Honangate: Apple and Amazon must learn a lesson

Posted by Mike Evans

The facts behind the disastrous hacking of Wired columnist Mat Honan’s Apple ID are shocking. Let’s hope Honangate has created an even bigger sense of shock in Cupertino and that Apple will finally do something to make things safer for us all.

Honan’s hacker didn’t need to crack the Apple ID password. Honan could have had a NASA-busting, fiendishly complicated password and the hacker could have reset it to 1234 after a few moments of cosy chat with an Apple representative. In fact, he used three easy-to-find facts to convince Apple that he was M.Honan and not A.Hacker:

  1. Apple ID: That’s usually your @me or @mac email address. Easy peasy.
  2. Home address: Another easy challenge for the determined thief.
  3. The last four digits of Honan’s credit card: As we all know, the last four digits are used by many on-line organisations for verification. These four digits are the least secure part of any credit card data. In Honan’s case (and in the case of many of us) the same credit card had been used for Amazon and Apple. The hacker was able to bluff Amazon into divulging the information.

The result: Honan’s Apple ID was reset. All his devices, including his Mac, were wiped clean. He lost over a year’s work and had to go through hoops to get things straightened out. It could have been worse. The hacker could have changed addresses and gone on a spending spree at the Apple on-line store. Says Honan:

what happened to me exposes vital security flaws in several customer service systems, most notably Apple’s and Amazon’s. Apple tech support gave the hackers access to my iCloud account. Amazon tech support gave them the ability to see a piece of information — a partial credit card number — that Apple used to release information. In short, the very four digits that Amazon considers unimportant enough to display in the clear on the web are precisely the same ones that Apple considers secure enough to perform identity verification. The disconnect exposes flaws in data management policies endemic to the entire technology industry, and points to a looming nightmare as we enter the era of cloud computing and connected devices.

I can understand that Apple needs to balance ultimate security against inconvenience. Many users are no doubt very bad at remembering passwords and other bits of security information. These are the same people who are always losing their Apple ID password and requesting a reset. However, at the risk of making life a bit more difficult for the improvident, Apple must look after its core users.

Not only Apple, but Amazon and others should urgently examine their authentication procedures. These days, vital bits of the identity jigsaw are held by many different organisations. It doesn’t take a supercomputer to break your password; it simply demands a bit of logic, including the ability to assemble the pieces of the jigsaw.
