Report: Hack attack exposes major gap in Amazon and Apple security

Posted at 6:35 AM, Aug 08, 2012
and last updated 2012-08-08 06:35:04-04

Julianne Pepitone, CNNMoney

NEW YORK (CNNMoney) – The recent hacking of Mat Honan was doubly shocking: he’s a writer for tech Bible Wired, and hackers were able to crack his accounts with non-technical ease.

Here’s the scariest part: Anyone with both an Amazon account and an Apple ID is potentially vulnerable to the same attack.

The two companies say they’re working to close the security gaps exposed by Honan’s hack, but they were tight-lipped on Tuesday about the details of what changes they’re making.

Honan’s harrowing tale, which he chronicled in a detailed story for Wired late Monday, explains how a Friday-night hack quickly snowballed and took down many of his digital accounts: Amazon, Apple iCloud, Gmail and Twitter, plus the data on his three Apple devices.

At the heart of his story is a dangerous blind spot between the identity verification systems used by Amazon and Apple, two of the tech industry’s most popular vendors.

Like many people, Honan has a variety of email addresses. Several of them can be easily tracked down by anyone hunting around online. The hacker who went after Honan found his address — a tip-off that Honan had an AppleID account.

The attacker then used Amazon’s systems to break into Apple’s.

The trick worked like this: Call Amazon and tell them you want to add a credit card number to your account. The company will ask for your name, billing address, and an associated email address. That’s it. (Wired tested the method using a fake credit card number. It worked — twice.)

Then hang up, call back, and tell the next Amazon representative that you’ve lost access to your account. They’ll ask for your name, billing address, and a credit card associated with the account — like the one you added just moments earlier. With that information, Amazon will allow you to add a new email address to the account.

Go to Amazon’s website and send a password reset to the new email address. Now you’ve got access to your target’s Amazon account and can see all the credit cards on file for the account.

Amazon masks most of the credit card numbers, displaying only the last four digits.

But here’s the catch: That’s enough to go and game Apple’s systems.

“The very four digits that Amazon considers unimportant enough to display in the clear on the Web are precisely the same ones that Apple considers secure enough to perform identity verification,” Honan wrote in his Wired account.

The hacker — who later contacted Honan and agreed to share details about the technique if he didn’t press charges — called Apple tech support and requested a password reset on Honan’s email account. The hacker couldn’t answer any of the account’s security questions, but Apple offers another option.

“It turns out, a billing address and the last four digits of a credit card number are the only two pieces of information anyone needs to get into your iCloud account,” Honan wrote. “Once supplied, Apple will issue a temporary password, and that password grants access to iCloud.”

Apple told CNNMoney in an emailed statement that “we found that our own internal policies were not followed completely.”

The company would not comment further on what policies went awry. As far as Honan could determine, using credit card numbers to verify identity is a standard method.

“Apple tech support confirmed to me twice over the weekend that all you need to access someone’s AppleID is the associated e-mail address, a credit card number, the billing address, and the last four digits of a credit card on file,” he wrote. “I was very clear about this.”

Amazon says it is working to plug holes on its end: “We have investigated the reported exploit, and can confirm that the exploit has been closed as of yesterday afternoon,” the company told CNNMoney on Tuesday.

But what, exactly, has changed? Amazon declined to comment or answer further questions.

A separate Wired article posted Tuesday said Amazon’s customer service representatives will no longer change account settings like credit cards or email addresses by phone.

That change came too late for Honan, though. Once the hacker had access to Honan’s Apple account, the damage was swift and devastating. He used Apple’s remote wipe tool to delete all the data on Honan’s phone — then did the same to his iPad and MacBook. The hacker also nuked Honan’s Google account and began posting racist and homophobic messages on his Twitter page.

In his article, Honan seemed to cast little blame on the hackers; instead he said it was his fault for not backing up his data, and for “daisy-chaining” his various accounts together.

Honan thinks the biggest culprits are Apple and Amazon, for making systems that can so easily be gamed — especially when they’re targeted together.

That’s the part that has the tech industry spooked. Millions of people have accounts with both Amazon and Apple, which means Honan isn’t the first victim of this attack method.

“You hear about it if it’s a celeb or a writer, because they have the medium to tell their story,” one commenter wrote in response to a Forbes article about the hacking. “Something similar happened to one of the members of my Rotary Club. Why haven’t you heard about it? Because he’s a retired dentist living 8 miles in from the south coast of England.”