Tuesday, August 7, 2012

Security & Hacking Updated: Mat Honan Targeted

I posted about this story the other day, VOD interview/discussion at http://twit.tv/show/this-week-in-tech/365

Mat Honan also talks about it on his Blog at http://www.emptyage.com/post/28679875595/yes-i-was-hacked-hard

Since I wrote about this, Honan's has written an article How Apple and Amazon Security Flaws Led to My Epic Hacking, were he explains how the hack was done, and how this vulnerability still exists.

Strongly suggest reading the whole story, but the key aspects of the hack are as follows:

  1. "My [Honan's] Twitter account linked to my personal website, where they found my Gmail address."
  2. "Because I didn’t have Google’s two-factor authentication turned on, when Phobia entered my Gmail address, he could view the alternate e-mail I had set up for account recovery. Google partially obscures that information, starring out many characters, but there were enough characters available, m••••n@me.com. Jackpot. "
  3. "Since he already had the e-mail, all he needed was my billing address and the last four digits of my credit card number to have Apple’s tech support issue him the keys to my account. "
  4.  "He got the billing address by doing a whois search on my personal web domain."
  5. Then Hacker calls Amazon & adds bogus Credit Card number to account, since they can do this with just Name, billing address, and email associated with the Amazon account.
  6. Call Amazon back & say can't get into account, Amazon will let you in with:  Name, Billing Address, Email, and Bogus Credit Card numbers Hacker just added.  Then you can add new email to account and see last four Credit Card numbers of every Card on that Account.  So you now have the keys to the Apple account.
This sounds a lot like certain types of games were you have to find small pieces of information and use those bits to build more.

Couple of things stand out to me, besides Apple's horrible policy, if at all possible, don't associate emails or Credit Cards between Apple and any other company that you do online or phone ordering with, because Apple considers the last four numbers of your credit card to be  more than a password, since you can reset valid passwords with that information!

Maybe only use a prepay Card with Apple?  Not sure how else to protect your Apple accounts from being hacked this way.

No comments:

Post a Comment