Epic story of journalist who lost all his data to hackers

kranky

Elite Member
Oct 9, 1999
21,014
137
106
http://www.wired.com/gadgetlab/2012/08/apple-amazon-mat-honan-hacking/

Let's not hammer on his neglect to back up his data. But the WAY he got hacked (without having malware/spyware/keyloggers) is definitely worth understanding. Because I'm sure there are a lot of people who would be vulnerable to this same scenario.

It was all because some hacker wanted to get into the guy's Twitter account.

It's a long read but worth it.
 

darkewaffle

Diamond Member
Oct 7, 2005
8,152
1
81
lol those amazon calls are clever, but yea the guy's a moron for using such tightly linked accounts and devices.
 

Ns1

No Lifer
Jun 17, 2001
55,414
1,574
126
But what happened to me exposes vital security flaws in several customer service systems, most notably Apple’s and Amazon’s. Apple tech support gave the hackers access to my iCloud account. Amazon tech support gave them the ability to see a piece of information — a partial credit card number — that Apple used to release information. In short, the very four digits that Amazon considers unimportant enough to display in the clear on the web are precisely the same ones that Apple considers secure enough to perform identity verification. The disconnect exposes flaws in data management policies endemic to the entire technology industry, and points to a looming nightmare as we enter the era of cloud computing and connected devices.

O_O


Gotta ramp up security again...
 

Texashiker

Lifer
Dec 18, 2010
18,811
197
106
~ EDIT ~

After reading the article, that is some scary stuff.
 

God Mode

Platinum Member
Jul 2, 2005
2,903
0
71
I stopped reading at the first "Lulz". Those older than 16 should never use that word.
 

ImpulsE69

Lifer
Jan 8, 2010
14,946
1,077
126
And thus yet again why no matter how technical you think you are and how wonderful technology is, going "cloud" everything and "storing info online" for ease of use is not necessarily a good idea. Good luck convincing the masses of that though.

..then there's that part where everyone thinks Apple is infallible.

Hackers gonna hack.
 

darom

Senior member
Dec 3, 2002
402
0
0
lol those amazon calls are clever, but yea the guy's a moron for using such tightly linked accounts and devices.

I would say 80-90% of the general user population can be defined in this fashion. What really pisses me off is that with little social engineering one can get access to your accounts. Very clever.

I liked Kaspersky's founder's idea to issue the digital "passports" to online users to prevent such events from happening. Here is another interesting article:
http://www.wired.com/dangerroom/2012/07/kaspersky-indy/
 

Fingolfin269

Lifer
Feb 28, 2003
17,948
31
91
Wow. I like to think I'm pretty careful but I usually think about things from site to site. This ability to socially engineer yourself through one place in order to gain access to another using a single piece of data from another is kind of scary. I don't think that broadly and doubt many do.

The larger picture here is how can people really protect themselves?
 

Ns1

No Lifer
Jun 17, 2001
55,414
1,574
126
Wow. I like to think I'm pretty careful but I usually think about things from site to site. This ability to socially engineer yourself through one place in order to gain access to another using a single piece of data from another is kind of scary. I don't think that broadly and doubt many do.

The larger picture here is how can people really protect themselves?

Use unexpected answers to security questions, 2 step auth, and more shit that I'm about to google.
 

jagec

Lifer
Apr 30, 2004
24,442
6
81
Apple lets you wipe all of your iDevices remotely with a single login? That's idiotic. Now I have to go find an Apple user just so that I can laugh at them.
 

Ns1

No Lifer
Jun 17, 2001
55,414
1,574
126
Apple lets you wipe all of your iDevices remotely with a single login? That's idiotic. Now I have to go find an Apple user just so that I can laugh at them.

I like it, in case my phone is lost I'd sure as fuck remotely wipe it.
 

Triumph

Lifer
Oct 9, 1999
15,031
13
81
I dislike all of these online vendors who store all of my information on their website "for my convenience," and I also dislike all of these vendors who make me create a login account just to buy some contact lens solution. I don't want to do that in B&M stores, why should I do it for your stupid website? I remember Radio Shack back in the day used to be really big on that - you'd go in to buy a $3 cable and they'd want full name, address, and phone number. Didn't like it then, don't like it now.

I know all of this information is stored behind the scenes anyway, but that's another level of hacking compared to social engineering someone's login and passwords.
 

gorcorps

aka Brandon
Jul 18, 2004
30,740
452
126
wait how did they wipe his laptop?

Same way they wiped his iPhone and iPad; Apple has a tool that lets you remote wipe any of their devices you have set up for the service in case of theft. This included his MacBook.
 

gorcorps

aka Brandon
Jul 18, 2004
30,740
452
126
The part of the story that bothers me is:

In response, Apple issued a temporary password. It did this despite the caller’s inability to answer security questions I had set up. And it did this after the hacker supplied only two pieces of information that anyone with an internet connection and a phone can discover.

What is the point of the security questions if they don't even use them as a security measure? Seems to me this was the biggest failure here as there were security measures in place that for some reason the techs ignored. Part of me wonders if the desire to make customers extra happy is what made this too easy... if a customer yells enough about forgetting a couple questions, but has enough of the other info, a customer service rep may just give them the info to make them happy and be quiet. Bad for security, good for CS (until something like this happens).
 

kranky

Elite Member
Oct 9, 1999
21,014
137
106
The part of the story that bothers me is:



What is the point of the security questions if they don't even use them as a security measure? Seems to me this was the biggest failure here as there were security measures in place that for some reason the techs ignored. Part of me wonders if the desire to make customers extra happy is what made this too easy... if a customer yells enough about forgetting a couple questions, but has enough of the other info, a customer service rep may just give them the info to make them happy and be quiet. Bad for security, good for CS (until something like this happens).

And the kicker was that Wired magazine was able to duplicate the hacker's MO so it can't be a "rogue employee not following our security policy" excuse. Social engineering can be pretty effective if the person has the skills to pull it off.
 