(Updates new 5th paragraph with Apple stopping password resets via phone.)
If you use the Internet, then you may have heard that Mat Honan, a technology reporter at Wired, had his digital personality manhandled by some hackers. They infiltrated his Twitter, Gmail (GOOG), Amazon.com, and Apple iCloud accounts, and took over his Mac laptop, iPhone, and iPad, wiping data remotely from all of the devices, while Honan looked on in astonishment.
Most of the dirty work wasn’t high-tech at all. It was done via that trusty tool of the hacker, social engineering. The perpetrators used a couple of tricks to talk their way into altering Honan’s Amazon account. From there, they could see the last four digits of one of his credit cards and used that information to gain access to Honan’s Apple e-mail account and so on and so forth until years of Honan’s e-mails and family photos disappeared and his Twitter account began blasting racist messages. The whole process took about an hour.
Honan made the same mistakes we all do by interlinking his accounts and using similar formats for e-mail addresses, passwords, and the like. In that sense, he was to blame. But, dear oh dear, this looks so much worse for Apple (AAPL) and Amazon (AMZN), which appear to have had flimsy policies and flimsy employees. In a story he wrote for Wired, Honan details how the attack took place and notes that he was able to replicate it.
An Amazon spokesman tells me, “We have investigated the reported exploit, and can confirm that the exploit has been closed as of yesterday afternoon.” Natalie Kerris, an Apple spokeswoman, says, “In this particular case, the customer’s data was compromised by a person who had acquired personal information about the customer. In addition, we found that our own internal policies were not followed completely. We are reviewing all of our processes for resetting account passwords to ensure our customers’ data is protected.”
On Wednesday, Apple stopped allowing people to reset their passwords over the telephone. “When we resume over the phone password resets, customers will be required to provide even stronger identity verification to reset their password,” the company said in a statement.
It appears Apple can easily plug the holes that allowed for the shredding of Honan’s digital life. That said, the incident seems to stand as a not-so-gentle reminder about the perils of the cloud era and new issues we may all face. “The passwords which are this traditional mechanism we have used may not be the right approach to security in the cloud,” Honan says. He’s appalled that the same password you use “to buy a Skrillex ringtone” can be used to wipe all the data from your computer, using something like iCloud’s “Find My” tool. “That needs to change,” Honan says. “There should be a second password or a second level of authentication.”
Another surprising thing about this incident: There’s one company often mentioned in stories about people getting hacked, and it’s nowhere to be seen this time: Microsoft (MSFT). I’m sure the folks in Redmond deeply regret that Apple, for now at least, is the Hottest Company to Hack.
The hackers actually reached out to Honan and claimed to be 19-year-olds looking to have some fun and mess with his Twitter account. I’m not sure of their exact age or intentions, since they haven’t earned much trust, but it’s clear enough these were youngsters who had hit on a clever way to best Amazon and Apple and were happy to spend their weekend refining their skills. Years ago, this type of behavior would have been directed at Microsoft. And now Apple has earned the undivided attention of the script kiddies.
Apple has helped Honan a bit by trying to reenact what happened to his account, but the company has only managed a mini mea culpa. As one of my colleagues at Bloomberg News put it, Apple was basically pretexted, and getting pretexted is the epitome of uncool.
This follows a widely panned talk by Apple in July at the Black Hat security conference, in which Dallas De Atley, the manager of Apple’s platform security team, delivered a clinical and anodyne presentation instead of the mind-blowing affair the audience desired. He basically rehashed a white paper that had been released earlier in the year.
As for Honan, well, he made plenty of mistakes, too. “I have been ashamed every time my wife asks me if they will be able to get the pictures back,” he says. “I feel like I let everyone down.” In an unusual move, Honan opted to give the hackers immunity in exchange for information about how they committed their deeds. It’s the sort of deal a reporter makes to earn a bit of fame from an embarrassing moment.