The Hack That Kept Me Awake at Night

If I've seemed a little bleary-eyed and inattentive this week you can blame Jim Fallows. Late on Tuesday night I read his post about gmail, which linked to Mat Honan's piece for Wired about the destruction of his (Honan's) digital life. I was then up most of the night implementing Jim's advice about improving my computer security. This is by no means the first warning Jim has issued. (His wife's gmail was hacked a while back and he did a memorable article for the magazine about it.) For some reason this latest episode, unlike the others he's related, finally pierced my complacency and I resolved to do something about it.

I don't think I'm an easy person to shock but I was stunned by what happened to Honan--to be more precise, by how it happened. All his devices were remotely wiped and he lost his entire gmail archive. (In fact the hacker could have done much more damage than he evidently did. He seems not to have wanted Honan's money so much as his Twitter account, mainly for bragging purposes.) But the amazing thing was the hacking method. "Phobia" didn't have to steal or break a password. He didn't need to plant spyware. He started with a phone--as in an actual telephone, not a smartphone--and Honan's name, email address and billing address. Incredibly, that was enough to persuade Amazon to invite him into Honan's account. There the hacker found another piece of information (the last four digits of a credit-card number) which in turn was enough for Apple to extend its own welcome. What the hacker did was smart, all right--but it was grifting not code-work. And it was Amazon and Apple, for heaven's sake, that fell for it.

The key weakness lay in both firms' account-recovery procedures, that is, in what happens when you tell them you've forgotten your password. The hacker talked Amazon's phone support into resetting the password on Honan's account, then got Apple's to do the same. Neither step required knowing anything secret.

First, if I follow the tale correctly, the hacker found that by phone he could add a bogus credit-card number to Honan's Amazon account. To verify his identity for this purpose he was asked only for a name, the email address on the account and the billing address, all easy to find online. Second, he called Amazon again, this time offering the card number he had just added as his proof of identity, and had a new email address attached to the account. Third, he went to the Amazon sign-in page and requested a password reset, which was sent to the email address he'd just added to Honan's profile. With this, he was in. Among other things, he could now read the last four digits of the real credit cards Honan had linked to his account. One of those four-digit numbers, it turned out, was the only verification beyond name, address and email address that Apple required before letting the hacker into Honan's iCloud account. That, in turn, was connected to Honan's Google account...

One particular twist has scandalized many of the people commenting on this episode. When the hacker called to reset the Apple password, he apparently couldn't answer the security questions tied to the account ("What was the name of your first pet?" and so forth). The Apple rep issued a temporary password anyway, because the caller could supply the last four digits of the card on file. Honan and Wired later replicated this failure. Opening the account to somebody who couldn't answer the security questions might not have been official policy, but it was apparently standard operating procedure.
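To make the two failures concrete, here is a toy model of the recovery policies as the story describes them, beside what a fail-closed version of each would look like. This is an added example, not code from Wired, Amazon or Apple; every name, address, card number and verification rule in it is a constructed stand-in, since the real systems' internals are not on the page. The `Weak*` classes encode exactly the chain above (bogus card, then new email, then reset, then the leaked four digits reused at the second company); the `Hardened*` classes show the two changes that break it: a card added over the phone is quarantined and never counts as proof of identity, and security questions fail closed instead of being overridden by card digits that any receipt or other merchant displays.

```python
"""Toy model of the account-recovery chain (added example, constructed data)."""
from dataclasses import dataclass, field
from typing import Dict, List, Set


@dataclass
class Account:
    name: str
    email: str
    billing_address: str
    cards_on_file: List[str] = field(default_factory=list)     # full numbers the customer entered earlier
    unverified_cards: List[str] = field(default_factory=list)  # added by phone, never verified
    recovery_emails: List[str] = field(default_factory=list)   # addresses a reset link may go to
    pending_emails: List[str] = field(default_factory=list)    # awaiting out-of-band confirmation
    security_answers: Dict[str, str] = field(default_factory=dict)


def public_facts_match(acct: Account, name: str, email: str, address: str) -> bool:
    """Name, e-mail and billing address are findable online, so this proves nothing."""
    return (name, email, address) == (acct.name, acct.email, acct.billing_address)


class WeakRetailer:
    """Retailer policy as described: a card the caller just added counts as ID."""

    def add_card(self, acct, name, email, address, card) -> bool:
        if not public_facts_match(acct, name, email, address):
            return False
        acct.cards_on_file.append(card)          # bogus card lands next to the real ones
        return True

    def add_email(self, acct, name, address, card, new_email) -> bool:
        if name == acct.name and address == acct.billing_address and card in acct.cards_on_file:
            acct.recovery_emails.append(new_email)
            return True
        return False

    def reset_password(self, acct, to_email) -> bool:
        return to_email in acct.recovery_emails  # reset link mailed straight out

    def last_four_digits(self, acct) -> Set[str]:
        return {c[-4:] for c in acct.cards_on_file}  # visible once logged in


class HardenedRetailer(WeakRetailer):
    """Phone-added cards are quarantined and never usable as a verifier; a new
    recovery address stays pending until confirmed from an existing one."""

    def add_card(self, acct, name, email, address, card) -> bool:
        if not public_facts_match(acct, name, email, address):
            return False
        acct.unverified_cards.append(card)       # kept apart from cards_on_file
        return True

    def add_email(self, acct, name, address, card, new_email) -> bool:
        if card not in acct.cards_on_file:       # only a full number entered earlier counts
            return False
        acct.pending_emails.append(new_email)    # not a reset target until confirmed
        return True


class WeakCloudProvider:
    """Security questions are asked, but four card digits rescue a caller who fails them."""

    def reset_password(self, acct, name, email, address, last4, answers) -> bool:
        if not public_facts_match(acct, name, email, address):
            return False
        answers_ok = answers == acct.security_answers
        last4_ok = last4 in {c[-4:] for c in acct.cards_on_file}
        return answers_ok or last4_ok


class HardenedCloudProvider:
    """Fail closed: the last four digits are not a secret and earn no credit."""

    def reset_password(self, acct, name, email, address, last4, answers) -> bool:
        return public_facts_match(acct, name, email, address) and answers == acct.security_answers


# Constructed sample data: not a real person, address or card number.
NAME, EMAIL, ADDR = "Victim Example", "victim@example.invalid", "1 Example Street"
REAL_CARD = "5555444433332222"       # on file at both companies, last four 2222
BOGUS_CARD = "4111111111111111"      # attacker-chosen
ATTACKER_EMAIL = "attacker@example.invalid"


def fresh_accounts():
    retail = Account(NAME, EMAIL, ADDR, cards_on_file=[REAL_CARD])
    cloud = Account(NAME, EMAIL, ADDR, cards_on_file=[REAL_CARD],
                    security_answers={"first pet": "Rex"})
    return retail, cloud


def run_chain(retailer, cloud_provider) -> Dict[str, bool]:
    """Attacker knows only NAME, EMAIL and ADDR; returns which steps succeeded."""
    retail, cloud = fresh_accounts()
    steps = {}
    steps["add_bogus_card"] = retailer.add_card(retail, NAME, EMAIL, ADDR, BOGUS_CARD)
    steps["add_attacker_email"] = retailer.add_email(retail, NAME, ADDR, BOGUS_CARD, ATTACKER_EMAIL)
    steps["retail_reset"] = retailer.reset_password(retail, ATTACKER_EMAIL)
    leaked = retailer.last_four_digits(retail) if steps["retail_reset"] else set()
    # The attacker cannot answer the security question, so only the digits can carry him.
    steps["cloud_reset"] = any(
        cloud_provider.reset_password(cloud, NAME, EMAIL, ADDR, l4, {"first pet": "no idea"})
        for l4 in leaked)
    return steps


def attack_weak() -> Dict[str, bool]:
    return run_chain(WeakRetailer(), WeakCloudProvider())


def attack_hardened() -> Dict[str, bool]:
    return run_chain(HardenedRetailer(), HardenedCloudProvider())


if __name__ == "__main__":
    print("weak policies:    ", attack_weak())
    print("hardened policies:", attack_hardened())
```

Against the weak policies every step returns True and the attacker ends up holding both accounts; against the hardened ones the bogus card is still accepted (there is nothing wrong with letting a customer add a card) but it buys nothing, so the chain dies at the second phone call and the cloud account is never reached.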

I agree with many others: that's bad. But let's not forget that the first crucial breach was at Amazon. Getting round their defenses, if that's the right word, required a bit more ingenuity than getting round Apple's, but less information. Suffice it to say, both firms got the most basic security measures wrong. Here are you and I, worrying about keeping our passwords secret, mixing letters and digits, upper case and lower case, and all that, while Amazon and Apple hand out temporary passwords with next to no verification. When you consider the volume of business they do, the expertise they have at their disposal, and how much they have at stake in all this, such easily avoidable lapses are just remarkable.

Both holes have now been plugged, I read in Wired. But one lesson in all this is surely to take nothing for granted, and to take some sensible precautions. Honan couldn't have done anything about Amazon's and Apple's weak procedures but, as he says, better security on his part would have made things harder for the hacker and helped to limit the damage.

Jim's recommended measures took me a bit longer to apply than I'd expected. So many passwords to reset, and they should be (1) different from one another, (2) not previously used for any of your accounts, and (3) reasonably "strong". (Though as Jim points out, (3) is actually less important than (1) and (2). I hadn't thought much about that.) I also followed his advice to turn on gmail's two-step verification--which didn't go quite as smoothly as it should have, because it did something bad to one of my other connected email accounts, and that took me a while to sort out. Then I did some overdue backing up, online and offline.

Then I spent another hour or two unlinking various cloud services that make everything work seamlessly together across services and devices. That, as you might expect, caused further knock-on disruptions--and some are still cropping up. Why even try to do that? Effortless integration is the point, isn't it? Absolutely, and I'm messing this up with a heavy heart. But the problem with having everything work seamlessly together--as Honan found--is that a single weak point can then leave your entire system seamlessly...compromised. I'd say this is something cloud evangelists need to think about more carefully.

Speaking of cloud evangelists, who'd have thought that Amazon and Apple would have let this happen? That's what I find so disturbing. If you can't trust them to get this stuff right, who can you trust?