
“…our own policies were not followed…”; Apple and Amazon Hacks August 8, 2012

Posted by Chris Mark in Data Breach, InfoSec & Privacy.

This past week, tech writer Matt Honan (of Wired) had his Amazon and Apple accounts hacked and his “…digital life destroyed”. You can read his first-hand account here. The hacker did not use any special technology; rather, he was able to take over the accounts using basic social engineering and knowledge of how the two companies’ account-recovery systems worked. Here is a description of the hack from CNN.com:

“At the heart of his story is a dangerous blind spot between the identity verification systems used by Amazon and Apple, two of the tech industry’s most popular vendors.

Like many people, Honan has a variety of email addresses. Several of them can be easily tracked down by anyone hunting around online. The hacker who went after Honan found his @me.com address — a tip-off that Honan had an AppleID account.

The attacker then used Amazon’s systems to break into Apple’s.

The trick worked like this: Call Amazon and tell them you want to add a credit card number to your account. The company will ask for your name, billing address, and an associated email address. That’s it. (Wired tested the method using a fake credit card number. It worked — twice.)

Then hang up, call back, and tell the next Amazon representative that you’ve lost access to your account. They’ll ask for your name, billing address, and a credit card associated with the account — like the one you added just moments earlier. With that information, Amazon will allow you to add a new email address to the account.

Go to Amazon’s website and send a password reset to the new email address. Now you’ve got access to your target’s Amazon account and can see all the credit cards on file for the account.

Amazon (AMZN, Fortune 500) masks most of the credit card numbers, displaying only the last four digits.

But here’s the catch: That’s enough to go and game Apple’s systems.

“The very four digits that Amazon considers unimportant enough to display in the clear on the Web are precisely the same ones that Apple considers secure enough to perform identity verification,” Honan wrote in his Wired account.

Matt succinctly detailed the flaws: “It turns out, a billing address and the last four digits of a credit card number are the only two pieces of information anyone needs to get into your iCloud account,” Honan wrote. “Once supplied, Apple will issue a temporary password, and that password grants access to iCloud.”

In response to a request for a statement, Apple conceded: “we found that our own internal policies were not followed completely.”  


1. local tourist - August 10, 2012

This incident goes to show why validating with a PIN that isn’t recorded anywhere is better than the last four of a CC; at the very least the last 6 of a CC should be used if that’s an option.

Chris Mark - August 10, 2012

Keeping the last 6 is a violation of card brand rules. That being said, how do you validate a PIN that is not kept anywhere? Even if you record a hash of the PIN, it requires the user to input the PIN in some capacity…exposing yet more vulnerabilities…
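The exchange above turns on a practical question: how do you verify a PIN without storing the PIN itself? The following is an added example, not code from this blog or from Amazon or Apple, showing the usual defensive pattern: the verifier keeps only a per-user random salt and a PBKDF2 digest, compares digests in constant time, and locks the record after a fixed number of failures so the small PIN space cannot simply be enumerated by a caller. The iteration count, the attempt limit, and the sample PIN are assumptions chosen for illustration.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass

# Assumed parameters for the example; a real deployment tunes both.
PBKDF2_ITERATIONS = 100_000
MAX_ATTEMPTS = 5


@dataclass
class PinRecord:
    """What the verifier stores: never the PIN, only salt + digest + failure count."""
    salt: bytes
    digest: bytes
    failed_attempts: int = 0


def _derive(pin: str, salt: bytes) -> bytes:
    """Slow, salted one-way derivation so a leaked record is not a lookup table."""
    return hashlib.pbkdf2_hmac("sha256", pin.encode("utf-8"), salt, PBKDF2_ITERATIONS)


def enroll_pin(pin: str) -> PinRecord:
    """Create the stored record for a newly chosen PIN."""
    salt = secrets.token_bytes(16)
    return PinRecord(salt=salt, digest=_derive(pin, salt))


def verify_pin(record: PinRecord, candidate: str) -> bool:
    """Check a candidate PIN against the stored record.

    Returns False without doing any comparison once the record is locked;
    a correct PIN does not unlock it (that needs a separate, stronger recovery path).
    """
    if record.failed_attempts >= MAX_ATTEMPTS:
        return False
    ok = hmac.compare_digest(_derive(candidate, record.salt), record.digest)
    if ok:
        record.failed_attempts = 0
    else:
        record.failed_attempts += 1
    return ok


def is_locked(record: PinRecord) -> bool:
    return record.failed_attempts >= MAX_ATTEMPTS


if __name__ == "__main__":
    rec = enroll_pin("4821")  # constructed sample PIN
    print("correct PIN accepted:", verify_pin(rec, "4821"))
    for guess in ("0000", "1111", "2222", "3333", "4444"):
        verify_pin(rec, guess)
    print("locked after repeated failures:", is_locked(rec))
    print("correct PIN while locked:", verify_pin(rec, "4821"))
```

The stored record answers the comment's concern only partly: the PIN is not recorded, but the user still has to present it over some channel, so the lockout counter and the recovery path that resets it are where the real design effort goes. A four-digit value that is printed on receipts or shown in an account page, as the last four card digits were here, cannot be made a secret after the fact no matter how it is hashed.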
