Gizmodo alumnus Mat Honan got hacked this weekend. It was bad. But that’s not the worst part. Worse is that Apple knows exactly how easy this is, and hasn’t done a thing to stop it. And Amazon accounts are in just as much danger.
Honan has a chilling account of Apple and Amazon’s security flaws over at Wired today. He’s actually been in contact with his hacker, “Phobia,” and using the information he got there, has been able to confirm that Apple has been aware of the security issue. Here’s how it works:
But what happened to me exposes vital security flaws in several customer service systems, most notably Apple and Amazon’s. Apple tech support gave the hackers access to my iCloud account. Amazon tech support gave them the ability to see a piece of information – a partial credit card number – that Apple used to release information. In short, the very four digits that Amazon considers unimportant enough to display in the clear on the Web are precisely the same ones that Apple considers secure enough to perform identity verification. The disconnect exposes flaws in data management policies endemic to the entire technology industry, and points to a looming nightmare as we enter the era of cloud computing and connected devices.
To break that into a more digestible flow chart: Amazon or PayPal cough up the last four digits of your credit card. That gets you into an Apple account, and the .Me email account associated with it. That email account can be used to recover a Gmail account, and from there, you can probably access anything you want. It’s really pretty terrifying.
Perhaps more disturbing is how aware Apple’s tech support is of this:
Apple tech support confirmed to me twice over the weekend that all you need to access someone’s AppleID is the associated email address, a credit card number, the billing address, and the last four digits of a credit card on file. I was very clear about this. During my second tech support call to AppleCare, the representative confirmed this to me. “That’s really all you have to have to verify something with us,” he said.
Today, Wired confirmed the technique works on different accounts. So in practice, if you use the same credit card on Amazon or PayPal as you do on Apple, you are exposed to the dead-simplest social hack in recent memory.
Apple refused comment to Wired on whether it is considering tightening its security protocol.
We already knew that Mat’s account had been hacked without any brute force, but this level of negligence is totally nuts. For reasons passing understanding, Apple seems to have actually refused to enact simple policy changes to stop crippling, terrifying hacks from happening to its customers.
On Amazon’s end, if a hacker was after you, he could, as Wired proved on multiple occasions, not only access the last four digits of an account’s credit cards with very limited, widely available information, but the account as a whole. This means a troll could max out every single active card, financially devastating the user. You could not ship to a new address, since that requires the full card number to be re-entered, but that is still deeply chilling to think about.
While Apple’s techs say it has been aware of its situation for months, it’s unclear if Amazon was aware of this loophole previously. Amazon did not comment to Wired about the matter, but we have reached out asking for further clarification.
In a vacuum, this is all absurd and awful. But here’s how it pertains to you: You’re at risk. You will, in all likelihood, not be targeted like Mat was, but that’s no reason to leave yourself exposed. At this point, all we know is that Wired has confirmed Phobia’s social hack. Our best guess for how to protect yourself is to totally segregate all of your accounts. Don’t send your password recovery emails to any other account you use. Don’t use the same credit card on any two accounts. Don’t use the same email address for multiple other services. Basically, strip the powerful interconnectivity out of your day-to-day internet existence. Oh, and turn off Find My Mac/Find My iPhone. And it is probably a good idea to remove all of your Amazon credit cards until we hear back.
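To make the "segregate everything" advice concrete, here is a small added model (not code from Gizmodo, Wired or any of the companies named) of the recovery chain described above: each account lists the facts a support desk or reset form demands and the facts an attacker learns once it falls, and a fixpoint loop computes which accounts are reachable from widely available information. The account names, fact labels and the assumption that Amazon's lookup needs only an email and billing address are constructed for the example.

```python
# Added example: model a set of accounts as (facts needed to recover it,
# facts gained by controlling it) and compute the closure of compromise.
# Account names and fact labels are constructed, not taken from the article.

def compromised_accounts(accounts, known):
    """Return the set of accounts reachable from the facts in `known`.

    accounts: {name: (needs, grants)} where needs and grants are sets of
    fact labels. Iterates to a fixpoint: an account falls when every fact
    it needs is known, and its grants then become known too (for example,
    control of the mailbox another account uses for password recovery).
    """
    known = set(known)
    taken = set()
    changed = True
    while changed:
        changed = False
        for name, (needs, grants) in accounts.items():
            if name not in taken and needs <= known:
                taken.add(name)
                known |= grants
                changed = True
    return taken

# Constructed model of the chain in the article: Amazon gives up the last
# four card digits, Apple accepts those digits plus email and billing
# address, and the .Me mailbox is the Gmail recovery address.
LINKED = {
    "amazon": ({"email", "billing_address"}, {"card_last4"}),
    "apple_id": ({"email", "billing_address", "card_last4"}, {"me_mailbox"}),
    "gmail": ({"me_mailbox"}, {"gmail_mailbox"}),
}

# The same accounts after segregation: a different card on Apple than on
# Amazon, and a Gmail recovery address that no modelled service can hand over.
SEGREGATED = {
    "amazon": ({"email", "billing_address"}, {"card_a_last4"}),
    "apple_id": ({"email", "billing_address", "card_b_last4"}, {"me_mailbox"}),
    "gmail": ({"offline_recovery_mailbox"}, {"gmail_mailbox"}),
}

PUBLIC = {"email", "billing_address"}  # the "widely available information"

if __name__ == "__main__":
    print("linked    :", sorted(compromised_accounts(LINKED, PUBLIC)))
    print("segregated:", sorted(compromised_accounts(SEGREGATED, PUBLIC)))
```

With the linked setup every account falls from two public facts; with the segregated setup the chain stops at Amazon, which is the whole point of not reusing cards and recovery addresses.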
From there, take all the normal security measures if you haven’t already: turn on Google two-factor authentication, back up your data to an external drive, don’t throw out any receipts with the last four digits of your credit card on them, and wait for an update to come.
We’ll update you with any new information from Apple, or from Mat at Wired. But for now, you can read the full rundown of how something this egregious can happen, and then just lock down your entire online life until further notice. [Wired]
At the weekend: “Famous man loses iPhone, should have had Find My iPhone on.”
Later that weekend: “Journalist loses accounts, shouldn’t have had Find My iPhone on.”
Mixed messages much?
No it’s a pretty clear message.. Don’t use Apple
Now there’s a message we can all get behind.
Indeed.
Kyle, this does suck and could cause some medium-level inconvenience, but it in no way opens you to FINANCIAL RUIN… Let’s tone down the hysteria and the audience will be more interested in discussing your topic rather than discussing your tone in the otherwise awesome scoop you reported on.
First of all, a troll could never send you a bunch of stuff on Amazon – he’d need the 3 digit security code on your CC for that. So that entire argument is simply wrong. However even if he did manage, you could just send it right back for full credit. It would suck but certainly wouldn’t be the end of the world.
Second, even if a troll maxed out your credit cards renting “When Harry Met Sally” 50,000 times from Amazon or iTunes, a quick call to Amazon or Apple and then your credit card company reporting the fraud should see your card credited back almost immediately. You are NOT responsible for fraud – ever – end of…
Also, I’ve said this before in other threads but it holds here as well. Anyone who regularly engages in online commerce has an obligation to take some basic precautions to keep themselves safe on the internet. It’s not hard.
First, you should have ONE credit card or Paypal account that you use for all online commerce and online commerce only. NOTHING else. That way you have segregated accounts for online and offline transactions and if a fraud occurs you know immediately where to start looking. Using something like Paypal or Google Wallet is the best thing here as it requires double authentication and emails you EVERY TIME there is a transaction. Doesn’t matter if they have hacked your favorite E-Commerce service.
Second you call your offline credit and cash card companies and tell them that you will not accept any offline or telephone charges that did not include your 3 digit security code. That makes your offline cards pretty safe unless someone has physically stolen them (and that is beyond the scope of this post). It also prevents the kind of fraud where they type in the number without the swipe at a physical terminal.
Last be smart and NEVER use a debit card for any online transaction. Only a moron opens up his bank accounts to the internet in this way. It’s just stupid.
With this kind of setup your chances of being defrauded are remote and if you are defrauded you will detect it immediately. It also segregates and ring fences your online E-Commerce world from your offline finances and accounts.
My setup is a PayPal account with a strong password and a PayPal issued MasterCard Debit card. Paypal is great because they have a fair and straightforward process for handling disputes and EBay isn’t going anywhere as a company. The PayPal account is funded with a MasterCard credit card issued by my bank that is only used to fund the PayPal account. This secure PayPal setup is the ONLY thing I use for online transactions and PayPal card the only credit card I use to face the internet.
I have every confidence I will not be hacked and if I am – it will be pretty painless to fix. I also use the PayPal Debit card to fund my Google Wallet and E-Commerce sites that don’t accept PayPal directly.
The other great upside of this setup is that in the remote chance there WAS a fraud I have three or four levels of recourse – one to PayPal, one to Mastercard for the PayPal debit card, one to Mastercard for my bank credit card and one to my bank.
The vulnerabilities you listed suck because they are annoying – but the pitfalls are completely avoidable and the Apple pitfall (troll could rent 1000 movies) is easily reversible. It is silly to recommend that people take their lives offline. You should just explain to them how to stay online safely….
He’s a journalist, where’s the sensationalism in telling people “use a single credit card, sorted”? Far better to write “Argggh, panic and run for the hills.”
I’ve been using the same card since before I was old enough to actually have a credit card. This is why I’ve got multiple uncarded accounts, and never actually leave money on my debit card. I can get it transferred in an emergency by phoning my bank or online, and unlike a credit card, there’s no possibility of them having thousands of pounds to spend in the first place, because there simply isn’t any money there, and no overdraft is set to that account. Safer, simpler.
And to those immediately blaming Apple, yeah, this is pretty much their fault, but realistically speaking, the last four digits of your bank card should really be as secure as the rest of them. That’s Amazon’s issue. You’d be amazed how many places I’ve known who use those numbers to verify my identity over the phone.
“First of all, a troll could never send you a bunch of stuff on Amazon – he’d need the 3 digit security code on your CC for that.”
Funny, I’ve just bought a ‘bunch of stuff’ on Amazon right now without entering ANY card details using One-click ordering.
Nor did I have to enter any card details when enabling One-click ordering, so yes this is extremely possible.
Yes, but when you set up and turned on One-Click the very first time you had to enter in the code for the first credit card you chose as a One-Click billing option for that address, the first time you purchased something with that address/card combo.
By turning on One Click you made a conscious choice to turn off a security feature and Amazon required the physical presence of one of your cards to allow you to do it. If you decide to consciously leave the window open it is not the lock maker’s fault that a thief was able to rip off the screen and climb in.
But regardless – exactly 3 seconds after you purchased “that stuff” you got an email in your Inbox informing you of the purchase and giving you ample time and an obvious path to cancel the order if it wasn’t valid.
Still, maybe you are the type of person that “buys a bunch of stuff” but can’t be bothered to follow his email or is too busy to notice when the Amazon Purchase receipt arrives in his inbox, then you still have the option of declining or returning the packages when they arrive for a full refund and reporting the fraud.
Still – in reality – this should never happen if you have any reasonable grip on your email or finances…
The point was that thanks to the Apple account hack, the GMail account was then compromised. It’s a small matter to then set a filter that diverts everything from Amazon to the bin and mark it as seen.
It’s perfectly feasible that people could be unable to access their personal e-mail for hours on end while at work, even through their phones, which means that even without the above redirect this is still a realistic problem.
Wait – just how did you get into my gmail account from the apple hack?
In Mat’s example his .me account was the password recovery e-mail for his Gmail account.
Amazon ‘handed over’ the last 4 digits of his AppleID billing card, which is one of the security fences protecting an AppleID recovery.
Having already determined that the .me account was the password reset target for Gmail, which was what they needed to get access to his 3 chr Twitter account, it was a small matter to get into Amazon, then Apple, then GMail.
I have two-step verification turned on in Gmail and all my password resets go to my wife’s Gmail account or my work (which is secure). For me they couldn’t get anything.
I am surprised Mat, as an IT professional, was this sloppy with his setup.
Probably a case of being so close to the action that you get complacent.
Still, I agree that Amazon and Apple’s policies are a joke. There would be a lawsuit there if anyone could prove real damage. However the advice to close down your e-commerce persona was a bit overboard and that is what I was responding to…
At what point does Amazon reveal the last four digits of my card number?
Natwest has me enter 3 characters from my password every time, so unless they have that they won’t be able to spend any of my money.
This is very remote – but some websites are able to bypass VISA and Mastercard’s SecureCode and Verified by Visa’s requirements if you have used and verified that card on that site before or if the purchase is under a certain undisclosed value based on your purchasing history.
Do you work with online transactions at all, you’re very knowledgeable about these things?
No – I just notice things and ask a lot of questions…
I have a Mastercard D/D and I tried to buy an article on a major site, but it was stopped. I disagree with you saying some websites are able to bypass SecureCode requirements.
I received a letter from my bank very early in the morning.
I was alarmed when I read it, because it had the word Fraud in it.
I was told to go down to the bank straight away with the letter.
In short, the girl showed me a computer screen with my purchases on it.
The girl said, can you confirm these purchases. I said yes. It was stopped for the very reason you said. The girl said there was a problem when you tried to buy this article, and we are only looking after your money. The girl added we had to confirm this purchase, because it all has to be cleared by your bank. The girl told me the reason, but I am not saying what it was.