
Hacking an iCloud account

Photo: Ariel Zambelich/Wired. Illustration: Ross Patton/Wired

Mat Honan is your average tech writer. He’s a senior writer at Wired and was previously at Gizmodo. He’s a fairly ordinary guy, except that his entire digital life was recently destroyed:

In the space of one hour, my entire digital life was destroyed. First my Google account was taken over, then deleted. Next my Twitter account was compromised, and used as a platform to broadcast racist and homophobic messages. And worst of all, my AppleID account was broken into, and my hackers used it to remotely erase all of the data on my iPhone, iPad, and MacBook.

 

In many ways, this was all my fault. My accounts were daisy-chained together. Getting into Amazon let my hackers get into my Apple ID account, which helped them get into Gmail, which gave them access to Twitter. Had I used two-factor authentication for my Google account, it’s possible that none of this would have happened, because their ultimate goal was always to take over my Twitter account and wreak havoc. Lulz.

Worst of all, it doesn’t even seem that difficult to do:

It turns out, a billing address and the last four digits of a credit card number are the only two pieces of information anyone needs to get into your iCloud account. Once supplied, Apple will issue a temporary password, and that password grants access to iCloud.

Working out Mat’s .Me email address was pretty simple:

My Twitter account linked to my personal website, where they found my Gmail address. Guessing that this was also the e-mail address I used for Twitter, the hacker went to Google’s account recovery page. He didn’t even have to actually attempt a recovery. This was just a recon mission. Because I didn’t have Google’s two-factor authentication turned on, when the hacker entered my Gmail address, he could view the alternate e-mail I had set up for account recovery. Google partially obscures that information, starring out many characters, but there were enough characters available, m••••n@me.com. Jackpot.

To get the last four digits of Mat’s credit card, all the hackers needed was a phone call to Amazon:

First you call Amazon and tell them you are the account holder, and want to add a credit card number to the account. All you need is the name on the account, an associated e-mail address, and the billing address. Amazon then allows you to input a new credit card. Then you hang up. Next you call back, and tell Amazon that you’ve lost access to your account. Upon providing a name, billing address, and the new credit card number you gave the company on the prior call, Amazon will allow you to add a new e-mail address to the account. From here, you go to the Amazon website, and send a password reset to the new e-mail account. This allows you to see all the credit cards on file for the account — not the complete numbers, just the last four digits. But, as we know, Apple only needs those last four digits.

Pretty evil, pretty genius. The solution is to turn on two-factor authentication on your Google account to counter this at entry point number one. Scary stuff, but really interesting. Hopefully Mat will get his data back, but backup, backup, backup.

Source (Wired)

 
