This

I was shocked that Amazon would allow a change of CC via phone. Especially since they are web-based I think they should require any change like this to be made via their website.

But Apple using the last 4 digits of a CC is also bad. That information is floating around all over the place. And most of the time it's displayed on your account, and I mean any account that stores your CC. That's the reason I don't store my CC info anyplace except - Amazon and Apple, oops.

And using the full CC number is even worse because you don't want any company's customer service staff to have access to that info.

I understand that a company needs to have procedures to aid folks who forget their passwords. But any company that stores CC info should go to further lengths to verify identity for password resets. In my mind, an email account doesn't rise to the same level as an account that actually involves money (or in this case data). I don't care if it is a bit of an inconvenience, people should remember/store their passwords.

I've been using an ewallet since 2004 and have never had a problem with passwords. There does come a point where people need to accept responsibility for their data/information. If they need help, a few hoops is a small price to pay for the security the rest of us need. Putting the rest of us at risk is unacceptable.

For Amazon this was secure enough because the hacker couldn't buy anything and ship to a different address. They would need the three-digit CC code on the card.

It's not right for Amazon to allow account changes like this, but there is little financial risk to themselves.
 
Even with a backup, with Back to My Mac on in your Time Capsule, you can remotely erase the backup file too if you like.

This is one of the reasons my backups are not "iPhoto" exports and always the actual files stored on an external which is not networked. Too much to lose.
 
This whole thing seems fishy to me. Whoever heard of this guy, and why would someone go through all this trouble to access his account so they could wipe his phone? Could it be he is involved in this trying to make a name for himself, or just for the publicity? I don't really know, but it sure doesn't smell right. It's hard to believe there are people who would go through all that trouble just for the "joy" of wiping someone's phone.

Yeah, count me in the skeptic camp. At first I believed it though I kept thinking "man, that's a LOT of effort to get at someone's account, someone who isn't even that known, not even to me, and I read a ****-ton of tech blogs and this guy's name didn't ring any bells." But I went with it though kinda had this weird feeling in the back of my head that something wasn't quite right.

Then I decided to follow the link and read and re-read his article, and it seems more like it's some Faux News thing with a bit of that trumped-up or manufactured breathless commentary, and something in my noggin went "... wait a second, this seems pretty fabricated."

It's not that I don't believe that an iCloud account can be hacked, of course it can, as can ANY cloud service, they're all a hacker's wet dream, and there's a reason though I use the cloud for some things, I still kick it old school (yo) with hard drives (sidenote, can't wait for prices to come down on SSD external backups). I don't wear tinfoil hats either, so it's not paranoia, it's just reality cloud computing isn't perfect, and neither are physical disks really if someone wanted to break into your house. Your cloud, regardless of which, just like your house, if someone wants to get in, with enough effort, they will.

But this, this guy's tale and angle just seems a bit too pat, and again, he's kind of a nobody, so yeah, boooooggggguuussssss!!!
 
The only reason Amazon modified it was because they got a billing address and an email from the hacker, which he got from the WHOIS information.

And frankly the issue is not the public WHOIS information. It's Amazon's actions based on such identification information. That is plainly unacceptable. No account modifications, none whatsoever, should take place without properly identifying the account holder.

Especially not adding "identification information" (the CC was then used to gain full access to the account) to an account.

That is a big failure on Amazon's part.
 
I'm still wondering why a technology "expert" uses the same password for multiple accounts and doesn't even have a backup of his own files at home. Pictures of his daughter were spinning on a platter micrometers from destruction and he didn't have a backup plan.

Anyway, it appears Amazon, Apple, and many others still have a long way to go before things are really "secure." If this isn't a wake-up call to protect and back up your data and not rely 100% on any "cloud" out there, nothing is. It's the main reason I have streaming music. I want to OWN music.

----------

And frankly the issue is not the public WHOIS information. It's Amazon's actions based on such identification information. That is plainly unacceptable. No account modifications, none whatsoever, should take place without properly identifying the account holder.

Especially not adding "identification information" (the CC was then used to gain full access to the account) to an account.

That is a big failure on Amazon's part.

100% agree. The Amazon hack is enough to remove my CC info from my account. I'll type it in each time thanks...
 
I stopped allowing Apple to store my CC on iTMS after my account was hacked a few years ago. Now it looks like I'm going to have to stop allowing Amazon to store my CC too. I'm guessing I won't be alone and it's going to hurt their business, because it adds a barrier to a customer buying something. If I can one-click, psychologically it's not as painful as having to pull out my CC and give it a few more seconds' thought whether I want to buy what I'm buying.

Hopefully this will be a wakeup call for the entire industry. If sites are going to require Rube Goldberg-esque passwords then their customer service should make recovery just as difficult. The Amazon part of the story is jaw dropping.
 
For Amazon this was secure enough because the hacker couldn't buy anything and ship to a different address. They would need the three-digit CC code on the card.

It's not right for Amazon to allow account changes like this, but there is little financial risk to themselves.

You're right. And I'm sure that they really never considered the sequence of events that took place here. I'm sure the thought was that the only person who wants to add/change the CC is always going to be the account holder. And to be honest, there is no financial risk to the account holder either.

But this event does highlight the problem and now that it has been published I'm sure somebody else will try the exact same trick. And to be honest, I'm quite sure that other sites could be used, not just Amazon or Apple. And next time it may not be just a Twitter/email account or data (which anyone with any sense has backed up locally too).
 
A strong password would have been useless in this case; you have to minimize the surface area of your data. Don't allow public databases like WHOIS to store your data out in the open.

Using a cloud service for blogging would have made this attack a lot harder. Or he should have used a PO box if he got ad revenue from his site.

People can still find your data online, but it becomes harder, will take longer and may cost money, which means that they will probably go and find easier targets.
 
This is serious, more on the side of Amazon. But Apple should do something because right now I'm scared.
 
What I want to know…

…is what Honan did to piss these guys off? They went to a lot of trouble to just delete his data. There were no financial benefits.

One wonders if he had dirt on some technology company.

It's either a vendetta or a publicity stunt.
 
Wired and Gizmodo.

Two publications that have less credibility than the National Enquirer.
 
This is a good example of how holes in security for various systems can aggregate to create a sort of global security issue for an individual. It's one reason I try to limit how many systems I use for transactions, and why I try to make each account as unique as possible - of course, things like physical addresses, phone numbers, etc., tend to be the same.

So has there been any talk about the investigation vs. the person who actually did the hack (if they even exist, per some tin-foil hat theories...)? Seems the visibility of this is going to turn up the heat.
 
…is what Honan did to piss these guys off? They went to a lot of trouble to just delete his data. There were no financial benefits.

One wonders if he had dirt on some technology company.

It's either a vendetta or a publicity stunt.

Again, as it has been stated a couple of times, the guy who did this wanted to hijack Mat's Twitter account.
 
Two steps we should be able to take that would go a long way in protecting ourselves.

1 - Use a unique email address for sites we do business with. Gmail makes this easy... I have one catch-all email via Gmail for ALL web-based forums. I have a different email for my utilities (gas/electric/cable), yet another for Amazon. I roll new email addresses as needed for other shopping sites. I tend to favor sites that allow Google Checkout and/or PayPal so I don't usually need to roll new accounts too often.

2 - Unique credit card numbers that actually tie back to my primary credit card number that could be used specifically for a single site's transactions; any other site that attempted to incur a charge on it would be declined. This would obviously require the credit card institution's involvement. PayPal used to have a 'roll your own credit card'... It was an AWESOME service but alas they killed it. Even though it wasn't exactly like what I described above it sure was great. You had the option to have it open till canceled or set to auto-cancel after the first transaction, you could also set a predefined upper limit as to what could be charged etc... Really nice stuff... I'm guessing it was too costly to run... Otherwise they'd still offer it.

I remember using it one time to purchase software from a developer in the UK... I was really uncomfortable sending out my actual CC# to a payment system I didn't know, so I rolled a 1x-use PayPal Visa card with a limit of $50, just a little more than what I knew the payment would be. Worked like aces and fast... Less than 30 minutes on a Sunday night. Good stuff... Oh well... Maybe someone will bring it back.
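The per-site card scheme the post describes (a surrogate number tied to a funding card, locked to one merchant, with a spending ceiling and optional auto-cancel after the first charge) is essentially an authorization policy, and the decision logic is short enough to show in full. The following Python is an added illustration, not PayPal's or any issuer's real code; the token format, the `VirtualCardIssuer` class and the merchant identifiers are constructed for the example. It goes slightly beyond the post in one respect: a token issued without a merchant binds itself to whichever merchant charges it first, which is how bank-issued "one merchant only" numbers typically behave.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from enum import Enum
from typing import Dict, Optional
import secrets


class Decision(Enum):
    APPROVED = "approved"
    DECLINED_UNKNOWN = "declined: unknown token"
    DECLINED_CLOSED = "declined: cancelled or expired"
    DECLINED_MERCHANT = "declined: merchant mismatch"
    DECLINED_LIMIT = "declined: over limit"


@dataclass
class VirtualCard:
    token: str                # surrogate number handed to the merchant
    primary_ref: str          # opaque reference to the funding card, never the real PAN
    merchant: Optional[str]   # locked merchant id, or None until the first charge
    limit_cents: int          # hard ceiling across all charges on this token
    single_use: bool          # auto-cancel after the first approved charge
    expires_at: datetime
    spent_cents: int = 0
    cancelled: bool = False


class VirtualCardIssuer:
    """Issues merchant-locked, limited, optionally single-use tokens (hypothetical)."""

    def __init__(self):
        self._cards: Dict[str, VirtualCard] = {}

    def issue(self, primary_ref, limit_cents, now, merchant=None,
              single_use=False, ttl=timedelta(days=30)) -> str:
        # Constructed token format; a real issuer would mint a Luhn-valid PAN.
        token = "VC-" + secrets.token_hex(8)
        self._cards[token] = VirtualCard(token, primary_ref, merchant,
                                         limit_cents, single_use, now + ttl)
        return token

    def cancel(self, token):
        if token in self._cards:
            self._cards[token].cancelled = True

    def authorize(self, token, merchant, amount_cents, now) -> Decision:
        card = self._cards.get(token)
        if card is None:
            return Decision.DECLINED_UNKNOWN
        if card.cancelled or now >= card.expires_at:
            return Decision.DECLINED_CLOSED
        if card.merchant is not None and card.merchant != merchant:
            return Decision.DECLINED_MERCHANT
        if amount_cents <= 0 or card.spent_cents + amount_cents > card.limit_cents:
            return Decision.DECLINED_LIMIT
        if card.merchant is None:      # first approved charge binds the merchant
            card.merchant = merchant
        card.spent_cents += amount_cents
        if card.single_use:            # one charge, then the token is dead
            card.cancelled = True
        return Decision.APPROVED


def demo():
    """The $50 single-use card from the post: wrong merchant, over limit, ok, then dead."""
    issuer = VirtualCardIssuer()
    t0 = datetime(2012, 8, 5, 21, 0)   # constructed timestamp
    tok = issuer.issue("primary-card-ref", limit_cents=5000, now=t0,
                       merchant="uk-software-shop", single_use=True, ttl=timedelta(days=1))
    return [
        issuer.authorize(tok, "other-shop", 1000, t0),
        issuer.authorize(tok, "uk-software-shop", 6000, t0),
        issuer.authorize(tok, "uk-software-shop", 4500, t0 + timedelta(minutes=5)),
        issuer.authorize(tok, "uk-software-shop", 100, t0 + timedelta(minutes=6)),
    ]


def demo_autolock():
    """An unlocked token binds to the first merchant that charges it, then expires."""
    issuer = VirtualCardIssuer()
    t0 = datetime(2012, 8, 5, 21, 0)
    tok = issuer.issue("primary-card-ref", limit_cents=10000, now=t0, ttl=timedelta(days=7))
    return [
        issuer.authorize(tok, "shop-a", 2000, t0),
        issuer.authorize(tok, "shop-b", 2000, t0 + timedelta(days=1)),
        issuer.authorize(tok, "shop-a", 2000, t0 + timedelta(days=2)),
        issuer.authorize(tok, "shop-a", 2000, t0 + timedelta(days=8)),
    ]


if __name__ == "__main__":
    print([d.value for d in demo()])
    print([d.value for d in demo_autolock()])
```

The point for the thread's argument is that the merchant only ever sees the token, so a token leaked from one merchant's database (or read off a receipt) is worthless anywhere else and cannot exceed the ceiling the cardholder chose.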
 
I hope the hacker gets nailed for this. And he might - he had to give Amazon verified credit card information to do the hack into Mat's Amazon account to retrieve Mat's credit card info. So, unless this was done by someone with access to a working stolen credit card number, or he was given a credit card after falsifying an application for it, there should be a trail leading to him.

$15 at any Walgreens gets you a prepaid card that will pass muster, with no paper trail other than perhaps the store that sold it.

The real issue is that Amazon either doesn't keep a call log or someone didn't check it to see that someone had called just hours before; they should have been tipped off by an activity history.
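The "activity history" point above is the detection angle a support desk can actually operate on: the attack chain works only because a piece of identity data added to the account minutes earlier is accepted as proof of identity for the next change. The Python below is an added example, not anything Amazon runs; the log format, field names (`acct`, `chan`, `action`, `obj`, `verified_with`) and the sample events are constructed. It implements two rules over a support-desk activity log: flag any change verified with a credential that was itself added to the same account less than 72 hours earlier, and flag accounts with two sensitive changes inside 24 hours.

```python
from datetime import datetime, timedelta, timezone

# Constructed support-desk activity log (not real data). One event per line:
# timestamp, account, channel, action, object touched, and which identity
# information the agent accepted as proof.
SAMPLE_LOG = """\
2012-08-03T09:00:00Z acct=A200 chan=phone action=ADD_PAYMENT_METHOD obj=card:1234 verified_with=name+address
2012-08-03T16:58:00Z acct=A100 chan=phone action=ADD_PAYMENT_METHOD obj=card:9999 verified_with=name+address
2012-08-03T17:20:00Z acct=A100 chan=phone action=ADD_EMAIL obj=email:alt verified_with=card:9999
2012-08-03T17:25:00Z acct=A100 chan=web action=PASSWORD_RESET obj=password verified_with=email:alt
2012-08-10T09:00:00Z acct=A200 chan=phone action=ADD_EMAIL obj=email:x verified_with=card:1234
"""

SENSITIVE_ACTIONS = {"ADD_PAYMENT_METHOD", "ADD_EMAIL", "PASSWORD_RESET", "CHANGE_ADDRESS"}
MIN_CREDENTIAL_AGE = timedelta(hours=72)   # proof-of-identity data must be at least this old
CONTACT_WINDOW = timedelta(hours=24)       # two sensitive changes this close together is suspicious


def parse_line(line):
    """Turn 'TS key=value key=value ...' into a dict with a timezone-aware timestamp."""
    ts_text, *pairs = line.split()
    event = {"ts": datetime.strptime(ts_text, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)}
    for pair in pairs:
        key, _, value = pair.partition("=")
        event[key] = value
    return event


def parse_log(text):
    events = [parse_line(line) for line in text.splitlines() if line.strip()]
    return sorted(events, key=lambda e: e["ts"])


def fresh_credential_alerts(events, min_age=MIN_CREDENTIAL_AGE):
    """Flag changes verified with something added to the same account too recently."""
    added_at = {}      # (acct, object) -> when it was added via a sensitive action
    alerts = []
    for ev in events:
        key = (ev["acct"], ev["verified_with"])
        if key in added_at and ev["ts"] - added_at[key] < min_age:
            alerts.append((ev["acct"], ev["action"], ev["verified_with"]))
        if ev["action"] in SENSITIVE_ACTIONS:
            added_at[(ev["acct"], ev["obj"])] = ev["ts"]
    return alerts


def rapid_change_alerts(events, window=CONTACT_WINDOW):
    """Flag accounts with two or more sensitive changes inside the window."""
    last_change = {}
    flagged = set()
    for ev in events:
        if ev["action"] not in SENSITIVE_ACTIONS:
            continue
        prev = last_change.get(ev["acct"])
        if prev is not None and ev["ts"] - prev < window:
            flagged.add(ev["acct"])
        last_change[ev["acct"]] = ev["ts"]
    return sorted(flagged)


def analyze(text=SAMPLE_LOG):
    events = parse_log(text)
    return {"fresh_credential": fresh_credential_alerts(events),
            "rapid_change": rapid_change_alerts(events)}


if __name__ == "__main__":
    for rule, hits in analyze().items():
        print(rule, hits)
```

On the constructed log, account A100 trips both rules (the card added at 16:58 vouches for an email at 17:20, which in turn vouches for a password reset at 17:25), while A200, whose card is a week old when it is used as proof, trips neither. In practice the first rule is better enforced at decision time, by refusing fresh data as proof, than found afterwards in a log.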
 
I see people are blaming Amazon now? hahahahahahahahah, pathetic, really pathetic.

As I said, in the UK the last 4 digits of your debit and credit card are printed on EVERY SINGLE receipt you have when you use it (ever bought petrol and just thrown the receipt in the bin?). Like I said, rummage through anyone's bin and you will find the information.

APPLE is at fault here, NOT Amazon. The laxity in security in giving someone access to a wealth of information and the ability to wipe information is both shocking and immoral.

But hey, Apple are Gods, they NEVER do anything wrong!!!....
 
Seriously, you shouldn't toss away any document with your CC# on it in the first place.

I burn mine. Seriously. I have paperless billing and then I burn my receipts. My neighbors just think I really love to barbecue.

Not to mention that I don't crisscross my recovery emails, etc., and I back up my data.
 
Big, scary, simple failures here on the parts of Apple (using the credit card number as ID), Amazon (giving out that number!) and Google (giving out your alternate email address to strangers).

If I had to name 3 companies (that I actually use) which I trust the most to keep things secure, it would have been those 3... before today! (I know Google tracks me, but I’m surprised at this kind of lapse.)

I’m sure I’m not alone today in turning off Find My iPhone/iPad/Mac for the time being. And it’s probably smart to use different credit cards with different services, even if it means more bills to manage monthly. I do already use different (and hard to guess) passwords, and I back up in multiple ways including locally. Very important.

Something NEW is needed to make security usable AND effective for all of us, and this incident shines a light on the problems. What's scary is, I doubt we'll see the changes (across MANY more companies than these 3) happening fast enough.

P.S. I hope the hackers spend some serious jail time after wiping out the guy’s family photos :mad:

We trust these bigger companies more, but because of that, they are bigger targets for hackers.

After hearing this about Amazon, I will be using Bank of America's ShopSafe service that generates a temporary credit card number that isn't your real one that can only be used at one merchant each and can even have spending limits.
 
Obviously there is a security hole in the system here. However, I find it hard to believe that iCloud doesn't keep an online backup of these things even if a particular device is wiped?! I kinda thought that was the whole point of the service, especially for things like photos and stuff which this guy has complained of losing.

If the guy had set up iCloud backup they would. But they had account access. Not that hard to erase all the contacts etc. and erase the backups.
 
> the hackers were able to convince Apple Support to provide them with a temporary password to access Honan's account

That's not hackery - that's fraud.
 
Two steps we should be able to take that would go a long way in protecting ourselves.

1 - Use a unique email address for sites we do business with. Gmail makes this easy... I have one catch-all email via Gmail for ALL web-based forums. I have a different email for my utilities (gas/electric/cable), yet another for Amazon. I roll new email addresses as needed for other shopping sites. I tend to favor sites that allow Google Checkout and/or PayPal so I don't usually need to roll new accounts too often.

2 - Unique credit card numbers that actually tie back to my primary credit card number that could be used specifically for a single site's transactions; any other site that attempted to incur a charge on it would be declined. This would obviously require the credit card institution's involvement. PayPal used to have a 'roll your own credit card'... It was an AWESOME service but alas they killed it. Even though it wasn't exactly like what I described above it sure was great. You had the option to have it open till canceled or set to auto-cancel after the first transaction, you could also set a predefined upper limit as to what could be charged etc... Really nice stuff... I'm guessing it was too costly to run... Otherwise they'd still offer it.

I actually do something along these lines with email. I have one throw-away account I use for forums, etc. I have one account I use strictly for sites I buy from, pay bills, and other business. And I have one account I use for my banks and brokerage accounts. My throwaway is my password recovery account. And my name on all of them except the bank is not anything like my legal name. Keeps the spam down too.

I also have one bank account with a debit card I use for all my online business. I keep enough money there to cover my purchases so if it gets compromised I can only lose a couple of thousand until things get fixed. Also I have never done any electronic transfers from my big accounts to it. So there is no link. I just go deposit $$ when it runs low.

I set it all up years ago when things were even scarier and buying online was just getting started. Security was even worse then. Just never changed or consolidated. And don't plan to. Just like I don't trust any cloud service for my backups. I use them to easily transfer docs but I never rely on them.

It's not that I'm paranoid. Just lazy. If things go south it takes a lot of time to fix them. I have other things to do so I try to set things up so I don't have to think about it.
 
But on the other hand, I could do it myself. I don't because it is so much more convenient to have one account for everything. I would never connect FB/Twitter/whatever to my Apple account, though.

And there it is. It's not Apple, which really doesn't care how many IDs you have. It's you and how lazy you are.

----------

In the UK

This is NOT the UK.

And you got blasted because you claimed to have information that at the time you didn't. Including exactly what went down and that Apple had broken US laws.

Which still stands, as the UK laws don't apply here.

In the UK I could look through your bin and find BOTH your address and the last 4 digits off your credit card with ease.

It is not Apple's fault you are careless and put that stuff in the bin. Protecting your credit card etc. info is an issue that has been around for a generation. You should know better.

----------

Not backing up your stuff shouldn't mean the person who violated laws on cyber criminality, committed identity theft and cyber vandalism should go scot-free.

Read the thread. My comment wasn't a reply to the notion of sending the hacker to jail for the hack.

My reply was to the comment that the hacker should go to jail for the destruction of the guy's photos. And I stand by my reply to that comment.

----------

The only reason Amazon modified it was because they got a billing address and an email from the hacker, which he got from the WHOIS information. Using a blogging service would have made this a lot harder. I checked his site and it's just a blog that could sit on WordPress or Blogger or some other service.

Or for that matter he could use a PO box that isn't also his CC billing address.

Mine costs me $5 a month and I can write it off as a biz expense.
 