As hacking victim's story spreads, Apple and Amazon tighten security(Read article summary)
A tech journalist's online life was erased over the weekend – and the hackers used nothing more than easily-obtainable pieces of personal information to trick Apple and Amazon into letting them gain control of his accounts.
By now you might be familiar with the saga of Mat Honan, the Wired reporter whose entire digital life was destroyed by hackers over the weekend. And you might be in the process of checking the security of your own online stuff. If you're an Amazon customer, at least, you can breathe (slightly) easier: Amazon quietly changed its customer privacy policies this week, presumably making it harder for other hackers to carry out similar attacks.
To recap: The hackers didn't use any sophisticated algorithms or brute-force attacks to gain access to Honan's online information. They just called Apple, pretending to be Mr. Honan and claiming to have lost access to the associated Apple e-mail account.
The hackers supplied two pieces of easily-discoverable information – a billing address and the last four digits of a credit card (which they were able to obtain by exploiting an Amazon loophole) – and were able to reset Honan's e-mail account. From there, they took Honan's Twitter account, and wiped his iPhone, iPad, and Macbook. Then they erased his Google account, along with tons of personal photos and documents.
Now, at least, both companies have battened down the security hatches a little bit. At the time Honan was hacked, someone could call in to change the e-mail address or credit card associated with an Amazon account by supplying a name, e-mail address, and mailing address. Shortly after Honan's story was widely publicized, though, Amazon changed its policy so that these pieces of information can no longer be changed by phone.
For its part, Apple – whose "Find My Mac" service allowed the hackers to wipe most of Honan's data – also implemented a freeze on over-the-phone password changes. Wired quotes an Apple customer service representative, as well as an employee "with knowledge of the situation," who speculates that the freeze may be a way for Apple to buy time to determine if any other security policies need to be tighted.
Of course, these changes don't mean that we're all safe from hacks again. Honan's story still serves as a cautionary tale against what he described as "flaws in data management policies endemic to the entire technology industry." But it does mean that both companies are taking more seriously their roles as the stewards of some pretty sensitive customer information.
If you're concerned about the security of your data, the usual rules still apply: Make multiple backups of your stuff (Honan only had his data backed up to Apple's iCloud service, which was compromised when the hackers took control of his Apple account. A local copy of the data would have prevented its loss). Don't link sensitive accounts to one another, as Honan did by connecting his Apple and Gmail accounts. And consider using additional security, such as Google's two-factor authentication, which requires a special phone code before an account can be accessed.