Password resets over the phone are stopped in the aftermath of the “epic hack”
Apple and Amazon have stopped resetting user passwords over the phone, after hackers used their services to get access to Wired writer Mat Honan’s iCloud account and remotely wipe all his Apple devices.
Honan has written at length about his misfortunes, criticising the interlinked cloud account systems and urging Internet companies to rethink their policies.
After collecting plenty of personal information about the journalist online, the hackers, identifying themselves as Clan Vv3 and Phobia, used “clever social engineering” to get around security questions and gain control of the accounts.
First, they got their hands on Honan’s emails and billing address. Then they rang up Amazon tech support, and used his details to see a critical piece of information — a partial credit card number. The last four digits of this number allowed culprits to get into Honan’s Apple ID account.
This, in turn, helped them get into Gmail, which gave them access to both Honan’s personal Twitter account and Gizmodo’s Twitter account. As collateral damage, the journalist’s iPhone, iPad and MacBook Air were remotely wiped of all data.
“In short, the very four digits that Amazon considers unimportant enough to display in the clear on the web are precisely the same ones that Apple considers secure enough to perform identity verification,” wrote Honan.
“Clan Vv3 and Phobia hacked this twitter” — Is this Mat Honan? (@mat) August 4, 2012
In the aftermath of the hack, Apple placed the blame on its staff, saying that “internal policies were not followed completely” when changing Honan’s password. However, the journalist later successfully replicated the attack, proving that this wasn’t a “one-off” occurrence. He took control of the Apple ID the same way the hackers did, armed with just a name, e-mail address, mailing address and the last four digits of a credit card number.
After the unfortunate event, Honan has been in contact with Apple, urging the company to change its security policies. And it seems his efforts have paid off.
On Tuesday, Apple stopped all Apple ID password resets by phone. An Apple worker with knowledge of the situation told Wired that the freeze would last for at least 24 hours. He assumed this was necessary while the company was looking at its systems and analysing what went wrong.
The same day, Amazon said it had closed a hole in its customer service systems that enabled the hackers to gain control of Honan’s account using just the name, email address and mailing address. “We have investigated the reported exploit and can confirm that the exploit has been closed as of yesterday afternoon,” the company said in a statement.