Wednesday, August 08, 2012

Apple freezes policy that led to Wired writer's digital destruction

The two companies that were most "responsible" for the hack that destroyed Wired writer Matt Honan's digital life have responded quickly, and closed the loopholes that allowed hacker "Phobia" and his cohorts to take over a number of Honan's accounts.

First, changed its policy that allowed people to call customer support and change the email address associated with an account or add a credit card number as long as the caller could provide three relatively easy-to-find pieces of information: name, email address and billing address.

Next, Apple told its customer support personnel to immediately halt the processing of AppleID password changes requested over the phone. To be clear, though, that stoppage is only temporary, at least for now, with a CS rep telling Wired that the hold would last for at least 24 hours. He wasn't clear on the reason for the hold, but he speculated that the freeze was put in place so that Apple can consider what, if any, security policies needed to be changed on a permanent basis.

The full details of Honan's digital crisis are available here. Essentially, though, it was a cascading failure.

A hack into Honan's account using the "exploit" above resulted in a hack into his AppleID account using Apple's security hole, and that led to hack into Honan's Gmail account, but via valid means, not through an exploit.

From there, they took control of his Twitter account, which was their target. Along the way, though, they deleted his Gmail account, and wiped his iPad, iPhone and MacBook Pro (and he had foolishly not backed up the photos of the first 1-and-1/2 years of his daughter's life).

On Monday, Apple issued a statement that said that an initial look “found that our own internal policies were not followed completely.” However, according to sources in Apple's CS group, if the support rep who took the Phobia's call issued a temporary password for Honan's account based on his AppleID, billing address, and the last four digits of a credit card, he would have been "absolutely" following Apple support policy.

No comments: