The hacking of tech journalist Mat Honan earlier this month proved that strong passwords are no match for a streetwise social engineer. Honan, who works as a reporter for Wired’s Gadget Lab, experienced what he called an ‘epic hack’.
His iPhone, iPad and MacBook were remotely wiped, his Twitter account hijacked and his Gmail deleted. The hack revealed weaknesses in two major cloud services and their customer service systems: Apple iCloud and Amazon.
Surprisingly, it was not his passwords that were at fault. It turns out a little ‘social engineering’ by a savvy 19-year-old was all it took. Honan, in fact, is a keen user of complex passwords, ‘long, alphanumeric strings of gibberish with random symbols’.
Two pieces of information were all the hacker, Phobia, needed to access his victim’s accounts: Honan’s billing address and the last four digits of his credit card number. The teenager was able to obtain the credit card digits from Amazon, which revealed the last four digits of all customers’ credit cards to anyone with an internet connection. Apple’s phone support worker was equally obliging, issuing a temporary password even though the hacker couldn’t answer the security questions correctly.
On this occasion the hacker’s main goal was to take over Honan’s three-letter ‘@mat’ Twitter account. Phobia thought it would be funny to post racist and homophobic tweets from the account.
However, the hacker also used iCloud to perform remote wipes on Honan’s iPhone, iPad and MacBook. While Honan was able to restore the iPhone and iPad from iCloud backups, he ended up paying nearly $1700 to recover some of the data from his MacBook, which he had never backed up. The lost data included precious family photographs of Honan with his daughter shortly after she was born.
Amazon has since responded to the incident by claiming it will no longer show the last four digits of a customer’s credit cards. Apple has also stated that its password-change identity loophole has been closed and it now follows best security practices for authenticating its users.
However, as Honan states: “Bored teenagers up late on hot summer nights know more about social engineering exploits than I would wager most of the executives at affected companies do. That needs to change.”
Change in attitude
Hopefully, this will lead to a change in attitudes around security and its importance. If it can happen to a journalist who works in a technical industry, it can happen to any one of us. Had Honan activated Google two-factor authentication to stop hackers from accessing some of his cloud-based social life and accounts, he would have saved some of his data and accounts. However, there is no avoiding the fact that a solid piece of social engineering by a teenager was all it took to make the whole security system redundant. Yet again the people factor, rather than IT processes, has proven to be the most vulnerable area.