How Apple and Amazon Security Flaws Led To Mat Honan's Identity Theft

An anonymous reader writes "The story behind the hacking of Mat Honan's multiple accounts has been revealed and points to massive failures in how Amazon and Apple handle password recovery. Accounts for both sites can be easily accessed with simple to find publicly available information. If you ask me, both companies should be liable for violating privacy laws."
  • by StealthyRoid ( 1019620 ) on Tuesday August 07, 2012 @03:32AM (#40902701) Homepage

    Every e-commerce company in the world that allows you to store your card info will display the last four digits of your card number, because what other option is there? What other unique determinant could you possibly display in order to allow people to select one card from a set? There's nothing at all insecure about that on its own, and it's silly to pretend as though everyone else becomes liable for Apple's crappy security policy. This is way more about a.) how one guy had a bad personal password policy, b.) poor security training for Apple support staff and poor security policies at Apple, and c.) how stupid it is to make any of your data deletable remotely. "There's this option to wipe all my data on Apple's site, and then these evil hax0rs totally did it, and I didn't have backups" does not translate into "Amazon has bad security policy".
  • by juventasone ( 517959 ) on Tuesday August 07, 2012 @03:40AM (#40902729)

    If your device is lost or stolen.

  • by pbjones ( 315127 ) on Tuesday August 07, 2012 @03:53AM (#40902771)

    Not backing up data, able to get Amazon account data with 2 phone calls, able to get an Apple/Google/whatever password reset with just a little bit of work. They could have also stolen his CC statement from his mailbox, as well as a utility bill, and got part of the way to getting a new credit PIN or driver's license and, after a bit of time, a new passport. This sort of hacking is not new, just different. Once, the security questions used to be the standard 3: your mum's maiden name, your city of birth, and your first pet/car/whatever; now the answers are often online or traceable via Facebook. The blame should be shared amongst everyone, including the person who did the hacking. Excuse me, I have to back up my computers.

  • by Havenwar ( 867124 ) on Tuesday August 07, 2012 @04:31AM (#40902949)

    From what I see here, the main problem was Apple's security protocol, with Amazon coming in a close second... All other things he could really have protected himself against... Using two-factor authentication on Google and so on. But you can't protect yourself from a company finding easily obtainable information good enough to just hand over control of your account with...

    As far as I'm concerned Apple should be liable for damages in this case. They have acted as a gatekeeper, portrayed a sense of security, and then been blatantly lax in security.

    What does the law say about a case where I hand over say my credit card information to a merchant and they act carelessly with it, thus allowing it to be intercepted by a criminal? Say I go to a restaurant and they take my card and then let it lay around on the counter for half an hour for anyone to see, scan, steal?

  • by Rei ( 128717 ) on Tuesday August 07, 2012 @06:47AM (#40903471) Homepage

    I don't know about iDeal, but I'm always appalled at how much trouble Americans have with securing their identity. It's not that hard:

    Step 1) Have a *public* identifier for you. None of this "if you know the social security number" or "if you know all or part of a credit card number" or such nonsense.
    Step 2) Have one or more *private* passcodes or other authentication schemes (really, everyone should have those rotating-passcode keychain devices like the banks give out here for use with important stuff). Because the key is public, nobody is dumb enough to use it as a password.
    Step 3) Have a single national database which stores information about you, with at a minimum, your name, public ID, and address. This is your *official* contact information.
    Step 4) Any major transactions done using your identity, including changing your contact information, involve you being contacted using your official contact information in the database.

    This is basically the system we use here in Iceland, and it works very well. Doesn't help us with foreign firms that don't grasp security, however.

    Also, what's up with Americans and writing personal checks? Geez, it's the 21st century here...
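The two policy positions in this thread, StealthyRoid's point that displaying the last four card digits is harmless as long as they are never treated as proof of identity, and Rei's four-step scheme (public identifier, private rotating passcode, official contact on record, out-of-band confirmation of major changes), can be modelled side by side in a small recovery flow. The following is an added example written for this page, not code from any of the commenters or from Apple, Amazon or the Icelandic system; the `Account` fields, the function names, the `PUB-000123` identifier and the `owner@example.test` address are constructed for illustration, and the passcode generator is a plain RFC 4226/6238 HOTP/TOTP, seeded with the test-vector secret those RFCs publish so the codes can be checked.

```python
import hashlib
import hmac
import secrets
import struct
import time
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Account:
    public_id: str            # public identifier, assumed known to anyone (Rei's step 1)
    card_last4: str           # displayed so a user can pick a card; discoverable, never an authenticator
    totp_secret: bytes        # seed of the private rotating passcode (step 2)
    contact: str              # official contact address on record (step 3)
    pending: dict = field(default_factory=dict)  # outstanding reset tokens (step 4)


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % (10 ** digits):0{digits}d}"


def totp(secret: bytes, at: Optional[float] = None, step: int = 30) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from wall-clock time in 30 s steps."""
    now = time.time() if at is None else at
    return hotp(secret, int(now // step))


def weak_recovery(acct: Account, supplied_public_id: str, supplied_last4: str) -> bool:
    """The failure mode discussed in the thread: discoverable facts accepted as proof of identity.
    Anyone who learns the public identifier and the displayed card digits passes this check."""
    return supplied_public_id == acct.public_id and supplied_last4 == acct.card_last4


@dataclass
class OutOfBandMessage:
    to: str       # always the contact on record, never an address supplied by the caller
    token: str


def request_reset(acct: Account, supplied_public_id: str, code: str,
                  at: Optional[float] = None) -> Optional[OutOfBandMessage]:
    """Hardened flow: the public id only selects the account; possession of the rotating
    passcode is required (step 2), and the change must still be confirmed through the
    registered contact (step 4). Returns the message to deliver, or None on failure."""
    if supplied_public_id != acct.public_id:
        return None
    if not hmac.compare_digest(code, totp(acct.totp_secret, at)):  # constant-time compare
        return None
    token = secrets.token_hex(8)
    acct.pending[token] = True
    return OutOfBandMessage(to=acct.contact, token=token)


def confirm_reset(acct: Account, token: str) -> bool:
    """Second leg of step 4: the reset completes only with the token sent out of band; single use."""
    return acct.pending.pop(token, False)


RFC4226_SECRET = b"12345678901234567890"  # test-vector seed published in RFC 4226 Appendix D


def demo_account() -> Account:
    """Constructed sample account; identifier and contact are placeholders."""
    return Account(public_id="PUB-000123", card_last4="4242",
                   totp_secret=RFC4226_SECRET, contact="owner@example.test")


if __name__ == "__main__":
    acct = demo_account()
    print("weak policy accepts discoverable data:", weak_recovery(acct, acct.public_id, "4242"))
    print("hardened flow, wrong passcode:", request_reset(acct, acct.public_id, "000000"))
    msg = request_reset(acct, acct.public_id, totp(acct.totp_secret))
    print("hardened flow, correct passcode -> confirmation sent to:", msg.to)
    print("confirmed with token:", confirm_reset(acct, msg.token))
```

The point of the contrast is in what each check consumes: `weak_recovery` only needs information a third party can look up or be shown, while `request_reset` never lets the caller choose where the confirmation goes, so even a correct passcode leaves the change in the hands of whoever controls the contact on record.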

  • by flimflammer ( 956759 ) on Tuesday August 07, 2012 @07:22AM (#40903627)

    Privacy issues for most of your post. People in general do not like the idea of a national ID system. This isn't just a US thing, either. A lot of countries try to fight this sort of system when it comes knocking.

    As for personal checks, they are not used that frequently anymore. Most places I go to don't even accept them. I haven't encountered one personally in several years. They're used little more than promissory notes between people nowadays. Short of going to an ATM or bank, there's no easy way to give people cash. Personal checks still fill that role. Nothing wrong with that.

  • by mark-t ( 151149 ) on Tuesday August 07, 2012 @10:10AM (#40904959) Journal

    He says, when talking about the hackers, that "...their ultimate goal was always to take over [his] Twitter account". Why, then, did they delete his Google Account, and then remotely erase his iPhone, iPad, and MacBook? I might get that they want to erase evidence that could be used to track them down, and to that extent, wiping the Google account, which they had apparently gotten access to, makes a modicum of sense. But unless they were using his iPhone, iPad, and MacBook as well, I'm not sure how erasing all of them was in any way helpful to them in any regard whatsoever. No... the bastards that did this to him definitely had some malicious intent involved.

    I'm not saying that he wasn't hacked... nor am I saying that he wasn't hacked in this way. I'm suggesting that the allegation that the hackers were only after his Twitter account seems extremely dubious... at least to me.
