Hack Exposes Gap in Amazon, Apple Security

CNNMoney.com

August 8, 2012

The recent hacking of Mat Honan was doubly shocking: He’s a writer for tech bible Wired, and hackers were able to crack his accounts with non-technical ease. Here’s the scariest part: Anyone with an Amazon account and an Apple ID is potentially vulnerable to the same attack.

The two companies say they’re working to close the security gaps exposed by Honan’s hack, but they were tight-lipped Tuesday about the details of what changes they’re making.

Honan’s harrowing tale, which he chronicled in a detailed story for Wired late Monday, explains how a Friday night hack quickly snowballed and took down many of his digital accounts: Amazon, Apple iCloud, Gmail and Twitter, plus the data on his three Apple devices. At the heart of his story is a dangerous blind spot between the identity verification systems used by Amazon and Apple, two of the tech industry’s most popular vendors.

Like many people, Honan has a variety of email addresses. Several of them can be easily tracked down by anyone hunting around online. The hacker who went after Honan found his @me.com address—a tip-off that Honan had an AppleID account. The attacker then used Amazon’s systems to break into Apple’s.

Gaming the system

The trick worked like this: Call Amazon, and tell them you want to add a credit-card number to your account. The company will ask for your name, billing address and an associated email address. That’s it. Wired tested the method using a fake credit-card number, and it worked—twice.

Then hang up, call back, and tell the next Amazon representative you’ve lost access to your account. They’ll ask for your name, billing address and a credit card associated with the account—like the one you added just moments earlier. With that information, Amazon will allow you to add a new email address to the account.

Go to Amazon’s website, and send a password reset to the new email address. Now, you have access to your target’s Amazon account and can see all the credit cards on file for the account. Amazon masks most of the credit card numbers, displaying only the last four digits. But here’s the catch: That’s enough to go and game Apple’s systems.

“The very four digits that Amazon considers unimportant enough to display in the clear on the web are precisely the same ones that Apple considers secure enough to perform identity verification,” Honan wrote in his Wired article.

The hacker—who later contacted Honan and agreed to share details about the technique if he didn’t press charges—called Apple tech support and requested a password reset on Honan’s @me.com email account. The hacker couldn’t answer any of the account’s security questions, but Apple offers another option.

“It turns out, a billing address and the last four digits of a credit-card number are the only two pieces of information anyone needs to get into your iCloud account,” Honan wrote. “Once supplied, Apple will issue a temporary password, and that password grants access to iCloud.”
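The blind spot the article describes is a dependency problem: one vendor treats a fact as harmless to display, another treats the same fact as proof of identity. The following is an added example (not code from CNNMoney, Wired, Amazon or Apple) that models the account-recovery flows as sets of facts and computes which accounts fall once an attacker starts from publicly findable information. The service definitions, fact names, and the Gmail and Twitter links are constructed simplifications based on the article's description of the "daisy-chained" accounts, not the vendors' real policies; `harden` shows what changes when one service additionally demands something no other service reveals.

```python
"""Account-recovery chaining: a small threat model of the cross-vendor gap.

Each service is modelled by (a) the facts it accepts as proof of identity when
someone asks to recover the account and (b) the facts it reveals once inside.
Starting from facts anyone can look up, we compute the fixed point: a service
falls as soon as every fact it accepts is already known, and whatever it
reveals joins the pool. All policies below are constructed assumptions drawn
from the article's narrative, not the vendors' actual rules.
"""

# Facts an attacker can usually find online (constructed assumption).
PUBLIC_FACTS = frozenset({"name", "billing_address", "email_address"})

# Constructed model of the flows described for August 2012. Amazon's phone
# process accepted name + billing address + an e-mail address; the card number
# asked for in the second call was one the caller had just added, so it is not
# a real verification factor and is left out of the model.
WEAK_POLICIES = {
    "amazon": {
        "recovery_needs": {"name", "billing_address", "email_address"},
        "reveals": {"card_last4"},  # last four digits shown in the clear
    },
    "apple_icloud": {
        "recovery_needs": {"email_address", "billing_address", "card_last4"},
        "reveals": {"icloud_email_inbox", "remote_wipe"},
    },
    "gmail": {  # assumed: reset link sent to the @me.com backup address
        "recovery_needs": {"icloud_email_inbox"},
        "reveals": {"gmail_inbox"},
    },
    "twitter": {  # assumed: reset link sent to the Gmail address
        "recovery_needs": {"gmail_inbox"},
        "reveals": set(),
    },
}


def recovery_chain(policies, known=PUBLIC_FACTS):
    """Return (services taken over in order, final pool of known facts).

    A service falls when every fact its recovery flow accepts is already in the
    attacker's pool; what it reveals then joins the pool. Iterates to a fixed
    point so that late additions can unlock services checked earlier.
    """
    known = set(known)
    fallen = []
    progress = True
    while progress:
        progress = False
        for name, policy in policies.items():
            if name in fallen:
                continue
            if policy["recovery_needs"] <= known:
                fallen.append(name)
                known |= policy["reveals"]
                progress = True
    return fallen, known


def cross_vendor_links(policies):
    """Map (giver, taker) -> facts that `giver` displays and `taker` trusts.

    These are the links a reviewer should flag: data one vendor treats as
    public and another treats as a secret (the article's card_last4).
    """
    links = {}
    for giver, gp in policies.items():
        for taker, tp in policies.items():
            if giver == taker:
                continue
            shared = gp["reveals"] & tp["recovery_needs"]
            if shared:
                links[(giver, taker)] = shared
    return links


def harden(policies, service, possession_factor):
    """Copy `policies`, adding to `service` a factor that no service reveals and
    that is not public (e.g. a code sent to a pre-registered phone, or a
    recovery key only the owner holds). The original dict is left untouched."""
    hardened = {
        n: {"recovery_needs": set(p["recovery_needs"]), "reveals": set(p["reveals"])}
        for n, p in policies.items()
    }
    hardened[service]["recovery_needs"].add(possession_factor)
    return hardened


if __name__ == "__main__":
    fallen, _ = recovery_chain(WEAK_POLICIES)
    print("weak policies, accounts lost in order:", fallen)
    print("cross-vendor links:", cross_vendor_links(WEAK_POLICIES))
    fixed = harden(WEAK_POLICIES, "apple_icloud", "owner_phone_code")
    print("with a possession factor at apple_icloud:", recovery_chain(fixed)[0])
```

With the weak policies every service falls in a single pass; requiring one factor that only the account owner possesses at the iCloud step stops the chain at Amazon, because nothing downstream can be reached through displayed data alone. The same check applied to any set of real policies is a quick way to find which "public" field somewhere else is acting as a password.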

Apple said in an emailed statement, “We found that our own internal policies were not followed completely.” The company would not comment further on what policies went awry.

Common approach

As far as Honan could determine, using credit-card numbers to verify identity is a standard method. “Apple tech support confirmed to me twice over the weekend that all you need to access someone’s AppleID is the associated email address, a credit-card number, the billing address and the last four digits of a credit card on file,” he wrote. “I was very clear about this.”

Amazon said it is working to plug holes on its end: “We have investigated the reported exploit and can confirm that the exploit has been closed as of yesterday afternoon.” But what, exactly, has changed? Amazon declined to comment or answer further questions.

A separate Wired article posted Tuesday said Amazon’s customer-service representatives will no longer change account settings such as credit cards or email addresses by phone.

That change came too late for Honan, though. After the hacker had access to Honan’s Apple account, the damage was swift and devastating. He used Apple’s remote wipe tool to delete all the data on Honan’s phone, then did the same to Honan’s iPad and MacBook. The hacker also nuked Honan’s Google account, and began posting racist and homophobic messages on his Twitter page.

In his article, Honan seemed to cast little blame on the hackers; instead, he said it was his fault for not backing up his data and for “daisy-chaining” his various accounts together.

Honan thinks the biggest culprits are Apple and Amazon for making systems that can so easily be gamed, especially when they’re targeted together. That’s the part that has the tech industry spooked. Millions of people have accounts with Amazon and Apple, which means Honan isn’t the first victim of this attack method.

“You hear about it if it’s a celeb or a writer because they have the medium to tell their story,” one commenter wrote in response to a Forbes article about the hacking. “Something similar happened to one of the members of my Rotary Club. Why haven’t you heard about it? Because he’s a retired dentist living eight miles in from the south coast of England.”

Copyright © LexisNexis, a division of Reed Elsevier Inc. All rights reserved.