“…our own policies were not followed…”; Apple and Amazon Hacks
August 8, 2012. Posted by Chris Mark in Data Breach, InfoSec & Privacy.
Tags: Amazon, Apple, authentication, cybercrime, cybersecurity, iCloud, mark consulting group, Matt Honan, risk, security, social engineering
This past week, tech writer Matt Honan (of Wired) had his Amazon and Apple accounts hacked and his “…digital life destroyed”. You can read his first-hand account here. The hacker did not use any special technology; rather, he was able to hack the accounts using basic social engineering and knowledge of how the two companies’ account-recovery systems worked. Here is a description of the hack from CNN.com:
“At the heart of his story is a dangerous blind spot between the identity verification systems used by Amazon and Apple, two of the tech industry’s most popular vendors.
Like many people, Honan has a variety of email addresses. Several of them can be easily tracked down by anyone hunting around online. The hacker who went after Honan found his @me.com address — a tip-off that Honan had an AppleID account.
The attacker then used Amazon’s systems to break into Apple’s.
The trick worked like this: Call Amazon and tell them you want to add a credit card number to your account. The company will ask for your name, billing address, and an associated email address. That’s it. (Wired tested the method using a fake credit card number. It worked — twice.)
Then hang up, call back, and tell the next Amazon representative that you’ve lost access to your account. They’ll ask for your name, billing address, and a credit card associated with the account — like the one you added just moments earlier. With that information, Amazon will allow you to add a new email address to the account.
Go to Amazon’s website and send a password reset to the new email address. Now you’ve got access to your target’s Amazon account and can see all the credit cards on file for the account.
But here’s the catch: That’s enough to go and game Apple’s systems.
“The very four digits that Amazon considers unimportant enough to display in the clear on the Web are precisely the same ones that Apple considers secure enough to perform identity verification,” Honan wrote in his Wired account.
Matt succinctly detailed the flaws: “It turns out, a billing address and the last four digits of a credit card number are the only two pieces of information anyone needs to get into your iCloud account,” Honan wrote. “Once supplied, Apple will issue a temporary password, and that password grants access to iCloud.”
In response to a request for a statement, Apple conceded: “we found that our own internal policies were not followed completely.”
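The chain described above is visible in a support-event log as a sequence: a payment method is added through a support channel, minutes later that same payment method is accepted as proof of identity to change the account’s email, and a password reset is then sent to the new address. The following is an added example (not code from the original post, and not Amazon’s or Apple’s systems) showing two defender-side checks that follow from the incident: refusing to treat recently added account data as an identity verifier, and flagging the add-then-recover pattern when it occurs inside a short window. The event fields, the `MIN_VERIFIER_AGE` and `CHAIN_WINDOW` values, and the sample log are all constructed for illustration.

```python
"""Detecting the add-payment -> change-email -> password-reset takeover chain.

Constructed example: the Event schema, policy values and sample log below are
assumptions for illustration, not the real support systems of any vendor.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional, Tuple


@dataclass
class Event:
    ts: datetime
    action: str                           # "add_payment" | "change_email" | "password_reset"
    channel: str                          # "phone" | "web"
    verified_with: Optional[str] = None   # verifier the caller presented, e.g. "card:9999"
    detail: Optional[str] = None          # what was added/changed: a card id or an email


# Assumed policy values: data younger than this must not serve as a verifier,
# and the full chain is suspicious when it completes inside this window.
MIN_VERIFIER_AGE = timedelta(days=7)
CHAIN_WINDOW = timedelta(hours=24)


def verifier_is_acceptable(events: List[Event], verifier: str, at: datetime,
                           min_age: timedelta = MIN_VERIFIER_AGE) -> bool:
    """Return False if `verifier` was added to the account less than `min_age`
    before `at`: whoever is presenting it may be the person who just added it."""
    for e in events:
        if e.action == "add_payment" and e.detail == verifier and at - e.ts < min_age:
            return False
    return True


def find_takeover_chain(events: List[Event], window: timedelta = CHAIN_WINDOW
                        ) -> Optional[Tuple[Event, Event, Event]]:
    """Return (add_payment, change_email, password_reset) if a payment method is
    added, then used as the verifier for an email change, and a reset goes to
    that new email, all within `window`. Otherwise return None."""
    events = sorted(events, key=lambda e: e.ts)
    for i, add in enumerate(events):
        if add.action != "add_payment":
            continue
        for chg in events[i + 1:]:
            if (chg.action == "change_email" and chg.verified_with == add.detail
                    and chg.ts - add.ts <= window):
                for rst in events:
                    if (rst.action == "password_reset" and rst.ts >= chg.ts
                            and rst.ts - add.ts <= window and rst.detail == chg.detail):
                        return (add, chg, rst)
    return None


def describe_chain(chain: Tuple[Event, Event, Event]) -> str:
    """Human-readable alert line for the matched chain."""
    add, chg, rst = chain
    elapsed = rst.ts - add.ts
    return (f"ALERT: {add.detail} added via {add.channel} at {add.ts:%H:%M}, used to "
            f"change email to {chg.detail} at {chg.ts:%H:%M}, reset sent at "
            f"{rst.ts:%H:%M} ({int(elapsed.total_seconds() // 60)} min total)")


# Constructed sample log for one customer account (not real data).
T0 = datetime(2012, 8, 3, 16, 0)
SAMPLE_EVENTS = [
    Event(T0 - timedelta(days=400), "add_payment", "web", detail="card:1234"),   # legitimate, old
    Event(T0, "add_payment", "phone", detail="card:9999"),                        # name+address+email only
    Event(T0 + timedelta(minutes=12), "change_email", "phone",
          verified_with="card:9999", detail="new@example.invalid"),
    Event(T0 + timedelta(minutes=20), "password_reset", "web", detail="new@example.invalid"),
]

if __name__ == "__main__":
    # The freshly added card fails the age check; the long-standing one passes.
    print("card:9999 acceptable:", verifier_is_acceptable(SAMPLE_EVENTS, "card:9999", SAMPLE_EVENTS[2].ts))
    print("card:1234 acceptable:", verifier_is_acceptable(SAMPLE_EVENTS, "card:1234", SAMPLE_EVENTS[2].ts))
    chain = find_takeover_chain(SAMPLE_EVENTS)
    print(describe_chain(chain) if chain else "no chain found")
```

The age check is the stronger control of the two: it removes the second call’s leverage entirely, since a card the caller added minutes ago no longer counts as evidence of who they are. The chain detector is the backstop for accounts where a support agent bypasses policy, which is what Apple’s statement describes.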