Apple and Amazon Security Hit
Apple has suspended a policy that enabled users to reset their Apple ID password over the phone in exchange for relatively easy-to-obtain personal details: the email address, billing address and the last four digits of the credit card number associated with the account.
Hackers exploited the system to gain full control of journalist Mat Honan’s iCloud account and wipe his iPhone, iPad and Mac, including precious photographs of his young daughter that he had not backed up.
They obtained the last four digits of his credit card number from Amazon, which has also tightened its procedures following the high-profile incident.
Amazon’s call centre allowed customers to call in to change their password as long as they could identify themselves with their name, email address and mailing address. Once the hackers had gained control of Mr Honan’s Amazon account, they were able to view the last four digits of his credit card number, which Apple required to give them control of his Apple ID.
“Apple tech support gave the hackers access to my iCloud account. Amazon tech support gave them the ability to see a piece of information – a partial credit card number – that Apple used to release information,” said Mr Honan in a detailed account of the online identity theft, which took place on Friday.
“In short, the very four digits that Amazon considers unimportant enough to display in the clear on the web are precisely the same ones that Apple considers secure enough to perform identity verification,” he added in criticism of the two firms’ security procedures.
Mr Honan said he was “not even especially angry at Phobia, or his partner in the attack”.
“I’m mostly mad at myself. I’m mad as hell for not backing up my data,” he said.
“But I’m also upset that this ecosystem that I’ve placed so much of my trust in has let me down so thoroughly. I’m angry that Amazon makes it so remarkably easy to allow someone into your account, which has obvious financial consequences.
“And then there’s Apple. I bought into the Apple account system originally to buy songs at 99 cents a pop, and over the years that same ID has evolved into a single point of entry that controls my phones, tablets, computers and data-driven life.”
This is another clear case of security frailties in large organisations, and if it can happen to them, it could happen to your business. When was the last time you reviewed your security? Are you vulnerable to attack? Aerial are offering a 100% free business security check to the first 10 readers who comment on this blog or email us.
