Companies know about it, but haven't done anything about it.
Because of weak identity-verification procedures at Amazon and Apple, hackers were able to talk customer service representatives into handing over the accounts of Wired senior writer and former Gizmodo editor Mat Honan, who describes the result as a 'huge' hack.
Via his iCloud (.mac) email account, the hackers then took over his Gmail and Twitter accounts through the standard password-recovery flows, since both sent their reset mail to that iCloud address. They also changed his iCloud password, locking him out of it.
How? "[The hacker] got in via Apple tech support and some clever social engineering that let them bypass security questions", Honan said.
Here's exactly what happened:
"But what happened to me exposes vital security flaws in several customer service systems, most notably Apple and Amazon's. Apple tech support gave the hackers access to my iCloud account. Amazon tech support gave them the ability to see a piece of information - a partial credit card number - that Apple used to release information. In short, the very four digits that Amazon considers unimportant enough to display in the clear on the Web are precisely the same ones that Apple considers secure enough to perform identity verification. The disconnect exposes flaws in data management policies endemic to the entire technology industry, and points to a looming nightmare as we enter the era of cloud computing and connected devices."
Now, it looks like Apple's tech support has been aware of this:
"Apple tech support confirmed to me twice over the weekend that all you need to access someone's Apple ID is the associated email address, a credit card number, the billing address, and the last four digits of a credit card on file. I was very clear about this. During my second tech support call to AppleCare, the representative confirmed this to me. 'That's really all you have to have to verify something with us,' he said."
So the technique is not limited to Apple: any other service that stores the same card exposes the same four digits. If you use the same credit card on Amazon or PayPal as you do on Apple, "you are exposed to the dead-simplest social hack in recent memory". Gizmodo later added a correction about how much of the Amazon side Wired had actually confirmed:
"We did not originally correctly note the scope of Wired's confirmation on Amazon's end. It was able to, on multiple occasions, not only access the last four digits of an account's credit cards with very limited, widely available information, but the account as a whole. This means a troll could max out every single active card, financially devastating the user. You could not ship to a new address, since that requires the full card number to be re-entered, but that is still deeply chilling to think about. While Apple's techs say it has been aware of the situation for months, it's unclear if Amazon was aware of this loophole previously. Amazon did not comment to Wired about the matter, but we have reached out asking for further clarification."
According to Gizmodo, the best way to protect yourself is to totally segregate your accounts:
"Don't send your password recovery emails to any other account you use. Don't use the same credit card on any two accounts. Don't use the same email address for multiple other services. Basically, strip the powerful interconnectivity out of your day-to-day internet existence. Oh, and turn off Find My Mac/Find My iPhone. And it is probably a good idea to remove all of your Amazon credit cards until we hear back."
So, what do you think? You can check out the full Honan article in the link below!
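To make the chain concrete, here is an added example (it is not code from the original post, from Wired or from Gizmodo) that models the recovery dependencies as a small account graph and computes which accounts fall from a given starting point. Everything in it is a constructed model: the account names, the facts each service is assumed to accept as identity proof or to reveal once you are logged in, and the "publicly discoverable" starting set are chosen to mirror the article's description, not taken from Apple's or Amazon's actual procedures. The second graph applies the segregation advice quoted above (a different card per service and a dedicated recovery mailbox) so the two blast radii can be compared.

```python
from dataclasses import dataclass
from typing import FrozenSet, List, Optional, Set, Tuple


@dataclass(frozen=True)
class Account:
    """One service in the victim's account graph (constructed model, not a real API)."""
    name: str
    # Facts a support rep or reset form is assumed to accept as proof of identity.
    reset_requires: FrozenSet[str]
    # Account whose mailbox receives this account's password-reset mail, if any.
    recovery_account: Optional[str] = None
    # Facts visible to anyone who is logged in (e.g. a card's last four digits).
    reveals: FrozenSet[str] = frozenset()


def compromise_closure(accounts: List[Account],
                       starting_facts: Set[str]) -> List[Tuple[str, str]]:
    """Fixed-point walk over the graph: take over every account whose recovery
    mailbox is already owned or whose verification facts are all known, then add
    whatever that account reveals and repeat until nothing new falls.
    Returns the takeovers in the order they happened as (account, how)."""
    known = set(starting_facts)
    owned: List[Tuple[str, str]] = []
    owned_names: Set[str] = set()
    progress = True
    while progress:
        progress = False
        for acct in accounts:
            if acct.name in owned_names:
                continue
            if acct.recovery_account in owned_names:
                how = f"password reset mailed to owned account {acct.recovery_account}"
            elif acct.reset_requires <= known:
                how = "support verification with " + ", ".join(sorted(acct.reset_requires))
            else:
                continue
            owned.append((acct.name, how))
            owned_names.add(acct.name)
            known |= acct.reveals  # e.g. the last four digits shown in the clear
            progress = True
    return owned


# Assumed starting knowledge: an e-mail address and a billing address, which the
# article treats as "widely available" to anyone who looks.
PUBLIC_FACTS = {"email_address", "billing_address"}


def shared_card_accounts() -> List[Account]:
    """Constructed graph mirroring the article: one card on both Amazon and Apple,
    Gmail recovers to the iCloud address, Twitter recovers to Gmail."""
    return [
        Account("amazon", frozenset({"email_address", "billing_address"}),
                reveals=frozenset({"card_last4"})),
        Account("apple_id", frozenset({"email_address", "billing_address", "card_last4"})),
        Account("gmail", frozenset({"gmail_password"}), recovery_account="apple_id"),
        Account("twitter", frozenset({"twitter_password"}), recovery_account="gmail"),
    ]


def segregated_accounts() -> List[Account]:
    """Same services after applying the advice above: a different card on each
    service, and a recovery-only mailbox that no knowledge fact can reset."""
    return [
        Account("amazon", frozenset({"email_address", "billing_address"}),
                reveals=frozenset({"card_a_last4"})),
        Account("apple_id", frozenset({"email_address", "billing_address", "card_b_last4"})),
        Account("recovery_mailbox", frozenset({"hardware_token"})),
        Account("gmail", frozenset({"gmail_password"}), recovery_account="recovery_mailbox"),
        Account("twitter", frozenset({"twitter_password"}), recovery_account="recovery_mailbox"),
    ]


def owned_names(takeovers: List[Tuple[str, str]]) -> Set[str]:
    return {name for name, _ in takeovers}


if __name__ == "__main__":
    for label, graph in (("shared card", shared_card_accounts()),
                         ("segregated", segregated_accounts())):
        print(f"== {label} ==")
        for name, how in compromise_closure(graph, PUBLIC_FACTS):
            print(f"  {name:<17} via {how}")
```

In the first graph the two public facts are enough to enter the Amazon account, which reveals the card's last four digits; those complete Apple's verification set, and owning the iCloud mailbox then cascades through Gmail to Twitter. In the segregated graph the Amazon account still falls (its verification is assumed unchanged), but the card digits it leaks match nothing Apple accepts and no reset mail lands in an owned mailbox, so the closure stops at one account. The useful habit is to run this kind of walk over your own recovery settings rather than trust that each service's check is strong in isolation.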
After this hack, both Amazon and Apple changed their account-verification procedures:
"Following Mat Honan's online security fiasco last week, Amazon told its customer service employees that it would no longer accept account changes over the phone, according to Wired."
"An anonymous Apple employee confirmed to Wired tonight that the company is putting a 24-hour freeze on over-the-phone password verification—a step in Apple ID security that cost Wired reporter Mat Honan an iPhone, iPad, MacBook, several e-mail accounts, and two Twitter accounts worth of information over the weekend."
NEWS SOURCE #1: Apple Amazon Mat Honan hacking (via Wired)
NEWS SOURCE #2: Apple knows about a massive hack exploit and has done nothing (via Gizmodo)
Our thanks to 'Gauss' for this news item!