Google, Amazon, Apple Security Flaws Could Mean Vulnerability for All Their Users – Including E-Book Buyers
This last week, Gizmodo reporter Mat Honan was hacked, and had all the data from his iPhone, iPad, and laptop computer erased—including irreplaceable baby photos of his daughter. While the hack itself doesn’t necessarily have anything to do with e-books, it came about because of security holes in several cloud computing ecosystems—and by an odd coincidence, these ecosystems are three of the e-tailers most commonly used for buying e-books and other electronic media. Thus, many of our readers who use these sites could be vulnerable to the same attacks.
Who were these e-tailers? Amazon, Apple, and Google.
Honan has written a four-page article for Wired describing how he became aware of the attacks, and what he learned about how they were perpetrated through his conversations with the hacker who did it. And the results are chilling. I had originally assumed the accounts fell to plain old social engineering, where someone tricks a person over the phone into revealing something they shouldn’t. But the hack ended up not involving human error at all—it took advantage of existing flaws in the way the security setup works, and in how information from one site can be used to authenticate at another.
For example: anyone who can find out your name, billing address, and e-mail can add a new credit card number to your Amazon account by phone—then they can call back and use that new credit card number as an authentication factor to change the e-mail on the account and send a password reset. While they couldn’t get access to the complete card numbers already stored on the account, and would probably be asked to re-enter the numbers to verify before they ordered, they could nonetheless see the last four digits—the same digits that Apple uses as an authentication factor to set a new iCloud password.
And Honan’s e-mail address was scooped up by starting password recovery on Gmail. If you don’t have two-factor authentication enabled, Gmail will show enough of the partially masked recovery e-mail address to provide a guessable pattern.
And the security holes are all still there. Honan and other Wired reporters tried them out over the course of writing the story, and they still work. They’re inherent in the way the system works, and it’s not clear what, if anything, can be done about them.
Honan admits culpability for not backing up his computer and for linking his cloud accounts together. He reflects that using “Find My Mac” was a mistake because it was what allowed the hackers to wipe his computer remotely. And he suggests it’s a good idea to have a password recovery e-mail address that isn’t used for any other purpose, so it can’t be used to gain access to accounts like Amazon or iCloud.
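As an added illustration (not part of the original article), the chain described above and the dedicated-recovery-address suggestion can be written down as a small threat model in Python: each support or reset procedure is a rule listing the facts it demands and the facts it hands over, and a closure over the rules shows what an attacker holding only public information can reach. The fact names, and the assumption that the Amazon account e-mail is the Gmail address, are constructed for this model.

```python
"""Threat model of the cross-service account-recovery chain described above:
each RecoveryPath is one support/reset procedure (facts demanded, facts gained),
and a closure over the paths shows what public information alone can reach."""
from dataclasses import dataclass

@dataclass(frozen=True)
class RecoveryPath:
    service: str
    requires: frozenset  # facts the attacker must already hold
    grants: frozenset    # account access or data visible afterwards

def path(service, requires, grants):
    return RecoveryPath(service, frozenset(requires), frozenset(grants))

# The chain as reported. Fact names are constructed for this model, and the
# Amazon account e-mail is assumed to be the Gmail address (a simplification).
HONAN_PATHS = [
    path("Amazon: add card by phone, then reset via a newly added e-mail",
         {"name", "billing_address", "gmail_address"},
         {"amazon_account", "card_last4"}),
    path("Gmail: partially masked recovery address is guessable",
         {"gmail_address"}, {"apple_id_address"}),
    path("Apple: iCloud password reset",
         {"apple_id_address", "billing_address", "card_last4"}, {"apple_account"}),
    path("Apple: Find My Mac remote wipe", {"apple_account"}, {"remote_wipe"}),
    path("Gmail: reset mail sent to recovery address",
         {"apple_account"}, {"gmail_account"}),
    path("Twitter: reset mail sent to Gmail", {"gmail_account"}, {"twitter_account"}),
]
PUBLIC_INFO = {"name", "billing_address", "gmail_address"}

def reachable(start, paths):
    """Fixed-point closure: fire every path whose requirements are all known.
    Returns (facts the attacker ends up with, service names fired in order)."""
    known, fired = set(start), []
    progress = True
    while progress:
        progress = False
        for p in paths:
            if p not in fired and p.requires <= known:
                known |= p.grants
                fired.append(p)
                progress = True
    return known, [p.service for p in fired]

def with_dedicated_recovery_email(paths):
    """Honan's suggested mitigation: Gmail's recovery address is a mailbox used
    for nothing else, so owning the Apple ID no longer yields the Gmail account."""
    return [path(p.service, {"dedicated_recovery_mailbox"}, p.grants)
            if p.service.startswith("Gmail: reset") else p for p in paths]
```

Running `reachable(PUBLIC_INFO, HONAN_PATHS)` fires all six paths from name, address and Gmail address alone; with the dedicated recovery mailbox the Apple ID and remote wipe are still reachable, but Gmail and Twitter are not, which matches the article's point that the fix limits rather than eliminates the damage.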
But in the end, perhaps the scariest thing is that he didn’t come in for this attention because of anything he’d written or had done. The hackers just wanted to steal his three-character Twitter account, and the only reason they’d wiped his computer was to make it harder for him to get back into it.
So if you buy e-books, or music, or movies, or anything from Amazon, Apple, or Google, be warned. Your accounts might easily be compromised, if anyone has a reason to go after them—or just feels like it.
Comments
DavidW August 7, 2012 um 8:01 am
If you use the same password for all accounts then yes. But that is not the fault of those services. I’ve recently wondered about the problem of using the same password on everything: how do you use more and not get confused or lost?
Well, talking to one of the IT guys at work, he told me his system: have the same root password but append something to it specific to the account, and obviously use a completely different password for financial stuff.
My Father has different passwords for everything, but he keeps an encrypted file with them in it, and the password he does memorize is the password to decrypt the file.
Again, is it a security flaw if users are not smart or sensible about protecting their accounts? I don’t want an additional increase in friction to access my accounts because some people are nervous but not nervous enough to be smarter about their security.
Mark Sly August 31, 2012 um 3:18 pm
Sounds like you haven’t fully read the story about Honan — none of his passwords were hacked into. No attempts to find any passwords were made at all.
The hacker wanted access to the Twitter account, and figured the password reset email address was his gmail account. He was able to figure out Honan’s name and address from the Twitter account and his other on-line personal info on other websites.
From there, he made two calls to Amazon and was able to get a password reset by adding a fake credit card to Honan’s account, then using it as authorization to get a new email address added. Send the password reset to the new email address, and now he has the last four digits of his victim’s credit card.
He discovered through gmail that Honan had an alternate password reset for his gmail account going to an Apple account. Apple needs an account, a billing address, and the last four digits of the credit card number (courtesy of Amazon). Bingo – the Apple account is now compromised (and his iProducts).
Now he sends a password reset from the gmail account to the Apple email address, and he’s in the Gmail account. From there to the Twitter account, and he’s got more than he needs to hack almost everything else Honan has online.
Simple passwords are not secure even if you have unique, complicated passwords. They were completely and utterly bypassed in this hacking event. Google’s 2-stage authorization could have saved his Twitter and Gmail accounts, but not his Amazon and Apple accounts. (Use of single-vendor credit card numbers from companies like Discover and Bank of America could have saved his Apple account.)
-MarkSly
Len Feldman August 7, 2012 um 10:45 am
Based on what happened to Mat Honan, there are a few things that you can do to protect yourself:
* If you have Google accounts, turn on two-step verification and install the Google Authenticator app on your iPhone or Android phone.
* Don’t use exactly the same name in your email addresses (it was that, not using the same password, that allowed the hackers to get the information they needed to do social engineering.)
* If you’re a Mac user, don’t enable the "Find My Mac" feature in iCloud–that’s what allowed them to wipe his Mac remotely.
Tim Smythe August 7, 2012 um 11:23 am
I am sorry for him; it was a hard lesson learned. I have two-step authentication on my email and I like the extra security it offers. You just telesign into your account and it’s good to go. I’m hoping that more companies start to offer this awesome functionality. In reality this should be a prerequisite for any system that wants to promote itself as being secure. I feel suspicious when I am not asked to telesign into my account by way of 2FA; it just feels as if they are not offering me enough protection.