How Apple and Amazon Security Flaws Led To Mat Honan's Identity Theft

An anonymous reader writes "The story behind the hacking of Mat Honan's multiple accounts has been revealed and points to massive failures in how Amazon and Apple handle password recovery. Accounts for both sites can be easily accessed with simple to find publicly available information. If you ask me, both companies should be liable for violating privacy laws."

the 4 last digit of CC are unsecure

[aepervius]

"In short, the very four digits that Amazon considers unimportant enough to display in the clear on the web are precisely the same ones that Apple considers secure enough to perform identity verification."

All industry standard I know of is to hide the 12 foremost digits with * and show the last 4 or 5 (yes better would be to hide all, but client might need to recognize the CC number for some reason). Who in their right mind would consider that secure ? Apple apparently.

Re:the 4 last digit of CC are unsecure

[pnot]

"In short, the very four digits that Amazon considers unimportant enough to display in the clear on the web are precisely the same ones that Apple considers secure enough to perform identity verification."

  All industry standard I know of is to hide the 12 foremost digits with * and show the last 4 or 5 (yes better would be to hide all, but client might need to recognize the CC number for some reason). Who in their right mind would consider that secure ? Apple apparently.

Indeed, the article itself makes this point: And it’s also worth noting that one wouldn’t have to call Amazon to pull this off. Your pizza guy could do the same thing, for example. If you have an AppleID, every time you call Pizza Hut, you’ve giving the 16-year-old on the other end of the line all he needs to take over your entire digital life..

Till receipts also commonly show this information.

Re:the 4 last digit of CC are unsecure

[mcvos]

I don't give credit card numbers to pizza boys. I give them cash. Or I pay with iDeal, a Dutch internet payment system that's actually secure, unlike all that credit card crap.

Really, rest of the world, you guys need to implement iDeal so I can use it for international payments. The only reason I have a credit card at all is because it's the only way to buy stuff online from non-Dutch sites. Steam uses iDeal. Once everybody else does too, we can finally get rid of those stupid credit cards.

Re:the 4 last digit of CC are unsecure

[Rei]

I don't know about iDeal, but I'm always appalled at how much trouble Americans have with securing their identity. It's not that hard:

Step 1) Have a *public* identifier for you. None of this "if you know the social security number" or "if you know all or part of a credit card number" or such nonsense.
Step 2) Have one or more *private* passcodes or other authentication schemes (really, everyone should have those rotating-passcode keychain devices like the banks give out here for use with important stuff). Because the key is public, nobody is dumb enough to use it as a password.
Step 3) Have a single national database which stores information about you, with at a minimum, your name, public ID, and address. This is your *official* contact information.
Step 4) Any major transactions done using your identity, including changing your contact information, involve you being contacted using your official contact information in the database.

This is basically the system we use here in Iceland, and it works very well. Doesn't help us with foreign firms that don't grasp security, however.

Also, what's up with Americans and writing personal checks? Geez, it's the 21st century here...

Re:the 4 last digit of CC are unsecure

[flimflammer]

Privacy issues for most of your post. People in general do not like the idea of a national ID system. This isn't just a US thing, either. A lot of countries try to fight this sort of system when it comes knocking.

As for personal checks, they are not used that frequently anymore. Most places I go to don't even accept them. I haven't encountered one personally in several years. They're used little more than promissory notes between people nowadays. Short of going to an ATM or bank, there's no easy way to give people cash. Personal checks still fill that role. Nothing wrong with that.

Re:the 4 last digit of CC are unsecure

[berberine]

I hate writing checks. I wish they would go away, but I have two issues as to why I can't stop writing them yet.

First, there is no way for me to pay my rent, electric bill, water bill, and garbage bill if I did it electronically. The electric company has sent out a notice that sometime next year they will start taking payments online, but that's next year.

Second, I do not trust the security of my bank, or any bank, in the small town that I live in. A friend also banks at this bank and it only took me a short time to be able to get into her bank account. To log into your personal checking account, you need a password, PIN, and identify a photo that you uploaded. You can get the PIN wrong 5 times before you're locked out of the account and have to go in person to fix things.

I already knew that the bank won't reset your PIN. They mail you a new one or you have to go in personally to get it reset. That was the only hard part. Of course, just chatting with my friend, I discovered she used her mom's birthday as the PIN. I didn't need to talk to her for anything else. She leaves her cell phone on her desk with her email and Facebook accounts logged in. So, I just clicked on the "forgot my password" button on the bank website and reset it. Then I logged in. The photo part is a photo that you upload. It was completely obvious that it was her dogs.

Now, I did all this while sitting next to her because she didn't see the big deal in using the same passwords everywhere or leaving her accounts logged in on her phone all the time. I kind of freaked her out a bit, but she was thankful that I showed her how easy it would be for anyone who just knew a little bit about her could get into her account. We spent the next Saturday changing passwords everywhere she was online and actually securing her accounts. I also got her to go into her bank and set it up so that, if the password to her bank account needs to be reset, she has to do it in person now. She still keeps her Facebook and email open on her phone, but at least they have different passwords now. To me, it's not 100% secure, but it's better than it was.

I live in a very small town and have limited banking options. The banks here are all the same when it comes to online banking. I really don't want to put all my hard earned money into a system that I don't believe is safe or secure. If any of the banks in town ever does that, they will get my business. Until then, I'm stuck writing checks for all my bills.

Lastly, I have three credit cards. I use one online exclusively. They have been excellent at fraud detection. I call once a week to check my balance and transactions. This takes about 3 minutes, but I can know immediately if something has happened. Twice the credit card company has called me and asked if I just tried to make a transaction because it threw up red flags with them. Once was me and it was a merchant I had never used before. The other time, there was a breach wherever they store their numbers. They just changed my account number and issued me new cards. It'd be nice if the banks could get their act together.

I like the idea of the way Iceland does it. I have several Dutch friends and I like their system of online banking. I just don't think the US takes it as seriously as other countries. When they do, I'll jump at the chance to get rid of checks and bank online.

Re:the 4 last digit of CC are unsecure

[Lord_Jeremy]

What?!! Apple requests the CVV2 code of your credit card for verification, not the last 4 digits of the number. The CVV2 code is never shown on a statement or invoice anywhere, and since they're processing credit card transactions they can only store it hashed.

Re:the 4 last digit of CC are unsecure

Go back to your cave fanboi, if you RTFA they tried themselves calling Apple and the last 4 digits was all they asked. Also, vendors don't normally store the CVV code, because its purpose is exactly that - let the user verify the transaction by entering it themselves. So Apple storing it and letting their CSRs view it would be quite against established CC security practices.

Re:the 4 last digit of CC are unsecure

[cvtan]

One glaring difference between US and Euro money dealing is that in the US bank-to-bank transfers are expensive. In Germany, they are free (by law, I believe). So if you are buying a $60 item in the US, you can't afford to spend $40 to do a bank transfer so you write a check. This situation is even worse if you are trying to buy something in Europe. Bank transfers are too expensive, individuals do not take credit cards, Paypal is not popular (because euro bank transfers are ~free), you can't send a personal check and mailing cash is problematic. It's the 21st century somewhere, but not at a US bank.

Re:the 4 last digit of CC are unsecure

[neonKow]

How exactly do you propose to implement any of this in Mat Honan's situation? Give Apple, Google, and Twitter access to Iceland's national database with contact information for everyone in the country? Make the database public? Have Apple, Google, and Twitter send you keyfobs?

How is any of this scalable in way that doesn't lead to a single point of weakness where a compromise there will compromise all your accounts at once?

Re:the 4 last digit of CC are unsecure

[w_dragon]

People in general do not like the idea of a national ID system

Just what do you consider a SSN to be?

Re:the 4 last digit of CC are unsecure

In Brazil, ALL bills share a common system. This means you can pay them anywhere: at drugstores, banks, ATMs, online, wherever. I just pay through my bank's online banking. The bank use two factor authentication, with a 8-digit PIN that's used exclusively to login at the online banking plus a 6-digit token whose value changes every minute, used for every sensitive operation. Any banking operation on the account (bills, investments, withdrawals, transfers, debit/credit card usage, etc) is immediately communicated via SMS and e-mail. If anything unexpected happens, I call my manager and the damage is contained (and my funds restored, if necessary) within minutes. If they detect some movimentation that raises flags, I'm called to confirm, in the same way you've said (this happened to me only once, my wife bought lots of things from various online stores in about 30 minutes). All of our major banks have a similar level of security.

By the way, transfers within the same bank chain happen immediately; to any other bank, it takes about a day. The way I see it, the American banking system is absurdly obsolete. The fact that people pay bills by mailing checks sounds bizarre (we've had this unified system for as long as I can remember). The resistence to online banking (caused, as you said, by the track records of the banks) makes no sense here. And we are the 3rd world country, we'd expect your systems to be more modern than ours!

Re:the 4 last digit of CC are unsecure

[Rei]

I'm saying that you should have your own system similar to ours, and that the reason you (and your companies) are so vulnerable to identity theft is because you don't.

Re:the 4 last digit of CC are unsecure

[Rei]

Our system here in Iceland is like yours in Brazil. I just don't get how America can be so backwards in so many regards. And people there by and large don't even realize it.

Re:the 4 last digit of CC are unsecure

[Rei]

In America, someone sends you a bill... how do you pay it? You write them a check.

Here, someone sends you a bill. You log on to netbanking (for example) with a password and rotating-code keyfob, go to the payments page, punch in the ID and account number information of who you're looking to pay, the bill pops up, you confirm the amount you want to pay and enter your netbanking pin... and that's that. No check ordering, no postal service, no stamps, no handwriting, no interpreting of handwriting, no fraudulent checks, no bounced checks... you know, an actual "modern" system.

The only reason your ridiculous system makes sense to you is because it's the only system you have experience with. It's totally antiquated and broken.

Re:the 4 last digit of CC are unsecure

[Rei]

Exactly. An ID number is just a unique representation of an individual - think of it as an alternative name, guaranteed to be unique. The difference is, the SSN is supposed to be "semi-secret", kind of secret, kind of not. It's your ID and password all bundled into one! Aka, idiotic. And not linked at all in a consistent, queryable manner with your contact information. Doubly idiotic. And while it functions as a kind-of password, it's semi-predictable. A triple-play of Fail.

Re:the 4 last digit of CC are unsecure

[Cyberax]

xUSSR countries use similar systems. I.e. you receive a bill, and then go online and pay it.

If you don't use computers then you can go to any bank and pay your bills there (essentially by doing a wire transfer), commercial banks might take a small fee for that and state-owned Sberbank is required to do this for free. I never understood the checks - you're writing a document authorizing somebody else to withdraw money from your account. Why not just do this directly?

Re:the 4 last digit of CC are unsecure

[Shados]

Only certain types of transfers cost money. Generally to the same banks they're free, and to pay bills and whatsnot, they're also free (at least to the payer).

I pay my rent via transfer, and it doesn't cost anything (and I doubt the owners are paying the fee for me, because they charge a stupid fee for credit card payments).

International transfers are another story.

Re:the 4 last digit of CC are unsecure

[Shados]

Such systems do exist in the US, they're just not totally universal, depending on who you deal with.

But i totally can pay all my bills, rent, utilities, everything, via a unified system. Its not accessible from "anywhere" like the parent talked about, but it is accessible from ATMs everywhere and from my bank's website. I'm from Canada where the system is a bit more universal, but now that I live in the US, at least anything I actually need to deal with works through that system. Good enough. Everything at the end of the pipeline hits my credit card and I get 1-2% cashback on that (which adds up quickly if all my purchases not done at small chinatown restaurants go through it).

At first glance the problem in the US isn't that such systems don't exist. Its that there are -too many of them- so it took longer for standards to get accepted.

Re:the 4 last digit of CC are unsecure

[Rei]

One, it's not like Iceland is so unusually forwards in this; it's that America is so unusually backwards in this. Countries much poorer than America, more corrupt, and still with large populations and land area have done it. Two, it's *harder* for small countries. Where are small countries supposed to get the resources to write new systems if something is so difficult? So much here has to be is imported. To give you a sense of what it's like, there's only a couple TV channels here that are even subtitled in Icelandic. If I watch, say, Mythbusters on Discovery Channel, the Mythbusters are speaking American English, the in-show announcers British English, the between-show announcements Norwegian. That is, Britain imported from the American Discovery channel, Norway imported the British Discovery Channel, and then Iceland imported the Norwegian Discovery channel.

What's inconvenient about *not* having to write checks and being able to do everything online?

Re:the 4 last digit of CC are unsecure

[Rei]

And? It's not like the database contains secret information. It simply contains *authoritative* information about people's contact info. "Leaking" its contents would just be a glamorous publication of a phone book. Are you saying that your biggest concern would be people breaking into the national database to secretly change everyone's addresses, and nobody's going to notice, and there's not going to be any restoring from backups? Is that your scenario here?

Re:the 4 last digit of CC are unsecure

[neonKow]

I'm saying that you should have your own system similar to ours, and that the reason you (and your companies) are so vulnerable to identity theft is because you don't.

My point is that this statement is completely untrue; implementing your country's system might be good for many reasons, but it won't really help most forms of identity theft. Where on earth do you see an opportunity to use your system to make the situation better for companies from any nation, much less for multi-national companies like Apple, Google, and Twitter that much authenticate users from countries all over the world.

Your idea stops scaling as soon as you realize you're dealing with 200+ nations' worth of databases and tens of thousands of major legitimate companies that need to authenticate people.

The reason credit cards are used is because it is an existing system of authentication that spans nations.

Re:the 4 last digit of CC are unsecure

[flimflammer]

...what?

Re:the 4 last digit of CC are unsecure

[damiangerous]

False. The checksumming method used with credit cards is called the Luhn algorithm, the last digit is the checksum. The first six are the issuer and the rest, save the last, are the account number.

Re:the 4 last digit of CC are unsecure

[thetoadwarrior]

I've been asked for those numbers to verify who I am from numerous companies over the years including a bank. If you provide 3 pieces of information (name, address and the last 4 digits) then a lot of people will just assume that you're legit.

Re:the 4 last digit of CC are unsecure

[VortexCortex]

Bitcoin.

Re:the 4 last digit of CC are unsecure

[prezkennedy.org]

Well for one thing, Iceland has about 340,000 people. I live in a relatively small state... Maryland that has ~5,800,000 people in it. Our largest city alone has twice the population of your country. I would imagine the 17x more population, just for this state alone, would make a single unified system far more complicated. The GDP of Maryland is over $300 billion and the GDP of Iceland is roughly $14 billion. Again, the level of economic activity is considerably higher, just for this single state.

Is it antiquated? Yes. There's a lot of other things here that are old as well, like the roads and infrastructure. You know why? Because many of them were built 60 years ago. For such a massive system, in either case, an overhaul every few years would be tremendously expensive in time, money and effort. This is why Brazil's system is so far ahead of ours. They built it up considerably later. We're getting there, it's just going to take time.

Re:the 4 last digit of CC are unsecure

[flimflammer]

Really, mods? Troll?

Re:the 4 last digit of CC are unsecure

[lsatenstein]

Being a former banker, having worked in security and secure file transfer, and cyberfraud,
a) I do not have a credit card number on line
b) I do no on-line banking.
c) I do not use pay-pal. If I need to purchase via the web, I do it via another special credit card account that allows no more than $50.00 balance. I preload it with money in order to make the purchase.
The account header stipulates to refuse all requests to up the credit limit. Absolutely all.
d) I physically walk to the bank branch to do most transactions (atm cash retrieval).
e) No pay by debit or credit card, except for big box chains such as supermarket, MacDonalds, Burger King, and no small store.
f) Don't want on-line banking.
g) I do not let credit card out of my hands at any store. (No walking away to swipe it at a terminal).
h) Some places (government) only allow payment by cheque or Credit card. Wow-- I tried to pay a bill to government with cash and it was refused. Something to do with germs...
etc. etc.

Re:the 4 last digit of CC are unsecure

[blippo]

OK.

Some statistics from the European Union, a union of 27 states with ~500,000,000 people.

Quoting from the European Central Bank's statistics from 2010.

"The total number of non-cash payments in the EU, using all types of instruments [1], increased by 4.4% to 86.4 billion in 2010 compared with the previous year. Card payments accounted for 39% of all transactions, while credit transfers accounted for 28% and direct debits for 25%."

Cheques are not mentioned specifically in the text, but according to the graph on the page, it seems to account to about 5 % of all transactions.

In the table for "Retail transactions" - which includes "bills", it can be found that cheques are mainly used in France. (As well as on Cyprus, and Malta, not exactly large countries.)

The EU is both much more politically complex and is having a much larger population.
The banking systems of the individual countries are much older. The 20 oldest banks still in operation is all European. (JP Morgan Chase, or rather the merged Bank of the Manhattan Company founded in 1799, is on place 23). The first central bank (ever) was founded in Sweden in 1668.

So I don't think that Your arguments are valid.

However, the EU bureaucrats and politicians have the benefit of a totally opaque political system which enables them to implement whatever they like, and they usually like to implement grand plans for integration and standardisation.

Re:the 4 last digit of CC are unsecure

[LordLimecat]

Countries much poorer than America, more corrupt, and still with large populations and land area have done it.

Maybe the reason is because they are much poorer and more corrupt. Its kind of hard to make this a pressing issue here, given that checks and credit cards arent generally a problem; Ill agree that the system with credit cards is retarded but we just dont have a large scale problem of pizza guys lifting cc numbers. If that happens, that will probably provide the impetus for change.

As with most things, unless there is a huge problem, people tend to not want to change what "works".

Benefits of free services

[akamad]

I would argue that the biggest benefit of using free services (like GMail) is they offer no or crap phone support! Thus making it very difficult for a hacker to social engineer their way into your account.

Re:Benefits of free services

[Theophany]

Unless you have your backup email address set as an iCloud address somebody already got access to...

Re:Benefits of free services

[akamad]

Indeed. As always, it's the weakest link that will screw you over.

Re:Benefits of free services

[rvw]

I would argue that the biggest benefit of using free services (like GMail) is they offer no or crap phone support! Thus making it very difficult for a hacker to social engineer their way into your account.

We were hacked several months ago, and our Amazon EC2 account was hijacked. How did they do this? We host our domain names at a local provider, and somehow they got control over that account. Then they changed the DNS for the mail to their own service. We had two-factor logins at Amazon (normal login + generated key). They tricked Amazon into believing that the key was broken, that they were the rightful owner (with control over the mail), and Amazon removed it. We still wonder how they did all this.

Re:Benefits of free services

[Celexi]

If you pay for Google apps they do offer phone support. However you would need to have the support pins which you can only get by logging in your account. There is no way to access support without those pins at all.

Re:Benefits of free services

[sh00z]

Unless you have your backup email address set as an iCloud address somebody already got access to...

Exactly. the biggest fail here is Honan's--using the same e-mail address with both social media and companies that know his credit card number.

Apple's Failure, Not Amazon's

[StealthyRoid]

Every e-commerce company in the world that allows you to store your card info will display the last four digits of your card number, because what other option is there? What other unique determinant could you possibly display in order to allow people to select one card from a set? There's nothing at all insecure about that on its own, and it's silly to pretend as though everyone else becomes liable for Apple's crappy security policy. This is way more about a.) How one guy had a bad personal password policy, b.) poor security training for Apple support staff and poor security policies at Apple, and c.) How stupid it is to make any of your data deletable remotely. "There's this option to wipe all my data on Apple's site, and then these evil hax0rs totally did it, and I didn't have backups" does not translate into "Amazon has bad security policy".

Re:Apple's Failure, Not Amazon's

[mimicoctopus]

Every e-commerce company in the world that allows you to store your card info will display the last four digits of your card number, because what other option is there? What other unique determinant could you possibly display in order to allow people to select one card from a set?

Card issuer.

Re:Apple's Failure, Not Amazon's

[profplump]

Which is great if you only have one card per brand-name issuer and completely useless in any case where that isn't true -- and it's certainly not true for me. Whereas the chances of the last few digits of your account number matching any other account for the same customer are exceedingly small. It may still be a bad idea, but "card issuer" is certainly not a reasonable replacement.

Re:Apple's Failure, Not Amazon's

[mimicoctopus]

I've never heard of anyone having more than one card from the same issuer before. Usually, a bank won't offer you a second card if you already have one with them. Why do you have multiple cards from the same bank?

In the case where you have two cards with the same issuer one digit could be used, provided it is different. In the event it's not different, two digits and so on until a noticeable difference exists.

Re:Apple's Failure, Not Amazon's

[viperidaenz]

Please think before you press submit
A bank may offer you a credit card and a debit card. Both from the same issuer.
You might have accounts at different banks, with credit cards from each bank, but they're all from Visa
You might have a company credit card and a personal card.
Unless you register all of your cards with a particular website, how does that website know how many digits it will take to make a difference?

Re:Apple's Failure, Not Amazon's

[mimicoctopus]

You might have accounts at different banks, with credit cards from each bank, but they're all from Visa

Visa is not the card issuer, the bank is.

Re:Apple's Failure, Not Amazon's

[jawtheshark]

I have five cards with the samer issuer. A debit and a credit card for the common account with my wife, and a debit and two credit cards for my personal account with the same bank. (Before anyone asks: these cards have different "functions" for accounting reasons and I have no credit card debt whatsoever. )

Re:Apple's Failure, Not Amazon's

[Plumpaquatsch]

I've never heard of anyone having more than one card from the same issuer before. Usually, a bank won't offer you a second card if you already have one with them. Why do you have multiple cards from the same bank?

Because of a bank merger. Because you got one from your employer. Because you use one for business expenses, and the other for private use.

Re:Apple's Failure, Not Amazon's

[kaws]

I can see the possibility of not being able to add a card over the internet for whatever reason.

Re:Apple's Failure, Not Amazon's

[White+Flame]

Every e-commerce company in the world that allows you to store your card info will display the last four digits of your card number, because what other option is there? What other unique determinant could you possibly display in order to allow people to select one card from a set?

User-defined label when entering card details.

Online banking typically does this, so even though you see (some of) your account digits while online, it's really the name you gave it that's meaningful.

Re:Apple's Failure, Not Amazon's

[oobayly]

I can see the possibility of not being able to add a card over the internet for whatever reason.

Typo, or can you tell us what reasons you can think of?

Re:Apple's Failure, Not Amazon's

[BlackCreek]

I've never heard of anyone having more than one card from the same issuer before. Usually, a bank won't offer you a second card if you already have one with them. Why do you have multiple cards from the same bank?

Because some people are married and have one for their own account and another for the joint account with their partner?

Re:Apple's Failure, Not Amazon's

[drkstr1]

How does it know which account to use when you use that card?

Re:Apple's Failure, Not Amazon's

[jawtheshark]

So, if you use a debit card, it knows automagically to debit from which account you want the money to be taken? I mean, if I buy food it should come from the common account, if I buy and electronic gizmo, it should come from my personal account. You card can guess that, right? Mine can't, and so I have two different debit cards.

Re:Apple's Failure, Not Amazon's

[thePowerOfGrayskull]

I've never heard of anyone having more than one card from the same issuer before. Usually, a bank won't offer you a second card if you already have one with them. Why do you have multiple cards from the same bank?

1) If your answer is "your valid use case is wrong, you need to re-think how you're doing things", you're doing it wrong and need to re-think how you're doing things.
2) Multiple cards from the same bank can occur pretty easily. Nearly all airline cards are issued by the major banks (Chase, Citi, etc) - even though the branding may be Southwest Air, the actual issuer is Chase. So if you have an airline/hotel/retail-branded card and a card from a major bank, chances are good that they'll be from the same issuer.

Re:Why remote wipe?

[juventasone]

If your device is lost or stolen.

Trying to tar Amazon at the same time

As the author admits: anyone with access to your card number ( even the waiter at the restaurant ) and a phone book has enough information to satisfy Apple's "security" procedures.

Re:Trying to tar Amazon at the same time

[mcvos]

Credit cards themselves are of course woefully insecure. We need a better payment system.

Re:Trying to tar Amazon at the same time

[mark-t]

Cash can be physically taken, and is useful to the thief. Try again.

not privacy, data protection

[l3v1]

From Wikipedia article (Data Protection Directive - Comparison with US data protection law):

"The United States prefers what it calls a 'sectoral' approach to data protection legislation, which relies on a combination of legislation, regulation, and self-regulation, rather than governmental regulation alone.[10] Former U.S. President Bill Clinton and former Vice-President Al Gore explicitly recommended in their "Framework for Global Electronic Commerce" that the private sector should lead, and companies should implement self-regulation in reaction to issues brought on by Internet technology." (emphasis added)

I never could really understand how this companies-should-self-regulate could work, and up to this day it didn't really prove to work. If companies are let to roam freely, then there's really nothing (good or bad) you can really expect from them, and even if one seems OK, they can change their policies from one second to the next and you're screwed.

Nobody in their right minds would trust all of their data exclusively and only to a company (yes, you know, that "cloud" you like so much is operated by one or more companies with data protection and privacy policies changing by the weather). If you do so, something like the original article mentions can happen anytime.

I'm not saying you shouldn't use the "cloud" (how I hate that word, oh my), but you should never trust and rely on it completely without any (or weak and borderline useless) fallback. Remember, it's your data, it's your life, protect it as you would protect anything that you own and hold precious.

Thing is, since computing and PCs have become everyone's tools and don't require in-depth tech knowledge, it's pretty easy to get average users to use and rely on such services. It's simple, they don't really know what they are getting into. And it's for this reason that it's sad to see a more knowledgable person (i.e. article writer) fail so terribly.

Always remember, just because so many people are hooked to it and it's easy to use, that doesn't mean it's safe and reliable. It's not.

Re:not privacy, data protection

[AHuxley]

The US had 2 options, set a weak gov standard and get lol at when its is broken and noted to be weak from day one (DES).
This breaks the trust feeling with generation of young US crypto experts who so want to feel the US gov is not allowing weak crypto for good intentions.
Self-regulation allows the US gov to sit down and have a nice chat to .com commerce interests and ensure when you buy anything "Middle East" related they can database you without too much effort.
Self regulation also protects eg CIA front companies http://cryptome.org/2012/08/cia-proprietaries-1975.pdf
"IRS personnel would be notified that thev had begun to audit an Agency proprietary, and the audit would be discontinued "
If the CIA wants to fund freedom fighters (now the "good guys") in Syria - nice to have quality encryption options that dont seem out of place.
What two big brand names are doing with such weak security seems very strange. What two big US brand names where asked to do for US national security seems ....

Re:not privacy, data protection

[lindi]

Hmm, isn't DES actually quite strong? It resisted both differential and linear cryptanalysis. The key size is not enough today but it certainly was in 1977.

Re:not privacy, data protection

[V+for+Vendetta]

Everytime you read the equivalent of "self-regulating" in a law, you know that lobbyists have again won a battle against citizens and democracy and that this regulation isn't worth the paper it's printed on.

Re:not privacy, data protection

[White+Flame]

I never could really understand how this companies-should-self-regulate could work, and up to this day it didn't really prove to work. If companies are let to roam freely, then there's really nothing (good or bad) you can really expect from them, and even if one seems OK, they can change their policies from one second to the next and you're screwed.

I think the intent is that there'd be industry standards, with their own best practices, standards body, and compliance testing. Things like movie ratings and OpenGL compliance are self-regulated.

Re:not privacy, data protection

[RabidReindeer]

I never could really understand how this companies-should-self-regulate could work, and up to this day it didn't really prove to work. If companies are let to roam freely, then there's really nothing (good or bad) you can really expect from them, and even if one seems OK, they can change their policies from one second to the next and you're screwed.

I think the intent is that there'd be industry standards, with their own best practices, standards body, and compliance testing. Things like movie ratings and OpenGL compliance are self-regulated.

But. But. But. The Free Market!!!!

Re:not privacy, data protection

[garyebickford]

There are really two choices, that have (over time) an exactly equal minimum error rate (= probability of being hacked, etc.) - one is to have multiple independent, dynamically changing methods of securing things; the other is to have one central authority. I repeat - from first principles in information theory - these both have the exact same optimum. Let's say, for the purposes of argument, that the optimal probability of error is 5%. The difference between the two options is the distribution of errors. If one has a single authority, then that 5% chance means that in the event the system is hacked, _everyone_ (100% of the people) is simultaneously vulnerable -> a potential national/global catastrophe. If one has a variety of authentication methods, then at any given time, about 5% of the people are vulnerable, 100% of the time - a potential continuing problem.

Now, of course, it is unlikely that either system will actually reach that optimum, but again the probable 'miss' ratio is likely to be the same on average so that makes no difference.

I'm probably not explaining this well but it's closely related to the reason why (according to some/most biologists) sexual reproduction exists - it increases diversity among the species, making it more difficult for a disease to wipe out the whole species. It's also very (very, very) broadly why most folks don't bet all their chips on one roll of the dice.

So, while all these muddled different methods, none of which work perfectly, makes life more complicated and increases the hassle of maintaining one's own security, it is better (more adaptive) for the society as a whole. It also tends to lead to a smarter population overall (or it would, if financial success had any correlation to evolutionary success - which is not true in a civilized society.)

Re:not privacy, data protection

[White+Flame]

That *is* the free market. Trust is also a market feature that comes & goes, even though government demands blind trust in its own devices. If the market decides adhering to some standard is necessary (which takes education, marketing, and precedent in some combination), then providers adhere and ideally organize. If the market decides some standard doesn't bring anything of value, it falls out of use.

The issue is that these sorts of security problems are not a deciding factor for individuals or even many businesses, which leaves them vulnerable to these same sorts of attacks. The "invisible hand of the market" moves with stories like this, because it provides said education and precedent that people use to evaluate standard practices.

Multifactor Authentication

[Heretic2]

This isn't a new problem... This guy was naive/careless at best for not using multifactor authentication. But hey, at least his new article is getting some traffic, not that anyone will ever take him seriously again.

Re:Multifactor Authentication

[thmsdrew]

I won't take my security advice from him, but there's no need to discredit his entire body of work because of this. Surely he deals in other topics.

a lot of mistakes here

[pbjones]

Not backing up data, able to get Amazon account data with 2 phone calls, able to get an Apple/Google/whatever password reset with just a little bit of work. They could have also stolen his CC statement from his mailbox, as well as a Utility bill and got part of the way to getting a new credit pin or drivers license and after a bit of time a new passport. This sort of hacking is not new, just different. Once the security questions used to be the standard 3, your mums maiden name, your city of birth, and your first pet/car/whatever, now the answers are often on-line or traceable via Facebook. The blame should be shared amongst everyone, including the person who did the hacking. Excuse me, I have to backup my computers.

Re:a lot of mistakes here

[l3v1]

Once the security questions used to be the standard 3, your mums maiden name, your city of birth, and your first pet/car/whatever, now the answers are often on-line or traceable via Facebook

Well, it's not the biggest and most effective way, but what I used to do (and still do if required) in such cases was that I picked randomly from the questions and gave totally unrelated random words as answers, which I recorded in a protected file. Unless someone could get to the file and crack it, there's no way to get through that with social engineering or public profile data collection.

Re:a lot of mistakes here

[pbjones]

I do similar, but a few years ago there was no choice, it was only 3 questions. ... as your Facebook email contains you FB ID, so you can also get a head start on cracking FB accounts, thanks to Facebook.

Re:a lot of mistakes here

[Havenwar]

Of course that makes your password exactly as safe as if you had the password itself stored in a protected file, which would mean you'd theoretically never need your security question answers since you would never forget your password. Unless of course you lose the file, in which case... I really hope you keep those files in two different places.

Re:a lot of mistakes here

[BlackCreek]

Of course that makes your password exactly as safe as if you had the password itself stored in a protected file, which would mean you'd theoretically never need your security question answers since you would never forget your password. Unless of course you lose the file, in which case... I really hope you keep those files in two different places.

Reasons to add random trash to these recovery questions is that:
-- it keeps *you* from actually adding your first pet's name;
-- ** it keeps the website from nagging you to add recovery questions **
-- my bank for instance requests a security recovery question to be added, I told them my mother's maiden name was something like "kj63h546*3@"

I do the same as the grand-parent. My passwords are different for every account and are created using (pwgen or apg, I can't never bother to check if one is better than the other). I really don't remember any of my passwords, I only really remember the browser password that protects these, the SSH passphrase and the GPG passphrase to decrypt the password file.

On a side note, I never add my Facebook password to the browser, as that makes it so cumbersome to login to Facebook that I really only login every 3 months for friendship request maintenance.

Re:a lot of mistakes here

[jjo]

Some of the standard data can be secure. For example, I have never revealed my first pet's name online, so you could search for it in vain for the rest of your life. At first it just never came up in discussion, but as soon as I realized the security implications, I decided that there were some trivial, obscure data that no one else needed to know.

Re:a lot of mistakes here

[Gilmoure]

I just made up a name of a pet to use.

No, it's not the name of the first girl who dumped me. Or even the tenth or twentieth.

Re:a lot of mistakes here

[jaymemaurice]

On a side note, I never add my Facebook password to the browser, as that makes it so cumbersome to login to Facebook that I really only login every 3 months for friendship request maintenance.

With such password policies, do you sometimes wonder if these facebook "friends" are really enemies out to get you? :)

Why Mat?

[stx23]

Something I haven't seen through reporting of this is why Mat Honan was targeted, was it the Gizmodo / Wired connection or something more sinister directed at him?

Re:Why Mat?

[mogness]

I read in his original article that he had a three character twitter username (@mat), and that was why the hackers targeted him

Re:Why remote wipe?

[mwvdlee]

If your device is lost or stolen, data should not be permanently deleted, just locked away until the owner personally comes round to identify herself with a passport or other legal ID of some sort. You can more to permanent delete after some time has passed without a "restore" request.
I don't see why this should be any problem at all; Apple, Google and all their competitors claim to keep backups, which is effectively the same but with a user-"controlled" restore procedure.

Re:Why remote wipe?

[pnot]

If your device is lost or stolen.

Why not just encrypt the drive? Seems more secure to me -- remote wipe presumably won't work if the target machine doesn't have net access.

(Of course, the drive will be unlocked if your machine is stolen while switched on and logged in, but the solution to that is to lock the screen whenever you're not at the computer.)

But he's and IT Expert!

[retech]

Yes, the same Mat who did not back anything up locally or (shutter to think) redundantly, is an expert. If this sorry excuse is what passes an expert, I think my grandma has a good chance at a new career.

What an idiot.

Re:But he's and IT Expert!

[Chewbacon]

Exactly why I don't like the cloud. I hate the idea of some guy reading knowledge base and misinterpreting policy and procedure standing between some stranger and my data. I use an iPhone, but backup to my computer at home and NOT the iCloud. I backup my computer quite often to my home server, which I can tunnel into should I need it. I make my own security policies, support my own stuff, and I'm the only one who needs to login to it. In fact, that's the basic policy: I am the only one who is allowed to get it, no security questions, last-4 digits of some damn number. Just me. Once a week, I plugin a portable drive and it adds another layer of redundancy to my backups. So even if all hell breaks loose and someone kills my server and desktop, I have minimal losses compared to everything. But this does make me want to take a look at how I manage the facets of security that I am responsible for on accounts that I do not have control over.

Re:But he's and IT Expert!

[quetwo]

Which is great, until you have a house fire, or your gear at home gets stolen.

Re:But he's and IT Expert!

[thmsdrew]

Maybe he thought that if you ignore it long enough, eventually the problem just goes away.

Re:But he's and IT Expert!

[garyebickford]

It's probably related to the fact (according to a survey I read some years ago) that most accountants never balance their checkbooks. I would be willing to bet that 70+% of geeks don't backup their personal data regularly, and have less-than-ideal password policies for their own web accounts.

Re:But he's and IT Expert!

[billtom]

I think you're missing the important point of this incident.

Yes, you're right that there are several things that Mat could have done to limit the damage that the crackers did to his systems. Such as local backups, two-factor authentication on his gmail, etc.

However, there is nothing that he (or any iCloud user) could have reasonably done to prevent his iCloud account from being compromised. The fault for that lies solely with Apple and Amazon's terrible telephone account security policies.

For people who didn't RTFA, you can take over anyone's iCloud account over the phone with just the user's: name, email address, billing address, and last four digits of their credit card number. (At least, until Apple changes their policies.)

Re:But he's and IT Expert!

[mimicoctopus]

If this sorry excuse is what passes an expert, I think my grandma has a good chance at a new career.

His Barack Obama Is Your New Bicycle website is particularly telling. Looks like something a (gifted) seven-year-old could have made in an intro to HTML class.

A very good article. Read it!

[Qbertino]

This is a very good article, every /. nerd worth his honors should read it. It's pushed my paranoia levels almost up to normal again. That alone was worth the time. I've been dragging out that backup HDD for my MB Air far to long and will now change that.

  I'm also going to solidly review my online presence and accounts, and how they could be linked. And fix any problems that pop up.

Bottom line: Read the article, it's a healthy wake-up call and if you're like me, you need that once in a while.

My 2 cents.

Re:A very good article. Read it!

[Spottywot]

This is a very good article, every /. nerd worth his honors should read it. It's pushed my paranoia levels almost up to normal again. That alone was worth the time. I've been dragging out that backup HDD for my MB Air far to long and will now change that.

I'm also going to solidly review my online presence and accounts, and how they could be linked. And fix any problems that pop up.

Bottom line: Read the article, it's a healthy wake-up call and if you're like me, you need that once in a while.

My 2 cents.

Yes indeed, we may not be making the same mistakes as Mr Honan, but this should be treated as a wake up call to review your own security policies. Mine are better that most, as I guess is the norm on Slashdot, but our time would be better spent looking for the chinks in our own online armour, rather than mocking Mr Honan for not backing up his Mac. It was stupid though.

Re:A very good article. Read it!

[jo_ham]

I'm not sure I trust a guy who doesn't back up. So much for a so-called "tech expert".

His story is also precisely why I don't cross link accounts like that so that if you lose one, you lose them all.

tream 'em like passwords

[trptrp]

that's why I generally just feed random data into these field (treat them like pw field except not saving the value)

You missed the part about Amazons password reset

[tlambert]

Amazon allowed a bogus card to be added to the account because all they did was check the check-digit, rather than doing that as step one, and then doing an authorization hold/authorization release after requiring the security code from the back of the card as step 2. This would have correlated the billing address and card number in the credit card company database, which would have failed, flagging it as a bogus card.

After this, a second call to Amazon using the bogus card information plus the (already known) billing information got them a password reset, again without them issuing an authorization hold/authorization release. And THAT is where they got the last 4 digits of the (actual) non-bogus credit card number to give to Apple. Admittedly, it's possible that this would cost a web site (other than Amazon, who owns their own payment provider) a transaction fee to do, but they could always require a transaction fee billed to the card being used as identification as part of the recovery process. For example, it looks like Norton Antivirus allows the same thing (just do a quick search for the phrase "the credit card number ending in", you'll see a bunch of people wondering about charges to cards they never registered with various services).

Apple using the last 4 digits as an identity verification was screwed up, but it wasn't information the bad guys had without Amazon's help, in this case.

Re:Why remote wipe?

[retchdog]

the article says that the remote wipe is reversible with a four-digit pin made up at the time of deletion.

which leads me to wonder why apple couldn't just reverse it for the guy once he apprised a real human being of the situation. given the lack of sophistication everywhere else in this scheme, i seriously doubt that the four-digit pin is really used to encrypt your data. it must just be for authentication, so why couldn't this guy get apple to unwipe his drive?

Blindness

[Bob9113]

Moreover, if your computers arenâ(TM)t already cloud-connected devices, they will be soon. Apple is working hard to get all of its customers to use iCloud. Googleâ(TM)s entire operating system is cloud-based. And Windows 8, the most cloud-centric operating system yet, will hit desktops by the tens of millions in the coming year. My experience leads me to believe that cloud-based systems need fundamentally different security measures. Password-based security mechanisms â" which can be cracked, reset, and socially engineered â" no longer suffice in the era of cloud computing.

Cloud services can be compromised without using your password, and the two big OS manufacturers are pushing people to entrust their most valuable information to the cloud. The problem with this, he observes, is that passwords are not sufficiently secure.

He writes for a technophile journal, making recommendations to people who trust his expertise, about how to use technology. He was just bitten, quite seriously, by the exact problem with trusting the cloud. He holds the specific role that is supposed to warn the humble masses about threats like this, and he blames password security.

I think Woz understated the threat.

That is not the problem with Amazon

[Ecuador]

At first I was aghast at how they could implicate Amazon for revealing the last 4 digits of your card, when they appear in every transaction receipt printed etc.
However, after reading TFA it is obvious that Amazon has a serious security flaw as well that they need to address as well. It seems that you can call Amazon support knowing only the name, email and billing address of a person and you can add a bogus credit card number to their file. Then you call back and tell them you can't access your account and they will let you add a new email address to reset your password and you use the credit card number you had just added as verification of your identity!
True, Amazon showing the last 4 digits of your CCs on your account is not a problem, but giving access to your account to a person armed only with knowledge of your name, address and email is a serious flaw.
The summary and even the article don't make it that clear what the problem is with Amazon, you have to read through TFA.

Re:That is not the problem with Amazon

[mtmra70]

My mortgage company has a similar jacked up login process.

Like a lot of places, they have you answer some pretty mind numbing security questions after typing in your user name and password. If you don't remember the security answer you can hit the "I forgot" button. What then happens is shocking - it takes you to a screen to reset the answers. Why in the world do you ask security questions after a user/pass auth if the same info lets you reset them?!!?

And the real kicker. When you want to make a PAYMENT they ask you the last four of your SSN. Who on earth asks for info like that when handing them money???? I could understand withdrawing money....but depositing money?? O_o

Gmail should make 2-factor more prominent

[sirwired]

Until recently, I wasn't even aware GMail offered 2-factor authentication. I think it was a little note on the login screen one day that it even existed.

I did set it up immediately, as my entire life runs through that account, but had been running for years without it.

Re:You missed the part about Amazons password rese

[StealthyRoid]

Naw, I didn't miss that part, I just don't think it makes an argument for this being a failure of Amazon security policy. Given that you need to know someone's account email address (how hard is it to do foo+amazon@dingleberry.com, or some other not-easily-guessed email address?), billing address, etc, to even get an Amazon rep to talk to you, the protections on that front seem sufficient (maybe not best, but sufficient) to me. Running an auth/void doesn't really work either. Sure, Amazon has their own payment gateway, but that doesn't make it free, it just makes it cheaper for them. Given the volume of cards that they accept into their system every day, running two transactions on each would pretty quickly jack up costs considerably. For subscription services like Norton, that might make sense, because the overall transaction volume is fairly low, but for Amazon, that bill would get pretty big.
Now, compare Amazon's relatively reasonable, if not super awesome, procedures to Apple's, where all you need is the last four in order to get access to all data and devices, and tell me this is still an Amazon problem.

Re:Why remote wipe?

Remote wipe only makes sense if the drive is encrypted. Actually wiping an entire hard drive takes too long. Devices with a remote wipe feature (usually) actually keep the entire drive encrypted and the remote wipe erases encryption key (which itself is usually password protected). Without the encryption key, the encrypted information left on the hard drive is essentially random noise.

Apple fanboy gets a reality check

[TheMathemagician]

I must admit it does amuse me a little to see a smug Apple fanboy so crushed by the realisation that Apple doesn't really care about him or his security. The moral is not to daisy-chain all your accounts together so snugly.

Well, that didn't cause me any problems...

[Havenwar]

From what I see here, the main problem was apple's security protocol, with amazon coming in a close second... All other things he could really have protected himself against... Using two factor authentication on google and so on. But you can't protect yourself from a company finding easily obtainable information good enough to just hand over control of your account with...

As far as I'm concerned Apple should be liable for damages in this case. They have acted as a gatekeeper, portrayed a sense of security, and then been blatantly lax in security.

What does the law say about a case where I hand over say my credit card information to a merchant and they act carelessly with it, thus allowing it to be intercepted by a criminal? Say I go to a restaurant and they take my card and then let it lay around on the counter for half an hour for anyone to see, scan, steal?

Re:Well, that didn't cause me any problems...

[viperidaenz]

The law doesn't really need to say anything. The company wouldn't appreciate the loss of business because they can no longer accept credit cards because they violated the contracts with their providers. Those contracts probably make the company liable for any losses too.

Re:Look, Apple doesn't get security...

[profplump]

Except for the you-must-give-RIM-your-email-password-to-get-email bit, sure. And that's ignoring all the limitations of their email system.

I really did like my BlackBerry in terms of the control provided to the subscriber -- as opposed to the retarded model on Android/iOS where the app developer decides what permissions are necessary -- but I don't see how trusting RIM is more secure than trusting Apple/Google/etc.

Re:Why remote wipe?

[Tony2Heads]

proper lawns are Festuca rubra

Re:You missed the part about Amazons password rese

[mkraft]

The problem here is that for the average Internet user, if you have someone's Amazon email address, you pretty much automatically have access to that person's Amazon account. Not everyone has multiple email accounts and the billing address and name can be gotten from agragators like http://www.spokeo.com./

At that point the person can gain access to the users Amazon account and simply go on a shopping spree at the users expense. Getting into an iTunes account with the same email is just a bonus.

Re:Why remote wipe?

[asdf7890]

If your device is lost or stolen, data should not be permanently deleted, just locked away until the owner personally comes round to identify herself with a passport or other legal ID of some sort. You can more to permanent delete after some time has passed without a "restore" request.

From an enterprise security point of view, once the device is out of your hands you want the data off it, full stop. If it isn't there then there is no chance that someone can read it. If everything on the device were properly encrypted, then you could just delete any keys and the restore would simply mean putting the keys back on.

I don't see why this should be any problem at all; Apple, Google and all their competitors claim to keep backups, which is effectively the same but with a user-"controlled" restore procedure.

That is the solution, not "not deleting". The off-device backups are your restore point either if you get a new device or that one is returned to you. As long, of course, as the backup account is not compromised at the same time as the device. No matter how securely you store you keys/tokens most phones are unlocked by a four digit pin so you've got not more than two days before someone brute forces that and gets in if they are determined and start when they first get hold of the device (so make sure if you lose the device that all the authentication credentials for the backups are changed ASAP).

Of course most stolen phones just get factory wiped before being fenced anyway, as most thefts of such devices are opportunistic rather than planned, so this is only a concern if someone might specifically target you (such as if others in your company's industry might want to have a peak at some significant trade secret) or if you have something really objectionable on the device (at which point if the thief notices it that can blackmail you)- most people like you or I are unlikely to be targeted in that way.

So what should security questions be?

[justcauseisjustthat]

I would argue Apple's security questions is no worse than most security questions from other vendors. Most info that is asked by companies to protect your data can be mined off the web via various methods.Unless you've lived in a hole and have no credit history,etc there is a trail and a clever person can find the answers.

That's why I make up my answers per account, there's no way to find the answers unless you have access to my physical system with encrypted docs.
But let's be real, normal people won't go this far or be this paranoid!!

Re:So what should security questions be?

[justcauseisjustthat]

That doesn't answer the question, if people think Apple use of the last 4 digits of a credit is a bad idea, what is the solution?

"Listen to the people who are talking about how to fix what's wrong,
not the ones who just work people into a snit over the problems.
Listen to the people who have ideas about how to fix things,
not the ones who just blame others."
M. Ivins

Re:So what should security questions be?

[GryMor]

Which is great, but in this case Apple allowed the hackers to completely bypass the normal security questions by answering a question that you can't 'make up', and in fact, that they didn't let you know was a security question.

That said, now that we know about it, there is a way of getting around it: Have a different credit card number for each site!

Though I hope Amazon's CS customer authentication and authorization procedures will get overhauled to eliminate these escalation attacks.

Re:So what should security questions be?

[neonKow]

How about using those security questions everybody is talking so much about?

Re:You missed the part about Amazons password rese

[xaxa]

Are you stupid? To get access to someone's Amazon account you need their email address and billing address. To get access to someones Apple account you need their email address, billing address, and last 4 of their CC. Both of these systems are stupidly insecure, but it is pretty goddamn obvious Amazon's is the worse.

But what is Amazon protecting?

1) The ability to order goods using my credit card to be delivered to my registered address
2) The ability to order virtual goods using my credit card (music, ebooks, gift certificates).

1) doesn't really help the fraudster. 2) might, but they're difficult to resell and Amazon probably don't care about refunding these purchases -- they're very low value

Now, what is Apple protecting?

1) Everything using that email address
2) All Apple equipment registered to the account, and all files on that equipment

Re:You missed the part about Amazons password rese

[TCM]

But what is Amazon protecting?

1) The ability to order goods using my credit card to be delivered to my registered address
2) The ability to order virtual goods using my credit card (music, ebooks, gift certificates).

You forgot

3) The ability to takeover your Apple account

So clearly, Amazon is worse than Apple because Amazon is Apple and more!

Re:Why remote wipe?

Devices with a remote wipe feature (usually) actually keep the entire drive encrypted and the remote wipe erases encryption key

Not with blackberry. Remote wipe overwrites everything.

Re:Why remote wipe?

[Plumpaquatsch]

The remote delete feature is the dumbest of dumb feature I ever heard of. That alone is a good reason not to use Apple products.

While Android phones are perfectly fine with you?

Re:Why remote wipe?

[kaws]

Just like what asdf7890 said, some people want the security option of wiping the data. I suppose that an option could be to remotely encrypt a drive. Btw, there is the option in apple's icloud to remotely lock a device with a passcode of your choice. Wiping it is just another option.

Secure your e-mail!

[jjo]

My bottom line take-away from this is that the most fundamental level of security these days is your primary e-mail account. If you don't have two-factor authentication on it, you are asking for trouble. Relying on one-factor authentication for your primary e-mail seems to be almost as bad as failing to back up your data. (And if you have a credit card on file with Apple, it looks like their e-mail security approaches zero-factor security.)

Re:You missed the part about Amazons password rese

[xaxa]

And once they have complete access to your Amazon account, they can't just change the physical shipping address why?

If you try and do that (I did last week, to order something to be delivered to work) they ask for the CCV code from the back of the credit card (if you choose to pay with an existing card).

You get what you pay for

[Novogrudok]

Free (ad-supported) and cheap internet services can be very good and useful, but they have to compromise between ease of use, security and cost. You want your data to be relatively safe? Compartmentalize (with different methods of access: cloud, local disk, non-erasable storage like DVDs), distribute (home, office, bank safe), switch off access when not needed.

And use different passwords for different sites, please!

Re:You missed the part about Amazons password rese

[OCedHrt]

Amazon had the exact same flaw as Apple. Allowing a password reset with last 4 digits and a billing address. The bigger flaw at Amazon was allowing the addition of a credit card with the same identification.

Re:You missed the part about Amazons password rese

[OCedHrt]

Once he had password reset Amazon, he can add other shipping addresses. Amazon does allow you to ship to other addresses, at which point it will be up to the credit card company to block the charge.

If you're a nerd you don't need the wake up call

[Viol8]

Anyone sufficiently clued up on IT would

A) Have backed up their data on a physical medium, eg USB stick

B) Would not daisy chain their accounts that would allow the hacking of one lead to the others.

This guy might considered himself and expert - personally I consider him an idiot who bought into the whole Cloud we'll-look-after-your-data-for-you-no-need-to-worry marketing hype aimed at the clueless.

In broad technical terms there is no difference between a modern cloud service and an ftp server from the 1980s - if someone gets your password you're scr3wed.

Whats that clucking I can hear?

[Viol8]

Oh look , chickens dropping out of the Cloud and coming home to roost.

Re:You missed the part about Amazons password rese

[flimflammer]

Because Amazon won't allow you to without extra information the person would not be able to provide. (CCV code)

Re:You missed the part about Amazons password rese

[flimflammer]

He may be able to add extra shipping addresses, but he won't be able to use any of the cards on the account to ship to them. Amazon requires the CCV code on all purchases made with existing cards on the account when shipping to a new address.

Re:Why remote wipe?

[AmiMoJo]

But why irreversibly wipe it? Arne't iOS devices encrypted by default, in which case you could keep a backup of the encryption key somewhere safe and just erase it off the device.

Re:If you're a nerd you don't need the wake up cal

[fuzzyfuzzyfungus]

In broad technical terms there is no difference between a modern cloud service and an ftp server from the 1980s - if someone gets your password you're scr3wed.

One might suggest that 25 years of minimal progress on security, in the face of a considerable expansion of the internet's hostile population, is a major failing... Especially since, unlike most ftp servers of the 80's, 'cloud' services are heavily marketed toward nontechnical users.

Re:You missed the part about Amazons password rese

[squiggleslash]

FWIW only online purchases (ie MP3s, Game downloads, etc) can really be bought that way from Amazon by a third party who has your password. From experience (not hacking! Just using) whenever you enter a new shipping address you have to re-enter your credit card information for the card you're using to make the purchase. You can't simply say "Oh, I'll use the one you have on file ending in 1234."

I'm sure it's a problem for many people, but at the same time it's not as bad as it could be if, say, someone bought a new overpriced Mac using your credit card, rather than a $1.29 MP3 or $50 game.

Re:Why remote wipe?

[jo_ham]

Why didn't he keep backups?

I fail to see how Apple's remote wipe capability, designed to ensure that your data doesn't fall into the wrong hands rather than the "safety" of data on the device (ie, ease of deletion) is a problem.

If you accidentally remote wipe, or your friend pranks you because you were logged in and went to get a soda and he's a dick, or someone hacks your account and wipes your phone and computer, then you should just restore from backup.

No need to design the remote wipe system to be reversible to solve a problem that already has a solution.

There are two types of data: backed up data and lost data.

Identity is a GOVERNMENT FUNCTION

[Fished]

I've said it before, and I'll say it again -- managing identity is a quintessential government function, and should be handled by the government online as well. The basic problem here is that we should have a nationwide, and possibly global, single sign on system, with our rights protected by clear and unambiguous legislative features. Nobody thinks that the issuing of drivers' licenses should be done by private enterprise (or, if they do, they're idiots.) Why do we think online identity is less important?

Re:Identity is a GOVERNMENT FUNCTION

[Urza9814]

It's not strictly about trust though, it's about if you want a single point of failure, or compartmentalized data. My father's hotmail was hacked (most likely phished I'd guess) not too long ago and he wasn't able to get it back. So he lost his hotmail. It's been a pain in the ass, but he got everything that he uses switched over to a new email within a week or two. If the government provides all authentication, what happens if someone hacks that? Or gets your credentials some other way? You lose absolutely everything.

Re:Identity is a GOVERNMENT FUNCTION

[0123456]

I've said it before, and I'll say it again -- managing identity is a quintessential government function, and should be handled by the government online as well.

Oh, yes. Let's let a gang of psychopaths with guns own our online lives. They would never think of creating fake identities for themselves, selling our identity to others, or simply deleting or blocking our ID and preventing us from accessing anything.

Re:Why remote wipe?

[BlackCreek]

Why didn't he keep backups?

Because he is an Apple fan-boy and turned off any and all technology knowledge of his decision process because of the emotional assurance he got from the Apple brand?

Call Centers...

[Hermit+Squirrel]

The biggest flaw in any business is the human factor. Having worked at many call centers over the years it's clear that most our sensitive information is at the finger tips of kids right out high school with only 2 weeks of training. Holy run on sentence, Batman! I've seen many agents make the same mistakes outlined in this article, worse even, they just don't care, want to get off phone and avoid incident. In my agents' defense some people that call in can be very persuasive, threatening, flattering pretty much anything they need to be to get what they want.

I Cringe

[tkprit]

I read this on emptyage, when he still thought he'd been brute-forced, and I still don't understand using the apple email (esp if you don't use the apple email) — that's tied to all your gadgets — as a backup for an insecure gmail account that you use publicly for everything (ie, it's posted on twitter).

Are people really this stupid?

Do they have absolutely zero sense of self-preservation?

This is such an extreme case, it reads like a hypothetical. "Suppose someone gave the keys of their house to Apple, then published everything on Craigslist that Apple needs to identity you..."

All this story needs to make it *really* extreme is if the hacker had stolen one of his gadgets so 2-step would fail. Ah yes, What. Then.

Eh, kudos to Wired for putting a fire under Amazon's and Apple's backsides, I suppose, but you can't fix stupid.

Re:You missed the part about Amazons password rese

[Plumpaquatsch]

But what is Amazon protecting?

1) The ability to order goods using my credit card to be delivered to my registered address 2) The ability to order virtual goods using my credit card (music, ebooks, gift certificates).

1) doesn't really help the fraudster.

Unless he waits at your address and accepts delivery.

Re:Why remote wipe?

[jo_ham]

Why didn't he keep backups?

Because he is an Apple fan-boy and turned off any and all technology knowledge of his decision process because of the emotional assurance he got from the Apple brand?

So by your logic, all Windows and Linux users keep backups then? That will really help me next time my parents' computer messes up, now that I know that they definitely keep backups because they don't have a Mac.

Re:You missed the part about Amazons password rese

[Plumpaquatsch]

FWIW only online purchases (ie MP3s, Game downloads, etc) can really be bought that way from Amazon by a third party who has your password. From experience (not hacking! Just using) whenever you enter a new shipping address you have to re-enter your credit card information for the card you're using to make the purchase. You can't simply say "Oh, I'll use the one you have on file ending in 1234."

I'm sure it's a problem for many people, but at the same time it's not as bad as it could be if, say, someone bought a new overpriced Mac using your credit card, rather than a $1.29 MP3 or $50 game.

Adobe CS6 Master Collection [Download] - mine for only $2,133.44 of your money - and you save $465.56.

Or how about a little Kindle ebook? Only $5,679.17

I smell some B.S here.

[mark-t]

He says, when talking about the hackers, that "...their ultimate goal was always to take over [his] Twitter account". Why, then, did they delete his Google Account, and then remotely erase his iPhone, iPad, and MacBook? I might get that they want to erase evidence that could be used to track them down, and to that extent, wiping the Google account, which they had apparently gotten access to, makes a modicum of sense. But unless they were using his iPhone, iPad, and MacBook as well, I'm not sure how erasing all of them was in any way helpful to them in any regard whatsoever. No... the bastards that did this to him definitely had some malicious intent involved.

I'm not saying that he wasn't hacked... nor am I saying that he wasn't hacked in this way, I'm suggesting that the allegation that the hackers were only after his twitter account seems extremely dubious... at least to me.

Re:I smell some B.S here.

[mark-t]

Yes... "according to them".

As far as I can tell, this was nothing less than wanton collateral damage for its own sake. Regaining control of accounts would be unlikely to have been easier with access to those devices than it would have been with them. In fact, by doing such things, they alerted the owner to a problem even sooner than would have otherwise likely to have been noticed, and the effort could have easily backfired upon them.

Which tells me something else about them. Not only are they cowardly and immature, they are also highly inept... since a more competent hacker would have realized the potential problems that could come with wiping those devices.

Re:Why remote wipe?

[BlackCreek]

Why didn't he keep backups?

Because he is an Apple fan-boy and turned off any and all technology knowledge of his decision process because of the emotional assurance he got from the Apple brand?

So by your logic, all Windows and Linux users keep backups then? That will really help me next time my parents' computer messes up, now that I know that they definitely keep backups because they don't have a Mac.

By my logic I expect that anyone that makes a living writing about technology at a professional venue such as Wired as senior writer is: 1. well informed about the need and value of backups; 2. capable of making sure the data is actually backed up to a safe place.

Quit being such a dork, I said this one guy is fan-boy and that that made /he/ turn off his very well informed brain about how he was handling his data, not that any and everyone that buys Apple is a fan-boy, or is as well informed as he is, or makes the same mistakes he did. The generalization is yours only.

Does any of your parents is a senior writer at Wired (or something equivalent)?

Re:Why remote wipe?

[mark-t]

Fair enough.... are there *ANY* other remotely legitimate reasons for that?

Because if not, then *any* attempt to remote wipe a device should have an accompanying police report that can be correlated with the police report filed by the victim, and which would supplement it with all the evidence relevant to the wiping that can be obtained, including the reported IP address of the wiper, and the reported geographical location of the device at the time it was wiped.

Re:Why remote wipe?

[robogun]

There are differences. One is Google is not goading people into using its cloud with a walled ecosystem. And in Android:

"A remote wipe removes all device-based data like mail, calendar, and contacts from the device, but it may not delete data stored on the device's SD card."

Checks? What are those?

[AF_Cheddar_Head]

Not really, I live in America, I haven't written a check in 7 years.

All my bills are paid through a service known as Billpay. All the banks and credits unions have something similar.

Time to stop making fun of us backward Americans and do some real research before writing your rants about us.

And this applies to most of my co-workers also. The only Americans that rely on checks anymore are over the age of 70 and that is what they grew up with so it is kind of hard to change.

Re:Checks? What are those?

[whoever57]

All my bills are paid through a service known as Billpay. All the banks and credits unions have something similar.

I use a billpay system also, but:
The billpay system has been unable to get my home mortgage billing details (I think the mortgage company would prefer that I use their own system to pay the mortgage, but I refuse to hand control of when my mortgage gets paid over to the biller)
There were some changes recently which meant that some bills stopped being available through the billpay system for about a month, and then I had to sign up again.

In summary, checks still needed.

Oh, and when my employer made some changes to the payroll system, they required voided checks to set up the direct deposit of pay. At least one employee had to get his first ever book of checks so that he could hand in a voided check.

Re:Checks? What are those?

[Rei]

Then you're exceedingly unusual. A quick Google Search turns up this:

* Americans write 42.5 billion checks per year - that's one check per person every three days.
* In the United States checks are among the most popular form of payment, above credit cards.
* People write roughly 450 million "bad checks" or checks that bounce every year - that's 1.5 per person per year.
* 60 percent of all transactions not paid for with cash are paid by check.
* Consumers are 65 percent more likely to use checks than other forms of electronic payments.
* The number of checks used by Americans is increasing. In recent years check use rose 54 percent alone.
* More than 39 trillion dollars in payments are made every year with checks, compared to just 7 trillion for other forms of payment.

Mind you, I have no way to validate those numbers, but it matches my experience with the American check culture. A lot of places in America don't have options for online bill paying. You just happen to have lucked into being in a place that does. Americans typically write each other checks to send each other money as well - such as a "birthday check" from a parent or whatnot.

Re:Checks? What are those?

[Troed]

I'm a 38 year old Swede. I've never written a check. I vaguely remember my parents did when I was really young.

7 years you say?

Re:Checks? What are those?

[AF_Cheddar_Head]

Would be longer but got back from Australia in 2003 and had to pay my rent deposit with a check. That was the last one.

Re:Checks? What are those?

[AF_Cheddar_Head]

Ok a sample of one but it is possible to survive in America without a check book. The GP implied that it wasn 't.

Re:Checks? What are those?

[AF_Cheddar_Head]

What is the reason for writing a check that Billpay, plastic or cash doesn't meet?

Canceled Check -- You have the equivalent with Billpay confirmation numbers
Payment History -- Billpay provides
Roadside Farmer -- Cash
Doesn't take bank transfer -- Billpay sends the check and you get a photocopy of canceled check, same as if you write it.

Rent Deposit -- I guess gotta be a check or cash and cash for this would suck.

Re:Checks? What are those?

[AF_Cheddar_Head]

Yeah the mortgage thing sucks but Billpay sends a check to them, not me. Funny how the big banks and Credit Card companies are the ones that resist taking Billpay direct transfers. Guess they don't like giving up the hefty bank-to-bank transfer fees.

On the voided check thing, my credit actually will custom print me a check with all the details on it and then I void it for my employer to use when setting up the direct pay.

Re:Checks? What are those?

[lonecrow]

These are personal cheque correct? Cause payrolls etc use lots of cheques. Myself the only time I write a cheque is if someone needs a post-dated payment or deposit.

All my bill paying is online and I have easily gone a year or more between writing cheques and I have a family of 4.

Re:Checks? What are those?

[mcvos]

Exactly. I remember my parents used them in my youth, back in the '80s. I think checks died at the start of the '90s.

Re:Checks? What are those?

[shec0002]

That page has a date of 2006, and I bet the survey is older. A lot has changed in 6 years. Many people still write checks in the US, now. Back in 2006 most banks charged for online payments, now most encourage it.

Sallie Mae

[AF_Cheddar_Head]

Even better, Sallie Mae calls me about my daughter's loan, and before the call is connected I have to give Sallie Mae my last four of my SSN to authenticate who I am, no way to authenticate that it's Sallie Mae calling me but I have to authenticate that Sallie called the right number. Even better no way to talk to a real person if I don't authenticate.

Remember I said Sallie Mae initiated the call. I could call any number of random numbers claim to be Sallie Mae and get individuals last four, ridiculous.

Re:Sallie Mae

[jaymemaurice]

My bank in the UAE used to call me to sell me products, and would try to confirm my identity... In which case I described the problem with their protocol, which usually resulted in a complete waste of time. They no longer call to sell me services.

Re:You missed the part about Amazons password rese

[Al+Al+Cool+J]

FWIW, it need not be a bogus card. You can buy a VISA gift card (paying cash and showing no ID), then on the gift card website enter the name and address of your victim. It is now a perfectly legit card in that person's name. I use VISA gift cards on Amazon all the time (in my own name). You could probably do quite a bit of identity theft or creating false personas, using such a method.

Nobody is asking you

[kyrio]

If you ask me, both companies should be liable for violating privacy laws."

Nobody is asking you because nobody cares about what you think.

Re:Why remote wipe?

[retchdog]

well, that's still no excuse to not use time machine.

Re:Why remote wipe?

[Bryansix]

You do realize that Android phones have remote wipe as well right?

Re:Mat Honan is the only one to blame

[Bryansix]

Amazon and Apple had glaring problems in their security specifically when people get involved in the process. It was the social engineering in this case which caused the problem.

Re:Why remote wipe?

[Plumpaquatsch]

"A remote wipe removes all device-based data like mail, calendar, and contacts from the device, but it may not delete data stored on the device's SD card."

Wait, you are counting the fact that any data you store on the SD is completely unprotected in case of theft or loss as a plus?

Probably because many Android apps can't write to the SD anyways, right?

Re:Why remote wipe?

[Plumpaquatsch]

Why didn't he keep backups?

Because he is an Apple fan-boy and turned off any and all technology knowledge of his decision process because of the emotional assurance he got from the Apple brand?

Yeah, because Apple doesn't tell you to keep backups using Time Machine. Oh, no, wait - they do. Apple 1 - BlackCreek 0

Re:Why remote wipe?

[Plumpaquatsch]

But why irreversibly wipe it? Arne't iOS devices encrypted by default, in which case you could keep a backup of the encryption key somewhere safe and just erase it off the device.

That's why you have the choice between "Remote Lock" and "Remote Wipe". Only use wipe if you don't want anyone to gain sensitive information on your device.

Re:Why remote wipe?

[BlackCreek]

Why didn't he keep backups?

Because he is an Apple fan-boy and turned off any and all technology knowledge of his decision process because of the emotional assurance he got from the Apple brand?

Yeah, because Apple doesn't tell you to keep backups using Time Machine. Oh, no, wait - they do. Apple 1 - BlackCreek 0

Because your reading comprehension sucks?

http://slashdot.org/comments.pl?sid=3030691&cid=40905063

Re:Why remote wipe?

[Plumpaquatsch]

Why didn't he keep backups?

Because he is an Apple fan-boy and turned off any and all technology knowledge of his decision process because of the emotional assurance he got from the Apple brand?

Yeah, because Apple doesn't tell you to keep backups using Time Machine. Oh, no, wait - they do. Apple 1 - BlackCreek 0

Because your reading comprehension sucks?

http://slashdot.org/comments.pl?sid=3030691&cid=40905063

Ahh, so anybody not doing what Apple tells them is a "fan.-boy". So you are a fan-boy - why should I listen to your clueless babble?

Re:

This problem is well known, so there's no excuse:-

o http://catless.ncl.ac.uk/Risks/24.82.html#subj13
o http://catless.ncl.ac.uk/Risks/24.91.html#subj12.1

Re:Why remote wipe?

[jaymemaurice]

Also with blackberry, it can't be brute forced and the files (including media card files) can be stored with full encryption...

But lets not talk about the good things of a platform that is hated for being boring and working.