” Password-based security mechanisms — which can be cracked, reset, and socially engineered — no longer suffice in the era of cloud computing.”
If you haven’t read Gizmodo writer Mat Honan’s gut-wrenching play-by-play of how his entire digital life was evaporated in the matter of hours, do yourself a favor and Instapaper it. Or, if you’re too busy to read the whole article, I’ve created a quick-and-dirty summary that retraces the hacker’s steps and highlights some steps we can take to protect ourselves from similar attacks.
How It Happened
1.) Hacker targets @mat via Twitter
Get the Free Pen Testing Active Directory Environments EBook
2.) Hacker browses to @mat’s personal website, which is linked from his Twitter profile
3.) Hacker sees @mat’s Gmail address on his website
4.) Hacker tries to login to Gmail using @mat’s (knowing he won’t get in)
Hmm, if the hacker can’t break into @mat’s Gmail account, why is this important?
When you tell Gmail that you’ve lost your password, it responds by showing you the partially obscured alternate email address it has on file for account recovery.
This is a big hole. Why? Because firstname.lastname@example.org was enough information to know which service to attack next – iCloud, which, as you’ll see in a minute, is extremely vulnerable to social engineering.
It’s worth noting that, as @mat mentions in Wired, if Gmail’s two-factor authentication was enabled, the nightmare ends here. Hopefully Google will figure out a better mechanism for securing your alternate email account other than blanking out a few characters (a security question would be a good start!).
Email is the skeleton key to your online identity since so many services reset your account via a confirmation link sent to your email address. Guard it well.
How can you protect your Gmail account?
5.) Hacker obtains @mat’s billing address by doing a simple WHOIS lookup on his website’s domain name
I can’t really ding @mat here since, as he points out, most peoples’ billing addresses are obtainable via WhitePages or a similar service unless you’re unlisted, which isn’t a bad idea. If you own a domain name, think about paying the extra $20/year for private registration.
6.) Hacker obtains last 4 digits of @mat’s credit card
Why was the hacker after the last 4 digits? Because this was the last piece of the iCloud-cracking puzzle. In order to verify your identity, AppleCare phone support requires: 1) name, 2) email, 3) billing address, and 4) the last 4 digits of the credit card on file. The hacker already had 3 of the 4.
Where might someone’s credit card number be stored? Amazon!
The hacker (correctly) assumed that @mat had an Amazon account that used one of his two known email addresses as the account name. But how did the hacker gain access? Hint: he didn’t crack the password. He used social engineering.
The hacker placed a call to Amazon tech support claiming to be @mat. He provided his name, address, and email (yikes!), and then asked the tech support rep to add a new credit card number to the account. Then he hung up the phone and waited.
Later, the hacker placed a subsequent call to Amazon saying he lost access to his account. Upon providing name, address, and the newly added fake credit card number, Amazon support let the hacker add a new email address to the account (e.g., email@example.com).
The hacker could now click “forgot password” on the Amazon login page and the subsequent password reset email would go to firstname.lastname@example.org instead of @mat’s real email address. Having reset the password, the hacker then logged into the Amazon account and nabbed the last 4 digits of the real credit card on file.
“And it’s also worth noting that one wouldn’t have to call Amazon to pull this off. Your pizza guy could do the same thing, for example. If you have an AppleID, every time you call Pizza Hut, you’re giving the 16-year-old on the other end of the line all he needs to take over your entire digital life.”
How can you protect your Amazon account?
Until Amazon rethinks their identity verification process, the only way to protect against this social engineering hack is to delete any credit card data you have on file with Amazon. Yes, it’s painful to have to enter your credit card information every time you place an order, but is it as painful as having your digital identity stolen?
Let’s recap: Hacker grabs public information: name, gmail address, billing address. Gmail’s login system reveals that @mat has an AppeID (email@example.com). The hacker knows that in order to own that AppleID the only missing piece is the last 4 digits of @mat’s credit card, which can be socially engineered from Amazon support. Whew.
Still with me? Good. Here’s where it gets really ugly.
7.) Hacker calls AppleCare with the information required to infiltrate an iCloud account: name (public), email (public), billing address (public) and last 4 digits of a credit card (virtually public).
How can you protect your AppleID?
Apple requires you to have a credit card on file if you want to use iTunes and the App Store, so deleting your credit card data might not be a viable option. However, you could dedicate a single purpose credit card for Apple. If the card @mat stored with Amazon didn’t match the card stored with Apple, the attack would have stopped here. Regardless, Apple needs to seriously rethink their identity verification process.
8.) Hacker remote wipes @mat’s iPhone, iPad and Macbook Pro
There are more security steps involved to opt into a MailChimp newsletter than to remotely decimate an entire laptop. The way iCloud’s remote wipe process was designed leads me to believe they didn’t even think through the possibility that an iCloud account could be hacked.
How can you protect your data?
Backup your data. No excuses. Have multiple backups and test your restores. You can get a 2TB external hard drive for $120 on (wait for it…) Amazon, and online backup services are a few bucks a month for unlimited data. (Anecdotally, the only hard drive failure I ever experienced was 1 day after my very first online backup completed. Most people aren’t so lucky.)
So many systems are interconnected in the cloud making things more convenient than ever before, but we have to realize that this same interconnectedness makes security exponentially harder. Passwords are no longer good enough—not for the important stuff. If Apple, Amazon, and (too a much lesser extent) Google—companies with a combined market cap of 900B—can’t get security right, what are the lesser known providers doing?
Rob Sobers is a software engineer specializing in web security and is the co-author of the book Learn Ruby the Hard Way.