The background
Apple and Amazon have changed their password retrieval systems after Wired editor Mat Honan’s digital life was compromised. Apple has asked its support staff to stop changing user passwords over the phone, and Amazon has closed a security hole which allowed people to take control of an account if they knew someone’s name, email and home address.
Honan spent an hour and a half on the phone with Apple when he realised something was wrong: his iPhone powered down, then his computer asked for a four-digit PIN which the hackers had set to prevent him gaining access. His entire Mac was wiped, and his Twitter account hacked. One of the hackers, named Phobia, made contact with him, and Honan was then able to carry out his own mock hack. Commentators are saying that Apple and Amazon should never have allowed such a thing to happen, and that cloud computing needs a whole new level of security.
What happened to Honan
In a long piece on Wired, Honan explained how his “entire digital life was destroyed.” Hackers took over his Google account, used his Twitter account for racist and homophobic messages, and erased all the data on his iPhone, iPad and MacBook. Why? Well, first of all his “accounts were daisy-chained” – once into Amazon, they could get into Gmail. Whilst he deeply regretted what happened to him, he noted that the experience highlighted security flaws in customer service systems. For instance, Apple thinks that the 4 credit card digits which Amazon displays are secure enough to use as identification. This is a massive “disconnect.” The problem is that cloud computing needs a much better, different security system. All the hackers wanted was Honan’s Twitter account – and to get it they were prepared to delete all his personal data. Weirdly, he wasn’t upset about being hacked – he was upset about Amazon and Apple.
“even though i wasnt the one that did it i feel sorry about that. Thats alot of memories im only 19 but if my parents lost and the footage of me and pics i would be beyond sad and im sure they would be too,” [sic] wrote Phobia, one of the hackers.
Apple takes customer privacy seriously
An Apple spokesman, Natalie Kerris, quoted in The Daily Mail, said that Apple took “customer privacy seriously,” and that it required “multiple forms of verification before resetting an Apple ID password.” Apple claimed that its internal policies weren’t properly followed.
Apple and Amazon’s failure is inexcusable
Simon Sharwood on The Register said that this sort of password breaching has been going on for ages. He remembered being a consultant in Australia for a bank, which was having to deal with famous people ringing up and asking for their details – but of course, they were con artists. In fact the problems facing Amazon and Apple have “been something customer service professionals have been on top of for a decade.” Their “failure looks inexcusable.”
It’s not passwords, it’s people that are the problem
The fact is, said Andrew Couts on Digital Trends, people “are imperfect.” It’s not your password that’s the problem – it’s people. Sure, anyone still using “password” as their password gets what they deserve. But that’s not “the weakest door in the vault.” Unfortunately, “humans are so often imperfect, malicious and dumb,” and the real problem is the thing “between the seat and the keyboard.”
How to avoid being hacked
So how can you avoid such things? The Daily Mail had a list of suggestions: Don’t let any online retailer store your card information; don’t use credit cards on iTunes (use gift cards instead); turn on two-factor authentication in Gmail; and split up your Apple accounts, with one for iTunes and another for iCloud. Periscope has another suggestion: don’t use cloud computing.