Tuesday, August 07, 2012

Easy-to-crack Amazon.com, Apple password reset procedures to blame for huge hack

The details about the "destruction" of Wired writer Matt Honan's digital life are continuing to come in, and while social engineering played a part in the FUBAR, it didn't play as large a part as was at first thought.

At first the disaster was thought to be the result of faulty Apple technical support (TS) combined with social engineering. However, the problem first started innocuously enough, on Twitter.

The summary of the cascading disaster is as follows:

1) The hackers began by going to his personal website, which was linked from his Twitter account. Honan's Gmail address was available there. They then used Google's automated password-recovery system. One aspect of that is to give a user a look at part of their alternative email address, which in Honan's case was m••••n@me.com (much of the address is obscured, but anyone could guess the rest of it).

2) Since Honan has his own domain name, the hacker used WHOIS to determine Honan's billing address (this sort of info can also be found at sites like Spokeo, WhitePages, and PeopleSmart, so a victim does not need their own domain name).

3) The hacker now has what? He has Honan's billing address, an email address he presumed was associated with Honan's Amazon.com account (and it was), and his name. That was all they needed in order to get Amazon.com to add a credit card number (faked with online tools) to Honan's account. But why do that?

Simply put, once they did that, the hacker was able to call Amazon.com back and add a new email address, because they could give TS proper credit card information for his account. Then, all they had to do was request a password reset, and voilà. They had access to Honan's account details, including the last four digits of any associated valid credit cards.

4) Of course, you might wonder why they went through all this. Amazon.com only shows the last four digits of a credit card number. It's because the hacker knew that Apple only requires a customer billing address and the last four digits of an associated credit card in order to bypass security questions and access an account.

5) After steps 1) - 4), the hacker had access to Honan's iCloud account, which they then used to wipe his iPhone, iPad and MacBook Pro, using Find My iPhone and Find My Mac.

6) Let's not forget that the .me account was his alternate email account listed in Gmail. They used that fact to reset his Gmail password, and now they controlled his Gmail account.

7) They were now closing in on their target: Honan's Twitter account. They used his Gmail account to send a password reset request to Twitter, and they then had access to his @mat Twitter feed.

8) The hacker didn't know that Honan’s Twitter feed was still linked to Gizmodo’s main Twitter account (even though he is no longer employed there), so they were able to screw with Gizmodo, too. The hacker, who eventually gave Honan the details on all this, said it was a bonus.

All of this, which essentially ended up destroying Honan's digital life, was done just for lulz. It was also done using techniques that anyone with a little knowledge could use.

A few things could be learned from this FUBAR:

a) Apple and Amazon.com should tighten up their security measures. Whether they do or not is still unknown.

b) We have not, for years, used an email address that resembles our actual name. That might have made it harder for them since the first step involved guessing Honan's .me address.

c) A lot of this depended on Gmail access. Although they got into Gmail as a result of a lot of other steps, if Honan had two-factor authentication turned on for his Gmail account, this would not have happened.

Two-factor authentication requires not just your password, but something you have in your possession. Those who play Diablo III and use an "authenticator" know what we mean. It can be an app, or an actual device that spits out the authentication codes.

d) Honan had his Mac wiped and had not backed up images of the first year-and-a-half of his daughter's life. Backing up special items like that should be a requirement, and as a tech writer, Honan should have known better (which does not mean he deserved it, BTW).

[Full disclosure: we use a system where we have five local 2TB external and NAS drives backing up our data, and also store it in the cloud through a service called CrashPlan.]

e) In fact, why use Find My Mac at all? Find My iPhone is one thing, as it's not unusual to lose a mobile device, but a laptop? Without that, the hacker could not have wiped his Mac.

f) You should use a recovery email address that is used only for password recovery, for all your services. That way, it is not tied into the core parts of your life.

The second biggest lesson learned is that despite the goal just being lulz, the hacker was willing to go through all this trouble.

The biggest lesson learned is that perhaps having your digital life so interconnected can be a bad idea. It is a teachable moment for all of us, and perhaps all of us need to rethink our security.
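As an added example (not part of the original post), here is the reset chain from steps 1) through 7) written down as a small dependency model in Python, so you can check your own account graph the same way. The node names are constructed labels; `compromised` shows which accounts fall from public information alone and which survive when one account gets a second factor, and `single_fixes` goes one step further than the post by listing every single account whose hardening would have cut the chain to a given target.

```python
"""Added model (not from the post) of the reset chain the post walks through.
Each account or fact is a node; PREREQS lists, per node, the sets of nodes an
attacker must already hold to take it over by the reset or support-desk path
described in the post. Node names are constructed labels, not any vendor's API.
"""

PREREQS = {
    "gmail_hint":      [{"public_profile"}],                     # 1) Google recovery shows m••••n@me.com
    "billing_address": [{"public_profile"}],                     # 2) WHOIS on his own domain
    "me_com_address":  [{"gmail_hint"}],                         # 1) obscured address is guessable
    "amazon":          [{"me_com_address", "billing_address"}],  # 3) add card, add email, reset
    "card_last4":      [{"amazon"}],                             # 3) account page shows last four
    "icloud":          [{"billing_address", "card_last4"}],      # 4) Apple TS bypasses questions
    "device_wipe":     [{"icloud"}],                             # 5) Find My iPhone / Find My Mac
    "me_com_mail":     [{"icloud"}],                             # .me mailbox comes with iCloud
    "gmail":           [{"me_com_mail"}],                        # 6) .me is Gmail's recovery address
    "twitter":         [{"gmail"}],                              # 7) reset mail lands in Gmail
}


def compromised(start, hardened=frozenset()):
    """Return every node reachable from `start` through weak reset paths.
    `hardened` nodes (second factor, no reset-by-recovery-address) can never
    be taken over by a reset path alone, so the chain breaks at them.
    """
    held = set(start)
    changed = True
    while changed:  # fixed point: add nodes whose prerequisites are all held
        changed = False
        for node, options in PREREQS.items():
            if node in held or node in hardened:
                continue
            if any(req <= held for req in options):
                held.add(node)
                changed = True
    return held


def single_fixes(target, start=("public_profile",)):
    """Every single node which, hardened on its own, keeps `target` out of reach."""
    return sorted(n for n in PREREQS if target not in compromised(start, hardened={n}))


if __name__ == "__main__":
    print("no hardening:  ", sorted(compromised(["public_profile"])))
    print("Gmail 2FA only:", sorted(compromised(["public_profile"], hardened={"gmail"})))
    print("blocks Twitter:", single_fixes("twitter"))
    print("blocks wipe:   ", single_fixes("device_wipe"))
```

Running it shows that a second factor on Gmail alone keeps the Twitter takeover out of reach but leaves the device wipe reachable, since in the post's own ordering the wipe (step 5) happens before Gmail falls (step 6).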
