The weakest link by far is Apple

421 points by rsobers, almost 13 years ago

29 comments

danso, almost 13 years ago
How is Apple the weakest link in this? According to Honan's account, Amazon was equally, if not more, weak in its verification processes:<p><a href="http://www.wired.com/gadgetlab/2012/08/apple-amazon-mat-honan-hacking/all/" rel="nofollow">http://www.wired.com/gadgetlab/2012/08/apple-amazon-mat-hona...</a><p>> <i>First you call Amazon and tell them you are the account holder, and want to add a credit card number to the account. All you need is the name on the account, an associated e-mail address, and the billing address. Amazon then allows you to input a new credit card. (Wired used a bogus credit card number from a website that generates fake card numbers that conform with the industry’s published self-check algorithm.) Then you hang up.</i><p>> <i>Next you call back, and tell Amazon that you’ve lost access to your account. Upon providing a name, billing address, and the new credit card number you gave the company on the prior call, Amazon will allow you to add a new e-mail address to the account. From here, you go to the Amazon website, and send a password reset to the new e-mail account. This allows you to see all the credit cards on file for the account — not the complete numbers, just the last four digits. But, as we know, Apple only needs those last four digits. We asked Amazon to comment on its security policy, but didn’t have anything to share by press time.</i><p>At least to get into the Apple account, you need the credit card on file. For Amazon, you can <i>send a fabricated credit card number</i> and get complete access (because you can add a new email account, to which you send a password reset).<p>Apple just seems like the worse player because Mat Honan put so much power into the hands of iCloud.
If Honan was in charge of administering enterprise services using Amazon's EC2 services, and hackers used his account to wipe out everything (or compromise corporate security), everyone would be calling out Amazon.<p>Edit: I haven't seen this fact mentioned much, but Honan's billing address was compromised through a WHOIS lookup on his domain. This is a huge reason to use registry protection services. It's true someone could look you up using things like Pipl and Spokeo, but that's only if you have something in public records, such as a mortgage (or, in some cases, leases).<p>Honan is in an especially tough situation because of the uniqueness of his real name.
alanh, almost 13 years ago
It’s getting pretty annoying that Marco is <i>consistently</i> able to recap yesterday’s top tech news item, <i>add no insight,</i> and hit the top of HN.<p>Or am I missing something? Is there value added in this process? Or do these concerns end up reaching a much wider audience?
debacle, almost 13 years ago
Apple's performance here is inexcusable for a software company. It displays either a complete disregard or a complete lack of understanding of basic security.
crazygringo, almost 13 years ago
This whole saga proves it's too hard for companies to implement effective security policies on their own.<p>What's needed right away is a "badge of security approval" from an independent third party, which verifies not just the technological side, but the customer-service side too. Including things like:<p>- password policies (e.g. not limiting to 16 characters)<p>- hashing and salting passwords<p>- standards for security questions (these are usually so horribly written)<p>- standards for identity verification if you've forgotten password AND security question answers (most sites will not be big enough to bother with this, so you just lose your account, but Facebook/Apple/Google/etc. need to have a common model, so inconsistencies between companies can't be exploited)<p>- policies for sending out password-reset emails, adding/changing e-mail addresses, with appropriate user notification<p>- waiting periods between changing emails and passwords, so you can't just go and change everything about an account all at once<p>- special unique privileges to initiate operations that can delete large amounts of data (like a special second password, or extra security questions, for deleting your account, remote wipe, etc.)<p>These are just vague ideas off the top of my head, not an actual proposal. But we really need a set of "best practices", and a way of identifying that companies are actually following those best practices.<p>A secure "lock" icon in the browser bar is no longer enough.
shawnc, almost 13 years ago
I don't know where else to bring this up, and had no idea how to discuss it when it happened. So I'll do it here, in this excellent thread of security discussion.<p>Dropbox doesn't send an email notification, or anything of the sort, when adding a computer to your Dropbox account.<p>I discovered this when one day I realized some of my files in Dropbox were deleted. Specifically my 1Password file.<p>I logged in to check things out, and discovered that there was a weird computer added to my account. I promptly changed my password to Dropbox, did a recovery of my 1Password file, changed the master password of that, then went through and changed passwords of my most important information stored in 1Password.<p>The fault lay with me, in that my Dropbox account was still using my temp 'testing this service out' password I'd used when I first signed up. Stupid me. My 1Password master password was already very strong so I wasn't highly concerned.<p>What ticked me off was that there was absolutely no notification or verification process when adding a computer to your Dropbox account! I wrote Dropbox, and their only response, after MANY days, was 'make sure your password is strong'.
brudgers, almost 13 years ago
Leaving aside Apple's choices regarding the degree of security employed to protect their customers, this would be a non-story but for the fact that Apple decided to treat Honan's MacBook as if it were an iPhone.<p>Email accounts get hijacked, phones lose data, and impersonation happens on Twitter. A blog post about one of these or all in combination may make the front page of HN, but unless the writing is compelling (and in this story none of it is), it will not persist there.<p>This story is a story because the MacBook was wiped remotely. That's what's scary. Losing data on a phone or iPad will never potentially entail the loss of years of work. They are second and third devices, and intended primarily for consumption not creation.<p>It's our computers which hold our work (and as this story shows, moving it to "the cloud" may not offer significantly greater protection). An architect doesn't store her design on her iPhone, nor a developer her code, nor an entrepreneur his company's books. Our computers tend to hold important parts of our lives. They are the tools we use to create and retain our work.<p>Apple forgetting that for the sake of a consistent sales sheet across product lines is really the heart of this story's traction.<p>Remote wiping at the flick of a switch is a bug, not a feature in the consumer world.
smoody, almost 13 years ago
Four digits are worthless. Somebody was able to get the last four digits of my social security number (how many times have we given that info to customer service reps thinking it's "safe?") and used the digits to open a credit account on BillMeLater (yes, they did not require the full social security number to open an account). They then started buying stuff (Nike shoes -- why doesn't that surprise me?).<p>The <i>only</i> reason I discovered this is because they didn't have my real email address and BillMeLater called me to tell me they needed me to update my email address. So, we also know that they don't even require email address authentication. Now all of my credit reports are locked. I recommend everyone do the same.<p>Sorry to hijack the discussion, but wanted to provide another "4 digits suck" example.
vibrunazo, almost 13 years ago
> It’s appalling that they will give control of your iCloud account to anyone who knows your name and address, which are very easy for anyone to find, and the last four digits of your credit card, which are usually considered safe to display on websites and receipts.<p>Not trying to defend anyone. But has this been reproduced enough to confidently say they'll give control to "anyone"? Or was it just an employee mistake not following the policies in place? It would be a mistake on their part either way, but I'm just trying to understand what the mistake was.
tav, almost 13 years ago
Even if Apple fix the account recovery process, the fact that any flaw in iCloud security could easily lead to all attached devices getting remotely wiped is extremely scary. All of your work gone in moments!<p>Don't get me wrong, remote wipes are useful. But they should be protected by some kind of a "Remote Wipe Authorization Passphrase" that the user must set up. Otherwise we are all simply at the mercy of the next access control vulnerability in iCloud.
bilbo0s, almost 13 years ago
Quick question for HN'ers... does anyone actually feel safe using cloud services for personal data storage?<p>In the interest of full disclosure... I can barely muster trust enough for Gmail. Actually, I don't trust Gmail, which is why I don't use it for anything important or personal. I certainly would not put my child's photos onto a cloud service and expect them to be safe. And from what I understand, these people put not only their data on iCloud, but their ACTUAL DEVICES are administrable from iCloud. That seems insane to me. It seems that this is the inevitable result of any such system.<p>I guess I am just a bit surprised at the surprise being expressed here. USB drives are not THAT horrible, are they? They seem, to me, far more reliable backup methods.
smackfu, almost 13 years ago
It's also interesting that for Amex cards, that part of the card number is very structured. The middle two of the last four are almost always 00 or 01 since it is just incremented for reissued cards.
robomartin, almost 13 years ago
Nothing is 100% guaranteed secure. Let's start there.<p>As far as password recovery, I would like to see something more "physical", if you will. For example, Apple charges a small random amount to the CC on file and you have to come back and give them the amount.<p>A fingerprint scanner on every iPhone could be interesting.<p>I think the reality is that nearly all but the most safety conscious/paranoid hackers reuse easy-to-remember passwords across a multiplicity of sites. Some might have two or three passwords to fence off, say, financially related logins from non-financial stuff. Still, the vast majority of Internet users are probably in the first group with a simple password across every single login they have. That's the problem. And, with such tools as Facebook logins you also have a situation where discovering one login gets you into all manner of sites.<p>How do you protect Mom, Dad and Uncle Fester from this? You are not going to turn them into computer scientists or security experts. No, they are not going to create and remember fifteen different thirty-two character passwords with a mixture of alphanumerics and symbols. That's just not going to happen.<p>Not sure what the solution might be at this point. The Internet, due to the nature of its organic evolution, does not have an underlying security construct that is, for lack of a better word, bulletproof.
griffindy, almost 13 years ago
I can't think of a time when I didn't see the last four digits of my credit card on a receipt. This is a totally boneheaded move on Apple's part.
chris123, almost 13 years ago
RE: "At the bare minimum, for this level of recovery that bypasses security questions, they should require confirmation of the entire credit-card number and verification code."<p>That's still a fail because your wallet probably contains credit cards, which have your name and credit card number, obviously. And driver's licenses in the US, as far as I know, include an address. So it's all there. You're screwed.<p>What is necessary is 2-factor authentication, which is what a lot of us have been saying for a long time (I wrote this blog post in 2009, after another Twitter-related hacking: "Why The Twitter Breach Is Bullish for Two-Factor Authentication": <a href="http://chrisco.wordpress.com/2009/07/16/why-the-twitter-breach-is-bullish-for-two-factor-authentication/" rel="nofollow">http://chrisco.wordpress.com/2009/07/16/why-the-twitter-brea...</a>). If not 2-factor, at least don't make recovery possible with things so easily obtained, such as information from items typically contained in a person's wallet.
dfc, almost 13 years ago
Why is this at the top of HN? Just because it's from Marco? There is nothing new in the article. Can a moderator please change the title to the actual title of the post "Apple and Amazon Security Flaws Led to Mat Honan’s Hacking"? The current title is just linkbait for people that thought it was a general discussion about Apple's weaknesses from Marco.
kaffeinecoma, almost 13 years ago
Does "remote wipe" also wipe attached drives, or just the system disk? It would really suck to also lose your Time Machine backups that way. I alternate my TM backups between several disks, leaving one of them off-site in case of catastrophe, but I'd still lose a good chunk of data if remote wipe targets attached volumes.
tomp, almost 13 years ago
Instead of a remote wipe, what they should do is a remote encryption. Generate a pair of public/private keys, use the public one to encrypt the data, and destroy the private one after a month or so. Encrypted data is indistinguishable from random data, but at the same time, the user can get it back.
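The "remote encryption instead of remote wipe" idea in the comment above, worked through as an added example (this is not code from the thread, from Apple, or from any real product): the data is sealed under a fresh AES-GCM key, that key is wrapped to a fresh RSA public key, and the private key sits in an escrow slot with an expiry; recovery works inside the window, and the first attempt after it destroys the private key. Where the escrowed private key would actually be held (on the service, on the device, or split) is left open here and is an assumption; this code keeps it in the returned struct for demonstration.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"time"
)

// LockedDevice is what a "remote lock" leaves behind: data encrypted under a
// fresh data key, that key wrapped to a fresh public key, and the private key
// held only in an escrow slot that expires. After expiry it is as good as wiped.
type LockedDevice struct {
	Ciphertext, Nonce, WrappedKey []byte
	escrowPriv                    *rsa.PrivateKey
	expires                       time.Time
}

// RemoteLock encrypts plaintext and returns the locked state. No copy of the
// plaintext or of the unwrapped data key survives on the device side.
func RemoteLock(plaintext []byte, grace time.Duration, now time.Time) (*LockedDevice, error) {
	priv, err := rsa.GenerateKey(rand.Reader, 2048) // escrow key pair, fresh per lock
	if err != nil {
		return nil, err
	}
	kn := make([]byte, 44) // 32-byte AES-256 data key followed by a 12-byte GCM nonce
	if _, err := rand.Read(kn); err != nil {
		return nil, err
	}
	block, _ := aes.NewCipher(kn[:32]) // 32-byte key: cannot fail
	gcm, _ := cipher.NewGCM(block)
	ct := gcm.Seal(nil, kn[32:], plaintext, nil)
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, &priv.PublicKey, kn[:32], nil)
	if err != nil {
		return nil, err
	}
	for i := 0; i < 32; i++ { // drop the only unwrapped copy of the data key
		kn[i] = 0
	}
	return &LockedDevice{ct, kn[32:], wrapped, priv, now.Add(grace)}, nil
}

// Recover unwraps the data key and decrypts, but only inside the grace window;
// the first attempt after it has passed destroys the escrowed private key.
func (d *LockedDevice) Recover(now time.Time) ([]byte, error) {
	if d.escrowPriv == nil || now.After(d.expires) {
		d.escrowPriv = nil // nothing left that can ever decrypt the data
		return nil, errors.New("recovery window closed; private key destroyed")
	}
	dek, err := rsa.DecryptOAEP(sha256.New(), nil, d.escrowPriv, d.WrappedKey, nil)
	if err != nil {
		return nil, err
	}
	block, _ := aes.NewCipher(dek)
	gcm, _ := cipher.NewGCM(block)
	return gcm.Open(nil, d.Nonce, d.Ciphertext, nil)
}
```

In a real deployment the expiry would be enforced by a process that deletes the escrowed key on schedule, not by the next caller; the point here is that the step-up protection discussed elsewhere in the thread (a separate wipe authorization) can guard the key destruction rather than the data itself.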
Zenst, almost 13 years ago
I have one question as I'm not aware of any - has anybody had their BlackBerry hacked and remotely wiped?<p>What proportion of share price is affected by security, as that is all a company really cares about.<p>Now maybe the whole credit card system that we have is at fault - one number to rule them all to pay for things. Maybe if we had a system where we could give each transaction a unique number that was unique to each vendor you used. Then if that number is leaked it would be clear where it leaked from and only affect the people who leaked it. Until then there are disposable credit cards.<p>If Apple only accepted Apple credit cards and if Amazon only accepted Amazon credit cards, then this would not have happened. Can see what the outcome of this will be and people will still complain.
ashray, almost 13 years ago
AFAIK almost every bank in India has now been ordered by the government to use 2 factor authentication. What's more, a specific bank I use has also included an interesting approach against phishing attacks.<p>You are basically assigned an access phrase and access image. They ask you to look at these two things and know what they are. Then, when you visit the site you enter ONLY your username. Once you click submit you're shown your access phrase and access image. If this were a phishing site, there is a high chance that your access phrase and image wouldn't match so you'd know to GTFO.<p>This is followed with a 2 factor authentication. Pretty solid IMHO :)
PsyGeek, almost 13 years ago
The title of this article is completely misleading. It really is astonishing how the author is primarily targeting Apple to be at fault here. While protecting customer information is a top priority for reputable companies such as Apple, you cannot equate one non-diligent AppleCare employee to the entire organization. Clearly, the AppleCare employee that was easily socially-engineered did not follow standard operating procedures. For the record, the "hackers" who destroyed Honan's digital life should be prosecuted. It's sad that Honan is letting these young punks get away with their malicious and unethical acts.
antidaily, almost 13 years ago
Obviously. And yet, you have to admire the sneakiness of the hacker to even think of something so simple. If nothing else, this whole fiasco called attention to a terrible system that's probably already been changed by Apple.
mikesun, almost 13 years ago
What if Apple provided some sort of 2-factor auth that you had to verify with the phone rep? Like they'll send you an email or SMS and you verify the code back to the rep?
PanMan, almost 13 years ago
I think this will result in Apple selling less apps: People will set a way better password on their Apple account, and since you need the same password to buy $1 apps (every time!) as you do for remote wipe, people will buy less apps. They should probably have several levels: one simple PIN code for less intrusive stuff, and a lot of checks for the remote wipe (or expensive purchases).
kmfrk, almost 13 years ago
I don't know how this whole affair reflects on Apple as a company, but this seems like Apple's best opportunity to let users know whether it should be taken seriously as a cloud service and specifically e-mail provider.
rmc, almost 13 years ago
The EU has data protection law which means companies that store personal data are legally obliged to protect it. I wonder if Apple are in breach of the law here? Will someone affected make a complaint?
ma2xd, almost 13 years ago
The last four digits are the ones on almost any receipt from a payment done with credit card which is not censored. And all the other info is in the phonebook or other places on the net.
chris_wot, almost 13 years ago
Oh wonderful. Replace one set of weaknesses with something much, much worse - allowing any customer service rep access to your entire credit card (including CCV)!<p>I do like his second idea though.
Zenst, almost 13 years ago
Weakest link is having a chain of events that prevent you from doing a backup. Two phrases that spring to mind "back don't fudge up" and "trust nobody".<p>Remember time beats all security.
livemyjourney, almost 13 years ago
Name, address and last 4 digits of your credit card... Seems like one would be screwed if you lost your wallet with your DL in it.