After a journalist for Wired had his digital life wiped away, and his coverage on the topic exposed how their customer service and user experience policies can be exploited for malicious gain, Apple and Amazon have adopted new policies for account access.
Earlier this week, SecurityWeek reported on the story of Mat Honan, the journalist who was targeted for nothing more than lulz, and his three character Twitter account. As a by product of the attack, Gizmodo’s Twitter feed was hijacked, and Honan lost everything connected to his iCloud account – including his iPhone, iPad, and MacBook Air. But the story of how this happened is what forced two of the world’s largest companies to alter their customer experience / service policies.
Honan was hacked because the attackers were able to social engineer their way past Apple’s tech support. Using information discovered online, the attackers first targeted Amazon’s customer service practices, and pretending to be Honan, added a false credit card to his Amazon account.
They called back, and reported that they had lost access to the Amazon account in question. Providing the information on Honan that they already had, and the newly added credit card details, they were able to access Honan’s Amazon account via the Web.
Once inside Honan’s Amazon account, they took the data presented there, including the last four digits of Honan’s legitimate credit card associated with the account, and used this information to access his iCloud account via Apple. All they needed was a few bits of information, and a calm steady voice that made them convincing. Apple gladly allowed them access. From there, things went from bad to worse, but it is a case of classic social engineering. Honan detailed his experiences in this lengthy report on Wired.
“In many ways, this was all my fault,” Honan wrote in his retelling of the story.
“My accounts were daisy-chained together. Getting into Amazon let my hackers get into my Apple ID account, which helped them get into Gmail, which gave them access to Twitter… But what happened to me exposes vital security flaws in several customer service systems, most notably Apple’s and Amazon’s…”
Because of that report, Amazon said in a statement that they “can confirm that the exploit has been closed as of yesterday [Monday] afternoon.”
As such, Amazon customers can no longer use the phone to alter credit card or other account details. This, if anything, hammers in the notion that security is a trade off. Customers lost the ease of managing their account via the phone, in order to offer a slightly stronger measure of protection that may or may not prevent a similar attack in the future.
Likewise, while not offering an official statement, Apple also changed their policies. As of Tuesday morning, Apple will no longer allow Apple ID password requests made via phone, instead customers will be pointed to website – iforgot.apple.com or appleid.apple.com.