MatHonan

Latest

  • Amazon, Apple stop taking key account changes over the phone after identity breach

    by Jon Fingas, 08.07.2012

    By now, you may have heard the story of the identity 'hack' perpetrated against Wired journalist Mat Honan. Using easily obtained data, an anonymous duo bluffed its way into changing his Amazon account, then his Apple iCloud account, then his Google account and ultimately the real target, Twitter. Both Amazon and Apple were docked for how easy it was to modify an account over the phone -- and, in close succession, have both put at least a momentary lockdown on the changes that led to Honan losing much of his digital presence and some irreplaceable photos. His own publication has reportedly confirmed a policy change at Amazon that prevents over-the-phone account changes. Apple hasn't been as direct about what's going on, but Wired believes there's been a 24-hour hold on phone-based Apple ID password resets while the company marshals its resources and decides how much extra strictness is required. Neither company has said much about the issue. Amazon has been silent, while Apple claims that some of its existing procedures weren't followed properly, regardless of any rules it might need to mend. However the companies address the problem, this is one of those moments where the lesson learned is more important than the outcome. Folks: if your accounts and your personal data matter to you, use truly secure passwords and back up your content. While Honan hints that he may have put at least some of the pieces back together, not everyone gets that second chance.

  • AppleCare freezes over-the-phone password resets in wake of hacking incident

    by Michael Rose, 08.07.2012

    The ripples from Mat Honan's weekend security incursion keep pushing outward. Earlier today Amazon shifted policy to prevent account details from being changed via a phone call, which blocks one avenue the hackers used to get the personal info used to compromise Honan's iCloud account. Now, according to Wired, the other shoe has dropped: Apple's phone support team is in a 24-hour freeze for account resets by phone. This change, which Wired confirmed with an internal Apple source and also tested directly by trying to perform a password reset in a call with AppleCare, might be a temporary holding action until Apple comes up with a more permanent adjustment to its security policies. As Honan's story unfolded late Friday night, it wasn't immediately clear how the hackers gained access to his iCloud account, but it turned out that with just an email address, mailing address and the last four digits of the account's credit card, AppleCare would provide a temporary account password over the phone. Apple could implement a two-factor authentication scheme similar to Google's approach, but that's confusing to set up for mobile devices and in situations where a separate challenge step doesn't work smoothly (calendar or email apps, for instance). Apple could also do a callback step to the phone that's on the account, although in the case of a stolen phone that might not help. Even a multiple-choice "which of these songs did you purchase on this date" account detail check might add some security to the process, but a perfect system hasn't been invented yet. Google's Tim Bray is working on the future of authentication, and he comments that one way to be safer online is to not be "the softest touch on the block" -- if you're a slightly harder nut to crack, security-wise, casual hackers will generally leave you alone in favor of easier targets.

    As risk guru Bruce Schneier points out (in the context of a far more tragic incident), "Novelty plus dread plus a good story equals overreaction." Human beings aren't particularly good at accurately assessing risk, and we focus on solving the last problem rather than the next one. Hopefully Apple will take this wake-up call on account security as an opportunity for a clear-eyed evaluation of some of the ongoing, high-incidence security issues it faces rather than focusing exclusively on the headline problem. [hat tip to MacRumors]

  • Amazon responds to iCloud account hacking

    by Megan Lavey-Heaton, 08.07.2012

    Amazon is taking action after learning of the inadvertent role it played in Wired writer Mat Honan's digital nightmare last week, when his iCloud account password was compromised and his Mac was wiped. Apple spokeswoman Natalie Kerris told Wired on Monday that processes were being reviewed, but Amazon has actually enacted a new security policy in light of what happened to Honan. As of today, Amazon will no longer allow users to change account settings, including credit card information and email addresses associated with the account, via phone. Wired confirmed this change while trying unsuccessfully to replicate the social engineering steps used to get into Honan's accounts. We've yet to see exactly what steps Apple is taking to rectify the security issues, but Wired's Robert McMillan has written a good piece on why Apple's secure password advice is no help against the sort of information phishing that caused the loss of Honan's data.

  • Mat Honan details the Amazon and Apple security flaws that let hackers wipe his MacBook

    by Michael Rose, 08.06.2012

    Late Friday, Wired writer Mat Honan ran into a digital buzzsaw as his iCloud, Gmail and Twitter accounts were compromised in rapid succession. The hackers did a tremendous amount of collateral damage along the way, spewing racist and homophobic tweets on Honan's account plus the Gizmodo Twitter account (linked to his). Worse, they proceeded to wipe all the data from his iPhone, iPad and his Mac laptop via Find My iPhone and Find My Mac. Honan has now posted the first in a series of articles on Wired detailing what happened, and how the hackers were able to take advantage of critical bits of exposed information on different services to get into his accounts. The target, apparently, was always his Twitter account -- the three-letter @mat handle was irresistible to the hackers, and they wanted to use it to wreak mayhem. The chain of calamity began with the hackers finding Honan's Gmail address via his linked personal webpage off the @mat Twitter account and assuming correctly that it was the email address for his Twitter account. With that detail, they could go to the account recovery page for Gmail and -- without actually attempting to break into his account -- see a partial email address "m....n@me.com" already configured for account recovery. It doesn't take a rocket scientist to guess what the missing letters are there, and once they knew Honan's Gmail password reset would be heading for iCloud, they knew they had an easy path ahead. Honan pinpoints this bit of personal info as the key to the entire attack. "If I had some other account aside from an Apple email address, or had used two factor authentication for Gmail, everything would have stopped here. But using the .Me email account as a backup told the hacker I had an AppleID account, which meant I was vulnerable to being hacked." 
    In fact, the hackers needed only to collect a few readily (or nearly so) accessible bits of information in order to get Honan's iCloud password:

      • Honan's home address (scraped from domain registration records; note that many registrars will now obscure your address for this reason)
      • The .me email address (gleaned from the Google account recovery page)
      • The last four digits of the credit card on file for the iCloud account

    That last one is the killer. Through a series of simple social hacks of Amazon's account maintenance -- no more complex than a few phone calls and a fake but properly formatted credit card number -- it's possible to expose the last four digits of all the credit card numbers on an Amazon user account. Given that detail, AppleCare will apparently issue a temporary iCloud password for you, even if you cannot accurately answer the security questions on file. Temp password leads to password reset; password reset leads to owner getting locked out of the account; all leads to suffering. Needless to say, this is what some would call a balagan. If it's that simple, in theory, to get an iCloud password reset on the fly, then iTunes accounts and Find My Mac wipes are both in serious jeopardy -- to say nothing of email or location privacy. Apple spokesperson Natalie Kerris told Honan that some internal policies were not followed in his case, but Wired staffers were able to replicate the account access exploit twice over the weekend ... seems like a fairly common policy violation, no? I would think we'll hear more from Apple on how it plans to address this functional vulnerability in the next few days.

    Meanwhile, there are a few sensible steps you can take to help secure your account:

      • Don't use your iCloud email account as a password recovery account for Gmail, Hotmail, Yahoo! Mail, etc. You can and probably should set up a "blind" account for password recovery on a service you don't use for any other purpose, with an address that is never publicized or used to sign into social media sites.
      • Use different payment methods for iTunes/iCloud and for Amazon.
      • Don't save credit cards on your Amazon account. Keeping your last four digits off of Amazon's servers means they can't be shared with bad guys.
      • Turn ON two-factor authentication where possible. Google allows you to set your account to require a separate check via cellphone or the Google Authenticator app when you log in from a new machine or when you try to change security settings. (Counterpoint: Security expert Bruce Schneier did not think much of two-factor auth back in 2005.)
      • Turn off Find My Mac. Until Apple closes this hole, the risk of someone hacking your iCloud account for kicks and wiping your hard drive in the process is unknowable -- but probably too high.
      • Back up, back up, back up.

    Honan's regrets are many: that he did not have current backups of his laptop, and as a result might have lost irreplaceable photos of his family; that his Google and iCloud accounts were cross-linked for recovery; that he did not set up a separate recovery account. But he's mostly upset that he turned on Find My Mac. We invite your feedback and questions in the comments, but please keep it civil and constructive. Thanks.
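    To make the recovery-chain cascade concrete, here is an added Python example (not code from the original posts) that models each service's password-recovery address as a directed edge and reports which accounts fall once any one of them is controlled; the account names and both link layouts are constructed for illustration.

```python
"""Audit account-recovery links for cascade risk.

Added example. Each service points at the account that receives its
password-reset mail; an attacker who controls that account can reset the
service, and so on down the chain. Account names are constructed.
"""
from collections import defaultdict

# Constructed sample of cross-linked recovery, as in the incident described:
# Twitter resets go to Gmail, Gmail's backup address is the .me account,
# and iCloud itself has no email-based recovery path (None).
CROSS_LINKED = {
    "twitter": "gmail",
    "gmail": "icloud",
    "icloud": None,
    "amazon": "gmail",
}

# Same services after following the advice above: every reset lands in a
# "blind" mailbox used for nothing else, so no service recovers another.
HARDENED = {
    "twitter": "blind_recovery",
    "gmail": "blind_recovery",
    "icloud": "blind_recovery",
    "amazon": "blind_recovery",
    "blind_recovery": None,
}


def blast_radius(links, compromised):
    """Return every account (including `compromised`) reachable by chained
    password resets once an attacker controls `compromised`."""
    recovers = defaultdict(set)  # account -> services whose resets it receives
    for service, recovery in links.items():
        if recovery is not None:
            recovers[recovery].add(service)
    seen, frontier = set(), [compromised]
    while frontier:
        acct = frontier.pop()
        if acct not in seen:
            seen.add(acct)
            frontier.extend(recovers[acct])
    return seen


def single_points_of_failure(links):
    """Map each account whose loss cascades to the other accounts it drags down."""
    return {a: sorted(blast_radius(links, a) - {a})
            for a in links if len(blast_radius(links, a)) > 1}
```

    Run against CROSS_LINKED, losing the iCloud account yields Gmail, Twitter and Amazon as well; against HARDENED, losing iCloud yields only iCloud, and the audit shows the blind recovery mailbox is now the single account worth guarding most closely.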

  • Compromised iCloud password leads to nightmare (updated)

    by Michael Rose, 08.04.2012

    Updated. Former Gizmodo writer & current Wired Gadget Lab staffer Mat Honan is having a pretty bad day. As you can read on his Tumblr post (not to mention elsewhere), hackers compromised his iCloud account. They used that access to reset his iCloud password, reset his Gmail password, gain control of his Twitter account (which in turn gave them access to Gizmodo's Twitter feed and 400K followers) and generally wreak mayhem. Unfortunately, Honan's iCloud account was tied to his iPhone and iPad, which both had Find my iPhone/iPad turned on. In the attackers' hands, the FMI utility was turned against Honan and both devices were remotely wiped. It got worse: his MacBook Air had Find My Mac enabled, which meant the hackers could erase his SSD... and they did. Honan's iCloud password was unique to that service, but it was also only seven characters long and hadn't been changed in years. [This turns out not to be a key to the puzzle, see update #2 below.] Given the many points of exposure when iCloud accounts are compromised -- and the potential risk of serious consequences if remote wipe utilities like Find My Mac are controlled by malicious actors -- we recommend using a memorable but strong password for iCloud. (Strong and unique passwords are a good idea in general, but while Google's accounts have options for two-factor authentication with SMS or the Google Authenticator app, iCloud doesn't.) [Honan was targeted by a hacker group that had previously gone after high-profile Twitter users, which is an unlikely scenario for most of us. However, the risks of an unintended or malicious data wipe if you lose control of your iCloud password are real whether you're an Internet celebrity or not. –Ed.] The easiest way to come up with a strong password is to use a tool such as Diceware, but as our Twitter followers point out you do need to be able to enter your iCloud password quickly and easily on iOS devices if you plan to install or update App Store apps. 
    It's not always simple to balance security and convenience, but it's important to consider the risks before you go with an easy-to-crack password. Unfortunately there's no easy way to segregate the Find My Mac feature from the other Mac iCloud features like Photo Stream, Documents in the Cloud and Back to My Mac; if there were, you could have a 'shadow' iCloud account used only for that, with no email or App Store exposure at all. You can, however, set up separate iCloud accounts for email, calendars and contacts and/or App Store purchases -- but that rapidly defeats the "all your data, anywhere" advantages of iCloud in the first place. A toggle switch to disable Find My Mac's remote wipe capability could also make it a little more consumer-friendly, with a separate PIN code to turn the feature off or on; alternatively, with FileVault 2 Apple could replace the drive wipe with an encryption/lock pass to prevent thieves from accessing the data. But the odds of encountering a determined hacker clan set on wiping your computer remotely are arguably far lower than those of losing your MacBook to carelessness or theft; a good backup strategy plus Find My Mac is a better choice for the latter risk. Our sympathies to Mat; we wish him luck in recovering his data and piecing his digital life back together.

    Update: Mat reports that he is working with Google to restore his account access (and, since his phone was linked to his Google Voice number, his ability to receive and send text messages) and has a Genius Bar appointment today to review his options for data recovery on his MacBook Air.

    Update 2: Mat has determined that the hackers did not brute-force his password or cobble together answers to his security questions; they apparently did some clever social engineering on Apple's support reps and managed to wrangle a password reset without those answers. Mat told his story on TWIT Sunday and will detail all the machinations in a story for Wired that comes out on Monday. He has contacted Apple corporate and PR to give them an opportunity to address the policy issues brought to light by this incident.