How Apple and Amazon Security Flaws Led to My Epic Hacking

446 points by malachismith, almost 13 years ago

33 comments

Matt_Cutts, almost 13 years ago

For the people that want to turn on two-factor authentication on their Gmail account, here's how to do it: http://support.google.com/accounts/bin/answer.py?hl=en&topic=1056283&answer=185839 I highly recommend it.

Some of the common misperceptions I see:

Myth: But what if my cell phone doesn't have SMS/signal?

Reality: You can install a standalone program called Google Authenticator, so your cell phone doesn't need a signal.

Myth: Okay, but what about if my cell phone runs out of power (added: or my phone is stolen)?

Reality: You can print out a small piece of paper with 10 one-time rescue codes and put that in your wallet.

Myth: Don't I have to fiddle with an extra PIN every time I log in?

Reality: You can tell Google to trust your computer for 30 days and maybe even longer.

Myth: I heard two-factor authentication doesn't work with POP and IMAP?

Reality: You can still use two-factor authentication even with POP and IMAP. You create a special "application-specific password" that your mail client can use instead of your regular password. You can revoke application-specific passwords at any time.

Myth: Okay, but what if I want to verify how secure Google Authenticator is?

Reality: Google Authenticator is open-source: http://code.google.com/p/google-authenticator/

Hmm. Maybe I should throw this up on my blog too.

steve8918, almost 13 years ago

I'm sorry for the journalist who lost all of his digital information, but I think/hope that this article will have a huge impact in terms of how the security practices for all large companies with an Internet presence will behave.

The fact that they pieced together all this information from multiple sources, including Amazon's ability to add credit cards over the phone, to getting the billing address through domain name registration, to hacking into Apple iCloud really makes me feel... I guess depressed is the word.

We really have no control over our own data security. I've been super paranoid about things like identity theft, and I got my identity stolen, which is something I've been dealing with over the past 2 years or so. Somehow, my birthdate, addresses, etc. were all wrong, and I had to jump through hoops to get it changed. As well, I currently have an unpaid credit card linked to my account, and the credit agencies and the collection agency won't remove it. The collection agency required me to submit 3 copies of my signature, a police record, copies of my identification, etc., before they'll remove it, even though THEY were the ones who made the mistake. I went to the police station to file a report, but they needed documentation that I didn't have, since I had already changed most of the information through the credit agencies. At this point, I froze all my accounts through the credit agencies, and I've given up.

The safety of my email, etc., is something that I also take extremely seriously, and now I'm being told that there's a possibility of being hacked via clever hackers piecing together information from various sources, each of which have different security procedures. We literally have no data security except "security through obscurity", meaning that the likelihood of being randomly hacked is low, but if someone wants your account, they can and will get it, pretty easily it seems.

The industry NEEDS to standardize on a very rigid set of protocols on things like what information they give out, how accounts are reset, how things like credit cards are added to accounts, what information they leak, etc. This is ridiculous.

nl, almost 13 years ago

Last time HN discussed this story, I said "turn on 2-factor authentication for your Google account".

Unsurprisingly, I got the exact reaction I'm seeing here when it has been suggested: lots of questions about how it works, people who think their situation is unique so it won't work for them, and people complaining that SMS is insecure.

1) Don't ask any more questions. Try it out; if you hate it, turn it off.

2) Your situation almost certainly isn't unique. You get 10 codes to print out, and you can have (revokable) application-specific passwords that don't require the token. Try it!!

3) Use the smartphone application.

Don't ask any more questions - just try it out!

suresk, almost 13 years ago

Given how central (for better or worse) a role email plays in safeguarding other accounts, the hassle of 2-factor auth for it is feeling like less and less of an annoyance.

About a month ago, one of my credit card accounts got hacked and was used to send money to someone else - the number itself wasn't compromised, it was the actual account. No doubt, the attackers tried to log in and change my email password, but had to settle on the next best thing - spamming my email address with hundreds of emails per minute in an attempt to cover up the emails sent by my CC company.

Fortunately, the spamming wasn't very sophisticated and it only took me 30 seconds to filter it all to trash. I was on the phone with my credit card company within 10 minutes of the attack, which mitigated some of the damage.

I'm sure at some point weaknesses will be found in the 2-factor auth solution, but for now, it feels almost mandatory for important email accounts.

brudgers, almost 13 years ago

> "the very four digits that Amazon considers unimportant enough to display in the clear on the web are precisely the same ones that Apple considers secure enough to perform identity verification"

I don't see how this is an Amazon security flaw. The last four digits of my credit card are printed on receipts from just about every merchant I transact credit card purchases with. Treating such public information as if it is a PIN places the flaw clearly in Apple's court.

cubicle67, almost 13 years ago

My bank and a few other companies I deal with require some sort of pin/password in order to speak to someone over the phone. When I call, the conversation usually goes something like

    "Hello Mr 67, before we start I'll need your pin"
    "I have a pin?"
    "Yes, when you set up this account you were given a pin required for phone access"
    "Really? I have no idea what it is..."
    "That's ok. If you can just answer these other few questions. What's your mother's maiden name"
    [redacted]
    "and your birthdate"
    [also redacted]
    "thank you Mr 67, now how can I help you today? ..."

brown9-2, almost 13 years ago

"It turns out, a billing address and the last four digits of a credit card number are the only two pieces of information anyone needs to get into your iCloud account."

This is scary.

shalmanese, almost 13 years ago

I think a lot of people are missing the forest for the trees in this discussion. The real interesting question is not how he got hacked, it's why it doesn't happen more often. None of the tricks listed in the article are particularly time sensitive; the fundamental patterns behind this hack go back at least several years and they relate to fundamental design interactions between complex systems that are difficult to impossible to change. So given all this, why him? Why now?

The answer doesn't have anything to do with how he should have set up 8-factor authentication or how he should have had a Swahili-numeric password. The answer is that his hacker had extremely atypical motivations and that's the reason his life got destroyed.

The goal of this hacker was to pwn this guy's short, valuable Twitter account. It's unlikely there's really any other hacker in the world who has that goal, which is why such attacks are so rare. For most hackers, there's some sort of rational ROI calculation and if the ROI is negative, the hack isn't worth doing.

Nerds often have a hard time seeing that security is a holistic system. It's often comprised of many flawed layers that are layered in depth to provide a statistically secure system. In real life, security comes from being able to push down the ROI through institutional mechanisms rather than personal ones. Credit cards are designed to be stolen and recovered from, investigations are able to target key players in the field and tough penalties mean that the negative effects outweigh the positive gains.

All this has led to a black market rate of merely $2 - $3 per stolen credit card, meaning that there's not much motivation to hack in the first place.

Nerds naturally have a libertarian bent which makes them more inclined to believe encryption and technology is the solution to the problem when, in reality, it's a beefed up police state and American hegemonic decisions that can span the globe.

mike-cardwell, almost 13 years ago

"Moreover, if your computers aren't already cloud-connected devices, they will be soon."

I disagree. You can and will (for the foreseeable future) be able to choose a computer/configuration that doesn't allow some remote third party to run arbitrary code on it or wipe it.

His devices were all wiped because he let a third party have that level of access.

SCdF, almost 13 years ago

I wonder, do any of these companies send defensive communications when people try to unlock things like this?

Yes, I made that phrase up. So here's what I mean:

- "Amazon then allows you to input a new credit card." <-- Amazon should then send an email confirming this to your email address, a txt to your phone, and a smoke signal to your Tipi.

- "Next you call back, and tell Amazon that you've lost access to your account." Email, phone, Tipi. And a waiting period.

- When you call Apple's tech support, again: email, phone, Tipi.

Maybe I'm missing the obvious flaw in this plan, but since customer support (humans) seems to be one of the main weak links, it would make sense to presume that's where people will attack, and to then attempt to reach out with all communication mediums possible to make sure you're talking to the real deal.

danweber, almost 13 years ago

We need people to be able to regain access after losing a password, and we need only the right people to have that. This is a very hard problem.

One thing that we should have is a "cool down" period. If you want to regain access to, say, your GMail account, then it will take 48 hours of waiting, and phone calls and emails will go out to your contacts before that is completed, so the real person has a chance to protest.

I don't understand how the MacBook data was permanently lost. Even if the files were deleted in the OS, they are recoverable by disk utilities. Unless they were encrypted. Which just goes to say that when you think the solution to your problem is encryption, you don't understand your problem.

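The "defensive communications" SCdF describes and the 48-hour "cool down" with a chance to protest that danweber proposes are the same control seen from two sides: every sensitive change fans out to every registered contact channel, and a password reset does nothing until a waiting period has elapsed and nobody has objected. The following Python sketch is an added illustration of that flow, not code from any commenter, Amazon, Apple or Google. The class and method names, the injectable clock, the in-memory `outbox` standing in for email/SMS delivery and the contact addresses are all constructed for the example.

```python
import secrets
import time

COOL_DOWN_SECONDS = 48 * 3600  # the 48-hour waiting period suggested in the thread


class AccountRecovery:
    """Password-reset flow with a cool-down, owner notification and a veto.

    `clock` is injectable so the flow can be exercised without waiting two
    days; `outbox` is a constructed stand-in for real email/SMS delivery.
    """

    def __init__(self, clock=time.time, cool_down=COOL_DOWN_SECONDS):
        self.clock = clock
        self.cool_down = cool_down
        self.pending = {}   # account -> {"opened", "token", "cancelled"}
        self.outbox = []    # (channel, address, message) tuples

    def _notify(self, contacts, message):
        # "email, phone, Tipi": every registered channel, never just one
        for channel, address in contacts:
            self.outbox.append((channel, address, message))

    def record_sensitive_change(self, account, contacts, description):
        """Defensive communication for a change that needs no reset, e.g. a new card."""
        self._notify(contacts, f"{account}: {description}. Not you? Contact support.")

    def request_reset(self, account, contacts):
        """Open a reset; nothing takes effect until the cool-down has elapsed.

        Returns the cancel token, or None while a protested request still
        locks recovery for the rest of its cool-down window.
        """
        prior = self.pending.get(account)
        if prior and prior["cancelled"] and \
                self.clock() - prior["opened"] < self.cool_down:
            return None
        token = secrets.token_urlsafe(16)  # lets the real owner veto the reset
        self.pending[account] = {"opened": self.clock(), "token": token,
                                 "cancelled": False}
        self._notify(contacts,
                     f"{account}: password reset requested; it completes in "
                     f"{self.cool_down // 3600} hours. To stop it, use token {token}")
        return token

    def cancel(self, account, token):
        """The real owner protests with the token delivered to their contacts."""
        req = self.pending.get(account)
        if req is None or not secrets.compare_digest(req["token"], token):
            return False
        req["cancelled"] = True
        return True

    def complete_reset(self, account):
        """Succeeds only if the request is live and the cool-down has passed."""
        req = self.pending.get(account)
        if req is None or req["cancelled"]:
            return False
        if self.clock() - req["opened"] < self.cool_down:
            return False
        del self.pending[account]
        return True


if __name__ == "__main__":
    t = [0.0]                                   # fake clock for the demo
    flow = AccountRecovery(clock=lambda: t[0])
    contacts = [("email", "owner@example.invalid"), ("sms", "+1-555-0100")]  # constructed
    flow.record_sensitive_change("demo-account", contacts, "new credit card added")
    flow.request_reset("demo-account", contacts)
    print("reset allowed immediately:", flow.complete_reset("demo-account"))  # False
    t[0] += COOL_DOWN_SECONDS
    print("reset allowed after cool-down:", flow.complete_reset("demo-account"))  # True
    for channel, address, message in flow.outbox:
        print(f"[{channel} -> {address}] {message}")
```

The design point is that the veto token travels over channels the attacker has not yet captured, so a hijacked support call alone cannot finish the reset; the lock after a cancellation stops an attacker from simply re-requesting the moment the owner objects.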
gatordan, almost 13 years ago

I don't have a blog and I don't know the proper convention for those "Show/Ask HN" posts, so I suppose a comment here is the next best thing because my question is related.

After reading the "Yes, I was Hacked. Hard." post I updated several of my passwords and found that Netflix enforces a 10 character limit on their passwords. Does anyone have an idea why or how this could be the case? I would find it very ironic if they did this to save a few bits per user in their database considering they're a media streaming company.

mick_dundee, almost 13 years ago

Two-factor authentication is important for online security (and not just email accounts), but there are other lessons to be learned from Mat Honan's misfortune. I'm probably more extreme in my practices than most people, but I'm OK with the inconveniences.

- You can't rely on companies providing online services to have your best interests as their best interests.
- Take security seriously, because if you don't you won't know about an attack until it's done.
- Don't use a vendor's all-in-one services.
- Don't use "the cloud" as a backup source.
- Back up frequently.
- Don't use one email account for everything.
- Have an email account that is used for recoveries and nothing else... and keep it obscure. e.g.: x90x90recovx@someotherhost.com
- Don't use personal credit cards for online purchases.
- If it's an option, don't store credit card details against your account; choose to manually enter it every time.
- Don't use the same credit card for multiple sources of online shopping/billing/etc.
- Don't give real answers to "security questions", such as your mother's maiden name or the name of your first pet.
- Don't provide real personal information (address, contact number, etc.) to online services when you create an account.
- Don't use Facebook, Twitter, etc. irresponsibly.
- Shut down if you're not at your computer.
- Encrypt your data.

metafunctor, almost 13 years ago

Some banks provide a service which allows you to create unique credit card numbers without actually having to get separate physical credit cards. Kind of like application-specific passwords, but for credit cards.

See here: https://www.citibank.com/us/cards/gen-content/messages/van/index.htm

Separate credit card numbers for Amazon and Apple would have prevented this hack.

dendory, almost 13 years ago

Everyone focuses on Gmail 2-factor, but that should be added as an option for any online service. It's trivial for any web developer to use Google Authenticator to offer 2-factor auth for your own service in just a few minutes. I made a demo a while back in less than an hour, all open source. http://dendory.net/twofactors

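Both Matt_Cutts's list (the Authenticator app needs no signal, 10 one-time rescue codes, the open-source client) and dendory's point that any service can accept Authenticator codes rest on the same standard: HOTP (RFC 4226) and its time-based form TOTP (RFC 6238), an HMAC-SHA1 over a counter, truncated to six digits, with the counter derived from the clock in 30-second steps. The Python below is an added, stand-alone implementation of the server side of that scheme plus hashed one-time rescue codes; it is not dendory's demo, not Google's code, and the function names are the example's own. The only fixed value in it is the RFC test secret, used so the output can be checked against the published vectors.

```python
import base64
import hashlib
import hmac
import secrets
import struct
import time


def generate_secret(nbytes=20):
    """Fresh shared secret, base32-encoded the way a user pastes it into
    Google Authenticator (or scans it from a QR code)."""
    return base64.b32encode(secrets.token_bytes(nbytes)).decode("ascii")


def hotp(secret_b32, counter, digits=6):
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, dynamically truncated."""
    padded = secret_b32.upper() + "=" * (-len(secret_b32) % 8)
    key = base64.b32decode(padded)
    digest = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret_b32, at_time=None, step=30, digits=6):
    """RFC 6238 TOTP: HOTP with the counter taken from the clock (30 s steps)."""
    if at_time is None:
        at_time = time.time()
    return hotp(secret_b32, int(at_time) // step, digits)


def verify_totp(secret_b32, code, at_time=None, step=30, digits=6,
                window=1, last_counter=None):
    """Return the matching counter, or None.

    Accepts the current step plus/minus `window` steps to absorb clock
    drift, compares in constant time, and refuses any counter at or below
    `last_counter` so a code that was just used cannot be replayed.
    """
    if at_time is None:
        at_time = time.time()
    base = int(at_time) // step
    for delta in range(-window, window + 1):
        counter = base + delta
        if counter < 0:  # edge case right after the epoch / bogus clocks
            continue
        if last_counter is not None and counter <= last_counter:
            continue
        if hmac.compare_digest(hotp(secret_b32, counter, digits), code):
            return counter
    return None


def issue_rescue_codes(n=10, nbytes=5):
    """The printable one-time codes: plaintext list for the wallet, hash set to store."""
    codes = [secrets.token_hex(nbytes) for _ in range(n)]
    stored = {hashlib.sha256(c.encode()).hexdigest() for c in codes}
    return codes, stored


def redeem_rescue_code(stored, code):
    """Consume a rescue code; its hash is removed on first successful use."""
    h = hashlib.sha256(code.encode()).hexdigest()
    if h in stored:
        stored.discard(h)
        return True
    return False


# RFC 4226 / RFC 6238 test secret (ASCII "12345678901234567890"), base32-encoded.
RFC_TEST_SECRET = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"

if __name__ == "__main__":
    print("HOTP counter 0:", hotp(RFC_TEST_SECRET, 0))                 # 755224
    print("TOTP at t=59:  ", totp(RFC_TEST_SECRET, 59, digits=8))       # 94287082
    secret = generate_secret()
    now = time.time()
    print("fresh code verifies:", verify_totp(secret, totp(secret, now), now) is not None)
```

Two details matter in practice: the constant-time comparison, so the verifier does not leak how many digits matched, and the `last_counter` check, so an intercepted code is dead the moment it is used even though the drift window would otherwise still accept it. Rescue codes are stored only as hashes, for the same reason passwords are.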
chmars, almost 13 years ago

Useful advice via http://notes.kateva.org/2012/08/net-security-is-completely-broken.html:

'We need to give Schneier a few drinks and get him to talk about this again. Failing that:

Backup for Darwin's sake. Don't enable remote wipe of Mac OS X hardware. Just encrypt it. Use Google two-factor (two-step verification) if you are a geek and can stomach it. Fear the Cloud. Keep the data you value most close to you. Don't use iCloud. Don't trust Apple to get anything right that involves the Internet and/or Identity.

Not being Schneier my advice isn't worth much, but fwiw I suspect the "solution" is:

Get rid of the secret security question. Strictly limit password resets. If someone lost last access, charge them $50 to go to bank, post office or notary to establish their identity. Incorporate biometrics (thumb print and speech probably).'

btb, almost 13 years ago

The scariest part of this article IMO is how there now is a recipe posted for getting into any Amazon account. Imagine all the damage/harassment they could do once in there: buy all kinds of stuff and have it sent to you, spin up 20 EC2 instances and use them to perform illegal activities etc., while burning up cash on your credit card.

That to me seems much worse than having an iMac wiped.

cookiecaper, almost 13 years ago

The fact is that Apple and Amazon have far more confused customers than targets for social engineering attacks. They are always going to have an "I forgot everything about myself and my account, please let me in!" option. All cloud service providers are going to have this.

With this in mind, it may not be wise to remotely link your MacBook such that it can be wiped by Apple Central Command. Do people seriously do that? A phone is maybe kind of reasonable for this kind of thing (only kind of), but your actual laptop? Is this a requirement of new versions of OS X or something? I don't know who would set this up willingly.

Any local data that you want to keep from attackers should be stored as ciphertext. Your secret key should be encrypted with a strong passphrase. Most thieves, even high-level corporate espionage-type thieves, won't know how to use GPG in the first place, but if they do, if you've done it right they won't be able to get in.

From the perspective of keeping ourselves safe in a world where all data is kept on (or hooked up to a remote control at) the server of a big faceless corporation, all plaintext should be considered public info. Just because they haven't published or leaked it yet doesn't mean they won't, and it doesn't mean that anyone with an interest can't go in and take it, or that they won't wreak havoc for an ultimately minor goal (like access to Twitter).

Encryption and backup. The two constantly repeated, never honored mantras whose inconveniences have plagued computer users for decades now. If people did these things correctly, hacks would rarely matter or jeopardize significant amounts of data. This is a field that is ripe for system-level disruption; Time Machine kind of helped with the backup, but we still don't have anything decent for layman's crypto (perhaps because the business models of companies are now so dependent on reading our information and selling it back to interested parties).

donohoe, almost 13 years ago

"Epic Hacking"?

A whole lot of damage was done, yes - but an "epic hack"? Don't think so.

    epic: heroic; majestic; impressively great

forcer, almost 13 years ago

"The disconnect exposes flaws in data management policies endemic to the entire technology industry, and points to a looming nightmare as we enter the era of cloud computing and connected devices."

This disconnect is unfortunately not limited only to the tech industry. Every receipt you get while you pay with your credit card offline will display some part of your credit card number. The crazy thing is that there is no standard for it and everyone picks different numbers! If you collect your receipts and then throw them all out at once without destroying them - anybody can put the numbers together.

I would say this is a much bigger problem and has been around for ages!

sschueller, almost 13 years ago

How can he not press charges against 'Phobia' and any of his stupid script kiddy friends? Maybe the police are too stupid to do anything and the FBI has too much other shit to do, but isn't there any legal way to get these bastards?

stuff4ben, almost 13 years ago

It boils down to "who do you trust?" Ultimately you have to take some responsibility in ensuring the safety of your data and be cognizant of the weaknesses of each link. I back up my data onto an external HD. In the event of fire or that HD being lost or stolen, I have online backups of everything but video. I also have an older external HD backup stored at my parents' house 2 hours away. I trust myself to an extent and the cloud to an extent, but never either absolutely. My life is not Google or iCloud or Dropbox or Drobo.

tjoff, almost 13 years ago

"When you perform a remote hard drive wipe on Find my Mac, the system asks you to create a four-digit PIN so that the process can be reversed. But here's the thing: If someone else performs that wipe - someone who gained access to your iCloud account through malicious means - there's no way for you to enter that PIN."

That sounds more like remote encryption to me. And a four digit PIN is easy to brute force (assuming that it isn't asking Apple for the decryption key once entered (which means you need internet access to reverse it)).

ksolanki, almost 13 years ago

Most of the "security questions" can be answered by looking at the Facebook profile (of the person or his/her friends -- at least some have the info public). A motivated hacker can possibly crack even bank accounts using the Facebook profile. The account/security is indeed in a big mess.

macspoofing, almost 13 years ago

> If I had some other account aside from an Apple e-mail address, or had used two-factor authentication for Gmail, everything would have stopped here.

Are you sure? Do you trust the minimum wage customer service reps of your phone company to not be susceptible to social engineering?

sriramk, almost 13 years ago

The scary bit (well, one of many) is how easy it is to get access to someone's Amazon account by just knowing their email address and billing address. That lets you buy anything, see their entire order history and probably gives you access to all of AWS.

kunil, almost 13 years ago

Can someone explain the reasoning behind the implementation of those "remote wipes"? If Apple pulls a trigger, everything on my laptop is erased when it is next online? I can't see any practical application for that.

mike-cardwell, almost 13 years ago

Just logged into my Amazon account and removed all of the cards I have on record. I suggest everyone else does the same.

setandbma, almost 13 years ago

Does this scare you?

rogerchucker, almost 13 years ago

Somebody else found out an iCloud flaw... http://m.smh.com.au/digital-life/consumer-security/aussie-exposes-icloud-flaw-but-apple-stays-silent-20120806-23pmx.html

rogerchucker, almost 13 years ago

http://whois.domaintools.com/emptyage.com reveals way too much about Mat Honan!

rogerchucker, almost 13 years ago

Most important lesson as far as reducing vulnerability to social engineering is concerned: whatever service we subscribe to, we should always find out about their account retrieval process.

In other words, we should always ask "what is the password retrieval process for the new account you just opened?" This sounds like a big task and one where not all scenarios can be covered. But I think this is a good first step - as long as we are still dealing with passwords, federated identity, half-masked credit card #'s and security questions.

I think this exercise would help us be careful about our choice of passwords, answers, email ids.

What would be the most obvious downsides to this approach?

modularunit, almost 13 years ago

Can we please get the entire internet to agree to stop using email addresses as usernames? It's not a user, it's an email address!
