How Your Online Identity can be Hacked

amirm

Banned
Apr 2, 2010
15,813
38
0
Seattle, WA
This is a long read but very worthwhile. It covers how the Wired reporter's account was hacked. He goes through it step by step and it was remarkably easy. Major corporations building these solutions are not thinking through how secure these processes are. It is a bit like computers used to be a couple of decades back. There were so few breaches that folks just didn't worry about how secure computing was. Just as well, cloud computing and online services are so new that catastrophic failures are not frequent enough to force companies to take proper action. Let's hope this poor reporter's bad fortune leads to better measures for the rest of us:

http://www.wired.com/gadgetlab/2012/08/apple-amazon-mat-honan-hacking/all/
 

GaryProtein

VIP/Donor
Jul 25, 2012
2,542
31
385
NY
. . . . And that is why I don't want to use the cloud.
 

FrantzM

Member Sponsor & WBF Founding Member
Apr 20, 2010
6,455
29
405
All of us are using some kind of Cloud these days whether we are aware of it or not, unless you never buy one thing on Amazon, research on Google or post online ... Not saying that this isn't a serious problem but not using one particular service but others doesn't shield you.
 

carolkoh

[Industry Expert] Member Sponsor
Sep 17, 2010
907
226
955
Seattle, WA
www.genesisloudspeakers.com
I read that this morning. Scary isn't it?

Having dealt with a vindictive & stalky ex, I always advocate using something other than "Mother's Maiden Name" / "Where you were born" and "Birthday" as security questions - and always discourage those kinds of "get to know you" games that are posted publicly.
 

amirm

Just to summarize how this went:

1. Hacker goes to reporter's web site and finds his gmail alias.
2. Hacker then looks up his address which anyone can do with free or paid services. BTW, I did this and for $2 found the owner of our house some 10 years ago which no one could find! Had all known locations including current phone number!!!
3. With the above two, he goes to Amazon to *add* a credit card to reporter's account. Amazon happily accepts the new credit card info. BTW, there are sites that generate valid credit card numbers online.
4. If you forget your Amazon password, they let you reset the account if you have mailing address and last four digits of the credit card info which of course he had. He proceeds to reset that account and requests account info from Amazon which includes them giving you the last four digits of credit card info. This info now gave him the last four digits of the reporter's real credit card on file at Amazon.
5. He goes to Apple to reset reporter's AppleID account. All they require is email address and last four digits of the credit card!!! Which of course he had in hand. They ask him the security questions which he got wrong but apparently that did not matter.
6. He immediately resets the AppleID with his own password.
7. Reporter had linked AppleID to gmail. He resets that.
8. Using the above he is able to reset the Twitter password since gmail was used as the account info for that. Once there, he started to post whatever he wanted to his twitter account.
9. For some unknown reason the hacker's partner decides to wipe out his Mac, iPad and iPhone.
10. He had not backed up his Mac for a year so he lost all of the pictures of his family, files, etc.
11. He wiped out his gmail account. Roughly a decade worth of email saved was now gone.

I am used to these hacks being sophisticated but there is little here that is fancy or hard. I am sure the technique was posted online and folks just connected the dots and went after him. BTW, the reporter/Wired tried all of these techniques and managed to get through. So all of the exposure is still there.

I suggest looking through the above list and thinking through how the scenarios may apply to you.

While the reporter faults himself, I put 90% of the fault on companies who have built these services. Which one of them has publicized that all someone needs to hack your account is your email address and last four digits of your credit card number? As the reporter nicely states, when you order Pizza and give the guy your credit card number and email alias/name, that is potentially all he needs to bring your world to an end per above! When did the credit card number become this secret authentication scheme to be trusted this way? Credit card numbers are not private data as they are shared with countless merchants. Very often I am asked to give them my email alias at check out for some discount program, mailings, etc. All you need is a corrupt clerk and you are toast. If they steal money from the credit card, your liability is limited to $50. What is the recourse for this poor reporter? How does he get all of his data back? Did Apple try and go to their backups to get his files back? How about Google? Apparently not. Really sad.
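
The chain summarized in the post above, written as an added example (not part of the original thread): each recovery path is a rule listing what a caller must present and what a successful reset exposes, so you can compute what follows from public information alone and which paths, once closed, break the chain. The fact and rule names are labels made up for this sketch.

```python
# Added example: recovery paths from the summary, modelled as rules.
# All fact and rule names below are hypothetical labels, not provider terms.
from typing import NamedTuple

class Rule(NamedTuple):
    name: str
    needs: frozenset   # facts a caller must present
    grants: frozenset  # facts or access exposed once the step succeeds

RULES = [
    Rule("amazon: add card by phone", frozenset({"email", "billing_address"}),
         frozenset({"last4_of_card_on_file"})),
    Rule("amazon: password reset",
         frozenset({"billing_address", "last4_of_card_on_file"}),
         frozenset({"amazon_account", "last4_of_real_card"})),
    Rule("apple: phone reset", frozenset({"email", "last4_of_real_card"}),
         frozenset({"apple_id", "apple_mailbox"})),
    Rule("gmail: reset via linked Apple mailbox", frozenset({"apple_mailbox"}),
         frozenset({"gmail_mailbox"})),
    Rule("twitter: reset via Gmail", frozenset({"gmail_mailbox"}),
         frozenset({"twitter_account"})),
]

PUBLIC = frozenset({"email", "billing_address"})  # steps 1-2: findable by anyone

def exposure(rules, known):
    """Fire rules until nothing new is learned; return (facts, steps in order)."""
    known, fired = set(known), []
    progress = True
    while progress:
        progress = False
        for r in rules:
            if r.name not in fired and r.needs <= known:
                known |= r.grants
                fired.append(r.name)
                progress = True
    return known, fired

def without(rules, *prefixes):
    """Drop rules whose name starts with any prefix (a provider closing that path)."""
    return [r for r in rules if not r.name.startswith(prefixes)]

def chokepoints(rules, known, asset):
    """Names of rules whose removal alone makes `asset` unreachable."""
    return [r.name for r in rules
            if asset not in exposure([x for x in rules if x is not r], known)[0]]
```

Replacing `RULES` with the recovery options of your own accounts shows which assets depend on nothing more than public facts; `without(RULES, "amazon: add card", "apple: phone")` models the two phone paths being closed.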
 

NorthStar

Member
Feb 8, 2011
24,305
1,323
435
Vancouver Island, B.C. Canada
---Amir, I just reported a hacker to the FBI, and they are now investigating.
...Eventually charges will be laid, and the penalties are stiff!

* By the way, I know exactly who hacked my computer; now I just need the authorities to confirm and put that person in jail!

____________________________

Furthermore, I tell you this everyone, like Amir just said above; it's your life, and protect it the best you can because some people always try to screw you up! That's all what they specialize in; robbing people, their identities, and f*****g up their life!
This is the world we live in, and hatred is very strong in some parts of this world.
{I'm sure you know which parts I'm talkin' 'bout; hate crimes and all that jazz...}

____________________________

One more, just from your e-mail address, pro hackers can wreak havoc into your life!
The Internet is the most unsecure place in the whole world! ...And that is a fact!
 

amirm

Looks like folks are starting to think this through. No doubt there has been a rash of copycat attempts: http://www.pcmag.com/article2/0,2817,2408206,00.asp

-----

The devastating hack of Wired writer Mat Honan has prompted Apple to change its password reset policy - at least for now.

According to Wired, AppleCare representatives are currently not allowed to help customers change their passwords over the phone. The move comes after a hacker used this method to gain access to Honan's account.

The change is in place for at least 24 hours, an AppleCare rep told Wired.

An Apple spokeswoman confirmed that the company has temporarily suspended the ability to reset Apple ID passwords over the phone. AppleCare reps will instead direct callers to iforgot.apple.com, which will let customers select one of two options: have a password reset email sent to their alternate email address, or answer a previously supplied security question.
When over-the-phone password resets are restored, Apple said it will require customers to provide "even stronger" identity verification, but the spokeswoman did not have details on what that might entail.

Yesterday, Amazon confirmed that it will no longer allow Amazon customers to change account settings like email and credit card data over the phone.

At issue is a hack that allowed an individual who identified himself as Phobia to gain access to Honan's accounts via an unsecured Gmail account and Amazon and Apple password reset loopholes that resulted in customer service representatives basically handing over access to Honan's accounts. Phobia, who apparently just wanted Honan's simple, three-letter Twitter account (@mat), managed to delete years worth of documents, photos, and more.

In a lengthy piece about the ordeal, Honan blamed himself for the hack, arguing that had he set up Google's two-factor authentication, the whole mess could've been avoided.
 

NorthStar

---Well, over-the-phone business is a NO NO! Nava!
People should have the freedom to change anything they want in their life through their own channel!
...Without anybody else's help!

TIP: Any financial business you do through your PC or Mac; always check your monthly statements.
 

amirm

The only solution is local backup. I am not an iPhone user but I assume iTunes or whatever can be used to sync with a PC and then you can back that up.
 
