connected I have to give Sallie Mae the last four of my SSN to authenticate who I am; there is no way to authenticate that it's Sallie Mae calling me, but I have to authenticate that Sallie called the right number. Even better, there is no way to talk to a real person if I don't authenticate.
Remember I said Sallie Mae initiated the call. I could call any number of random numbers, claim to be Sallie Mae, and get individuals' last four. Ridiculous.
FWIW, it need not be a bogus card. You can buy a VISA gift card (paying cash and showing no ID), then on the gift card website enter the name and address of your victim. It is now a perfectly legit card in that person's name. I use VISA gift cards on Amazon all the time (in my own name). You could probably do quite a bit of identity theft or creating false personas, using such a method.
If you ask me, both companies should be liable for violating privacy laws."
Nobody is asking you because nobody cares about what you think.
Mat Honan's mistake was trusting "The Cloud" in the first place. It is unfortunate that there will always be people who take advantage of those that are vulnerable, but if you want real security heed Wozniak. Stop putting your faith in companies and keep your own data. Never link your accounts, and keep the passwords offline.
This problem is well known, so there's no excuse:
o http://catless.ncl.ac.uk/Risks/24.82.html#subj13
o http://catless.ncl.ac.uk/Risks/24.91.html#subj12.1