How Apple and Amazon Security Flaws Led To Mat Honan's Identity Theft
An anonymous reader writes "The story behind the hacking of Mat Honan's multiple accounts has been revealed and points to massive failures in how Amazon and Apple handle password recovery. Accounts for both sites can be easily accessed with simple-to-find, publicly available information. If you ask me, both companies should be liable for violating privacy laws."
not privacy, data protection (Score:4, Informative)
"The United States prefers what it calls a 'sectoral' approach to data protection legislation, which relies on a combination of legislation, regulation, and self-regulation, rather than governmental regulation alone.[10] Former U.S. President Bill Clinton and former Vice-President Al Gore explicitly recommended in their "Framework for Global Electronic Commerce" that the private sector should lead, and companies should implement self-regulation in reaction to issues brought on by Internet technology." (emphasis added)
I never could really understand how this companies-should-self-regulate idea could work, and to this day it hasn't really proven to work. If companies are left to roam freely, then there's really nothing (good or bad) you can expect from them, and even if one seems OK, they can change their policies from one second to the next and you're screwed.
Nobody in their right minds would trust all of their data exclusively and only to a company (yes, you know, that "cloud" you like so much is operated by one or more companies with data protection and privacy policies changing by the weather). If you do so, something like the original article mentions can happen anytime.
I'm not saying you shouldn't use the "cloud" (how I hate that word, oh my), but you should never trust and rely on it completely without any (or weak and borderline useless) fallback. Remember, it's your data, it's your life, protect it as you would protect anything that you own and hold precious.
Thing is, since computing and PCs have become everyone's tools and don't require in-depth tech knowledge, it's pretty easy to get average users to use and rely on such services. It's simple: they don't really know what they are getting into. And it's for this reason that it's sad to see a more knowledgeable person (i.e. the article writer) fail so terribly.
Always remember, just because so many people are hooked to it and it's easy to use, that doesn't mean it's safe and reliable. It's not.
Re:the 4 last digit of CC are unsecure (Score:5, Informative)
"In short, the very four digits that Amazon considers unimportant enough to display in the clear on the web are precisely the same ones that Apple considers secure enough to perform identity verification."
Every industry standard I know of is to hide the first 12 digits with * and show the last 4 or 5 (yes, better would be to hide all, but the client might need to recognize the CC number for some reason). Who in their right mind would consider that secure? Apple, apparently.
Indeed, the article itself makes this point: "And it's also worth noting that one wouldn't have to call Amazon to pull this off. Your pizza guy could do the same thing, for example. If you have an AppleID, every time you call Pizza Hut, you're giving the 16-year-old on the other end of the line all he needs to take over your entire digital life."
Till receipts also commonly show this information.
But he's an IT Expert! (Score:5, Informative)
What an idiot.
You missed the part about Amazons password reset (Score:5, Informative)
Amazon allowed a bogus card to be added to the account because all they did was check the check digit, rather than doing that as step one and then doing an authorization hold/authorization release after requiring the security code from the back of the card as step two. This would have correlated the billing address and card number in the credit card company's database, which would have failed, flagging it as a bogus card.
After this, a second call to Amazon using the bogus card information plus the (already known) billing information got them a password reset, again without them issuing an authorization hold/authorization release. And THAT is where they got the last 4 digits of the (actual) non-bogus credit card number to give to Apple. Admittedly, it's possible that this would cost a web site (other than Amazon, who owns their own payment provider) a transaction fee to do, but they could always require a transaction fee billed to the card being used as identification as part of the recovery process. For example, it looks like Norton Antivirus allows the same thing (just do a quick search for the phrase "the credit card number ending in", you'll see a bunch of people wondering about charges to cards they never registered with various services).
Apple using the last 4 digits as an identity verification was screwed up, but it wasn't information the bad guys had without Amazon's help, in this case.
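As an added illustration of the two points raised in these comments (not code from the thread or from either company): a Luhn check digit only tests that a number is well-formed, so any 15 digits typed by a caller can be completed into a "card" that passes it; only a lookup against the issuer (here a constructed, hypothetical issuer table standing in for an authorization hold) ties the number to a billing address. The same block shows why the masked last four digits that every receipt prints cannot serve as an authentication secret. All card numbers below are constructed test values, not real cards.

```python
"""Luhn check digit vs. issuer verification vs. masked display.

Added example, not part of the original Slashdot thread.  The issuer table
is a constructed stand-in for an authorization hold against the card network.
"""

def luhn_checksum(digits: str) -> int:
    """Luhn sum mod 10 over a digit string; 0 means the check digit matches."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9          # same as summing the two digits of the product
        total += d
    return total % 10


def luhn_valid(number: str) -> bool:
    """What a check-digit-only validator accepts: a syntactically sound PAN."""
    s = number.replace(" ", "")
    return s.isdigit() and 13 <= len(s) <= 19 and luhn_checksum(s) == 0


def complete_with_check_digit(partial: str) -> str:
    """Turn any digit string into a Luhn-valid number by appending one digit.

    This is all a fraudster needs to fabricate a card that passes a format check.
    """
    check = (10 - luhn_checksum(partial + "0")) % 10
    return partial + str(check)


def mask_pan(number: str) -> str:
    """The usual receipt / web display: everything but the last four starred."""
    s = number.replace(" ", "")
    return "*" * (len(s) - 4) + s[-4:]


# Constructed, hypothetical issuer records: PAN -> billing postal code.
# 4111111111111111 is a well-known non-chargeable test number.
ISSUER_RECORDS = {
    "4111111111111111": "94103",
}


def issuer_verifies(number: str, billing_zip: str) -> bool:
    """Stand-in for an authorization hold with address verification (AVS).

    A Luhn-valid but unissued number fails here, which is the step the comment
    above says Amazon skipped.
    """
    s = number.replace(" ", "")
    return ISSUER_RECORDS.get(s) == billing_zip


def account_recovery_accepts(number: str, billing_zip: str, check_issuer: bool) -> bool:
    """Weak policy (check_issuer=False) vs. corrected policy (check_issuer=True)."""
    if not luhn_valid(number):
        return False
    if not check_issuer:
        return True
    return issuer_verifies(number, billing_zip)


if __name__ == "__main__":
    bogus = complete_with_check_digit("400000000000000")   # constructed
    print(bogus, luhn_valid(bogus))                         # passes Luhn
    print("weak policy:", account_recovery_accepts(bogus, "00000", False))
    print("with issuer:", account_recovery_accepts(bogus, "00000", True))
    print("real card masked:", mask_pan("4111111111111111"))
```

The masked form is what a pizza shop, a till receipt and the Amazon order page all reveal; a recovery flow that accepts those four digits is accepting a value the customer has already handed to dozens of third parties.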
Re:Benefits of free services (Score:4, Informative)
I would argue that the biggest benefit of using free services (like GMail) is they offer no or crap phone support! Thus making it very difficult for a hacker to social engineer their way into your account.
We were hacked several months ago, and our Amazon EC2 account was hijacked. How did they do this? We host our domain names at a local provider, and somehow they got control over that account. Then they changed the DNS for the mail to their own service. We had two-factor logins at Amazon (normal login + generated key). They tricked Amazon into believing that the key was broken, that they were the rightful owner (with control over the mail), and Amazon removed it. We still wonder how they did all this.
Re:the 4 last digit of CC are unsecure (Score:3, Informative)
Go back to your cave fanboi, if you RTFA they tried themselves calling Apple and the last 4 digits was all they asked. Also, vendors don't normally store the CVV code, because its purpose is exactly that - let the user verify the transaction by entering it themselves. So Apple storing it and letting their CSRs view it would be quite against established CC security practices.
Re:the 4 last digit of CC are unsecure (Score:2, Informative)
In Brazil, ALL bills share a common system. This means you can pay them anywhere: at drugstores, banks, ATMs, online, wherever. I just pay through my bank's online banking. The bank uses two-factor authentication, with an 8-digit PIN that's used exclusively to log in to the online banking plus a 6-digit token whose value changes every minute, used for every sensitive operation. Any banking operation on the account (bills, investments, withdrawals, transfers, debit/credit card usage, etc.) is immediately communicated via SMS and e-mail. If anything unexpected happens, I call my manager and the damage is contained (and my funds restored, if necessary) within minutes. If they detect some activity that raises flags, I'm called to confirm, in the same way you've said (this happened to me only once, when my wife bought lots of things from various online stores in about 30 minutes). All of our major banks have a similar level of security.
By the way, transfers within the same bank chain happen immediately; to any other bank, it takes about a day. The way I see it, the American banking system is absurdly obsolete. The fact that people pay bills by mailing checks sounds bizarre (we've had this unified system for as long as I can remember). The resistance to online banking (caused, as you said, by the track records of the banks) makes no sense here. And we are the third-world country; we'd expect your systems to be more modern than ours!
Checks? What are those? (Score:4, Informative)
Not really, I live in America, I haven't written a check in 7 years.
All my bills are paid through a service known as Billpay. All the banks and credit unions have something similar.
Time to stop making fun of us backward Americans and do some real research before writing your rants about us.
And this applies to most of my co-workers also. The only Americans that rely on checks anymore are over the age of 70 and that is what they grew up with so it is kind of hard to change.
Re:Checks? What are those? (Score:4, Informative)
Then you're exceedingly unusual. A quick Google Search turns up this [jak-stik.ac.id]:
* Americans write 42.5 billion checks per year - that's one check per person every three days.
* In the United States checks are among the most popular form of payment, above credit cards.
* People write roughly 450 million "bad checks" or checks that bounce every year - that's 1.5 per person per year.
* 60 percent of all transactions not paid for with cash are paid by check.
* Consumers are 65 percent more likely to use checks than other forms of electronic payments.
* The number of checks used by Americans is increasing. In recent years check use rose 54 percent alone.
* More than 39 trillion dollars in payments are made every year with checks, compared to just 7 trillion for other forms of payment.
Mind you, I have no way to validate those numbers, but it matches my experience with the American check culture. A lot of places in America don't have options for online bill paying. You just happen to have lucked into being in a place that does. Americans typically write each other checks to send money as well, such as a "birthday check" from a parent or whatnot.