Wednesday, August 8, 2012

Hack attack exposes major gap in Amazon and Apple security!



The recent hacking of Mat Honan was doubly shocking: he's a writer for tech Bible Wired, and hackers were able to crack his accounts with non-technical ease.
Here's the scariest part: Anyone with both an Amazon account and an Apple ID is potentially vulnerable to the same attack.
The two companies say they're working to close the security gaps exposed by Honan's hack, but they were tight-lipped on Tuesday about the details of what changes they're making.
Honan's harrowing tale, which he chronicled in a detailed story for Wired late Monday, explains how a Friday-night hack quickly snowballed and took down many of his digital accounts: Amazon, Apple iCloud, Gmail and Twitter, plus the data on his three Apple devices.



At the heart of his story is a dangerous blind spot between the identity verification systems used by Amazon and Apple, two of the tech industry's most popular vendors.

Like many people, Honan has a variety of email addresses. Several of them can be easily tracked down by anyone hunting around online. The hacker who went after Honan found his @me.com address -- a tip-off that Honan had an Apple ID account.

The attacker then used Amazon's systems to break into Apple's.
The trick worked like this: Call Amazon and tell them you want to add a credit card number to your account. The company will ask for your name, billing address, and an associated email address. That's it. (Wired tested the method using a fake credit card number. It worked -- twice.)

Then hang up, call back, and tell the next Amazon representative that you've lost access to your account. They'll ask for your name, billing address, and a credit card associated with the account -- like the one you added just moments earlier. With that information, Amazon will allow you to add a new email address to the account.

Go to Amazon's website and send a password reset to the new email address. Now you've got access to your target's Amazon account and can see all the credit cards on file for the account.
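The design flaw in that sequence, modeled as an added example (not code from the article or from Amazon): a card accepted over the phone without authentication is later treated as proof of identity. All names, the cooling-period value and the sample data are assumptions; the hardened check closes only this self-assertion loop.

```python
from dataclasses import dataclass, field

COOLING_PERIOD_S = 72 * 3600  # assumed policy value, not from the article

@dataclass
class Card:
    number: str
    added_at: int              # seconds on a constructed clock
    added_authenticated: bool  # True only if added from a logged-in session

@dataclass
class Account:
    name: str
    billing_address: str
    email: str
    cards: list = field(default_factory=list)

def phone_add_card(acct, name, address, email, number, now):
    """Phone flow as reported: name, billing address and email are enough."""
    if (name, address, email) != (acct.name, acct.billing_address, acct.email):
        return False
    acct.cards.append(Card(number, now, added_authenticated=False))
    return True

def recover_weak(acct, name, address, number, now):
    """Any card on file counts as proof, even one the caller just added."""
    return (name, address) == (acct.name, acct.billing_address) and any(
        c.number == number for c in acct.cards)

def recover_hardened(acct, name, address, number, now):
    """A card counts only if added while authenticated and past the cooling period."""
    if (name, address) != (acct.name, acct.billing_address):
        return False
    return any(c.number == number and c.added_authenticated
               and now - c.added_at >= COOLING_PERIOD_S for c in acct.cards)

def demo():
    # Constructed sample data; both card numbers are made-up test values.
    who = ("Pat Example", "1 Sample St")
    acct = Account(*who, "pat@example.com", [Card("4111111111111111", 0, True)])
    now = 400 * 24 * 3600
    phone_add_card(acct, *who, "pat@example.com", "4000000000000002", now)
    return (recover_weak(acct, *who, "4000000000000002", now + 60),
            recover_hardened(acct, *who, "4000000000000002", now + 60),
            recover_hardened(acct, *who, "4111111111111111", now + 60))

if __name__ == "__main__":
    print(demo())
```
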

Amazon (AMZN, Fortune 500) masks most of the credit card numbers, displaying only the last four digits.
But here's the catch: That's enough to go and game Apple's systems.

"The very four digits that Amazon considers unimportant enough to display in the clear on the Web are precisely the same ones that Apple considers secure enough to perform identity verification," Honan wrote in his Wired account.
