An Epic Hack Performed With a Few Simple Tricks
Lax security practices by Apple and Amazon cost one journalist a year’s worth of photos and other data last Friday, in a chilling tale that’s a reminder that keeping data secure is far from a solved problem.
Mat Honan of Wired laid out what happened yesterday, explaining how he had all of his data wiped from his iPhone, iPad and MacBook using Apple’s remote wipe feature, which is intended to protect the data on a gadget if it is lost or stolen. Attackers got control of Honan’s Apple account by first taking advantage of a flaw in one of Amazon’s systems that gave them the last four digits of his credit card number. That and an email address was all that was needed to convince Apple to hand over control of his account. As Honan put it:
[T]he very four digits that Amazon considers unimportant enough to display in the clear on the web are precisely the same ones that Apple considers secure enough to perform identity verification. The disconnect exposes flaws in data management policies endemic to the entire technology industry, and points to a looming nightmare as we enter the era of cloud computing and connected devices.
Amazon changed its customer service policies today to prevent the trick that compromised Honan’s account, Wired reports. Apple has so far said little, apart from denying the existence of the loophole that got Honan hacked, which he claims he was able to replicate several times.
Honan’s Gmail account was also compromised as part of the attack, the goal of which was simply to wrest control of his three letter twitter account, @mat. Many people have blogged and tweeted today to say that Honan – and everybody else – should use Google’s two factor authentication, which is a more secure alternative to the traditional username and password. It involves using both a regular password and a one-time code generated by a phone app every time you log in.
Two factor authentication could have helped protect Honan, and could boost the security of many other services, too. But despite Google’s best efforts, it still feels clunky to use. The debut of NFC chips in phones might reduce the burden, though, and Intel showed off laptops at CES back in January that processed online payments by having a person tap their phone on a computer to authenticate. However, companies will still need ways to help people that forget their password to get back into their accounts. That means that we will remain at the mercy of various combinations of security questions and systems, like those that let Honan down, for a while yet.
In general, the best advice available is to understand how the services you use protect your account, and adjust your security questions, passwords and back up emails accordingly. Also, to avoid losing data irretrievably as Honan did, to frequently back up your data in multiple places.
The inside story of how ChatGPT was built from the people who made it
Exclusive conversations that take us behind the scenes of a cultural phenomenon.
How Rust went from a side project to the world’s most-loved programming language
For decades, coders wrote critical systems in C and C++. Now they turn to Rust.
Design thinking was supposed to fix the world. Where did it go wrong?
An approach that promised to democratize design may have done the opposite.
Sam Altman invested $180 million into a company trying to delay death
Can anti-aging breakthroughs add 10 healthy years to the human life span? The CEO of OpenAI is paying to find out.
Get the latest updates from
MIT Technology Review
Discover special offers, top stories, upcoming events, and more.