How Apple’s Lax Security Allowed One Man’s Digital Life To Be Erased
Mat Honan writes for Wired about the pitfalls of having interconnected online accounts, and the ease with which 19-year-old hackers were able to erase his digital life (and takeover Gizmodo’s Twitter) via security oversights in Amazon and Apple’s systems.
At 5:02 p.m., they reset my Twitter password. At 5:00 they used iCloud’s “Find My” tool to remotely wipe my iPhone. At 5:01 they remotely wiped my iPad. At 5:05 they remotely wiped my MacBook. Around this same time, they deleted my Google account. At 5:10, I placed the call to AppleCare. At 5:12 the attackers posted a message to my account on Twitter taking credit for the hack….
On Monday, Wired tried to verify the hackers’ access technique by performing it on a different account. We were successful. This means, ultimately, all you need in addition to someone’s e-mail address are those two easily acquired pieces of information: a billing address and the last four digits of a credit card on file. Here’s the story of how the hackers got them….
As of Monday, both of these exploits used by the hackers were still functioning. Wired was able to duplicate them. Apple says its internal tech support processes weren’t followed, and this is how my account was compromised. However, this contradicts what AppleCare told me twice that weekend. If that is, in fact, the case — that I was the victim of Apple not following its own internal processes — then the problem is widespread….
I bought into the Apple account system originally to buy songs at 99 cents a pop, and over the years that same ID has evolved into a single point of entry that controls my phones, tablets, computers and data-driven life. With this AppleID, someone can make thousands of dollars of purchases in an instant, or do damage at a cost that you can’t put a price on.