Apple & Amazon security patched after hack
How secure is your digital presence? How easy would it be for someone to take over your various online accounts and piece together enough information to compromise your eBay, Amazon and PayPal accounts? Not very secure at all, according to recent victim Mat Honan, and all the hackers wanted from him was his Twitter account @Mat.
Surprisingly, it took very little for them to wipe his iPhone, blank his iPad and even erase all the data on his MacBook, not to mention delete his Gmail account and, of course, broadcast racist and homophobic messages on his Twitter account.
The attack was very simple, mainly because Amazon and Apple treated different pieces of personal data as the sensitive ones. It also didn't help that his Gmail and Apple me.com email addresses used the same prefix. That is not unusual, but it made the two addresses easy to match, and his physical address was easy to find from his website's domain registration via a Whois lookup.
The way it worked was that once the hackers learned his Apple email address from the account recovery page on Google, they had most of what they needed. Google displayed m••••firstname.lastname@example.org as the backup email address, so the hackers now knew to target Apple. All they needed for Apple's password reset was his address (from Whois) and the last four digits of his credit card.
Apparently the credit card was the easiest bit of the lot. The hackers simply phoned Amazon and asked to add a bogus credit card to the account (you only need the street address and email address, both of which they had by this time). A little later they rang Amazon back claiming to be locked out of the account and, using the name, billing address and the new credit card number as credentials, Amazon allowed them to add a new email address. Reset the Amazon password using the new email address and you can view all the credit card information on the account, including the last four digits of the genuine card.
Back at Apple with the genuine card details, name and address, the hackers took over the Apple account, wiped the iPhone, iPad and MacBook, and used the Apple me.com email address to reset the Gmail password. They then reset the Twitter password via Gmail and promptly wiped the Gmail account too.
The hackers say they did it to highlight security issues. However, it's frightening how easily it can be done.
It makes a good case for using a different email address (not just the domain, but the first part too) for your online accounts, and for registering a unique address that you use for nothing else as the backup email on those accounts that offer one.
However, it's also worth noting that the information Amazon considered unimportant enough to display in plain text in Mat's Amazon account was the very information Apple considered secure enough to authorise a password reset. The more accounts you have, the more likely it is that there's enough information out there about you to attack one of your online accounts, and it looks like once one is compromised the rest will all follow.
Thankfully, Amazon and Apple have updated their security to ensure this hack can never occur again, but which other companies could be used to access all of your online life?
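The chain above is worth seeing as a dependency graph, because that is how to audit your own accounts for the same problem. The following Python is an added example, not code from the original article or from any of the companies involved: it encodes the narrative as a set of "facts needed, fact gained" rules (all fact names and step descriptions are a constructed model, not real service data), computes which accounts become reachable from facts that were public, and then shows that removing a single link (the shared email prefix on the user's side, or Amazon displaying the last four card digits on the provider's side) leaves the Twitter account unreachable.

```python
"""Constructed model of the account-recovery chain described in the article.

Each rule reads: if an attacker already holds every fact in `needs`, the step
`via` yields the fact `gains`. Fact names and step wording are a hypothetical
encoding of the narrative above, not data from Amazon, Apple, Google or Twitter.
"""

# (facts needed, fact gained, the step in the article that links them)
RULES = [
    ({"website_domain"}, "street_address",
     "Whois lookup on the domain registration"),
    ({"gmail_address"}, "apple_email",
     "Google recovery page shows masked backup address; same prefix as Gmail"),
    ({"street_address", "apple_email"}, "bogus_card_on_amazon",
     "Amazon phone support adds a new card"),
    ({"name", "street_address", "bogus_card_on_amazon"}, "amazon_account",
     "Amazon phone support adds a new email; password reset"),
    ({"amazon_account"}, "card_last4",
     "Amazon displays last four digits of the real card"),
    ({"name", "street_address", "card_last4"}, "apple_account",
     "Apple password reset"),
    ({"apple_account"}, "gmail_account",
     "Gmail reset via me.com backup address"),
    ({"gmail_account"}, "twitter_account",
     "Twitter reset via Gmail"),
]

# Facts the article describes as public or trivially found (assumed start state).
PUBLIC_FACTS = {"name", "website_domain", "gmail_address"}


def reachable(start, rules):
    """Fixed-point closure: apply rules until no new fact appears.

    Returns a dict fact -> (needs, via) for derived facts, or None for start facts.
    """
    known = {fact: None for fact in start}
    changed = True
    while changed:
        changed = False
        for needs, gains, via in rules:
            if gains not in known and needs.issubset(known):
                known[gains] = (needs, via)
                changed = True
    return known


def chain_to(target, start, rules):
    """Ordered list of steps that lead from `start` to `target`; [] if unreachable."""
    known = reachable(start, rules)
    if target not in known:
        return []
    steps, seen = [], set()

    def walk(fact):
        # Depth-first over prerequisites so each step is listed after the facts it needs.
        if fact in seen or known[fact] is None:
            return
        seen.add(fact)
        needs, via = known[fact]
        for dep in sorted(needs):
            walk(dep)
        steps.append(via)

    walk(target)
    return steps


def without(rules, phrase):
    """Model a mitigation by dropping every rule whose step description contains `phrase`."""
    return [rule for rule in rules if phrase not in rule[2]]


if __name__ == "__main__":
    print("As described in the article:")
    for i, step in enumerate(chain_to("twitter_account", PUBLIC_FACTS, RULES), 1):
        print(f"  {i}. {step}")
    # Either party breaking one link is enough to make the target unreachable.
    for fix in ("same prefix", "last four digits"):
        still = chain_to("twitter_account", PUBLIC_FACTS, without(RULES, fix))
        print(f"Without the '{fix}' link: {'still reachable' if still else 'unreachable'}")
```

Running it lists the eight steps in the order the facts are gained and then reports "unreachable" for both mitigations, which is the point of the paragraph above: the weak link is the sum of the policies, and any one account holder or provider can cut it. To audit your own setup, replace `PUBLIC_FACTS` and `RULES` with the recovery options your services actually offer and see which of your accounts end up reachable from your name, domain and a public email address.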