Gizmodo alumnus Mat Honan got hacked this week. It was bad. But that's not the worst part. Worse is that Apple has known exactly how easy this is for months, and hasn't done a thing to stop it.
Honan has a chilling account of Apple and Amazon's security flaws over at Wired today. He's actually been in contact with his hacker, "Phobia," and using the information he got there, has been able to confirm that Apple has been aware of the security issue. Here's how it works:
But what happened to me exposes vital security flaws in several customer service systems, most notably Apple and Amazon's. Apple tech support gave the hackers access to my iCloud account. Amazon tech support gave them the ability to see a piece of information - a partial credit card number - that Apple used to release information. In short, the very four digits that Amazon considers unimportant enough to display in the clear on the Web are precisely the same ones that Apple considers secure enough to perform identity verification. The disconnect exposes flaws in data management policies endemic to the entire technology industry, and points to a looming nightmare as we enter the era of cloud computing and connected devices.
And perhaps more disturbing is how aware Apple's tech support is of this:
Apple tech support confirmed to me twice over the weekend that all you need to access someone's AppleID is the associated email address, a credit card number, the billing address, and the last four digits of a credit card on file. I was very clear about this. During my second tech support call to AppleCare, the representative confirmed this to me. "That's really all you have to have to verify something with us," he said.
Today, Wired confirmed the technique works on other accounts. So, in practice, if you use the same credit card on Amazon or PayPal as you do on Apple, you are exposed to the dead-simplest social-engineering hack in recent memory.
We already knew that Mat's account had been hacked without any brute force, but this level of negligence is totally nuts. For reasons passing understanding, Apple seems to have actually refused to enact simple policy changes to stop crippling, terrifying hacks from happening to its customers. [Wired]
Image by gualtiero boffi/Shutterstock