SecurityWeek

Amazon and Apple Change Policies After Journalist is Attacked

After a Wired journalist had his digital life wiped out, and his coverage of the attack exposed how Apple's and Amazon's customer service and account-recovery policies could be exploited, both companies have adopted new policies for account access.

Earlier this week, SecurityWeek reported on the story of Mat Honan, the journalist who was targeted for nothing more than lulz and his three-character Twitter handle. As a by-product of the attack, Gizmodo's Twitter feed was hijacked, and Honan lost everything connected to his iCloud account – including the contents of his iPhone, iPad, and MacBook Air. But the story of how this happened is what forced two of the world's largest companies to alter their customer experience and service policies.

Honan was hacked because the attackers were able to social engineer their way past Apple's tech support. Using information discovered online, the attackers first targeted Amazon's customer service practices and, pretending to be Honan, added a bogus credit card number to his Amazon account.

They then called back and reported that they had lost access to the Amazon account in question. By providing the information on Honan that they already had, plus the credit card details they had just added, they were able to gain access to Honan's Amazon account via the Web.

Once inside Honan's Amazon account, they took the data presented there, including the last four digits of Honan's legitimate credit card associated with the account, and used this information to gain access to his iCloud account through Apple. All they needed were a few bits of information and a calm, steady voice that made them convincing. Apple gladly allowed them access. From there, things went from bad to worse, but it is a case of classic social engineering: each service treated data that an attacker could either look up or inject into the account as proof of ownership. Honan detailed his experiences in a lengthy report on Wired.

“In many ways, this was all my fault,” Honan wrote in his retelling of the story.

“My accounts were daisy-chained together. Getting into Amazon let my hackers get into my Apple ID account, which helped them get into Gmail, which gave them access to Twitter… But what happened to me exposes vital security flaws in several customer service systems, most notably Apple’s and Amazon’s…”

Following that report, Amazon said in a statement that it "can confirm that the exploit has been closed as of yesterday [Monday] afternoon."

As such, Amazon customers can no longer use the phone to alter credit card or other account details. This, if anything, hammers in the notion that security is a trade-off. Customers lost the ease of managing their account over the phone in order to gain a modest measure of protection: a caller can no longer inject a card number into the account and then cite that same number as proof of ownership. Whether that alone prevents a similar attack in the future remains to be seen.

Likewise, while not offering an official statement, Apple also changed its policies. As of Tuesday morning, Apple no longer handles Apple ID password reset requests made over the phone; instead, customers are pointed to the website – iforgot.apple.com or appleid.apple.com.
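The daisy-chained recovery attack described above, and the two policy changes that close it, modelled as a small Python example added here. This is not code from SecurityWeek, Wired, Amazon or Apple and does not reflect either company's real systems: the account data, card digits and recovery code are constructed, and the two policy switches (`accept_phone_added_cards`, `phone_reset_enabled`) are assumptions that stand in for the changes the article reports. The point it demonstrates is a general one for anyone designing an account-recovery flow: a verification factor the claimant could have written into the account themselves, or read out of another account, is not evidence of ownership.

```python
"""Toy model of a daisy-chained account-recovery attack (constructed example).

Retailer  ~ a retailer whose phone support adds cards and restores access.
CloudProvider ~ a provider whose phone support resets passwords given a billing
address and the last four digits of a card.  Neither mirrors a real system.
"""
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample data: what an attacker can discover from public sources.
PUBLIC_INFO = {"name": "Target Person",
               "email": "target@example.com",
               "address": "1 Example Street"}


@dataclass
class Card:
    last4: str
    added_via_phone: bool   # True if a caller added it over the phone


@dataclass
class RetailerAccount:
    name: str
    email: str
    address: str
    cards: List[Card] = field(default_factory=list)


@dataclass
class CloudAccount:
    email: str
    billing_address: str
    billing_last4: str      # last four digits of the owner's real card
    recovery_code: str      # secret delivered out of band to the owner only


class Retailer:
    def __init__(self, acct: RetailerAccount, accept_phone_added_cards: bool):
        self.acct = acct
        # Assumed policy switch: whether a phone-added card counts as proof of ownership.
        self.accept_phone_added_cards = accept_phone_added_cards

    def _identity_matches(self, name: str, email: str, address: str) -> bool:
        # The whole "identity" check is satisfied by publicly discoverable data.
        return (name, email, address) == (self.acct.name, self.acct.email, self.acct.address)

    def phone_add_card(self, name: str, email: str, address: str, last4: str) -> bool:
        if not self._identity_matches(name, email, address):
            return False
        self.acct.cards.append(Card(last4, added_via_phone=True))
        return True

    def phone_claim_account(self, name: str, email: str, address: str,
                            last4: str) -> Optional[RetailerAccount]:
        """Caller cites a card on file as proof of ownership; returns the account on success."""
        if not self._identity_matches(name, email, address):
            return None
        for card in self.acct.cards:
            if card.last4 != last4:
                continue
            # Hardened policy: a card the caller could have injected is not evidence.
            if card.added_via_phone and not self.accept_phone_added_cards:
                continue
            return self.acct
        return None


class CloudProvider:
    def __init__(self, acct: CloudAccount, phone_reset_enabled: bool):
        self.acct = acct
        self.phone_reset_enabled = phone_reset_enabled   # assumed policy switch

    def phone_reset_password(self, email: str, billing_address: str, last4: str) -> bool:
        if not self.phone_reset_enabled:
            return False   # hardened: phone support no longer resets passwords
        return (email, billing_address, last4) == (
            self.acct.email, self.acct.billing_address, self.acct.billing_last4)

    def web_reset_password(self, email: str, recovery_code: str) -> bool:
        # The web flow needs a secret the attacker never sees in either account.
        return email == self.acct.email and recovery_code == self.acct.recovery_code


def _fresh_accounts():
    retailer_acct = RetailerAccount(**PUBLIC_INFO, cards=[Card("4242", added_via_phone=False)])
    cloud_acct = CloudAccount(email=PUBLIC_INFO["email"], billing_address=PUBLIC_INFO["address"],
                              billing_last4="4242", recovery_code="owner-only-secret")
    return retailer_acct, cloud_acct


def run_attack(accept_phone_added_cards: bool, phone_reset_enabled: bool) -> bool:
    """True if an attacker holding only PUBLIC_INFO ends up resetting the cloud password."""
    retailer_acct, cloud_acct = _fresh_accounts()
    retailer = Retailer(retailer_acct, accept_phone_added_cards)
    cloud = CloudProvider(cloud_acct, phone_reset_enabled)

    bogus_last4 = "9999"                                   # a card the attacker controls
    if not retailer.phone_add_card(**PUBLIC_INFO, last4=bogus_last4):   # call 1: inject it
        return False
    view = retailer.phone_claim_account(**PUBLIC_INFO, last4=bogus_last4)  # call 2: cite it
    if view is None:
        return False
    real_last4 = next(c.last4 for c in view.cards if not c.added_via_phone)  # read real card
    return cloud.phone_reset_password(PUBLIC_INFO["email"], PUBLIC_INFO["address"], real_last4)


def owner_recovers_via_web() -> bool:
    """The legitimate owner still gets in under the hardened policy, via the web flow."""
    _, cloud_acct = _fresh_accounts()
    cloud = CloudProvider(cloud_acct, phone_reset_enabled=False)
    return cloud.web_reset_password(cloud_acct.email, cloud_acct.recovery_code)


if __name__ == "__main__":
    print("original policies, attacker succeeds:", run_attack(True, True))
    print("retailer rejects phone-added cards:  ", run_attack(False, True))
    print("cloud disables phone resets:         ", run_attack(True, False))
    print("owner via web flow:                  ", owner_recovers_via_web())
```

Either policy change alone breaks the chain in this model: refusing to treat a phone-added card as proof of ownership stops step two, and refusing phone password resets stops step four. Both are still weak if the factor checked on the web flow is something the attacker can obtain elsewhere, which is why the model's web reset relies on a secret delivered out of band rather than on billing data.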
