Monday, August 13, 2012


Your Online life destroyed in Minutes!!

Hi Everyone
There was a big event in the IT world last week: a major identity in this world had his whole online life wiped out in the space of less than half an hour! Mat Honan is a senior reporter for Gizmodo and a former contributing editor for Wired magazine. Last week he had his whole online life destroyed "just because" the attackers thought it would be cool to have his three-letter Twitter name, @mat.

The attack was the fault both of Mat choosing convenience over cautiousness and of the lax processes of some of the major identities in the world, and I mean Major!! These processes have since been reviewed and some have been rectified, so at least some good has come of this event.

Some of the faults in Mat's behaviour that made it easy for the hackers: he used the same name for every email account, for example billsmith@gmail.com, billsmith@live.com, billsmith@me.com. This makes it too easy for attackers to guess your account name on another service, even though some letters of the address were obscured on the recovery screen. Mat also failed to activate second-factor authentication when it was available, because it was more convenient not to! Lastly, Mat broke the Golden Rule and didn't have his life memories backed up.
This is a rough timeline of the attack:
  • 4.50 A password reset confirmation arrives in the iCloud mailbox (they can now access his iCloud mail)
  • 4.52 A Gmail password recovery email arrives in his iCloud mailbox (they now have a password to his Gmail)
  • 4.54 Google account reset
  • 5.00 Wiped his iPhone using "Find My"
  • 5.01 Wiped his iPad using the "Find My" app
  • 5.02 Twitter account reset and owned
  • 5.05 Wiped his MacBook using the "Find My" app (lost his entire life's photos of his little girl)
Wow!!
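The timeline above is really a chain: each account's recovery path runs through the account taken over just before it. The script below is an added example written for this post (not code from the article or from any of the companies involved); it models that chain as a small constructed graph, walks it to show how far a single foothold spreads, and ranks which account would have cut the chain shortest had it required a second factor. The account names and edges are assumptions built from the post's own narrative, not real data.

```python
"""Account-recovery dependency graph: how far does one foothold spread?

Constructed example modelled on the chain in the post. Edge A -> B means
"whoever controls A can take over B": A receives B's reset mail, or A exposes
the detail B's support desk accepts as proof of identity.
"""
from collections import deque

# Assumed graph, built from the post's narrative (not real account data).
RECOVERY_GRAPH = {
    "amazon":  ["icloud"],   # Amazon page shows last 4 card digits; Apple accepted them for a reset
    "icloud":  ["gmail", "iphone", "ipad", "macbook"],  # Gmail reset mail lands in iCloud; Find My wipes devices
    "gmail":   ["twitter"],  # Twitter's recovery address is the Gmail account
    "twitter": [],
    "iphone":  [],
    "ipad":    [],
    "macbook": [],
}


def blast_radius(graph, start):
    """Breadth-first walk from `start`; returns {account: path taken to reach it}."""
    paths = {start: [start]}
    queue = deque([start])
    while queue:
        node = queue.popleft()
        for nxt in graph.get(node, []):
            if nxt not in paths:
                paths[nxt] = paths[node] + [nxt]
                queue.append(nxt)
    return paths


def blast_radius_with_2fa(graph, start, hardened):
    """Same walk, but accounts in `hardened` cannot be taken over by a reset alone
    (second factor enabled), so the cascade stops there. Returns the compromised set."""
    if start in hardened:
        return set()
    seen = {start}
    queue = deque([start])
    while queue:
        node = queue.popleft()
        for nxt in graph.get(node, []):
            if nxt not in seen and nxt not in hardened:
                seen.add(nxt)
                queue.append(nxt)
    return seen


def best_2fa_candidates(graph, start):
    """Rank stepping-stone accounts (those that lead somewhere) by how many
    downstream accounts a second factor on them alone would have saved.
    `start` is the attacker's initial foothold and is not a candidate."""
    baseline = len(blast_radius_with_2fa(graph, start, set()))
    scores = {}
    for acct, successors in graph.items():
        if acct == start or not successors:
            continue
        scores[acct] = baseline - len(blast_radius_with_2fa(graph, start, {acct}))
    # Highest saving first; alphabetical tie-break keeps the output stable.
    return sorted(scores.items(), key=lambda kv: (-kv[1], kv[0]))


if __name__ == "__main__":
    for acct, path in blast_radius(RECOVERY_GRAPH, "amazon").items():
        print(f"{acct:8s} via {' -> '.join(path)}")
    print("Where a second factor would have helped most:")
    for acct, saved in best_2fa_candidates(RECOVERY_GRAPH, "amazon"):
        print(f"  {acct}: {saved} account(s) protected")
```

Run as-is it prints the path to every account reachable from the Amazon foothold, then shows that a second factor on iCloud alone would have stopped the whole cascade, while one on Gmail would only have saved Twitter. Swap in your own accounts and recovery addresses to see which of yours is the single point of failure.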

One major fault was that it seems Apple let the attackers reset the account by just supplying a name, a billing address and the last four digits of a credit card. Have you noticed that a lot of other sites openly display the last four digits of the credit card linked to your account, because they feel they are not really giving anything away?
How many people do you give your address and credit card number to when you are shopping? Every one of them had the ability to take over your online life if they chose to.

Another fault was that the employee at Amazon didn't seem too worried about security details when the attackers rang wanting to "add" a credit card to the account; it seems that bogus credit card numbers that pass the entry checks are easily available online. The attacker then rings back and says they can't access their email account any more, and by supplying a name, billing address and the credit card details "they" just supplied, they are given permission to add a new email address to the account. They then go to the Amazon account, press the "lost password" tab and send a password reset to the email they just supplied!!

Wow!!

Have a think about this, people, and have a think about your online world and how it is all linked together. Secondly, think about what is more of a hassle: taking an extra 10 seconds to log in somewhere, or having to recover your whole online world and repair the damage caused by hijacked social media accounts.

The whole story can be read here at http://www.wired.com/gadgetlab/2012/08/apple-amazon-mat-honan-hacking/ ; if you can take the time to read it, it will scare you!