comsc US Politics | AMERICAblog News: How one guy got seriously hacked, and Apple blew it
Join Email List | About us | AMERICAblog Gay
Elections | Economic Crisis | Jobs | TSA | Limbaugh | Fun Stuff

How one guy got seriously hacked, and Apple blew it

| Reddit | Tumblr | Digg | FARK

Horrific story on WIRED.
In the space of one hour, my entire digital life was destroyed. First my Google account was taken over, then deleted. Next my Twitter account was compromised, and used as a platform to broadcast racist and homophobic messages. And worst of all, my AppleID account was broken into, and my hackers used it to remotely erase all of the data on my iPhone, iPad, and MacBook.

In many ways, this was all my fault. My accounts were daisy-chained together. Getting into Amazon let my hackers get into my Apple ID account, which helped them get into Gmail, which gave them access to Twitter. Had I used two-factor authentication for my Google account, it’s possible that none of this would have happened, because their ultimate goal was always to take over my Twitter account and wreak havoc. Lulz.

Had I been regularly backing up the data on my MacBook, I wouldn’t have had to worry about losing more than a year’s worth of photos, covering the entire lifespan of my daughter, or documents and e-mails that I had stored in no other location.
I didn't even know that you could link those various accounts. Jesus, read this part about how they hacked Amazon:
Getting a credit card number is tricker, but it also relies on taking advantage of a company’s back-end systems. Phobia says that a partner performed this part of the hack, but described the technique to us, which we were able to verify via our own tech support phone calls. It’s remarkably easy — so easy that Wired was able to duplicate the exploit twice in minutes.

First you call Amazon and tell them you are the account holder, and want to add a credit card number to the account. All you need is the name on the account, an associated e-mail address, and the billing address. Amazon then allows you to input a new credit card. (Wired used a bogus credit card number from a website that generates fake card numbers that conform with the industry’s published self-check algorithm.) Then you hang up.

Next you call back, and tell Amazon that you’ve lost access to your account. Upon providing a name, billing address, and the new credit card number you gave the company on the prior call, Amazon will allow you to add a new e-mail address to the account. From here, you go to the Amazon website, and send a password reset to the new e-mail account. This allows you to see all the credit cards on file for the account — not the complete numbers, just the last four digits. But, as we know, Apple only needs those last four digits. We asked Amazon to comment on its security policy, but didn’t have anything to share by press time.
One thing I don't like about the article is that the writer assumes you know what he's talking about when he writes of "daisy chaining" two accounts together. I'm not entirely sure whether he means using the same "id" for both accounts, or literally is there some way to link the two accounts? Or what "two-factor authentication for Gmail" is. Okay I looked up two factor verification, I know what it is - it's a pain in the ass. Keeps phoning you when you want to log in to gmail or Blogger. Seriously annoying "fix."

blog comments powered by Disqus