Following this weekends news of how Mat Honan’s iCloud account (and thereby many of his other accounts) were compromised by a clever hacker, Honan has now updated his original post explaining exactly how the hacker was able to gain access to his accounts.
Honan previously noted that the hackers were somehow able to convince Apple support to issue a temporary password providing access to the account – but the way the hacker was able to gain access is particularly horrifying:
At Honan’s website he found his gmail address. Using gmail’s password recovery page he was shown enough of his @me.com address to decipher the full username. Then Honan’s billing address was found via a whois of his website’s domain. The hacker then contacted Amazon and added a fake credit card to Honan’s account. Next the hacker contacted Amazon again and added a new email address to the account using the fake credit card as authorization. Using the new email account he requested a password reset and gained access to see the last four digits of all cards on file. Finally, the hacker called Apple with the email address, billing address, and last four digits of the credit card to have Apple support reset the password.
While this may seem a bit lengthy of a procedure, a delivery person could do the same without going through any of those hoops.
Apparently all you need to access someone else’s iCloud account ia an email address, a billing address and the last four digits of a credit card linked to the account. And unfortunately, neither of those are difficult to obtain - a piece of mail and a store receipt could enable anyone to hijack your digital life! Apple even confirmed this to Honan multiple times.
Apple tech support confirmed to me twice over the weekend that all you need to access someone’s AppleID is the associated e-mail address, a credit card number, the billing address, and the last four digits of a credit card on file. I was very clear about this. During my second tech support call to AppleCare, the representative confirmed this to me. “That’s really all you have to have to verify something with us,” he said.
Apparently all you need to access someone else’s iCloud account ia an email address, a billing address and the last four digits of a credit card linked to the account. And unfortunately, neither of those are difficult to obtain – a piece of mail and a store receipt could enable anyone to hijack your digital life!
On Monday, Wired tried to verify the hackers’ access technique by performing it on a different account. We were successful. This means, ultimately, all you need in addition to someone’s email address are those two easily acquired pieces of information: a billing address and the last four digits of a credit card on file. Here’s the story of how the hackers got them.
While the Apple spokesperson stated that protocol was not followed completely, it’s unclear what part of the protocol wasn’t followed – and the fact that Honan was repeatedly told that an email, mailing address, and the last four digits of a credit card are all that is required is concerning, to say the least. Apple’s official response is as follows:
Apple spokesperson Natalie Kerris told Wired, “Apple takes customer privacy seriously and requires multiple forms of verification before resetting an Apple ID password. In this particular case, the customer’s data was compromised by a person who had acquired personal information about the customer. In addition, we found that our own internal policies were not followed completely. We are reviewing all of our processes for resetting account passwords to ensure our customers’ data is protected.:
Worse, Wired confirmed this themselves, and was able to successfully gain access to another person’s account using only a billing address and some easy to obtain bits from a credit card (which the hacker obtained from Amazon by taking advantage of a security hole). Yikes!
It seems tat the only way to protect yourself is to use separate Apple IDs – one for iTunes and App Store purchases, and a second one for iCloud which you keep secret. And of course, that sort of defeats the purpose of the Apple ID as a simple, singular way to make purchases and access your data.
Mat’s full account is fairly interesting, and definitely worth a read. Check it out over at Wired.