The Hack That Kept Me Awake at Night

If I've seemed a little bleary-eyed and inattentive this week you can blame Jim Fallows. Late on Tuesday night I read his post about gmail, which linked to Mat Honan's piece for Wired about the destruction of his (Honan's) digital life. I was then up most of the night implementing Jim's advice about improving my computer security. This is by no means the first warning Jim has issued. (His wife's gmail was hacked a while back and he did a memorable article for the magazine about it.) For some reason this latest episode, unlike the others he's related, finally pierced my complacency and I resolved to do something about it.

I don't think I'm an easy person to shock but I was stunned by what happened to Honan--to be more precise, by how it happened. All his devices were remotely wiped and he lost his entire gmail archive. (In fact the hacker could have done much more damage than he evidently did. He seems not to have wanted Honan's money so much as his Twitter account, mainly for bragging purposes.) But the amazing thing was the hacking method. "Phobia" didn't have to steal or break a password. He didn't need to plant spyware. He started with a phone--as in an actual telephone, not a smartphone--and Honan's name, email address and billing address. Incredibly, that was enough to persuade Amazon to invite him into Honan's account. There the hacker found another piece of information (the last four digits of a credit-card number) which in turn was enough for Apple to extend its own welcome. What the hacker did was smart, all right--but it was grifting not code-work. And it was Amazon and Apple, for heaven's sake, that fell for it.

The key weakness was in both firms' password reset procedures--what happens, that is, when you tell them you've forgotten your password. The hacker persuaded Amazon to give him a password to Honan's account. Then he got Apple to do the same.

First, if I follow the tale correctly, the hacker found that by phone he could add a bogus credit-card number to Honan's Amazon account. To verify his ID for this purpose he was asked only for name, associated email address and billing address--all easy to find. Second, he called Amazon again, this time offering the credit card he had just given them as ID verification, and added a new email address to the account. Third, he went to the Amazon sign-in page and requested a password reset to be sent to the email address he'd just added to Honan's profile. With this, he was in. Among other things, he could now look at the last four digits of the real credit cards Honan had linked to his account. One of those four-digit numbers, it turned out, was the only ID verification in addition to name, address and email address that Apple required to let the hacker into Honan's Apple iCloud account. That, in turn, was connected to Honan's Google account...

One particular twist has scandalized many of the people commenting on this episode. When the hacker called to reset the Apple password, he apparently couldn't answer the verification questions tied to the account ("What was the name of your first pet?" and so forth). The Apple rep issued a temporary password anyway, because the caller had the credit-card digits. Honan and Wired replicated this failure after Honan's experience. Opening the account to somebody who couldn't answer the check-questions might not have been official policy, but it was apparently standard operating procedure.
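The reset chain described in the two paragraphs above, modelled as an added example that is not part of the original post and is not Amazon's or Apple's code: a small Python sketch of two account-recovery policies run against the same account. The account, the field names, the values, the cooldown period and the "two strong verifiers" threshold are all constructed assumptions for illustration. The weak policy grants a reset when any single piece of data on file matches; the hardened one refuses to count data that is publicly discoverable, data that another service displays to a logged-in user (the last four card digits), or data that was added by phone too recently to vouch for anything, and it has no path for an agent to wave through a caller who cannot answer a required check.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta


@dataclass
class Verifier:
    kind: str            # e.g. "billing_address", "card_last4", "security_question"
    value: str
    added_at: datetime
    added_via: str       # "strong_auth" (logged-in session / MFA) or "phone_agent"


@dataclass
class Account:
    email: str
    verifiers: list = field(default_factory=list)


# Kinds a caller can obtain without ever touching this account: from public
# records, or by reading them off *another* service's account page.
PUBLICLY_DISCOVERABLE = {"name", "email", "billing_address"}
EXPOSED_ELSEWHERE = {"card_last4"}
COOLDOWN = timedelta(days=7)   # assumed: phone-added data cannot vouch for a reset yet
MIN_USABLE = 2                 # assumed: a reset needs two independent strong checks


def weak_policy(acct, claims, now):
    """Any single verifier on file that matches the caller's claim wins."""
    return any(claims.get(v.kind) == v.value for v in acct.verifiers)


def usable_verifiers(acct, now):
    """Verifiers the hardened policy is willing to trust right now."""
    out = []
    for v in acct.verifiers:
        if v.kind in PUBLICLY_DISCOVERABLE or v.kind in EXPOSED_ELSEWHERE:
            continue
        if v.added_via != "strong_auth" and now - v.added_at < COOLDOWN:
            continue   # attached by phone too recently; not yet trusted
        out.append(v)
    return out


def hardened_policy(acct, claims, now):
    """Every usable verifier must be answered and must match; no override."""
    usable = usable_verifiers(acct, now)
    if len(usable) < MIN_USABLE:
        return False, "too few strong verifiers; route to out-of-band recovery"
    for v in usable:
        if v.kind not in claims:
            return False, f"caller could not answer {v.kind}"
        if claims[v.kind] != v.value:
            return False, f"{v.kind} mismatch"
    return True, "all strong verifiers matched"


def add_verifier_by_phone(acct, kind, value, now):
    """What a support agent does when a caller asks to add a card or email."""
    acct.verifiers.append(Verifier(kind, value, now, "phone_agent"))


def build_account(now):
    # Constructed account state; every value here is made up.
    long_ago = now - timedelta(days=400)
    return Account("owner@example.com", [
        Verifier("billing_address", "1 Example St", long_ago, "strong_auth"),
        Verifier("card_last4", "1234", long_ago, "strong_auth"),
        Verifier("security_question", "rex", long_ago, "strong_auth"),
        Verifier("recovery_code", "7H2K-9QPL", long_ago, "strong_auth"),
        Verifier("recovery_email", "owner-backup@example.org", long_ago, "strong_auth"),
    ])


def simulate_chain(now=datetime(2012, 8, 7)):
    acct = build_account(now)
    # The caller knows only the publicly discoverable fields, gets an agent to
    # attach a new card and a new email, then presents those as proof.
    add_verifier_by_phone(acct, "card_last4", "9999", now)
    add_verifier_by_phone(acct, "recovery_email", "caller@example.net", now)
    caller = {"billing_address": "1 Example St", "card_last4": "9999",
              "recovery_email": "caller@example.net"}
    # A "recovery_email" claim means the caller demonstrated control of that inbox.
    owner = {"security_question": "rex", "recovery_code": "7H2K-9QPL",
             "recovery_email": "owner-backup@example.org"}
    return {
        "usable_kinds": sorted(v.kind for v in usable_verifiers(acct, now)),
        "weak_caller": weak_policy(acct, caller, now),
        "hardened_caller": hardened_policy(acct, caller, now),
        "weak_owner": weak_policy(acct, owner, now),
        "hardened_owner": hardened_policy(acct, owner, now),
    }


if __name__ == "__main__":
    for name, result in simulate_chain().items():
        print(f"{name}: {result}")
```

The point of the model is the difference in what counts as evidence. Under `weak_policy` the billing address alone, or the card the caller just attached, is enough, which is the failure the article describes at Amazon; under `hardened_policy` the freshly added card and email are simply invisible to the reset flow for a week, the last-four digits never count because another service shows them, and a caller who cannot answer the security question is refused rather than waved through.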
