Mat Honan on being hacked

Mat Honan was hacked. The nightmare unfolded minute by minute, a sequence of security failures daisy-chaining their way into a disaster. But there was a single point of entry: Apple's willingness to hand over the keys to his account to anyone with the last four digits of his credit card number and home address.

What happened to me exposes vital security flaws in several customer service systems, most notably Apple’s and Amazon’s. Apple tech support gave the hackers access to my iCloud account. Amazon tech support gave them the ability to see a piece of information — a partial credit card number — that Apple used to release information. In short, the very four digits that Amazon considers unimportant enough to display in the clear on the web are precisely the same ones that Apple considers secure enough to perform identity verification. The disconnect exposes flaws in data management policies endemic to the entire technology industry, and points to a looming nightmare as we enter the era of cloud computing and connected devices.

It reminds me of how air crashes occur. In isolation from one another, storms, structural flaws and tired or incompetent personnel are rarely enough. But together, in just the right sequence, it all goes horribly wrong.

The worst part: Wired attempted the same social engineering technique today, and it still won them control of iCloud accounts.

How Apple and Amazon Security Flaws Led to My Epic Hacking [Wired]

Previously: Yes, I was hacked. Hard.

  1. I remember getting two pieces of correspondence from two separate vendors. One had my credit card number xx’d out except for the last four digits. The other had the whole number and only xx’d out the last four digits. Glad nobody stole my mail that day.

  2. Another point of entry would be domain names.  X uses an address at his own domain to manage his cloud service account but he forgets and lets the domain expire. I register the domain and capture all his emails. Then I trigger a password change on his cloud service account, nab the email message and take control.

        1. decent registrars remind you an expiry is coming. i look after 1k+ domains for getting on 15 years. never. lost. any.

  3. What I find somewhat (morbidly) fascinating is how the greater emotional salience of physical loss/theft compared to electronic loss/theft has (possibly just up until now, possibly even still) made acceptance of remote access and wipe tools as instruments of security rather than vulnerabilities almost automatic.

    It will be interesting to see Apple do damage control, given that they have been pushing their online services hard of late (the remote wipe feature is optional; but even minor stuff like getting the free incremental updates for iLife applications bundled with hardware requires an account) and given that their security system (at least at the phone-drone level) is pretty dreadful.

  4. It’s stuff like this that makes the whole always-on, always-connected, everything-in-the-cloud “dream” more like a “nightmare” to me. I’ll happily keep copies in the cloud, but I want more control and more ownership over my critical data.

    1. Absolutely. Apple and Amazon need to get their shit together, but he lost my sympathy when he wrote that he didn’t backup his machine. 

      It isn’t that hard. 

        1. Not for his MacBook Air. And IIRC even PhotoStream is time-limited, i.e. pictures fall off the end if not properly saved to a device.

          Cloud storage – and I use that stuff a lot – that’s not under one’s total control is a convenience, not a true backup.

          I’m lazy myself. Hourly off-site backups of important data, full disc backup of other stuff about once a month, time machine backups hourly or every couple of days for the MBA that doesn’t have a lot of unique data anyway.

          Not a lot of work. About 5 € a month for 100 GB offsite storage to an unrelated service.

          Even if I’d been hit as hard as him, I’d only lose a couple of hours’ work. Probably less.

          1. If you have a Mac with iPhoto connected to your Photostream, it does continually collect and save all of your pictures, not just the last 1000 that are accessible in the “Photostream” section. That, of course, still needs to be backed up. I’m surprised he wasn’t using Time Machine.

          2. @fields:disqus Yes, that is one idea of photo stream: push every photo from your mobile iOS devices and download them to your Macs. It’s a copying mechanism with a loooong buffer, not a storage method.

            And until you save images explicitly (there may be an automatic download at a later date), removing them from the photo stream will remove them from the Mac, too.

            He didn’t *deserve* anything like this, of course, but his lack of backup is staggering. A Time Capsule – even a second drive – would have saved him all that grief. Mind boggling, especially for a tech journalist who has an even bigger risk of losing his laptop.

    1. I counted one or two trolls. And they sounded like 4chan kids who did a search for “hacker,” landed in the wrong blog, and got busy anyway.

  5. Several idiots are using my email address when ordering items online. (For some reason they think it’s their email address, and based on the similar names I can kind of see why.) Anyway, I keep getting confirmation emails containing their names, account numbers, postal addresses, phone numbers, and last 4 digits of their credit card numbers. One person even sent me “my” payroll info, and all I need is the last 4 digits of their SSN to open the attachment. That wouldn’t take long to brute-force.

    It’s amazing what sorts of info you can get just by having a commonly used email address. If I was so inclined I could make their lives miserable, but I’m just not that type of person.

  6. And yet we have unlocked mailboxes just sitting out on the side of the street. Sure, there’s identity theft, but people generally blame that on the thieves, not the unlocked mailboxes. Just sayin’.

    1. Many people here have upgraded to lockable, parcel-sized mailboxes. Now that merchandise comes to us rather than us going out to buy it, it’s silly to have an unlocked mailbox.

      1. And many people haven’t. It’s strange to put the brunt of the blame on the victims and the security methods rather than the actual criminals. Hackers have done a swell job convincing people that they’re not the problem. And that’s maybe their best trick. Hackers have made the Internet neighborhood shitty. Kinda like the people that stole kids’ bikes in my neighborhood growing up.

        1. I’m not defending the hackers. It just seems weird to lock your house and your car but not your mailbox.

          1. I give the postal service $50/yr and they give me access to a PO box in their secure facility. I’m pretty good with that arrangement.

          2. Here’s an example of a parcel-sized lockable box. It works like a corner mailbox. You put the parcel in, it slides to the bottom and the top half acts as a barrier. It can be mounted on a pole or concreted into a wall.

          3. Wait a minute. You mean those cool US-style mailboxes are unlocked? 

            That seems … weird to me. German mailboxes aren’t the height of security either, but if you buy one that’s to spec, it’s quite a hassle to get at letters.

          4. It seems weirder than that, to me (as someone who grew up with unlocked mailboxes, and seldom-locked houses) to depend entirely on (entirely impossible) unbreakable locks and (even more impossible) unhackable systems for your safety and security and to utterly neglect both law enforcement and social norms as safety and security technologies.

            I don’t see any way around the fact that when they contacted Amazon, falsely claiming to be him, and obtained something of value from Amazon in exchange, then no matter how bad Amazon’s system is, that doesn’t change the fact that they committed fraud. Federal felony fraud. I don’t see any way around the fact that when they misrepresented themselves to Apple as him, and obtained from Apple the tools with which they vandalized his property, that no matter how incompetent Apple’s security measures were, it doesn’t change the fact that they committed severe vandalism — considering likely pain-and-suffering losses, probably even felony level vandalism. Across state lines.

            Frankly, they shouldn’t have to have been told that what they did was wrong; shifting any significant part of the blame onto their victims (him, Amazon, and Apple) muddies the waters and plays into their BS rationalizations. And if the next person has any doubt that what these people did to him, to Amazon, and to Apple was wrong, that should be settled by making an example of them in the federal courts.

            Seriously, Antinous. I doubt you live in a place that is armored like a bank vault, and I doubt that the physical lock on your house is impregnable; Boing Boing has done enough coverage of lockpicking culture that I feel pretty confident that even you agree with that. Does that mean that it’s partly your fault or the maker of the lock on your front door’s fault if someone picks that lock or kicks in your door and smashes up your electronics with a hammer? You probably don’t walk down the street wearing a combat helmet, and even a bicycle helmet won’t protect your head from a crowbar. Does that mean that it’s partly your fault or the maker of (say) your bicycle helmet’s fault if someone walks up behind you and bashes your skull in with a crowbar?

            Locks, whether hardware or software, keep honest people honest; the best locks are only there to make it time consuming enough for people to bypass them that they increase their risk of getting caught or leaving evidence, not to make access impossible, because making access impossible is, itself, impossible. As soon as they ran into the first password login screen that asks “are you mhonan” and they said “yes,” they knew they were doing the equivalent of kicking down a locked door. For this, they need to be tracked down and made an example of. Period.

          5. Then the mailbox has only one purpose, incoming mail only. But probably like you, I remember being able to put checks in our box and lift the flag, the flag was never a message to thieves. Now, it screams, and anything of value is taken to a corner box or office. 

  7. I find it strange that people would consider storing their private data on unidentified servers run by large corporations to be a good idea in the first place. The only data that I trust to  such servers is the records of my transactions with the very companies that conduct those transactions; i.e. the credit union and the power company.

    I’m glad that a high profile case has come up for people to begin to publicly discuss the merits of keeping your data in a place that you don’t have much control over.

  8. Mostly this just reinforces my attitude that cloud storage is an unnecessary exposure for the sake of some alleged convenience. And that cloud applications are a way of handing the reins to someone else.

  9. So the message is that we should all just not trust the internet?  (Series of tubes).  I feel happy that I am currently bankrupt and couldn’t possibly have any financial stuff hijacked.  

      1. And don’t ask too many questions about what happens to the kittens that fail TCP checksumming… You don’t want to look in that bit bucket.

  10. a looming nightmare as we enter the era of cloud computing and connected devices.

    As opposed to the nightmare scenario of giving malicious servers your credit card at restaurants? I think we’ll survive this nightmare as well. /snark

    1. This is why companies should let you compose your own security questions/answers (Ex. “What was the name of the movie I saw with Janice in 2004?”)

      1. Ummm… if you’re stupid enough to provide a relevant answer, you’re in a lot of trouble. “What was the name of your first pet?” — f%83PO7@dd

        1. I can’t remember a unique password for every (important) account I have, how am I supposed to remember strings like that for the password reset??

          1. RLY? There are plenty of ways — a password manager tool, for one. Or start with a string you know and like, say “68%plus&ONE” and append a single letter representing (alphabetically) the number of characters in the URL of the current website. boingboing = 10 –> “j”.

          2. Before anybody *else* replies, please do account for the ” I can’t remember a unique password for every (important) account I have” part, and do not suggest exactly the same strategies you would for passwords.

            If they’re asking you the security question in the first place, then, yes, the user’s password management has *already* failed. Bonus points for not merely blaming the user for the fact that it has done so.

          3. Get LastPass with Google’s 2-factor authentication. Unfortunately, LastPass can be configured to provide lower security levels, particularly if your devices are compromised. (i.e., no automatic logout)

            In response to password strategies:

      2. Some site that I dealt with offered a choice of three security questions, all based on the assumption of heterosexuality. That was especially weird.

  11. Usually when someone suggests I contact the CEO of the company whose product just blew up in my face, I assume they’re either being a smartass or are hopelessly naive.
    It sure is handy to be a big-deal blogger.

    1. Dunno, I’ve worked for a firm that had a crack team of Assault Secretaries specifically for dealing with shit that would make the CEO look like a dick. They were really good at Getting Shit Done. Also, Executive Email Carpet Bomb.

  12. Personal valuable data “safely” backed up on a third party service with no local copies always seemed like a bad idea to me. I think it’s more sensible to download stuff from gmail (or anything else) and store it locally than to do the reverse. 

    1. I use the cloud to transfer files, and that’s all. I’ve got a bunch of music at Google, but only for my listening convenience, not for backup. . . . especially after I discovered that in the transfer they wiped all my carefully placed tags and substituted “Reggae” for all the things they didn’t recognize (quite a bit of my rather obscure collection.)

  13. This is exactly why the cloud is the current dotcom bubble.
    Working in IT I am well aware how terrible security is everywhere so storing your data with a 3rd party is pretty much giving it away.

  14. My wife had to surrender rights to the sanctity of her phone to install Outlook to pick up her work mail. We’re both more worried about her work wiping her phone by accident than anyone doing something nefarious with the phone, should they steal it (neither of us has ever lost a phone).

    1. ? Is this a phone that work provided or her personal phone that work has decided they have any rights to? If the former, don’t keep anything personal on it. If the latter, have them pay your bill and don’t keep anything personal on it; it’s become a work phone.

      If she’s an employee and providing her own equipment it crosses the line to independent contractor and can become a liability to her and the company regarding how she is seen and who pays what taxes.

    2. I hate this BYOD craze, it’s fuzzing lines between personal and corporate that shouldn’t be.

    3. I ran an app (rather than the default Outlook client) in part so that work could only wipe Outlook, and not the whole phone (Android; the app was Touchdown).

  15. So, with all this, What WOULD be considered acceptable Q&A for retrieving account information? Assume it’s a given that you must allow for the possibility of account retrieval. Now, what information should they be asking for before they provide your grandmother with the login credentials that she has forgotten?

    1. I had some bank or phone provider that would only mail (US snailmail) the reset info to the address on record. This does depend on them being alert for recent changes of address, but it’s pretty safe otherwise. The underlying problem is that everyone wants a reset immediately if not sooner. It’s like the warning you get when running FileVault: if you forget the password, *nobody* can decrypt the disk. If people would only understand this applies to online accounts as well (or to be exact, if only it did apply), things would be a lot more secure. Maybe, and again a waiting period applies, require a notarized letter of identity to reset an account.

  16. I’ve been reading too much S.F. I read the title and figured a cyborg had been compromised.

    “They packed a mnemonic into an advert jingle, which, once embedded in my subconscious unpacked itself and began distracting me with OCD and childhood memories as it slowly deactivated my Cortical Guard. Soon I was mamboing to the tune of the Russians.”

  17. WTF LastPass: a cloud service to overcome the trouble that the cloud is not physically yours? Are you serious?

    May I suggest a micro-USB stick with a KeePass DB, and a copy of that on at least one HD at home? And, if you want a “two-factor ID”, just save a random key file in your favorite cloud service.

    Forget the phone-based 2-factor stuff: it’s not secure.
    Never was. It’s just a way to get your phone number. If it’s a worthy ID, then it’s one for the money-gathering department of your email provider.

    1. LastPass is zero knowledge, so you had better not forget your password. It should be hard for it to be compromised, as they don’t know how to decrypt your passwords. I believe the app can run offline.

    2. I ask out of genuine curiosity: How is it not secure? What are some examples of failures for cellphone-based 2-factor authentication?

      I can think of a couple: 

      1. A thief physically steals your phone.
      2. If you keep an emergency list of codes in hardcopy form, a thief physically steals those.
      2a. If you keep an emergency list of codes as a text file somewhere, then it’s only as secure as the access to that file.

      And then a couple of ways of defeating it that I don’t know how plausible they are:

      3. A thief cracks the algorithm used to generate authentication codes.
      4. A thief gets your text messages forwarded to him. 

      Google turns up a lot of people who want to set up auto-forwarding of text messages, and there’s theoretically a command code to do it on GSM phones — but I’m not seeing any reports of the command code actually working for anyone, and a lot of reports of cell phone carrier phone support telling customers it’s not possible.

  18. No need to forward. If someone is in the same GSM cell, add this exploit, for example. This is “homebrew”, anno 2009. There are more professional solutions, like mobile GSM repeaters (able to log traffic). These things have been spotted in the wild.
    As far-fetched as it seems, I’ll stick to it. Not safe.

  19. And yet, there will still be that contingent of smug iUsers who are “sure glad they’re using a secure OS that’s not virus-filled like Windows!”

    1. The OS was actually secure. What wasn’t secure was the support, which gave away the key to the house, which was already stacked with kerosene and matches.
