Amazon, Apple tighten security following devastating Mat Honan attack

By Lee Kaelin on August 8, 2012, 12:00 PM

Mat Honan, a senior writer for Wired, had his digital life turned upside down on Friday after an attacker gained access to his Amazon, Apple ID and Google accounts in a bid to take over his three-letter @mat Twitter handle. The chain reaction that followed saw all three of his Apple devices remotely wiped and his Google account terminated.

Honan reached out to his attacker, who goes by “Phobia,” offering him immunity from prosecution in return for an explanation of how it was done. What unfolded is a lesson for everybody and exposes fundamental flaws in how both Amazon and Apple verified customers over the phone.

Phobia relied on social engineering throughout; no password was “hacked” or brute-forced. He saw that Honan’s Twitter profile linked to his personal website, which in turn listed his Gmail address.

He guessed the same address was the one behind the Twitter account and tried Google’s account recovery page. Because two-step verification was not enabled, the page displayed a partially masked version of his backup email address, which turned out to be an Apple .me account. Several characters were hidden, but enough were visible to make it an easy guess, since Honan used the same handle for email accounts at several providers.

“You honestly can get into any email associated with Apple,” Phobia claimed, pointing out that either two-step verification on Gmail or a backup address at a provider other than Apple would likely have stopped him in his tracks.

Phobia then ran a WHOIS lookup on Honan’s personal domain, which revealed his full postal address. The same information was available from Spokeo, WhitePages and PeopleSmart, so obtaining it is not as hard as you might think. With that in hand the attacker was able to exploit flaws in Amazon’s phone verification. He called Amazon pretending to be Honan and added a fake credit card to the account; Amazon asked only for the account holder’s name, billing address and an email address associated with the account as proof.

He then called back and said he had lost access to the account. Using the same pieces of information plus the last four digits of the fake card he had just added, he passed the security check and had a new email address added to the account. Phobia then went to the Amazon website, entered the new email address, reset the password, logged in and read off the last four digits of Honan’s real credit card.

Those four digits were all Phobia needed to call AppleCare and ‘verify’ his identity. He was issued a temporary password for Honan’s Apple ID, resetting the real one in the process. Once in, Phobia’s partner wiped Honan’s MacBook, iPhone and iPad within minutes of each other using iCloud’s Find My feature, which lets owners remotely wipe devices that are lost or stolen.

Honan had no idea any of this was going on until his iPhone suddenly stopped working. He was unable to enter the PIN needed to stop the wipe because the attacker had set that PIN when initiating the remote wipe.

Phobia then reset the Gmail password via the compromised Apple email account, and from there reset the Twitter password to gain access, announcing “Clan Vv3 and Phobia hacked this twitter.” Honan’s Google account was subsequently terminated by his attackers.

Ultimately, Honan was able to regain access to his Apple ID, but a lack of backups meant he lost many irreplaceable files, including his entire photo collection of his young daughter. Similarly, the termination of his Google account cost him thousands of emails.

Amazon has since closed the social-engineering holes and no longer allows customers to change account settings over the phone.

Interestingly, Apple for its part places the blame on its customer advisers. “Apple takes customer privacy seriously and requires multiple forms of verification before resetting an Apple ID password […] we found that our own internal policies were not followed completely,” the company said in a statement. Apple has since frozen over-the-phone password resets while it evaluates a better long-term solution.

There are several lessons here. First, additional security layers such as the two-step verification offered by Google and others drastically reduce the payoff of social engineering, because a reset conversation alone no longer yields the account. Second, regular backups would have spared Honan the loss of his data; remote wipe is a feature, and it works just as well for an attacker holding the credentials. Third, the chain only worked because each account’s recovery path led to the next: the masked Gmail backup address pointed to the Apple ID, Amazon’s reset exposed the last four digits of the card, and Apple accepted those digits as proof of identity even though they are printed on every card receipt. Finally, using the same handle across several email providers makes guessing your other accounts trivial.
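The attack described above is best understood as a dependency chain: every recovery flow accepts a few facts as proof and hands out a new fact, and the attacker only needs to find a path from public information to the target. The following is an added example, not code from the original article or from any of the companies involved, that encodes the flows the article describes and forward-chains from public facts to see which accounts fall and which single fix would have broken the chain. The flow names, fact names, the masked address and the candidate handles are all hypothetical, and the masked-address guess is modelled with a constructed example rather than Honan's real address.

```python
"""Added example: forward-chaining model of a chained account-recovery attack.
Flow and fact names are hypothetical; the sample masked address is constructed."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    provider: str      # who performs the verification
    needs: frozenset   # facts the flow accepts as proof
    yields: str        # fact the attacker walks away with


def mask_matches(masked_local, candidate, hidden="•"):
    """True if a partially hidden local-part (e.g. 'j•••e') is consistent with
    a candidate handle: same length and every visible character equal."""
    if len(masked_local) != len(candidate):
        return False
    return all(m == hidden or m == c for m, c in zip(masked_local, candidate))


# Constructed sample: a masked backup address as a recovery page might show it,
# and handles the target is known to use at other providers.
MASKED_BACKUP = "j•••e@me.com"
KNOWN_HANDLES = ["jdoe", "janee", "joe"]


def guess_backup_address(masked=MASKED_BACKUP, handles=KNOWN_HANDLES):
    """Handles reused elsewhere that fit the mask (the 'easy guess' step)."""
    local, _, domain = masked.partition("@")
    return [f"{h}@{domain}" for h in handles if mask_matches(local, h)]


# Hypothetical encoding of the recovery flows the article describes.
FLOWS = [
    Flow("twitter profile", frozenset({"twitter_handle"}), "personal_site_url"),
    Flow("personal site", frozenset({"personal_site_url"}), "gmail_address"),
    Flow("whois", frozenset({"personal_site_url"}), "postal_address"),
    Flow("people-search site", frozenset({"full_name"}), "postal_address"),
    Flow("google recovery page, 2-step off", frozenset({"gmail_address"}), "masked_backup_email"),
    Flow("handle reuse guess", frozenset({"masked_backup_email"}), "me_com_address"),
    Flow("amazon phone: add card", frozenset({"full_name", "postal_address", "gmail_address"}), "card_on_file_last4"),
    Flow("amazon phone: add email", frozenset({"full_name", "postal_address", "card_on_file_last4"}), "amazon_control"),
    Flow("amazon web: password reset", frozenset({"amazon_control"}), "real_card_last4"),
    Flow("applecare phone reset", frozenset({"me_com_address", "postal_address", "real_card_last4"}), "apple_id_control"),
    Flow("icloud find my", frozenset({"apple_id_control"}), "device_wipe"),
    Flow("gmail reset via backup email", frozenset({"apple_id_control"}), "gmail_control"),
    Flow("twitter reset via gmail", frozenset({"gmail_control"}), "twitter_control"),
]

PUBLIC = frozenset({"twitter_handle", "full_name"})  # what anyone can look up


def forward_chain(start, flows):
    """Return {fact: flow that first yielded it} for everything reachable from start."""
    known, how, changed = set(start), {}, True
    while changed:
        changed = False
        for f in flows:
            if f.yields not in known and f.needs <= known:
                known.add(f.yields)
                how[f.yields] = f
                changed = True
    return how


def attack_path(target, start=PUBLIC, flows=FLOWS):
    """Providers abused, in order, to reach target; None if it is unreachable."""
    how = forward_chain(start, flows)
    if target not in how:
        return None
    path, seen = [], set()

    def walk(fact):
        if fact in start or fact in seen:
            return
        seen.add(fact)
        for need in sorted(how[fact].needs):
            walk(need)
        path.append(how[fact].provider)

    walk(target)
    return path


def single_fix_cutpoints(target, start=PUBLIC, flows=FLOWS):
    """Flows whose removal alone makes target unreachable: the fixes that matter."""
    return [f.provider for f in flows
            if target not in forward_chain(start, [g for g in flows if g is not f])]


def harden(flows, *providers):
    """Flows with the named providers' weak verification removed."""
    return [f for f in flows if f.provider not in providers]


if __name__ == "__main__":
    print("guessed backup:", guess_backup_address())
    print("path to @handle:", attack_path("twitter_control"))
    print("single fixes that break it:", single_fix_cutpoints("twitter_control"))
    print("with 2-step on:", attack_path("twitter_control", flows=harden(FLOWS, "google recovery page, 2-step off")))
```

Running it shows the whole path from the public handle to the Twitter takeover, and the cut-point analysis shows that fixing the WHOIS exposure would have changed nothing (the people-search sites yield the same address), while enabling Google's two-step verification alone leaves the Twitter account unreachable in this model. The same structure can be filled in with your own accounts to find which recovery path is the weak link.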

User Comments: 22

Guest said:

Ultimately, he was able to restore access to his Apple ID account, but a lack of backups resulted in him losing many irreplaceable files, such as his entire photo collection of his young daughter. Similarly, the termination of his Google account resulted in the loss of thousands of emails.

I wonder if these "permanent losses" are no more than "permanent hidings". I'm sure everything (or most of it) is still there, just unavailable to see.

Leeky said:

It's possible he could enlist the help of a specialist recovery firm -- which assuming the disk hasn't been overwritten -- could recover the data erased, assuming it hasn't been scrubbed.

Kibaruk, TechSpot Paladin, said:

People still want to get into cloud computing and one access to everything, they have a single mail and a single password for all their services and make it very easy for others to find a weak link in the chain to exploit without much work.

Guest said:

It's possible he could enlist the help of a specialist recovery firm -- which assuming the disk hasn't been overwritten -- could recover the data erased, assuming it hasn't been scrubbed.

I was suggesting that the data is never really deleted. There's just this "isVisible" flag somewhere. Both to content (hide) and to accounts (disabled).

So he could request formally to have everything reinstated, I suppose. Going directly to the HDDs of the cloud services' provider seems highly unlikely.

h4expo said:

iDont Cloud

3DCGMODELER said:

Opppsssss

use a different email and password for all accounts

I do

7 email and 7 passwords, change passwords once a month..

15 minutes a month can save you a lot of headache

me safe..

Me safe for now...

Zilpha said:

use a different email and password for all accounts

I do

7 email and 7 passwords, change passwords once a month..

15 minutes a month can save you a lot of headache

me safe..

Did you read the article? He didn't need to hack any passwords - he used social engineering to add himself to the accounts and reset the passwords. Your methods won't save you from a hacker like this. This was a process failure - but what sucks is that now it's going to be harder for legitimate users to manage their accounts.

Still, it's better than being hacked.

gwailo247, TechSpot Chancellor, said:

use a different email and password for all accounts

I do

7 email and 7 passwords, change passwords once a month..

15 minutes a month can save you a lot of headache

me safe..

Challenge accepted. Just kidding. =)

I guess the one good thing is that these stories make me change my passwords, and go back and change some of the simpler answers to my password reset questions.

The other thing this illustrates is that people who are somewhat public need to take extra steps to ensure their cyber security.

Was it Romney who got hacked because his reset question was the name of his dog, and the name of his dog was very well known due to it being covered by the media?

From what I've read on Wired, the commenters tend to get into it with some of the article authors, I could see someone getting pissed off and trying to do stuff like this.

Tygerstrike said:

I personally hope that the hacker gets his accounts hacked. I think people like this hacker need to have a hand cut off or a few fingers removed. It may SEEM a bit extreme, but given that the hacker has caused this much trouble and cost this guy so much. Those pictures are invaluable. This hacker didn't even do this for revenge. He did it because he wanted the twitter name. Talk about petty and stupid.

Guest said:

No matter what security methods we put in place the hackers will find the weakest link, be it brute force, social, malware, etc.

One thing is on those reset questions, they are usually just a string field, that is you can put any data in there as long as it matches. So What is your pet's name? answer could be "1600 Amphitheatre Parkway" for example, as long as you remember you used that. Someone trying to guess that might have a challenging time.

miska_man said:

I personally hope that the hacker gets his accounts hacked. I think people like this hacker need to have a hand cut off or a few fingers removed. It may SEEM a bit extreme, but given that the hacker has caused this much trouble and cost this guy so much. Those pictures are invaluable. This hacker didn't even do this for revenge. He did it because he wanted the twitter name. Talk about petty and stupid.

I wrote a huge reply earlier, but it didn't go through. Basically what I said was that instead of revenge or wanting the twitter account (which he never would have gotten as Honan would have got on the horn with twitter and said "Block that account! I'm the real one!" only after having a double-layer verification)... but what I really think is that Phobia was actually just creating a little bit of havoc to make people a little afraid of these security flaws. This in turn would probably make companies fix these security issues.. and they did. So really I believe Phobia just did this to prove a point, because if he really wanted to I'm sure he could have had Amazon ship a $1000 LED TV to a "new" address.

dividebyzero, trainee n00b, said:

A red letter day for Amazon...or its customers

[link] . That's some pretty mean added value....yeah, and I checked, the "TV" offer shipping criteria are "Currently, item can be shipped only within the U.S."

/Waits for non-U.S. loony tune psychotics to bring restraint of trade suit against Amazon

Leeky said:

I believe that was his aim as well @miska_man. When Honan spoke to him he did actually express regret for the wiping of his Apple devices, saying a partner in crime did it without his knowledge, and had he known, he wouldn't have allowed it. His sole aim was to take over his Twitter account whilst exposing Amazon and more alarmingly, Apple's security policies during the process.

Still, his actions exposed loopholes that many people have likely succumbed to, it just took a high-profile attack in order for it to reach front page news. It is a lesson for everybody, myself included and whilst I feel for the writer, even he acknowledged his reputation could have been dealt considerably more serious blows than losing emails and having his Twitter account hacked.

As a father with a young child myself, I do deeply sympathise with his loss of pictures however. If anything, the one thing I'm continually paranoid about myself is losing the thousands of pictures I have of mine -- above everything else. You simply can't replace those memories.

Guest said:

Gmail has problems to rely on it as your only email. Why do these people seem to always reinvent the wheel? It had script errors for the longest time, and now you're telling me that at a whim all saved emails can be gone in a flash? Aren't there legal requirements? AOL and Yahoo keep your email for 6 months after terminating the account. For the thousands of resumes Google gets per day, why are they all amateurs? I'm going back to POP email.

amstech, TechSpot Enthusiast, said:

All computer code is transparent. Software cannot secure other software, period. If you don't want your data to be compromised put it on a device that will never see connectivity to anything.

Darth Shiv said:

use a different email and password for all accounts

I do

7 email and 7 passwords, change passwords once a month..

15 minutes a month can save you a lot of headache

me safe..

Challenge accepted. Just kidding. =)

I guess the one good thing is that these stories make me change my passwords, and go back and change some of the simpler answers to my password reset questions.

The other thing this illustrates is that people who are somewhat public need to take extra steps to ensure their cyber security.

Was it Romney who got hacked because his reset question was the name of his dog, and the name of his dog was very well known due to it being covered by the media?

From what I've read on Wired, the commenters tend to get into it with some of the article authors, I could see someone getting pissed off and trying to do stuff like this.

Seriously reset questions are retarded. It doesn't take a rocket surgeon to work out this info in the information age. When government websites etc require me to put in reset questions, I mash the keyboard because stuff like "Mothers maiden name", "first school" are so easy for any 15 year old googler nowadays.

Det said:

When government websites etc require me to put in reset questions, I mash the keyboard because stuff like "Mothers maiden name", "first school" are so easy for any 15 year old googler nowadays.

But if you just mashed your keyboard every time that happened, wouldn't that mean your keys started falling off?

Rasta211 said:

He didn't hack into his Facebook account?

wiyosaya said:

With the cost of hard disks in the TB range and with SSD prices dropping like flies, I cannot understand why anyone would trust irreplaceable data to the "cloud". It is a relatively trivial matter to set up a PC/MAC/whatever at home and place several TB of storage on it.

So the hacker exposed a hole that will be or has been plugged; however, that still does not make cloud storage safe. Personally, I will never trust irreplaceable files to live in the cloud. I'll put TBs of storage on my PCs instead.

Zilpha said:

I will never trust irreplaceable files to live in the cloud. I'll put TBs of storage on my PCs instead.

Tech people aren't fooled by the *buzzwords*, but the average joe thinks that "the cloud" is actually something special and not a server-client relationship that has existed since almost the dawn of computing.

Guest said:

I applaud the efforts of phobia and crew, we need the occasional 'phreaker' to give people a check... the whole cloud sounds good as far as accessing your own items from anywhere, but as long as YOU are in control of said cloud and not an outside service. Like the Woz said this cloud deal won't be so hot in 5 years. I agree seeing if things go south like this more. Aside from that I hope he can at least recover his personal items, like the photos of his daughter.

Darth Shiv said:

But if you just mashed your keyboard every time that happened, wouldn't that mean your keys started falling off?

Got a heavy duty keyboard

That and been eying off a new one for a while. Nothing like a forced upgrade...
