In the space of one hour, our entire digital life was destroyed.
The attacker gained access to the person’s Google account and Twitter account EASILY also since the person used the iCloud account as the backup email address to the other accounts.
We don’t know about Apple iCloud, but if you can wipe someone’s laptop and phone remotely, is it not possible that the hackers first took a copy of all the data, in the search for bank account or log on details.
Before the hackers gained access to his Twitter account and that of Gizmodo, the hackers first gained access to his iCloud account, where they caused irrevocable havoc.
If one uses their Google email address as the backup email to their iCloud and Twitter accounts, the same problem occurs.
Because we’m a jerk who doesn’t back up data, we’ve lost at more than a year’s worth of photos, emails, documents, and more.
But what happened to us exposes vital security flaws in several customer service systems, most notably Apples and Amazon’s.
Amazon tech support gave them the ability to see a piece of information a partial credit card number that Apple used to release information.
Apple has confirmed to Honan that its own tech support staff provided the hacker entry into his online world via a bit of clever social engineering.
In short, the very four digits that Amazon considers unimportant enough to display in the clear on the web are precisely the same ones that Apple considers secure enough to perform identity verification.
The disconnect exposes flaws in data management policies endemic to the entire technology industry, and points to a looming nightmare as we enter the era of cloud computing and connected devices.
3, when hackers broke into our accounts, we’ve heard from other users who were compromised in the same way, at least one of whom was targeted by the same group.
Since the hacker had access to his email accounts, it was effortless to access Honan’s other online accounts such as Twitter.
The very four digits that Amazon considers unimportant enough to display in the clear on the Web are precisely the same ones that Apple considers secure enough to perform identity verification.
And Windows 8, the most cloud centric operating system yet, will hit desktops by the tens of millions in the coming year.
Security experts say it is “very concerning” that Apple’s staff could be so easily tricked, while even Apple co founder Steve Wozniak believes the move to cloud computing will create “horrendous” problems in the next five years.
When we opened our laptop, an iCal message popped up telling us that our Gmail account information was wrong.
Unsure of exactly what was happening, we unplugged our router and cable modem, turned off the Mac Mini we use as an entertainment center, grabbed our wife’s phone, and called AppleCare, the company’s tech support service, and spoke with a rep for the next hour and a half.
They got in via Apple tech support and some clever social engineering that let them bypass security questions.
Nor would Apple tech support ever tell us about the first call voluntarily it only shared this information after we asked about it.
, according to Apple’s tech support records, someone called AppleCare claiming to be us.
It did this despite the caller’s inability to answer security questions we had set up.
And it did this after the hacker supplied only two pieces of information that anyone with an internet connection and a phone can discover.
They then were able to follow the link in that e mail to permanently reset our AppleID password.
Two minutes later, an email arrived notifying us that our Google Account password had changed.
At 5:12 the attackers posted a message to our account on Twitter taking credit for the hack.
By wiping our MacBook and deleting our Google account, they now not only had the ability to control our account, but were able to prevent us from regaining access.
Our MacBook data including those irreplaceable pictures of our family, of our child’s first year and relatives who have now passed from this life weren’t the target.
One of the reasons it took us so long to get anything resolved with Apple during our initial phone call was because we couldnt answer the security questions it had on file for us.
(Of course, when we gave them those, it was no use, because tech support had misheard our last name.)It turns out, a billing address and the last four digits of a credit card number are the only two pieces of information anyone needs to get into your iCloud account.
After convincing some poor sap that he was Honan, ClanVv3 had Apple support change his iCloud password, which gave the hacker full access.
Apple tech support confirmed to us twice over the weekend that all you need to access someone’s AppleID is the associated e mail address, a credit card number, the billing address, and the last four digits of a credit card on file.
We talked to Apple directly about its security policy, and company spokesperson Natalie Kerris told Wired, Apple takes customer privacy seriously and requires multiple forms of verification before resetting an Apple ID password.
In this particular case, the customers data was compromised by a person who had acquired personal information about the customer.
We are reviewing all of our processes for resetting account passwords to ensure our customers data is protected.
On Monday, Wired tried to verify the hackers access technique by performing it on a different account.
This means, ultimately, all you need in addition to someone’s e mail address are those two easily acquired pieces of information: a billing address and the last four digits of a credit card on file.
Mark Jones is a business journalist based in Melbourne, Australia. Mark has a passion for financial markets and breaking news stories and loves writing about business news, stock market, and economic opinions that matters most to its audience. Mark spends a lot of time discovering and researching latest financial markets and industry news stories in order to make sure the latest and greatest stories are brought to you first on BigBoardNews.com.