How Hacking Works: Amazon, Apple, GMail, and Twitter

Image: How hacking works (Defence Images, CC-BY-NC)

In my review of The Cuckoo’s Egg last week, I mentioned that the story helped dispel some of the myths surrounding hackers and the way hacks are carried out. Students are often keen to know how hacking works too. In reality, most computers are hacked because of simple flaws in computer systems and in human behaviour. A story from Wired writer Mat Honan illustrates very clearly how hacking works: his Amazon, Apple, Gmail, and Twitter accounts were hacked last week, causing him a great deal of trouble and erasing a lot of important data from his devices.

Chron.com explains the story:

The hackers began by going to his personal website, which was linked from his Twitter account. Honan’s Gmail address was there, and they used Google’s automated password-recovery setup to get a glimpse at his guessable alternative email address, which happened to be an Apple .me account.

Next he looked up the information on Honan’s web domain, which yielded his billing address.

The hacker then called Amazon and said he wanted to add a credit card number to Honan’s account, pretending to be him. Amazon only requires the account holder’s name, billing address and an email address associated with an account to make this change. And you can generate fake credit card numbers with online tools, which the hackers did. The hackers were then able to call back and add a new email address, because they could accurately give out associated credit card information. Once the new email was in place, they requested a password reset, which gave them access to Honan’s account details – including the last four digits of Honan’s credit card.

Next they called Apple tech support, where you can bypass security questions to access an account by giving out a customer billing address and the last four digits of an associated credit card. They now had control of Honan’s iCloud account, to which his iPhone, iPad and MacBook Pro were linked.

The hackers used Find My iPhone and Find My Mac to wipe his devices.

Once the hackers had control of Honan’s iCloud account, they also controlled his .me email address – which was the backup to Gmail. They were then able to enter his Gmail account and send a password reset request to Twitter, which then gave them access to his @mat Twitter feed.

Oh, and because Honan’s Twitter feed was still linked to Gizmodo’s main Twitter account – even though he’s no longer employed there – they were able to hijack @Gizmodo, too.

There are several worrying aspects to this story. Amazon and Apple both made clear mistakes, of course. Apple should never have allowed a password reset without the hacker being able to answer security questions designed to prevent exactly this type of attack. Amazon also share some of the blame.

But the story also highlights how even small pieces of information – an email address or a billing address – can be used to gradually gather more and more data, slowly building up to a devastating hack. This is an important point to remember when entering details like this into social network sites. Remember that in 2008 Sarah Palin’s email was hacked using information found openly on the web.

One strategy I use to avoid such problems is to never answer security questions such as “Who was your favourite teacher?” or “What is your mother’s maiden name?” truthfully. The real answers to these questions can easily be discovered, so I use them like additional password fields instead – entering long, alphanumeric strings of characters just as I would for any password. For example, my bank account asks me for the name of my eldest child as a login requirement! This is clearly not a secret answer (at the very least, any of my friends and colleagues would know this answer) – so I use a randomly generated string instead.

Another issue is the linking of accounts together. While it is convenient to have all emails and password reset mechanisms heading to one location, it also provides a gold mine for attackers, leading to cascading attacks (as it did for Mat Honan).
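The cascade can be audited on your own accounts by treating them as a graph. The following is an added example, not part of the original post: each edge means "control of this account is enough to take over that one", and the account labels and edges are constructed from the chain the article describes.

```python
from collections import deque

# Constructed sample graph: "A": ["B"] means control of A is enough to reset
# or take over B. Labels are illustrative, modelled on the chain in the article.
RECOVERY_EDGES = {
    "amazon": ["icloud"],            # account details exposed the card's last four digits
    "icloud": ["me_email", "devices"],
    "me_email": ["gmail"],           # .me address was the Gmail backup
    "gmail": ["twitter_personal"],   # Twitter password resets arrive here
    "twitter_personal": ["twitter_former_employer"],
    "bank": [],
}

def blast_radius(edges, start):
    """Return every account that falls if `start` is taken over."""
    seen, queue = set(), deque([start])
    while queue:
        node = queue.popleft()
        for nxt in edges.get(node, []):
            if nxt not in seen and nxt != start:  # guard against recovery loops
                seen.add(nxt)
                queue.append(nxt)
    return seen

def audit(edges):
    """Rank accounts by how many others depend on them, worst first."""
    nodes = set(edges) | {t for targets in edges.values() for t in targets}
    report = {n: blast_radius(edges, n) for n in nodes}
    return sorted(report.items(), key=lambda kv: (-len(kv[1]), kv[0]))

def after_unlinking(edges, src, dst):
    """Return a copy of the graph with one recovery link removed."""
    return {k: [t for t in v if not (k == src and t == dst)]
            for k, v in edges.items()}

if __name__ == "__main__":
    for account, fallen in audit(RECOVERY_EDGES):
        print(f"{account:26} -> {len(fallen)} downstream: {sorted(fallen)}")
    hardened = after_unlinking(RECOVERY_EDGES, "me_email", "gmail")
    print("icloud, once .me is no longer the Gmail backup:",
          sorted(blast_radius(hardened, "icloud")))
```

Accounts at the top of the ranking are the ones to protect first; removing a single recovery link shows how much of the chain it was carrying.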

Finally, with more and more of our data stored in the cloud, we need to understand and accept that security is no longer entirely in our hands – we are dependent to a large extent on the service providers. For Mat Honan, an offline backup – under his own care rather than Amazon or Apple’s – could have reduced the attack from being a significant data loss to an annoying inconvenience.

Sources:
Security lapse at Apple and Amazon lead to epic hack. This could be you (Chron.com)

How Apple and Amazon Security Flaws Led to My Epic Hacking (Wired.com)
