Cloud storage was dealt a shocking blow when hackers managed to get past the security of iCloud. How did it happen, and what will it mean for the future of the cloud?
When Matt Honan realized he had been locked out of his iPhone and laptop, he knew something was wrong, and he was right. Honan’s entire digital life, stored on his iCloud account, had been wiped clean in a matter of minutes. That was the bad news. The good news was that the hackers who did this to Honan, despite having access to all of his vital information, only set out to hack his Twitter account and, according to them, publicly exploit Apple’s security flaws. The other piece of good news is that their victim, the aforementioned Matt Honan, happened to be a senior writer at Wired.com and a reporter at Gizmodo, and had the ability and sense to pursue his hackers and report his findings to the rest of us.
One of these hackers, who later made direct contact with Honan, was willing to dish about the disturbingly simple steps it took to obtain Honan’s information and virtually destroy his entire digital life. The biggest issue turned out to be not just a weakness in Apple’s own security protocol, but an inconsistency in security between Apple and Amazon. While Apple considers the last four digits of a credit card number secure enough to obtain the highly vital Apple ID, Amazon (and many other vendors) deems those same numbers unimportant enough to display quite openly. Thus, to access all of Honan’s personal information, the hackers needed only to choose a vendor and get started.
In this case, the hackers called up Amazon, and after providing Honan’s full name and billing address (obtained by using any of several people or address search tools), were given access to make changes on his personal Amazon account. The hackers then asked to add a new credit card to the account, giving them even further access and the ability to set up a new email address that linked to Honan’s account, to which Amazon promptly sent a password reset. The new password was then used to log into Honan’s personal Amazon account, where the last four digits of all the credit cards were on bold and brazen display. With those four little digits, the hackers could gain access to his Apple ID, and the last feeble defense protecting Honan’s digital life was rendered useless.
It’s easy to put blind faith into large, established companies like Apple and Amazon. Yes, this specific security breach relied on the inconsistencies between the two separate companies’ security protocols. However, while the standards each has in place may work in isolation, that unfortunately does not jibe with the sole purpose of the web: connectivity.
It’s important that we don’t rely too heavily on our providers to protect our personal information. Honan noted that there are several ways to take initiative when it comes to your digital life:
Back up your computer and your phone regularly on physical media such as your local hard drive or a DVD.
Don’t re-use passwords for multiple accounts, and change your password frequently. If given the option, always request that security questions be required for password resets or account changes.
If your email service provider allows for it, set up two-step authentication for additional protection (Gmail allows users to do this).
Choose different email prefixes/usernames for different accounts. Reusing the same one is a common and understandable mistake for people who don’t want to keep track of multiple usernames and handles, but this is crucial.
Create a separate email address to use for recovery purposes. Don’t use this email address for anything else, don’t ever give it out for other reasons, and try to make the username something completely unrelated to yourself.
The takeaway is this: while Apple and Amazon should reconsider their security protocols, we should all be taking our own initiative to protect our digital lives.