If I've seemed a little bleary-eyed and inattentive this week you can blame Jim Fallows. Late on Tuesday night I read his post about gmail, which linked to Mat Honan's piece for Wired about the destruction of his (Honan's) digital life. I was then up most of the night implementing Jim's advice about improving my computer security. This is by no means the first warning Jim has issued. (His wife's gmail was hacked a while back and he did a memorable article for the magazine about it.) For some reason this latest episode, unlike the others he's related, finally pierced my complacency and I resolved to do something about it.
I don't think I'm an easy person to shock but I was stunned by what happened to Honan--to be more precise, by how it happened. All his devices were remotely wiped and he lost his entire gmail archive. (In fact the hacker could have done much more damage than he evidently did. He seems not to have wanted Honan's money so much as his Twitter account, mainly for bragging purposes.) But the amazing thing was the hacking method. "Phobia" didn't have to steal or break a password. He didn't need to plant spyware. He started with a phone--as in an actual telephone, not a smartphone--and Honan's name, email address and billing address. Incredibly, that was enough to persuade Amazon to invite him into Honan's account. There the hacker found another piece of information (the last four digits of a credit-card number) which in turn was enough for Apple to extend its own welcome. What the hacker did was smart, all right--but it was grifting not code-work. And it was Amazon and Apple, for heaven's sake, that fell for it.
The key weakness was in both firms' password reset procedures--what happens, that is, when you tell them you've forgotten your password. The hacker got Amazon to send a password reset for Honan's account to an email address he controlled. Then he got Apple to issue him a temporary password for Honan's iCloud account.
First, if I follow the tale correctly, the hacker found that by phone he could add a bogus credit-card number to Honan's Amazon account. To verify his ID for this purpose he was asked only for name, associated email address and billing address--easy to find. Second, he called Amazon again, this time offering as ID verification the very credit card he had just given them, and added a new email address to the account. Third, he went to the Amazon sign-in page and requested a password reset to be sent to the email address he'd just added to Honan's profile. With this, he was in. Among other things, he could now look at the last four digits of the real credit cards Honan had linked to his account. One of those four-digit numbers, it turned out, was the only ID verification, beyond name, address and email address, that Apple required to let the hacker into Honan's iCloud account. That, in turn, was connected to Honan's Google account...
One particular twist has scandalized many of the people commenting on this episode. When the hacker called to reset the Apple password, he apparently couldn't answer the verification questions tied to the account ("What was the name of your first pet?" and so forth). The Apple rep issued a temporary password anyway, because he had the credit-card digits. Honan and Wired replicated this failure after Honan's experience. Opening the account to somebody who couldn't answer the check-questions might not have been official policy, but it was apparently standard operating procedure.
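The chain just described, in the three numbered steps above and the security-question twist, is easier to reason about as an attack graph: each recovery procedure is a rule that turns facts the caller can present into facts or access the caller gains, and the question is whether the attacker's starting knowledge (name, email, billing address) reaches the iCloud account. The model below is an added example, not code from this post, from Wired, or from Amazon or Apple; the rule set is my simplification of the chain as the post tells it, the "hardened" rule set is an assumed fix for illustration (not what either company actually changed), and the fact names are invented labels. The `cross_service_verifiers` check flags the exact design error at the heart of the story: a value one service shows to anyone inside the account (the last four card digits) that another service accepts as proof of identity.

```python
"""Attack-graph model of a cross-service password-reset chain (illustrative)."""
from typing import FrozenSet, Iterable, List, Set, Tuple

# A recovery rule: (label, facts the caller must present, facts/access gained).
# The label's prefix before ':' names the service that enforces the rule.
Rule = Tuple[str, FrozenSet[str], FrozenSet[str]]


def rule(label: str, needs: Iterable[str], gains: Iterable[str]) -> Rule:
    return (label, frozenset(needs), frozenset(gains))


# What the attacker started with, per the post (constructed starting set).
ATTACKER_START = {"name", "email", "billing_address"}

# The chain as the post describes it.
WEAK_RULES: List[Rule] = [
    rule("amazon: add card by phone",
         {"name", "email", "billing_address"}, {"amazon_card_on_file"}),
    rule("amazon: add email by phone",
         {"name", "email", "billing_address", "amazon_card_on_file"},
         {"amazon_recovery_email"}),
    rule("amazon: web password reset",
         {"amazon_recovery_email"}, {"amazon_account"}),
    rule("amazon: view profile",
         {"amazon_account"}, {"card_last4"}),
    # Security questions were nominally part of this step but were waived.
    rule("apple: phone reset",
         {"name", "email", "billing_address", "card_last4"}, {"icloud_account"}),
    rule("apple: remote wipe / linked accounts",
         {"icloud_account"}, {"device_wipe", "google_account"}),
]

# Assumed hardening (hypothetical, for illustration): contact and billing
# details can only be changed from inside an authenticated session, and the
# Apple reset demands factors that no other service discloses and that the
# rep cannot waive.
HARDENED_RULES: List[Rule] = [
    rule("amazon: add card", {"amazon_account"}, {"amazon_card_on_file"}),
    rule("amazon: add email", {"amazon_account"}, {"amazon_recovery_email"}),
    rule("amazon: web password reset",
         {"amazon_recovery_email"}, {"amazon_account"}),
    rule("amazon: view profile", {"amazon_account"}, {"card_last4"}),
    rule("apple: phone reset",
         {"name", "email", "billing_address",
          "security_answers", "trusted_device_code"}, {"icloud_account"}),
    rule("apple: remote wipe / linked accounts",
         {"icloud_account"}, {"device_wipe", "google_account"}),
]


def reachable(start: Set[str], rules: List[Rule]) -> Tuple[Set[str], List[str]]:
    """Forward-chain over the rules until nothing new is gained.

    Returns the closure of the attacker's knowledge and the ordered list of
    rule labels that fired (the attack path)."""
    known = set(start)
    path: List[str] = []
    changed = True
    while changed:
        changed = False
        for label, needs, gains in rules:
            if needs <= known and not gains <= known:
                known |= gains
                path.append(label)
                changed = True
    return known, path


def service_of(label: str) -> str:
    return label.split(":", 1)[0]


def cross_service_verifiers(rules: List[Rule]) -> Set[str]:
    """Facts one service hands to an account holder that a *different*
    service accepts as an identity verifier. Each one is a link an attacker
    can use to hop between recovery procedures."""
    flagged: Set[str] = set()
    for label_a, _, gains in rules:
        for label_b, needs, _ in rules:
            if service_of(label_a) != service_of(label_b):
                flagged |= gains & needs
    return flagged


if __name__ == "__main__":
    for name, rules in (("weak", WEAK_RULES), ("hardened", HARDENED_RULES)):
        known, path = reachable(ATTACKER_START, rules)
        print(f"[{name}] iCloud reached: {'icloud_account' in known}")
        for step in path:
            print("   ", step)
        print(f"[{name}] cross-service verifiers: {sorted(cross_service_verifiers(rules))}")
```

Run as a script it prints the six-step path under the weak rules and no path at all under the hardened ones. The point of the second check is that it can be run before an incident: any fact that appears in `cross_service_verifiers` is a verifier only as strong as the weakest procedure at the service that discloses it.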