Forgot your password?
typodupeerror
Privacy Apple

How Apple and Amazon Security Flaws Led To Mat Honan's Identity Theft 222

Posted by Unknown Lamer
from the quick-turnaround dept.
An anonymous reader writes "The story behind the hacking of Mat Honan's multiple accounts has been revealed and points to massive failures in how Amazon and Apple handle password recovery. Accounts for both sites can be easily accessed with simple to find publicly available information. If you ask me, both companies should be liable for violating privacy laws."
This discussion has been archived. No new comments can be posted.

How Apple and Amazon Security Flaws Led To Mat Honan's Identity Theft

Comments Filter:
  • by aepervius (535155) on Tuesday August 07, 2012 @03:26AM (#40902689)
    "In short, the very four digits that Amazon considers unimportant enough to display in the clear on the web are precisely the same ones that Apple considers secure enough to perform identity verification."

    All industry standard I know of is to hide the 12 foremost digits with * and show the last 4 or 5 (yes better would be to hide all, but client might need to recognize the CC number for some reason). Who in their right mind would consider that secure ? Apple apparently.
    • by pnot (96038) on Tuesday August 07, 2012 @03:51AM (#40902757)

      "In short, the very four digits that Amazon considers unimportant enough to display in the clear on the web are precisely the same ones that Apple considers secure enough to perform identity verification."

        All industry standard I know of is to hide the 12 foremost digits with * and show the last 4 or 5 (yes better would be to hide all, but client might need to recognize the CC number for some reason). Who in their right mind would consider that secure ? Apple apparently.

      Indeed, the article itself makes this point: And it’s also worth noting that one wouldn’t have to call Amazon to pull this off. Your pizza guy could do the same thing, for example. If you have an AppleID, every time you call Pizza Hut, you’ve giving the 16-year-old on the other end of the line all he needs to take over your entire digital life..

      Till receipts also commonly show this information.

      • by mcvos (645701) on Tuesday August 07, 2012 @05:22AM (#40903131)

        I don't give credit card numbers to pizza boys. I give them cash. Or I pay with iDeal, a Dutch internet payment system that's actually secure, unlike all that credit card crap.

        Really, rest of the world, you guys need to implement iDeal so I can use it for international payments. The only reason I have a credit card at all is because it's the only way to buy stuff online from non-Dutch sites. Steam uses iDeal. Once everybody else does too, we can finally get rid of those stupid credit cards.

        • Re: (Score:3, Insightful)

          by Rei (128717)

          I don't know about iDeal, but I'm always appalled at how much trouble Americans have with securing their identity. It's not that hard:

          Step 1) Have a *public* identifier for you. None of this "if you know the social security number" or "if you know all or part of a credit card number" or such nonsense.
          Step 2) Have one or more *private* passcodes or other authentication schemes (really, everyone should have those rotating-passcode keychain devices like the banks give out here for use with important stuff).

          • by flimflammer (956759) on Tuesday August 07, 2012 @07:22AM (#40903627)

            Privacy issues for most of your post. People in general do not like the idea of a national ID system. This isn't just a US thing, either. A lot of countries try to fight this sort of system when it comes knocking.

            As for personal checks, they are not used that frequently anymore. Most places I go to don't even accept them. I haven't encountered one personally in several years. They're used little more than promissory notes between people nowadays. Short of going to an ATM or bank, there's no easy way to give people cash. Personal checks still fill that role. Nothing wrong with that.

            • by w_dragon (1802458)

              People in general do not like the idea of a national ID system

              Just what do you consider a SSN to be?

              • by Rei (128717)

                Exactly. An ID number is just a unique representation of an individual - think of it as an alternative name, guaranteed to be unique. The difference is, the SSN is supposed to be "semi-secret", kind of secret, kind of not. It's your ID and password all bundled into one! Aka, idiotic. And not linked at all in a consistent, queryable manner with your contact information. Doubly idiotic. And while it functions as a kind-of password, it's semi-predictable. A triple-play of Fail.

            • by Rei (128717)

              In America, someone sends you a bill... how do you pay it? You write them a check.

              Here, someone sends you a bill. You log on to netbanking (for example) with a password and rotating-code keyfob, go to the payments page, punch in the ID and account number information of who you're looking to pay, the bill pops up, you confirm the amount you want to pay and enter your netbanking pin... and that's that. No check ordering, no postal service, no stamps, no handwriting, no interpreting of handwriting, no fraud

              • by AF_Cheddar_Head (1186601) on Tuesday August 07, 2012 @10:56AM (#40905479)

                Not really, I live in America, I haven't written a check in 7 years.

                All my bills are paid through a service known as Billpay. All the banks and credits unions have something similar.

                Time to stop making fun of us backward Americans and do some real research before writing your rants about us.

                And this applies to most of my co-workers also. The only Americans that rely on checks anymore are over the age of 70 and that is what they grew up with so it is kind of hard to change.

                • by whoever57 (658626)

                  All my bills are paid through a service known as Billpay. All the banks and credits unions have something similar.

                  I use a billpay system also, but:
                  The billpay system has been unable to get my home mortgage billing details (I think the mortgage company would prefer that I use their own system to pay the mortgage, but I refuse to hand control of when my mortgage gets paid over to the biller)
                  There were some changes recently which meant that some bills stopped being available through the billpay system for

                • by Rei (128717) on Tuesday August 07, 2012 @12:05PM (#40906241) Homepage

                  Then you're exceedingly unusual. A quick Google Search turns up this [jak-stik.ac.id]:

                  * Americans write 42.5 billion checks per year - that's one check per person every three days.
                  * In the United States checks are among the most popular form of payment, above credit cards.
                  * People write roughly 450 million "bad checks" or checks that bounce every year - that's 1.5 per person per year.
                  * 60 percent of all transactions not paid for with cash are paid by check.
                  * Consumers are 65 percent more likely to use checks than other forms of electronic payments.
                  * The number of checks used by Americans is increasing. In recent years check use rose 54 percent alone.
                  * More than 39 trillion dollars in payments are made every year with checks, compared to just 7 trillion for other forms of payment.

                  Mind you, I have no way to validate those numbers, but it matches my experience with the American check culture. A lot of places in America don't have options for online bill paying. You just happen to have lucked into being in a place that does. Americans typically write each other checks to send each other money as well - such as a "birthday check" from a parent or whatnot.

          • I hate writing checks. I wish they would go away, but I have two issues as to why I can't stop writing them yet.

            First, there is no way for me to pay my rent, electric bill, water bill, and garbage bill if I did it electronically. The electric company has sent out a notice that sometime next year they will start taking payments online, but that's next year.

            Second, I do not trust the security of my bank, or any bank, in the small town that I live in. A friend also banks at this bank and it only took
            • Re: (Score:2, Informative)

              by Anonymous Coward

              In Brazil, ALL bills share a common system. This means you can pay them anywhere: at drugstores, banks, ATMs, online, wherever. I just pay through my bank's online banking. The bank use two factor authentication, with a 8-digit PIN that's used exclusively to login at the online banking plus a 6-digit token whose value changes every minute, used for every sensitive operation. Any banking operation on the account (bills, investments, withdrawals, transfers, debit/credit card usage, etc) is immediately communi

              • by Rei (128717)

                Our system here in Iceland is like yours in Brazil. I just don't get how America can be so backwards in so many regards. And people there by and large don't even realize it.

                • by Shados (741919)

                  Such systems do exist in the US, they're just not totally universal, depending on who you deal with.

                  But i totally can pay all my bills, rent, utilities, everything, via a unified system. Its not accessible from "anywhere" like the parent talked about, but it is accessible from ATMs everywhere and from my bank's website. I'm from Canada where the system is a bit more universal, but now that I live in the US, at least anything I actually need to deal with works through that system. Good enough. Everything at

          • by cvtan (752695) on Tuesday August 07, 2012 @08:52AM (#40904159)
            One glaring difference between US and Euro money dealing is that in the US bank-to-bank transfers are expensive. In Germany, they are free (by law, I believe). So if you are buying a $60 item in the US, you can't afford to spend $40 to do a bank transfer so you write a check. This situation is even worse if you are trying to buy something in Europe. Bank transfers are too expensive, individuals do not take credit cards, Paypal is not popular (because euro bank transfers are ~free), you can't send a personal check and mailing cash is problematic. It's the 21st century somewhere, but not at a US bank.
            • by Shados (741919)

              Only certain types of transfers cost money. Generally to the same banks they're free, and to pay bills and whatsnot, they're also free (at least to the payer).

              I pay my rent via transfer, and it doesn't cost anything (and I doubt the owners are paying the fee for me, because they charge a stupid fee for credit card payments).

              International transfers are another story.

          • by neonKow (1239288)

            How exactly do you propose to implement any of this in Mat Honan's situation? Give Apple, Google, and Twitter access to Iceland's national database with contact information for everyone in the country? Make the database public? Have Apple, Google, and Twitter send you keyfobs?

            How is any of this scalable in way that doesn't lead to a single point of weakness where a compromise there will compromise all your accounts at once?

            • by Rei (128717)

              I'm saying that you should have your own system similar to ours, and that the reason you (and your companies) are so vulnerable to identity theft is because you don't.

              • by neonKow (1239288)

                I'm saying that you should have your own system similar to ours, and that the reason you (and your companies) are so vulnerable to identity theft is because you don't.

                My point is that this statement is completely untrue; implementing your country's system might be good for many reasons, but it won't really help most forms of identity theft. Where on earth do you see an opportunity to use your system to make the situation better for companies from any nation, much less for multi-national companies like Apple, Google, and Twitter that much authenticate users from countries all over the world.

                Your idea stops scaling as soon as you realize you're dealing with 200+ nations' w

    • by Ecuador (740021) on Tuesday August 07, 2012 @04:17AM (#40902897) Homepage

      At first I was aghast at how they could implicate Amazon for revealing the last 4 digits of your card, when they appear in every transaction receipt printed etc.
      However, after reading TFA it is obvious that Amazon has a serious security flaw as well that they need to address as well. It seems that you can call Amazon support knowing only the name, email and billing address of a person and you can add a bogus credit card number to their file. Then you call back and tell them you can't access your account and they will let you add a new email address to reset your password and you use the credit card number you had just added as verification of your identity!
      True, Amazon showing the last 4 digits of your CCs on your account is not a problem, but giving access to your account to a person armed only with knowledge of your name, address and email is a serious flaw.
      The summary and even the article don't make it that clear what the problem is with Amazon, you have to read through TFA.

      • by mtmra70 (964928)

        My mortgage company has a similar jacked up login process.

        Like a lot of places, they have you answer some pretty mind numbing security questions after typing in your user name and password. If you don't remember the security answer you can hit the "I forgot" button. What then happens is shocking - it takes you to a screen to reset the answers. Why in the world do you ask security questions after a user/pass auth if the same info lets you reset them?!!?

        And the real kicker. When you want to make a PAYMENT th

    • by Lord_Jeremy (1612839) on Tuesday August 07, 2012 @07:47AM (#40903761)
      What?!! Apple requests the CVV2 code of your credit card for verification, not the last 4 digits of the number. The CVV2 code is never shown on a statement or invoice anywhere, and since they're processing credit card transactions they can only store it hashed.
      • Re: (Score:3, Informative)

        by Anonymous Coward

        Go back to your cave fanboi, if you RTFA they tried themselves calling Apple and the last 4 digits was all they asked. Also, vendors don't normally store the CVV code, because its purpose is exactly that - let the user verify the transaction by entering it themselves. So Apple storing it and letting their CSRs view it would be quite against established CC security practices.

  • by akamad (1308139) on Tuesday August 07, 2012 @03:27AM (#40902691)
    I would argue that the biggest benefit of using free services (like GMail) is they offer no or crap phone support! Thus making it very difficult for a hacker to social engineer their way into your account.
    • Unless you have your backup email address set as an iCloud address somebody already got access to...
    • by rvw (755107) on Tuesday August 07, 2012 @05:23AM (#40903135)

      I would argue that the biggest benefit of using free services (like GMail) is they offer no or crap phone support! Thus making it very difficult for a hacker to social engineer their way into your account.

      We were hacked several months ago, and our Amazon EC2 account was hijacked. How did they do this? We host our domain names at a local provider, and somehow they got control over that account. Then they changed the DNS for the mail to their own service. We had two-factor logins at Amazon (normal login + generated key). They tricked Amazon into believing that the key was broken, that they were the rightful owner (with control over the mail), and Amazon removed it. We still wonder how they did all this.

  • by StealthyRoid (1019620) on Tuesday August 07, 2012 @03:32AM (#40902701) Homepage
    Every e-commerce company in the world that allows you to store your card info will display the last four digits of your card number, because what other option is there? What other unique determinant could you possibly display in order to allow people to select one card from a set? There's nothing at all insecure about that on its own, and it's silly to pretend as though everyone else becomes liable for Apple's crappy security policy. This is way more about a.) How one guy had a bad personal password policy, b.) poor security training for Apple support staff and poor security policies at Apple, and c.) How stupid it is to make any of your data deletable remotely. "There's this option to wipe all my data on Apple's site, and then these evil hax0rs totally did it, and I didn't have backups" does not translate into "Amazon has bad security policy".
    • by tlambert (566799) on Tuesday August 07, 2012 @04:08AM (#40902863)

      Amazon allowed a bogus card to be added to the account because all they did was check the check-digit, rather than doing that as step one, and then doing an authorization hold/authorization release after requiring the security code from the back of the card as step 2. This would have correlated the billing address and card number in the credit card company database, which would have failed, flagging it as a bogus card.

      After this, a second call to Amazon using the bogus card information plus the (already known) billing information got them a password reset, again without them issuing an authorization hold/authorization release. And THAT is where they got the last 4 digits of the (actual) non-bogus credit card number to give to Apple. Admittedly, it's possible that this would cost a web site (other than Amazon, who owns their own payment provider) a transaction fee to do, but they could always require a transaction fee billed to the card being used as identification as part of the recovery process. For example, it looks like Norton Antivirus allows the same thing (just do a quick search for the phrase "the credit card number ending in", you'll see a bunch of people wondering about charges to cards they never registered with various services).

      Apple using the last 4 digits as an identity verification was screwed up, but it wasn't information the bad guys had without Amazon's help, in this case.

      • Re: (Score:3, Interesting)

        by StealthyRoid (1019620)
        Naw, I didn't miss that part, I just don't think it makes an argument for this being a failure of Amazon security policy. Given that you need to know someone's account email address (how hard is it to do foo+amazon@dingleberry.com, or some other not-easily-guessed email address?), billing address, etc, to even get an Amazon rep to talk to you, the protections on that front seem sufficient (maybe not best, but sufficient) to me. Running an auth/void doesn't really work either. Sure, Amazon has their own p
        • by mkraft (200694)

          The problem here is that for the average Internet user, if you have someone's Amazon email address, you pretty much automatically have access to that person's Amazon account. Not everyone has multiple email accounts and the billing address and name can be gotten from agragators like http://www.spokeo.com./ [www.spokeo.com]

          At that point the person can gain access to the users Amazon account and simply go on a shopping spree at the users expense. Getting into an iTunes account with the same email is just a bonus.

          • FWIW only online purchases (ie MP3s, Game downloads, etc) can really be bought that way from Amazon by a third party who has your password. From experience (not hacking! Just using) whenever you enter a new shipping address you have to re-enter your credit card information for the card you're using to make the purchase. You can't simply say "Oh, I'll use the one you have on file ending in 1234."

            I'm sure it's a problem for many people, but at the same time it's not as bad as it could be if, say, someone b

      • by OCedHrt (1001533)
        Amazon had the exact same flaw as Apple. Allowing a password reset with last 4 digits and a billing address. The bigger flaw at Amazon was allowing the addition of a credit card with the same identification.
      • FWIW, it need not be a bogus card. You can buy a VISA gift card (paying cash and showing no ID), then on the gift card website enter the name and address of your victim. It is now a perfectly legit card in that person's name. I use VISA gift cards on Amazon all the time (in my own name). You could probably do quite a bit of identity theft or creating false personas, using such a method.

    • Every e-commerce company in the world that allows you to store your card info will display the last four digits of your card number, because what other option is there? What other unique determinant could you possibly display in order to allow people to select one card from a set?

      User-defined label when entering card details.

      Online banking typically does this, so even though you see (some of) your account digits while online, it's really the name you gave it that's meaningful.

  • by l3v1 (787564) on Tuesday August 07, 2012 @03:50AM (#40902755)
    From Wikipedia article (Data Protection Directive - Comparison with US data protection law):

    "The United States prefers what it calls a 'sectoral' approach to data protection legislation, which relies on a combination of legislation, regulation, and self-regulation, rather than governmental regulation alone.[10] Former U.S. President Bill Clinton and former Vice-President Al Gore explicitly recommended in their "Framework for Global Electronic Commerce" that the private sector should lead, and companies should implement self-regulation in reaction to issues brought on by Internet technology." (emphasis added)

    I never could really understand how this companies-should-self-regulate could work, and up to this day it didn't really prove to work. If companies are let to roam freely, then there's really nothing (good or bad) you can really expect from them, and even if one seems OK, they can change their policies from one second to the next and you're screwed.

    Nobody in their right minds would trust all of their data exclusively and only to a company (yes, you know, that "cloud" you like so much is operated by one or more companies with data protection and privacy policies changing by the weather). If you do so, something like the original article mentions can happen anytime.

    I'm not saying you shouldn't use the "cloud" (how I hate that word, oh my), but you should never trust and rely on it completely without any (or weak and borderline useless) fallback. Remember, it's your data, it's your life, protect it as you would protect anything that you own and hold precious.

    Thing is, since computing and PCs have become everyone's tools and don't require in-depth tech knowledge, it's pretty easy to get average users to use and rely on such services. It's simple, they don't really know what they are getting into. And it's for this reason that it's sad to see a more knowledgable person (i.e. article writer) fail so terribly.

    Always remember, just because so many people are hooked to it and it's easy to use, that doesn't mean it's safe and reliable. It's not.
    • by AHuxley (892839)
      The US had 2 options, set a weak gov standard and get lol at when its is broken and noted to be weak from day one (DES).
      This breaks the trust feeling with generation of young US crypto experts who so want to feel the US gov is not allowing weak crypto for good intentions.
      Self-regulation allows the US gov to sit down and have a nice chat to .com commerce interests and ensure when you buy anything "Middle East" related they can database you without too much effort.
      Self regulation also protects eg CIA front
      • by lindi (634828)

        Hmm, isn't DES actually quite strong? It resisted both differential and linear cryptanalysis. The key size is not enough today but it certainly was in 1977.

    • Everytime you read the equivalent of "self-regulating" in a law, you know that lobbyists have again won a battle against citizens and democracy and that this regulation isn't worth the paper it's printed on.

    • I never could really understand how this companies-should-self-regulate could work, and up to this day it didn't really prove to work. If companies are let to roam freely, then there's really nothing (good or bad) you can really expect from them, and even if one seems OK, they can change their policies from one second to the next and you're screwed.

      I think the intent is that there'd be industry standards, with their own best practices, standards body, and compliance testing. Things like movie ratings and OpenGL compliance are self-regulated.

      • I never could really understand how this companies-should-self-regulate could work, and up to this day it didn't really prove to work. If companies are let to roam freely, then there's really nothing (good or bad) you can really expect from them, and even if one seems OK, they can change their policies from one second to the next and you're screwed.

        I think the intent is that there'd be industry standards, with their own best practices, standards body, and compliance testing. Things like movie ratings and OpenGL compliance are self-regulated.

        But. But. But. The Free Market!!!!

        • That *is* the free market. Trust is also a market feature that comes & goes, even though government demands blind trust in its own devices. If the market decides adhering to some standard is necessary (which takes education, marketing, and precedent in some combination), then providers adhere and ideally organize. If the market decides some standard doesn't bring anything of value, it falls out of use.

          The issue is that these sorts of security problems are not a deciding factor for individuals or even

    • There are really two choices, that have (over time) an exactly equal minimum error rate (= probability of being hacked, etc.) - one is to have multiple independent, dynamically changing methods of securing things; the other is to have one central authority. I repeat - from first principles in information theory - these both have the exact same optimum. Let's say, for the purposes of argument, that the optimal probability of error is 5%. The difference between the two options is the distribution of errors

  • This isn't a new problem... This guy was naive/careless at best for not using multifactor authentication. But hey, at least his new article is getting some traffic, not that anyone will ever take him seriously again.

    • Re: (Score:3, Interesting)

      by thmsdrew (2608605)
      I won't take my security advice from him, but there's no need to discredit his entire body of work because of this. Surely he deals in other topics.
  • by pbjones (315127) on Tuesday August 07, 2012 @03:53AM (#40902771)

    Not backing up data, able to get Amazon account data with 2 phone calls, able to get an Apple/Google/whatever password reset with just a little bit of work. They could have also stolen his CC statement from his mailbox, as well as a Utility bill and got part of the way to getting a new credit pin or drivers license and after a bit of time a new passport. This sort of hacking is not new, just different. Once the security questions used to be the standard 3, your mums maiden name, your city of birth, and your first pet/car/whatever, now the answers are often on-line or traceable via Facebook. The blame should be shared amongst everyone, including the person who did the hacking. Excuse me, I have to backup my computers.

    • by l3v1 (787564)
      Once the security questions used to be the standard 3, your mums maiden name, your city of birth, and your first pet/car/whatever, now the answers are often on-line or traceable via Facebook

      Well, it's not the biggest and most effective way, but what I used to do (and still do if required) in such cases was that I picked randomly from the questions and gave totally unrelated random words as answers, which I recorded in a protected file. Unless someone could get to the file and crack it, there's no way to
      • by pbjones (315127)

        I do similar, but a few years ago there was no choice, it was only 3 questions. ... as your Facebook email contains you FB ID, so you can also get a head start on cracking FB accounts, thanks to Facebook.

      • by Havenwar (867124)

        Of course that makes your password exactly as safe as if you had the password itself stored in a protected file, which would mean you'd theoretically never need your security question answers since you would never forget your password. Unless of course you lose the file, in which case... I really hope you keep those files in two different places.

    • by jjo (62046)
      Some of the standard data can be secure. For example, I have never revealed my first pet's name online, so you could search for it in vain for the rest of your life. At first it just never came up in discussion, but as soon as I realized the security implications, I decided that there were some trivial, obscure data that no one else needed to know.
      • by Gilmoure (18428)

        I just made up a name of a pet to use.

        No, it's not the name of the first girl who dumped me. Or even the tenth or twentieth.

  • by retech (1228598) on Tuesday August 07, 2012 @03:58AM (#40902803)
    Yes, the same Mat who did not back anything up locally or (shutter to think) redundantly, is an expert. If this sorry excuse is what passes an expert, I think my grandma has a good chance at a new career.

    What an idiot.
    • by Chewbacon (797801)
      Exactly why I don't like the cloud. I hate the idea of some guy reading knowledge base and misinterpreting policy and procedure standing between some stranger and my data. I use an iPhone, but backup to my computer at home and NOT the iCloud. I backup my computer quite often to my home server, which I can tunnel into should I need it. I make my own security policies, support my own stuff, and I'm the only one who needs to login to it. In fact, that's the basic policy: I am the only one who is allowed t
    • It's probably related to the fact (according to a survey I read some years ago) that most accountants never balance their checkbooks. I would be willing to bet that 70+% of geeks don't backup their personal data regularly, and have less-than-ideal password policies for their own web accounts.

  • by Qbertino (265505) on Tuesday August 07, 2012 @04:00AM (#40902811)

    This is a very good article, every /. nerd worth his honors should read it. It's pushed my paranoia levels almost up to normal again. That alone was worth the time. I've been dragging out that backup HDD for my MB Air far to long and will now change that.

      I'm also going to solidly review my online presence and accounts, and how they could be linked. And fix any problems that pop up.

    Bottom line: Read the article, it's a healthy wake-up call and if you're like me, you need that once in a while.

    My 2 cents.

    • This is a very good article, every /. nerd worth his honors should read it. It's pushed my paranoia levels almost up to normal again. That alone was worth the time. I've been dragging out that backup HDD for my MB Air far to long and will now change that.

      I'm also going to solidly review my online presence and accounts, and how they could be linked. And fix any problems that pop up.

      Bottom line: Read the article, it's a healthy wake-up call and if you're like me, you need that once in a while.

      My 2 cents.

      Yes indeed, we may not be making the same mistakes as Mr Honan, but this should be treated as a wake up call to review your own security policies. Mine are better that most, as I guess is the norm on Slashdot, but our time would be better spent looking for the chinks in our own online armour, rather than mocking Mr Honan for not backing up his Mac. It was stupid though.

    • My bottom line take-away from this is that the most fundamental level of security these days is your primary e-mail account. If you don't have two-factor authentication on it, you are asking for trouble. Relying on one-factor authentication for your primary e-mail seems to be almost as bad as failing to back up your data. (And if you have a credit card on file with Apple, it looks like their e-mail security approaches zero-factor security.)
    • Anyone sufficiently clued up on IT would

      A) Have backed up their data on a physical medium, eg USB stick

      B) Would not daisy chain their accounts that would allow the hacking of one lead to the others.

      This guy might considered himself and expert - personally I consider him an idiot who bought into the whole Cloud we'll-look-after-your-data-for-you-no-need-to-worry marketing hype aimed at the clueless.

      In broad technical terms there is no difference between a modern cloud service and an ftp server from the 1980s

      • In broad technical terms there is no difference between a modern cloud service and an ftp server from the 1980s - if someone gets your password you're scr3wed.

        One might suggest that 25 years of minimal progress on security, in the face of a considerable expansion of the internet's hostile population, is a major failing... Especially since, unlike most ftp servers of the 80's, 'cloud' services are heavily marketed toward nontechnical users.

    • by jo_ham (604554)

      I'm not sure I trust a guy who doesn't back up. So much for a so-called "tech expert".

      His story is also precisely why I don't cross link accounts like that so that if you lose one, you lose them all.

  • Moreover, if your computers arenâ(TM)t already cloud-connected devices, they will be soon. Apple is working hard to get all of its customers to use iCloud. Googleâ(TM)s entire operating system is cloud-based. And Windows 8, the most cloud-centric operating system yet, will hit desktops by the tens of millions in the coming year. My experience leads me to believe that cloud-based systems need fundamentally different security measures. Password-based security mechanisms â" which can be cracked,

  • Until recently, I wasn't even aware GMail offered 2-factor authentication. I think it was a little note on the login screen one day that it even existed.

    I did set it up immediately, as my entire life runs through that account, but had been running for years without it.

  • by Havenwar (867124) on Tuesday August 07, 2012 @04:31AM (#40902949)

    From what I see here, the main problem was apple's security protocol, with amazon coming in a close second... All other things he could really have protected himself against... Using two factor authentication on google and so on. But you can't protect yourself from a company finding easily obtainable information good enough to just hand over control of your account with...

    As far as I'm concerned Apple should be liable for damages in this case. They have acted as a gatekeeper, portrayed a sense of security, and then been blatantly lax in security.

    What does the law say about a case where I hand over say my credit card information to a merchant and they act carelessly with it, thus allowing it to be intercepted by a criminal? Say I go to a restaurant and they take my card and then let it lay around on the counter for half an hour for anyone to see, scan, steal?

  • I would argue Apple's security questions is no worse than most security questions from other vendors. Most info that is asked by companies to protect your data can be mined off the web via various methods.Unless you've lived in a hole and have no credit history,etc there is a trail and a clever person can find the answers.

    That's why I make up my answers per account, there's no way to find the answers unless you have access to my physical system with encrypted docs.
    But let's be real, normal people won't g
    • by GryMor (88799)

      Which is great, but in this case Apple allowed the hackers to completely bypass the normal security questions by answering a question that you can't 'make up', and in fact, that they didn't let you know was a security question.

      That said, now that we know about it, there is a way of getting around it: Have a different credit card number for each site!

      Though I hope Amazon's CS customer authentication and authorization procedures will get overhauled to eliminate these escalation attacks.

  • Oh look , chickens dropping out of the Cloud and coming home to roost.

  • I've said it before, and I'll say it again -- managing identity is a quintessential government function, and should be handled by the government online as well. The basic problem here is that we should have a nationwide, and possibly global, single sign on system, with our rights protected by clear and unambiguous legislative features. Nobody thinks that the issuing of drivers' licenses should be done by private enterprise (or, if they do, they're idiots.) Why do we think online identity is less importan

    • by 0123456 (636235)

      I've said it before, and I'll say it again -- managing identity is a quintessential government function, and should be handled by the government online as well.

      Oh, yes. Let's let a gang of psychopaths with guns own our online lives. They would never think of creating fake identities for themselves, selling our identity to others, or simply deleting or blocking our ID and preventing us from accessing anything.

  • by tkprit (8581)

    I read this on emptyage, when he still thought he'd been brute-forced, and I still don't understand using the apple email (esp if you don't use the apple email) — that's tied to all your gadgets — as a backup for an insecure gmail account that you use publicly for everything (ie, it's posted on twitter).

    Are people really this stupid?

    Do they have absolutely zero sense of self-preservation?

    This is such an extreme case, it reads like a hypothetical. "Suppose someone gave the keys of their house to

  • by mark-t (151149) <markt@PARISlynx.bc.ca minus city> on Tuesday August 07, 2012 @10:10AM (#40904959) Journal

    He says, when talking about the hackers, that "...their ultimate goal was always to take over [his] Twitter account". Why, then, did they delete his Google Account, and then remotely erase his iPhone, iPad, and MacBook? I might get that they want to erase evidence that could be used to track them down, and to that extent, wiping the Google account, which they had apparently gotten access to, makes a modicum of sense. But unless they were using his iPhone, iPad, and MacBook as well, I'm not sure how erasing all of them was in any way helpful to them in any regard whatsoever. No... the bastards that did this to him definitely had some malicious intent involved.

    I'm not saying that he wasn't hacked... nor am I saying that he wasn't hacked in this way, I'm suggesting that the allegation that the hackers were only after his twitter account seems extremely dubious... at least to me.

Forty two.

Working...