Beta

×

Welcome to the Slashdot Beta site -- learn more here. Use the link in the footer or click here to return to the Classic version of Slashdot.

Thank you!

Before you choose to head back to the Classic look of the site, we'd appreciate it if you share your thoughts on the Beta; your feedback is what drives our ongoing development.

Beta is different and we value you taking the time to try it out. Please take a look at the changes we've made in Beta and  learn more about it. Thanks for reading, and for making the site better!

How Apple and Amazon Security Flaws Led To Mat Honan's Identity Theft

Unknown Lamer posted about 2 years ago | from the quick-turnaround dept.

Privacy 222

An anonymous reader writes "The story behind the hacking of Mat Honan's multiple accounts has been revealed and points to massive failures in how Amazon and Apple handle password recovery. Accounts for both sites can be easily accessed with simple to find publicly available information. If you ask me, both companies should be liable for violating privacy laws."

cancel ×

222 comments

Sorry! There are no comments related to the filter you selected.

the 4 last digit of CC are unsecure (4, Interesting)

aepervius (535155) | about 2 years ago | (#40902689)

"In short, the very four digits that Amazon considers unimportant enough to display in the clear on the web are precisely the same ones that Apple considers secure enough to perform identity verification."

All industry standard I know of is to hide the 12 foremost digits with * and show the last 4 or 5 (yes better would be to hide all, but client might need to recognize the CC number for some reason). Who in their right mind would consider that secure ? Apple apparently.

Re:the 4 last digit of CC are unsecure (5, Informative)

pnot (96038) | about 2 years ago | (#40902757)

"In short, the very four digits that Amazon considers unimportant enough to display in the clear on the web are precisely the same ones that Apple considers secure enough to perform identity verification."

  All industry standard I know of is to hide the 12 foremost digits with * and show the last 4 or 5 (yes better would be to hide all, but client might need to recognize the CC number for some reason). Who in their right mind would consider that secure ? Apple apparently.

Indeed, the article itself makes this point: And it’s also worth noting that one wouldn’t have to call Amazon to pull this off. Your pizza guy could do the same thing, for example. If you have an AppleID, every time you call Pizza Hut, you’ve giving the 16-year-old on the other end of the line all he needs to take over your entire digital life..

Till receipts also commonly show this information.

Re:the 4 last digit of CC are unsecure (4, Interesting)

mcvos (645701) | about 2 years ago | (#40903131)

I don't give credit card numbers to pizza boys. I give them cash. Or I pay with iDeal, a Dutch internet payment system that's actually secure, unlike all that credit card crap.

Really, rest of the world, you guys need to implement iDeal so I can use it for international payments. The only reason I have a credit card at all is because it's the only way to buy stuff online from non-Dutch sites. Steam uses iDeal. Once everybody else does too, we can finally get rid of those stupid credit cards.

Re:the 4 last digit of CC are unsecure (2, Insightful)

Rei (128717) | about 2 years ago | (#40903471)

I don't know about iDeal, but I'm always appalled at how much trouble Americans have with securing their identity. It's not that hard:

Step 1) Have a *public* identifier for you. None of this "if you know the social security number" or "if you know all or part of a credit card number" or such nonsense.
Step 2) Have one or more *private* passcodes or other authentication schemes (really, everyone should have those rotating-passcode keychain devices like the banks give out here for use with important stuff). Because the key is public, nobody is dumb enough to use it as a password.
Step 3) Have a single national database which stores information about you, with at a minimum, your name, public ID, and address. This is your *official* contact information.
Step 4) Any major transactions done using your identity, including changing your contact information, involve you being contacted using your official contact information in the database.

This is basically the system we use here in Iceland, and it works very well. Doesn't help us with foreign firms that don't grasp security, however.

Also, what's up with Americans and writing personal checks? Geez, it's the 21st century here...

Re:the 4 last digit of CC are unsecure (3, Insightful)

flimflammer (956759) | about 2 years ago | (#40903627)

Privacy issues for most of your post. People in general do not like the idea of a national ID system. This isn't just a US thing, either. A lot of countries try to fight this sort of system when it comes knocking.

As for personal checks, they are not used that frequently anymore. Most places I go to don't even accept them. I haven't encountered one personally in several years. They're used little more than promissory notes between people nowadays. Short of going to an ATM or bank, there's no easy way to give people cash. Personal checks still fill that role. Nothing wrong with that.

Re:the 4 last digit of CC are unsecure (2)

berberine (1001975) | about 2 years ago | (#40903755)

I hate writing checks. I wish they would go away, but I have two issues as to why I can't stop writing them yet.

First, there is no way for me to pay my rent, electric bill, water bill, and garbage bill if I did it electronically. The electric company has sent out a notice that sometime next year they will start taking payments online, but that's next year.

Second, I do not trust the security of my bank, or any bank, in the small town that I live in. A friend also banks at this bank and it only took me a short time to be able to get into her bank account. To log into your personal checking account, you need a password, PIN, and identify a photo that you uploaded. You can get the PIN wrong 5 times before you're locked out of the account and have to go in person to fix things.

I already knew that the bank won't reset your PIN. They mail you a new one or you have to go in personally to get it reset. That was the only hard part. Of course, just chatting with my friend, I discovered she used her mom's birthday as the PIN. I didn't need to talk to her for anything else. She leaves her cell phone on her desk with her email and Facebook accounts logged in. So, I just clicked on the "forgot my password" button on the bank website and reset it. Then I logged in. The photo part is a photo that you upload. It was completely obvious that it was her dogs.

Now, I did all this while sitting next to her because she didn't see the big deal in using the same passwords everywhere or leaving her accounts logged in on her phone all the time. I kind of freaked her out a bit, but she was thankful that I showed her how easy it would be for anyone who just knew a little bit about her could get into her account. We spent the next Saturday changing passwords everywhere she was online and actually securing her accounts. I also got her to go into her bank and set it up so that, if the password to her bank account needs to be reset, she has to do it in person now. She still keeps her Facebook and email open on her phone, but at least they have different passwords now. To me, it's not 100% secure, but it's better than it was.

I live in a very small town and have limited banking options. The banks here are all the same when it comes to online banking. I really don't want to put all my hard earned money into a system that I don't believe is safe or secure. If any of the banks in town ever does that, they will get my business. Until then, I'm stuck writing checks for all my bills.

Lastly, I have three credit cards. I use one online exclusively. They have been excellent at fraud detection. I call once a week to check my balance and transactions. This takes about 3 minutes, but I can know immediately if something has happened. Twice the credit card company has called me and asked if I just tried to make a transaction because it threw up red flags with them. Once was me and it was a merchant I had never used before. The other time, there was a breach wherever they store their numbers. They just changed my account number and issued me new cards. It'd be nice if the banks could get their act together.

I like the idea of the way Iceland does it. I have several Dutch friends and I like their system of online banking. I just don't think the US takes it as seriously as other countries. When they do, I'll jump at the chance to get rid of checks and bank online.

That is not the problem with Amazon (5, Interesting)

Ecuador (740021) | about 2 years ago | (#40902897)

At first I was aghast at how they could implicate Amazon for revealing the last 4 digits of your card, when they appear in every transaction receipt printed etc.
However, after reading TFA it is obvious that Amazon has a serious security flaw as well that they need to address as well. It seems that you can call Amazon support knowing only the name, email and billing address of a person and you can add a bogus credit card number to their file. Then you call back and tell them you can't access your account and they will let you add a new email address to reset your password and you use the credit card number you had just added as verification of your identity!
True, Amazon showing the last 4 digits of your CCs on your account is not a problem, but giving access to your account to a person armed only with knowledge of your name, address and email is a serious flaw.
The summary and even the article don't make it that clear what the problem is with Amazon, you have to read through TFA.

Re:That is not the problem with Amazon (1)

mtmra70 (964928) | about 2 years ago | (#40903571)

My mortgage company has a similar jacked up login process.

Like a lot of places, they have you answer some pretty mind numbing security questions after typing in your user name and password. If you don't remember the security answer you can hit the "I forgot" button. What then happens is shocking - it takes you to a screen to reset the answers. Why in the world do you ask security questions after a user/pass auth if the same info lets you reset them?!!?

And the real kicker. When you want to make a PAYMENT they ask you the last four of your SSN. Who on earth asks for info like that when handing them money???? I could understand withdrawing money....but depositing money?? O_o

Re:the 4 last digit of CC are unsecure (0)

Anonymous Coward | about 2 years ago | (#40903519)

All digits of a credit card are not secure. You give your credit card number to all kinds of people and systems. A credit card number is not secret, and neither is anything else that's printed on the card.

Re:the 4 last digit of CC are unsecure (3, Informative)

Lord_Jeremy (1612839) | about 2 years ago | (#40903761)

What?!! Apple requests the CVV2 code of your credit card for verification, not the last 4 digits of the number. The CVV2 code is never shown on a statement or invoice anywhere, and since they're processing credit card transactions they can only store it hashed.

Re:the 4 last digit of CC are unsecure (0)

Anonymous Coward | about 2 years ago | (#40903793)

All industry standard I know of is to hide the 12 foremost digits with * and show the last 4 or 5 (yes better would be to hide all, but client might need to recognize the CC number for some reason)

The last 4 (or 5) digits of your CC number are just a checksum of the actual card number. It was invented to help prevent data entry/keyboarding errors, not as a form of security.

Benefits of free services (5, Interesting)

akamad (1308139) | about 2 years ago | (#40902691)

I would argue that the biggest benefit of using free services (like GMail) is they offer no or crap phone support! Thus making it very difficult for a hacker to social engineer their way into your account.

Re:Benefits of free services (1)

Theophany (2519296) | about 2 years ago | (#40902735)

Unless you have your backup email address set as an iCloud address somebody already got access to...

Re:Benefits of free services (1)

akamad (1308139) | about 2 years ago | (#40902743)

Indeed. As always, it's the weakest link that will screw you over.

Re:Benefits of free services (3, Informative)

rvw (755107) | about 2 years ago | (#40903135)

I would argue that the biggest benefit of using free services (like GMail) is they offer no or crap phone support! Thus making it very difficult for a hacker to social engineer their way into your account.

We were hacked several months ago, and our Amazon EC2 account was hijacked. How did they do this? We host our domain names at a local provider, and somehow they got control over that account. Then they changed the DNS for the mail to their own service. We had two-factor logins at Amazon (normal login + generated key). They tricked Amazon into believing that the key was broken, that they were the rightful owner (with control over the mail), and Amazon removed it. We still wonder how they did all this.

Re:Benefits of free services (1)

Celexi (1753652) | about 2 years ago | (#40903455)

If you pay for Google apps they do offer phone support. However you would need to have the support pins which you can only get by logging in your account. There is no way to access support without those pins at all.

Apple's Failure, Not Amazon's (3, Insightful)

StealthyRoid (1019620) | about 2 years ago | (#40902701)

Every e-commerce company in the world that allows you to store your card info will display the last four digits of your card number, because what other option is there? What other unique determinant could you possibly display in order to allow people to select one card from a set? There's nothing at all insecure about that on its own, and it's silly to pretend as though everyone else becomes liable for Apple's crappy security policy. This is way more about a.) How one guy had a bad personal password policy, b.) poor security training for Apple support staff and poor security policies at Apple, and c.) How stupid it is to make any of your data deletable remotely. "There's this option to wipe all my data on Apple's site, and then these evil hax0rs totally did it, and I didn't have backups" does not translate into "Amazon has bad security policy".

You missed the part about Amazons password reset (5, Informative)

tlambert (566799) | about 2 years ago | (#40902863)

Amazon allowed a bogus card to be added to the account because all they did was check the check-digit, rather than doing that as step one, and then doing an authorization hold/authorization release after requiring the security code from the back of the card as step 2. This would have correlated the billing address and card number in the credit card company database, which would have failed, flagging it as a bogus card.

After this, a second call to Amazon using the bogus card information plus the (already known) billing information got them a password reset, again without them issuing an authorization hold/authorization release. And THAT is where they got the last 4 digits of the (actual) non-bogus credit card number to give to Apple. Admittedly, it's possible that this would cost a web site (other than Amazon, who owns their own payment provider) a transaction fee to do, but they could always require a transaction fee billed to the card being used as identification as part of the recovery process. For example, it looks like Norton Antivirus allows the same thing (just do a quick search for the phrase "the credit card number ending in", you'll see a bunch of people wondering about charges to cards they never registered with various services).

Apple using the last 4 digits as an identity verification was screwed up, but it wasn't information the bad guys had without Amazon's help, in this case.

Re:You missed the part about Amazons password rese (3, Interesting)

StealthyRoid (1019620) | about 2 years ago | (#40902913)

Naw, I didn't miss that part, I just don't think it makes an argument for this being a failure of Amazon security policy. Given that you need to know someone's account email address (how hard is it to do foo+amazon@dingleberry.com, or some other not-easily-guessed email address?), billing address, etc, to even get an Amazon rep to talk to you, the protections on that front seem sufficient (maybe not best, but sufficient) to me. Running an auth/void doesn't really work either. Sure, Amazon has their own payment gateway, but that doesn't make it free, it just makes it cheaper for them. Given the volume of cards that they accept into their system every day, running two transactions on each would pretty quickly jack up costs considerably. For subscription services like Norton, that might make sense, because the overall transaction volume is fairly low, but for Amazon, that bill would get pretty big.
Now, compare Amazon's relatively reasonable, if not super awesome, procedures to Apple's, where all you need is the last four in order to get access to all data and devices, and tell me this is still an Amazon problem.

Re:You missed the part about Amazons password rese (0)

Anonymous Coward | about 2 years ago | (#40902933)

Are you stupid? To get access to someone's Amazon account you need their email address and billing address. To get access to someones Apple account you need their email address, billing address, and last 4 of their CC. Both of these systems are stupidly insecure, but it is pretty goddamn obvious Amazon's is the worse.

Re:You missed the part about Amazons password rese (1)

xaxa (988988) | about 2 years ago | (#40903227)

Are you stupid? To get access to someone's Amazon account you need their email address and billing address. To get access to someones Apple account you need their email address, billing address, and last 4 of their CC. Both of these systems are stupidly insecure, but it is pretty goddamn obvious Amazon's is the worse.

But what is Amazon protecting?

1) The ability to order goods using my credit card to be delivered to my registered address
2) The ability to order virtual goods using my credit card (music, ebooks, gift certificates).

1) doesn't really help the fraudster. 2) might, but they're difficult to resell and Amazon probably don't care about refunding these purchases -- they're very low value

Now, what is Apple protecting?

1) Everything using that email address
2) All Apple equipment registered to the account, and all files on that equipment

Re:You missed the part about Amazons password rese (1)

TCM (130219) | about 2 years ago | (#40903299)

But what is Amazon protecting?

1) The ability to order goods using my credit card to be delivered to my registered address
2) The ability to order virtual goods using my credit card (music, ebooks, gift certificates).

You forgot

3) The ability to takeover your Apple account

So clearly, Amazon is worse than Apple because Amazon is Apple and more!

Re:You missed the part about Amazons password rese (0)

Anonymous Coward | about 2 years ago | (#40903463)

And once they have complete access to your Amazon account, they can't just change the physical shipping address why?

Re:You missed the part about Amazons password rese (1)

xaxa (988988) | about 2 years ago | (#40903479)

And once they have complete access to your Amazon account, they can't just change the physical shipping address why?

If you try and do that (I did last week, to order something to be delivered to work) they ask for the CCV code from the back of the credit card (if you choose to pay with an existing card).

Re:You missed the part about Amazons password rese (1)

flimflammer (956759) | about 2 years ago | (#40903641)

Because Amazon won't allow you to without extra information the person would not be able to provide. (CCV code)

Re:You missed the part about Amazons password rese (1)

OCedHrt (1001533) | about 2 years ago | (#40903531)

Once he had password reset Amazon, he can add other shipping addresses. Amazon does allow you to ship to other addresses, at which point it will be up to the credit card company to block the charge.

Re:You missed the part about Amazons password rese (2)

flimflammer (956759) | about 2 years ago | (#40903657)

He may be able to add extra shipping addresses, but he won't be able to use any of the cards on the account to ship to them. Amazon requires the CCV code on all purchases made with existing cards on the account when shipping to a new address.

Re:You missed the part about Amazons password rese (0)

Anonymous Coward | about 2 years ago | (#40902989)

Well, at least Amazon has a support procedure 'Add a credit card to an account by phone call' that has no valid uses, since you can do that online. The only use cases seems to be to hack into Amazon accounts.

Re:You missed the part about Amazons password rese (1)

mkraft (200694) | about 2 years ago | (#40903055)

The problem here is that for the average Internet user, if you have someone's Amazon email address, you pretty much automatically have access to that person's Amazon account. Not everyone has multiple email accounts and the billing address and name can be gotten from agragators like http://www.spokeo.com./ [www.spokeo.com]

At that point the person can gain access to the users Amazon account and simply go on a shopping spree at the users expense. Getting into an iTunes account with the same email is just a bonus.

Re:You missed the part about Amazons password rese (2)

OCedHrt (1001533) | about 2 years ago | (#40903523)

Amazon had the exact same flaw as Apple. Allowing a password reset with last 4 digits and a billing address. The bigger flaw at Amazon was allowing the addition of a credit card with the same identification.

Re:Apple's Failure, Not Amazon's (0)

Anonymous Coward | about 2 years ago | (#40902881)

Except that if you read the article, the hacker was able to add an email address to (and thereby reset the password on) the Amazon account by associating a bogus credit card number with an existing account with next-to-no authentication.

Amazon's really big mistake is to allow people to add a credit card in such a way.
Why on Earth would you ever need to add a card in this way?

Both Amazon and Apple made the mistake of authenticating using a credit card number.
Isn't everyone aware that credit card numbers are pretty much public to anyone you buy from?

What is the solution? Maybe do what PayPal do. Charge, then refund, a small amount to the credit card.
Only the account holder can determine what the amount was (unless Amazon keeps adding credit cards in such a stupid fashion).

Re:Apple's Failure, Not Amazon's (1)

kaws (2589929) | about 2 years ago | (#40903433)

I can see the possibility of not being able to add a card over the internet for whatever reason.

Re:Apple's Failure, Not Amazon's (1)

mimicoctopus (2701643) | about 2 years ago | (#40902887)

Every e-commerce company in the world that allows you to store your card info will display the last four digits of your card number, because what other option is there? What other unique determinant could you possibly display in order to allow people to select one card from a set?

Card issuer.

Re:Apple's Failure, Not Amazon's (2)

profplump (309017) | about 2 years ago | (#40902939)

Which is great if you only have one card per brand-name issuer and completely useless in any case where that isn't true -- and it's certainly not true for me. Whereas the chances of the last few digits of your account number matching any other account for the same customer are exceedingly small. It may still be a bad idea, but "card issuer" is certainly not a reasonable replacement.

Re:Apple's Failure, Not Amazon's (1)

mimicoctopus (2701643) | about 2 years ago | (#40903021)

I've never heard of anyone having more than one card from the same issuer before. Usually, a bank won't offer you a second card if you already have one with them. Why do you have multiple cards from the same bank?

In the case where you have two cards with the same issuer one digit could be used, provided it is different. In the event it's not different, two digits and so on until a noticeable difference exists.

Re:Apple's Failure, Not Amazon's (1)

viperidaenz (2515578) | about 2 years ago | (#40903079)

Please think before you press submit
A bank may offer you a credit card and a debit card. Both from the same issuer.
You might have accounts at different banks, with credit cards from each bank, but they're all from Visa
You might have a company credit card and a personal card.
Unless you register all of your cards with a particular website, how does that website know how many digits it will take to make a difference?

Re:Apple's Failure, Not Amazon's (1)

mimicoctopus (2701643) | about 2 years ago | (#40903099)

You might have accounts at different banks, with credit cards from each bank, but they're all from Visa

Visa is not the card issuer, the bank is.

Re:Apple's Failure, Not Amazon's (1)

jawtheshark (198669) | about 2 years ago | (#40903165)

I have five cards with the samer issuer. A debit and a credit card for the common account with my wife, and a debit and two credit cards for my personal account with the same bank. (Before anyone asks: these cards have different "functions" for accounting reasons and I have no credit card debt whatsoever. )

Re:Apple's Failure, Not Amazon's (0)

Anonymous Coward | about 2 years ago | (#40903367)

I've never heard of anyone having more than one card from the same issuer before. Usually, a bank won't offer you a second card if you already have one with them. Why do you have multiple cards from the same bank?

Why not? I applied for one card because it had a great promotional bonus for signing up, and no annual fee.

About two months later, the same bank had a better promotional bonus for a different card, and still no annual fee.

Didn't cost me anything, the promotional bonuses were very nice, and the slight reduction in my credit score doesn't matter.

Other people have multiple cards from the same bank to more easily keep track of business & personal expenses.

Re:Apple's Failure, Not Amazon's (1)

Plumpaquatsch (2701653) | about 2 years ago | (#40903411)

I've never heard of anyone having more than one card from the same issuer before. Usually, a bank won't offer you a second card if you already have one with them. Why do you have multiple cards from the same bank?

Because of a bank merger. Because you got one from your employer. Because you use one for business expenses, and the other for private use.

Re:Apple's Failure, Not Amazon's (1)

White Flame (1074973) | about 2 years ago | (#40903461)

Every e-commerce company in the world that allows you to store your card info will display the last four digits of your card number, because what other option is there? What other unique determinant could you possibly display in order to allow people to select one card from a set?

User-defined label when entering card details.

Online banking typically does this, so even though you see (some of) your account digits while online, it's really the name you gave it that's meaningful.

Why remote wipe? (0, Flamebait)

flyingfsck (986395) | about 2 years ago | (#40902709)

The remote delete feature is the dumbest of dumb feature I ever heard of. That alone is a good reason not to use Apple products.

Re:Why remote wipe? (5, Insightful)

juventasone (517959) | about 2 years ago | (#40902729)

If your device is lost or stolen.

Re:Why remote wipe? (1)

mwvdlee (775178) | about 2 years ago | (#40902785)

If your device is lost or stolen, data should not be permanently deleted, just locked away until the owner personally comes round to identify herself with a passport or other legal ID of some sort. You can more to permanent delete after some time has passed without a "restore" request.
I don't see why this should be any problem at all; Apple, Google and all their competitors claim to keep backups, which is effectively the same but with a user-"controlled" restore procedure.

Re:Why remote wipe? (1)

retchdog (1319261) | about 2 years ago | (#40902869)

the article says that the remote wipe is reversible with a four-digit pin made up at the time of deletion.

which leads me to wonder why apple couldn't just reverse it for the guy once he apprised a real human being of the situation. given the lack of sophistication everywhere else in this scheme, i seriously doubt that the four-digit pin is really used to encrypt your data. it must just be for authentication, so why couldn't this guy get apple to unwipe his drive?

Re:Why remote wipe? (2)

asdf7890 (1518587) | about 2 years ago | (#40903067)

If your device is lost or stolen, data should not be permanently deleted, just locked away until the owner personally comes round to identify herself with a passport or other legal ID of some sort. You can more to permanent delete after some time has passed without a "restore" request.

From an enterprise security point of view, once the device is out of your hands you want the data off it, full stop. If it isn't there then there is no chance that someone can read it. If everything on the device were properly encrypted, then you could just delete any keys and the restore would simply mean putting the keys back on.

I don't see why this should be any problem at all; Apple, Google and all their competitors claim to keep backups, which is effectively the same but with a user-"controlled" restore procedure.

That is the solution, not "not deleting". The off-device backups are your restore point either if you get a new device or that one is returned to you. As long, of course, as the backup account is not compromised at the same time as the device. No matter how securely you store you keys/tokens most phones are unlocked by a four digit pin so you've got not more than two days before someone brute forces that and gets in if they are determined and start when they first get hold of the device (so make sure if you lose the device that all the authentication credentials for the backups are changed ASAP).

Of course most stolen phones just get factory wiped before being fenced anyway, as most thefts of such devices are opportunistic rather than planned, so this is only a concern if someone might specifically target you (such as if others in your company's industry might want to have a peak at some significant trade secret) or if you have something really objectionable on the device (at which point if the thief notices it that can blackmail you)- most people like you or I are unlikely to be targeted in that way.

Re:Why remote wipe? (2)

kaws (2589929) | about 2 years ago | (#40903443)

Just like what asdf7890 said, some people want the security option of wiping the data. I suppose that an option could be to remotely encrypt a drive. Btw, there is the option in apple's icloud to remotely lock a device with a passcode of your choice. Wiping it is just another option.

Re:Why remote wipe? (1)

pnot (96038) | about 2 years ago | (#40902789)

If your device is lost or stolen.

Why not just encrypt the drive? Seems more secure to me -- remote wipe presumably won't work if the target machine doesn't have net access.

(Of course, the drive will be unlocked if your machine is stolen while switched on and logged in, but the solution to that is to lock the screen whenever you're not at the computer.)

Re:Why remote wipe? (1)

Anonymous Coward | about 2 years ago | (#40902919)

Remote wipe only makes sense if the drive is encrypted. Actually wiping an entire hard drive takes too long. Devices with a remote wipe feature (usually) actually keep the entire drive encrypted and the remote wipe erases encryption key (which itself is usually password protected). Without the encryption key, the encrypted information left on the hard drive is essentially random noise.

Re:Why remote wipe? (1)

Anonymous Coward | about 2 years ago | (#40903315)

Devices with a remote wipe feature (usually) actually keep the entire drive encrypted and the remote wipe erases encryption key

Not with blackberry. Remote wipe overwrites everything.

Re:Why remote wipe? (1)

AmiMoJo (196126) | about 2 years ago | (#40903709)

But why irreversibly wipe it? Arne't iOS devices encrypted by default, in which case you could keep a backup of the encryption key somewhere safe and just erase it off the device.

Re:Why remote wipe? (0)

Anonymous Coward | about 2 years ago | (#40902773)

That is because everyone and their mother complained that they didn't have remote wipe and thus could never be used in the enterprise.

It is like Linux was not ready for the enterprise since it didn't support hot swapping CPUs, memory and PCI cards. Not that any other often used operating system in the enterprise could do this (there are a few exceptions), but those were the arguments at the time.

Re:Why remote wipe? (1)

Tony2Heads (985529) | about 2 years ago | (#40902971)

proper lawns are Festuca rubra

Re:Why remote wipe? (1)

Plumpaquatsch (2701653) | about 2 years ago | (#40903427)

The remote delete feature is the dumbest of dumb feature I ever heard of. That alone is a good reason not to use Apple products.

While Android [google.com] phones are perfectly fine with you?

Trying to tar Amazon at the same time (1)

Anonymous Coward | about 2 years ago | (#40902741)

As the author admits: anyone with access to your card number ( even the waiter at the restaurant ) and a phone book has enough information to satisfy Apple's "security" procedures.

Re:Trying to tar Amazon at the same time (1)

mcvos (645701) | about 2 years ago | (#40903151)

Credit cards themselves are of course woefully insecure. We need a better payment system.

Re:Trying to tar Amazon at the same time (0)

Anonymous Coward | about 2 years ago | (#40903345)

We have one. Cash.

Side benefit - it encourages use of local storefronts, which in turn helps your neighbors eat.

not privacy, data protection (3, Informative)

l3v1 (787564) | about 2 years ago | (#40902755)

From Wikipedia article (Data Protection Directive - Comparison with US data protection law):

"The United States prefers what it calls a 'sectoral' approach to data protection legislation, which relies on a combination of legislation, regulation, and self-regulation, rather than governmental regulation alone.[10] Former U.S. President Bill Clinton and former Vice-President Al Gore explicitly recommended in their "Framework for Global Electronic Commerce" that the private sector should lead, and companies should implement self-regulation in reaction to issues brought on by Internet technology." (emphasis added)

I never could really understand how this companies-should-self-regulate could work, and up to this day it didn't really prove to work. If companies are let to roam freely, then there's really nothing (good or bad) you can really expect from them, and even if one seems OK, they can change their policies from one second to the next and you're screwed.

Nobody in their right minds would trust all of their data exclusively and only to a company (yes, you know, that "cloud" you like so much is operated by one or more companies with data protection and privacy policies changing by the weather). If you do so, something like the original article mentions can happen anytime.

I'm not saying you shouldn't use the "cloud" (how I hate that word, oh my), but you should never trust and rely on it completely without any (or weak and borderline useless) fallback. Remember, it's your data, it's your life, protect it as you would protect anything that you own and hold precious.

Thing is, since computing and PCs have become everyone's tools and don't require in-depth tech knowledge, it's pretty easy to get average users to use and rely on such services. It's simple, they don't really know what they are getting into. And it's for this reason that it's sad to see a more knowledgable person (i.e. article writer) fail so terribly.

Always remember, just because so many people are hooked to it and it's easy to use, that doesn't mean it's safe and reliable. It's not.

Re:not privacy, data protection (1)

AHuxley (892839) | about 2 years ago | (#40902999)

The US had 2 options, set a weak gov standard and get lol at when its is broken and noted to be weak from day one (DES).
This breaks the trust feeling with generation of young US crypto experts who so want to feel the US gov is not allowing weak crypto for good intentions.
Self-regulation allows the US gov to sit down and have a nice chat to .com commerce interests and ensure when you buy anything "Middle East" related they can database you without too much effort.
Self regulation also protects eg CIA front companies http://cryptome.org/2012/08/cia-proprietaries-1975.pdf [cryptome.org]
"IRS personnel would be notified that thev had begun to audit an Agency proprietary, and the audit would be discontinued "
If the CIA wants to fund freedom fighters (now the "good guys") in Syria - nice to have quality encryption options that dont seem out of place.
What two big brand names are doing with such weak security seems very strange. What two big US brand names where asked to do for US national security seems ....

Re:not privacy, data protection (1)

lindi (634828) | about 2 years ago | (#40903255)

Hmm, isn't DES actually quite strong? It resisted both differential and linear cryptanalysis. The key size is not enough today but it certainly was in 1977.

Re:not privacy, data protection (1)

V for Vendetta (1204898) | about 2 years ago | (#40903265)

Everytime you read the equivalent of "self-regulating" in a law, you know that lobbyists have again won a battle against citizens and democracy and that this regulation isn't worth the paper it's printed on.

Re:not privacy, data protection (1)

White Flame (1074973) | about 2 years ago | (#40903487)

I never could really understand how this companies-should-self-regulate could work, and up to this day it didn't really prove to work. If companies are let to roam freely, then there's really nothing (good or bad) you can really expect from them, and even if one seems OK, they can change their policies from one second to the next and you're screwed.

I think the intent is that there'd be industry standards, with their own best practices, standards body, and compliance testing. Things like movie ratings and OpenGL compliance are self-regulated.

Re:not privacy, data protection (1)

RabidReindeer (2625839) | about 2 years ago | (#40903789)

I never could really understand how this companies-should-self-regulate could work, and up to this day it didn't really prove to work. If companies are let to roam freely, then there's really nothing (good or bad) you can really expect from them, and even if one seems OK, they can change their policies from one second to the next and you're screwed.

I think the intent is that there'd be industry standards, with their own best practices, standards body, and compliance testing. Things like movie ratings and OpenGL compliance are self-regulated.

But. But. But. The Free Market!!!!

Multifactor Authentication (1)

Heretic2 (117767) | about 2 years ago | (#40902769)

This isn't a new problem... This guy was naive/careless at best for not using multifactor authentication. But hey, at least his new article is getting some traffic, not that anyone will ever take him seriously again.

a lot of mistakes here (4, Insightful)

pbjones (315127) | about 2 years ago | (#40902771)

Not backing up data, able to get Amazon account data with 2 phone calls, able to get an Apple/Google/whatever password reset with just a little bit of work. They could have also stolen his CC statement from his mailbox, as well as a Utility bill and got part of the way to getting a new credit pin or drivers license and after a bit of time a new passport. This sort of hacking is not new, just different. Once the security questions used to be the standard 3, your mums maiden name, your city of birth, and your first pet/car/whatever, now the answers are often on-line or traceable via Facebook. The blame should be shared amongst everyone, including the person who did the hacking. Excuse me, I have to backup my computers.

Re:a lot of mistakes here (2)

l3v1 (787564) | about 2 years ago | (#40902841)

Once the security questions used to be the standard 3, your mums maiden name, your city of birth, and your first pet/car/whatever, now the answers are often on-line or traceable via Facebook

Well, it's not the biggest and most effective way, but what I used to do (and still do if required) in such cases was that I picked randomly from the questions and gave totally unrelated random words as answers, which I recorded in a protected file. Unless someone could get to the file and crack it, there's no way to get through that with social engineering or public profile data collection.

Re:a lot of mistakes here (1)

pbjones (315127) | about 2 years ago | (#40902861)

I do similar, but a few years ago there was no choice, it was only 3 questions. ... as your Facebook email contains you FB ID, so you can also get a head start on cracking FB accounts, thanks to Facebook.

Re:a lot of mistakes here (1)

Havenwar (867124) | about 2 years ago | (#40902895)

Of course that makes your password exactly as safe as if you had the password itself stored in a protected file, which would mean you'd theoretically never need your security question answers since you would never forget your password. Unless of course you lose the file, in which case... I really hope you keep those files in two different places.

Re:a lot of mistakes here (1)

BlackCreek (1004083) | about 2 years ago | (#40903279)

Of course that makes your password exactly as safe as if you had the password itself stored in a protected file, which would mean you'd theoretically never need your security question answers since you would never forget your password. Unless of course you lose the file, in which case... I really hope you keep those files in two different places.

Reasons to add random trash to these recovery questions is that:
-- it keeps *you* from actually adding your first pet's name;
-- ** it keeps the website from nagging you to add recovery questions **
-- my bank for instance requests a security recovery question to be added, I told them my mother's maiden name was something like "kj63h546*3@"

I do the same as the grand-parent. My passwords are different for every account and are created using (pwgen or apg, I can't never bother to check if one is better than the other). I really don't remember any of my passwords, I only really remember the browser password that protects these, the SSH passphrase and the GPG passphrase to decrypt the password file.

On a side note, I never add my Facebook password to the browser, as that makes it so cumbersome to login to Facebook that I really only login every 3 months for friendship request maintenance.

tream 'em like passwords (1)

trptrp (2041816) | about 2 years ago | (#40902855)

that's why I generally just feed random data into these field (treat them like pw field except not saving the value)

Re:a lot of mistakes here (1)

jjo (62046) | about 2 years ago | (#40903435)

Some of the standard data can be secure. For example, I have never revealed my first pet's name online, so you could search for it in vain for the rest of your life. At first it just never came up in discussion, but as soon as I realized the security implications, I decided that there were some trivial, obscure data that no one else needed to know.

Why Mat? (1)

stx23 (14942) | about 2 years ago | (#40902779)

Something I haven't seen through reporting of this is why Mat Honan was targeted, was it the Gizmodo / Wired connection or something more sinister directed at him?

Re:Why Mat? (1)

mogness (1697042) | about 2 years ago | (#40902835)

I read in his original article that he had a three character twitter username (@mat), and that was why the hackers targeted him

But he's and IT Expert! (5, Informative)

retech (1228598) | about 2 years ago | (#40902803)

Yes, the same Mat who did not back anything up locally or (shutter to think) redundantly, is an expert. If this sorry excuse is what passes an expert, I think my grandma has a good chance at a new career.

What an idiot.

Re:But he's and IT Expert! (0)

Anonymous Coward | about 2 years ago | (#40902983)

"shudder"

Re:But he's and IT Expert! (0, Flamebait)

mimicoctopus (2701643) | about 2 years ago | (#40903041)

The fact that he was using all Apple products, with iCloud no less, is a good sign that he's not an expert.

After all, this is the company which profits from people who are willing to pay a lot more for a computer system provided it is very simple and is secure from viruses and hackers. LOL.

Re:But he's and IT Expert! (1)

Chewbacon (797801) | about 2 years ago | (#40903087)

Exactly why I don't like the cloud. I hate the idea of some guy reading knowledge base and misinterpreting policy and procedure standing between some stranger and my data. I use an iPhone, but backup to my computer at home and NOT the iCloud. I backup my computer quite often to my home server, which I can tunnel into should I need it. I make my own security policies, support my own stuff, and I'm the only one who needs to login to it. In fact, that's the basic policy: I am the only one who is allowed to get it, no security questions, last-4 digits of some damn number. Just me. Once a week, I plugin a portable drive and it adds another layer of redundancy to my backups. So even if all hell breaks loose and someone kills my server and desktop, I have minimal losses compared to everything. But this does make me want to take a look at how I manage the facets of security that I am responsible for on accounts that I do not have control over.

Re:But he's and IT Expert! (1)

quetwo (1203948) | about 2 years ago | (#40903773)

Which is great, until you have a house fire, or your gear at home gets stolen.

Re:But he's and IT Expert! (0)

Anonymous Coward | about 2 years ago | (#40903677)

If this sorry excuse is what passes an expert, I think my grandma has a good chance at a new career.

And your mama:

[The hacker] said the hack was simply a grab for my three-character Twitter handle. That’s all they wanted.

They must be Russians [slashdot.org] .

A very good article. Read it! (5, Interesting)

Qbertino (265505) | about 2 years ago | (#40902811)

This is a very good article, every /. nerd worth his honors should read it. It's pushed my paranoia levels almost up to normal again. That alone was worth the time. I've been dragging out that backup HDD for my MB Air far to long and will now change that.

  I'm also going to solidly review my online presence and accounts, and how they could be linked. And fix any problems that pop up.

Bottom line: Read the article, it's a healthy wake-up call and if you're like me, you need that once in a while.

My 2 cents.

Re:A very good article. Read it! (2)

Spottywot (1910658) | about 2 years ago | (#40902929)

This is a very good article, every /. nerd worth his honors should read it. It's pushed my paranoia levels almost up to normal again. That alone was worth the time. I've been dragging out that backup HDD for my MB Air far to long and will now change that.

I'm also going to solidly review my online presence and accounts, and how they could be linked. And fix any problems that pop up.

Bottom line: Read the article, it's a healthy wake-up call and if you're like me, you need that once in a while.

My 2 cents.

Yes indeed, we may not be making the same mistakes as Mr Honan, but this should be treated as a wake up call to review your own security policies. Mine are better that most, as I guess is the norm on Slashdot, but our time would be better spent looking for the chinks in our own online armour, rather than mocking Mr Honan for not backing up his Mac. It was stupid though.

Secure your e-mail! (1)

jjo (62046) | about 2 years ago | (#40903473)

My bottom line take-away from this is that the most fundamental level of security these days is your primary e-mail account. If you don't have two-factor authentication on it, you are asking for trouble. Relying on one-factor authentication for your primary e-mail seems to be almost as bad as failing to back up your data. (And if you have a credit card on file with Apple, it looks like their e-mail security approaches zero-factor security.)

If you're a nerd you don't need the wake up call (1)

Viol8 (599362) | about 2 years ago | (#40903557)

Anyone sufficiently clued up on IT would

A) Have backed up their data on a physical medium, eg USB stick

B) Would not daisy chain their accounts that would allow the hacking of one lead to the others.

This guy might considered himself and expert - personally I consider him an idiot who bought into the whole Cloud we'll-look-after-your-data-for-you-no-need-to-worry marketing hype aimed at the clueless.

In broad technical terms there is no difference between a modern cloud service and an ftp server from the 1980s - if someone gets your password you're scr3wed.

Blindness (1)

Bob9113 (14996) | about 2 years ago | (#40902879)

Moreover, if your computers arenâ(TM)t already cloud-connected devices, they will be soon. Apple is working hard to get all of its customers to use iCloud. Googleâ(TM)s entire operating system is cloud-based. And Windows 8, the most cloud-centric operating system yet, will hit desktops by the tens of millions in the coming year. My experience leads me to believe that cloud-based systems need fundamentally different security measures. Password-based security mechanisms â" which can be cracked, reset, and socially engineered â" no longer suffice in the era of cloud computing.

Cloud services can be compromised without using your password, and the two big OS manufacturers are pushing people to entrust their most valuable information to the cloud. The problem with this, he observes, is that passwords are not sufficiently secure.

He writes for a technophile journal, making recommendations to people who trust his expertise, about how to use technology. He was just bitten, quite seriously, by the exact problem with trusting the cloud. He holds the specific role that is supposed to warn the humble masses about threats like this, and he blames password security.

I think Woz understated the threat [slashdot.org] .

Look, Apple doesn't get security... (0)

Anonymous Coward | about 2 years ago | (#40902905)

You're entrusting your entire digital life to these people.

If you want real security, get a blackberry. It's a device that you control, not the manufacturer.

Re:Look, Apple doesn't get security... (1)

profplump (309017) | about 2 years ago | (#40902967)

Except for the you-must-give-RIM-your-email-password-to-get-email bit, sure. And that's ignoring all the limitations of their email system.

I really did like my BlackBerry in terms of the control provided to the subscriber -- as opposed to the retarded model on Android/iOS where the app developer decides what permissions are necessary -- but I don't see how trusting RIM is more secure than trusting Apple/Google/etc.

Re:Look, Apple doesn't get security... (0)

Anonymous Coward | about 2 years ago | (#40903229)

Except for the you-must-give-RIM-your-email-password-to-get-email bit, sure.

Not really, RIM has two services for email, BIS (blackberry internet service) and BES (blackberry enterprise service). People often get them confused.

With BIS, you give RIM your email password and RIM relays email to/from your device. In this case, RIM could read your email.

With BES, RIM does not have your email password or decryption keys. RIM just forwards the encrypted message much like the mobile carrier or your ISP.

I don't see how trusting RIM is more secure than trusting Apple/Google/etc.

Because you don't need to trust RIM with the BES platform.

That is the part many people & governments have trouble understanding. If you show up at RIM with a court order to hand over someone's BES email, RIM does not have the decryption keys or cleartext messages. BES was designed that way.

Also, the BES platform has been audited, tested & certified from end to end by many govt and non-govt organizations: http://us.blackberry.com/business/topics/security/certifications.html [blackberry.com]

Iphone & Andriod have been certified by... nobody.

Re:Look, Apple doesn't get security... (0)

Anonymous Coward | about 2 years ago | (#40903395)

Because you don't need to trust RIM with the BES platform

Which is not available to us mere mortals. So Blackberry is out of the picture for security.

Gmail should make 2-factor more prominent (1)

sirwired (27582) | about 2 years ago | (#40902907)

Until recently, I wasn't even aware GMail offered 2-factor authentication. I think it was a little note on the login screen one day that it even existed.

I did set it up immediately, as my entire life runs through that account, but had been running for years without it.

Apple fanboy gets a reality check (1)

TheMathemagician (2515102) | about 2 years ago | (#40902923)

I must admit it does amuse me a little to see a smug Apple fanboy so crushed by the realisation that Apple doesn't really care about him or his security. The moral is not to daisy-chain all your accounts together so snugly.

Well, that didn't cause me any problems... (3, Insightful)

Havenwar (867124) | about 2 years ago | (#40902949)

From what I see here, the main problem was apple's security protocol, with amazon coming in a close second... All other things he could really have protected himself against... Using two factor authentication on google and so on. But you can't protect yourself from a company finding easily obtainable information good enough to just hand over control of your account with...

As far as I'm concerned Apple should be liable for damages in this case. They have acted as a gatekeeper, portrayed a sense of security, and then been blatantly lax in security.

What does the law say about a case where I hand over say my credit card information to a merchant and they act carelessly with it, thus allowing it to be intercepted by a criminal? Say I go to a restaurant and they take my card and then let it lay around on the counter for half an hour for anyone to see, scan, steal?

Re:Well, that didn't cause me any problems... (3, Interesting)

viperidaenz (2515578) | about 2 years ago | (#40903113)

The law doesn't really need to say anything. The company wouldn't appreciate the loss of business because they can no longer accept credit cards because they violated the contracts with their providers. Those contracts probably make the company liable for any losses too.

So what should security questions be? (2)

justcauseisjustthat (1150803) | about 2 years ago | (#40903169)

I would argue Apple's security questions is no worse than most security questions from other vendors. Most info that is asked by companies to protect your data can be mined off the web via various methods.Unless you've lived in a hole and have no credit history,etc there is a trail and a clever person can find the answers.

That's why I make up my answers per account, there's no way to find the answers unless you have access to my physical system with encrypted docs.
But let's be real, normal people won't go this far or be this paranoid!!

Re:So what should security questions be? (0)

Anonymous Coward | about 2 years ago | (#40903765)

You're not safe. Read the article again. The attackers were able to bypass the personalized security questions by knowing the target's address and the public part of his credit card number.

I've said this before... (0)

Anonymous Coward | about 2 years ago | (#40903365)

It's a fool who places their security in someone else's hands . Especially, in people whose education level is far below
the yoke of responsibility placed upon them for the task. I'm not trying to be offensive, but is anyone stupid enough to believe
that iApple would spend the thousands of dollars necessary to educate their cheap labor in these matters?

If you have a device that can be remotely controlled by a corporation like iApple, this will always happen. iApple has no
liability what-so-ever. None. Nada. Clear? People forget that these devices are nothing more than convenience toys .
Yes, they are toys. Useful sometimes, but toys.

This will always be the case until laws like the Fair Credit Reporting Act are passed to cover things like this. But, we know
those things won't happen in the post-Bush era we live in.

The most upsetting thing about this article is that he doesn't even understand his potential loss. He's an idiot, I'm sad to say.
He mentions it himself in his article, but he doesn't even realize the danger he's placed his most precious possession in.
Here's why - He claims that they were after his twitter account - this may be true; there aren't enough facts to determine this.

Suppose they/he were after a living entity? Is anyone stupid enough to believe this can't happen? With all of the personal info
people are exposing unprotected on their devices
, a perp in a candy store would have a harder time taking a candy bar...
Tinfoil you say. It hasn't happened yet, it can - and a terrible tragedy and loss to the family that it happens to...

We're led to think this is all a game by marketing - we'll protect your life they say to us with their smugness as they take our money.
"I've got back ups - I'm protected." There are some things you can't backup. Honestly, I don't know how we've got to this point.

It's scary and sad - we're letting Corporations decide our personal safety. We're bullied into believing they have our best
interests in hand. We've accepted the lie and pay for it, too. This is absolutely insane.

I know this was a dark post; I wish people would realize the reckless stupidity they're engaged in...

CAPTCHA = conserve

i dont care about online identitys. thats small (0)

Anonymous Coward | about 2 years ago | (#40903389)

the big thing, is credit card companies identify you by knowledge that is available across good research.

which is now much cheaper then 20 years ago.

the say
hacking cost must be bigger then profit of hacking pass security costs, are not true when it comes to recovery password.

wasn't sarah palin's email account hacked that same way?

wrong (0)

Anonymous Coward | about 2 years ago | (#40903469)

Just because the question is "What's your mother's maiden name?" It doesn't preclude you answering with a 64character random hash.

You get what you pay for (1)

Novogrudok (2486718) | about 2 years ago | (#40903499)

Free (ad-supported) and cheap internet services can be very good and useful, but they have to compromise between ease of use, security and cost. You want your data to be relatively safe? Compartmentalize (with different methods of access: cloud, local disk, non-erasable storage like DVDs), distribute (home, office, bank safe), switch off access when not needed.

And use different passwords for different sites, please!

Whats that clucking I can hear? (1)

Viol8 (599362) | about 2 years ago | (#40903587)

Oh look , chickens dropping out of the Cloud and coming home to roost.

Thanks Mat Honan (0)

Anonymous Coward | about 2 years ago | (#40903769)

Thank you for sharing your sad tale of security woes.

Load More Comments
Slashdot Login

Need an Account?

Forgot your password?
or Connect with...

Don't worry, we never post anything without your permission.

Submission Text Formatting Tips

We support a small subset of HTML, namely these tags:

  • b
  • i
  • p
  • br
  • a
  • ol
  • ul
  • li
  • dl
  • dt
  • dd
  • em
  • strong
  • tt
  • blockquote
  • div
  • quote
  • ecode

"ecode" can be used for code snippets, for example:

<ecode>    while(1) { do_something(); } </ecode>