
Hacking Matt Honan and the Challenge of Online Security



You know that “back of the spine” feeling you get when someone accidentally scrapes a chalkboard the wrong way? The story of the recent hack attack against Matt Honan causes the same tense, “back of the spine” anxiety. In case you haven’t read his account at Wired, here’s a quick summary in Matt’s own words:

In the space of one hour, my entire digital life was destroyed. First my Google account was taken over, then deleted. Next my Twitter account was compromised, and used as a platform to broadcast racist and homophobic messages. And worst of all, my AppleID account was broken into, and my hackers used it to remotely erase all of the data on my iPhone, iPad, and MacBook.

It all started when Matt’s iPhone suddenly powered down. He plugged the phone into the wall, and the setup screen appeared. Then he tried to restore via iCloud, but no success. Finally he connected it to the computer and tried to restore from his backup. While he was trying to initiate the backup restore, he got an iCal message that his Gmail password was wrong. Suddenly, the screen went gray and he was asked for a four digit PIN.

Matt had never created a four digit PIN. Someone had taken over his accounts, wiped the data off his equipment, and locked him out of all his accounts. Later, he would find out that what they did was so simple that anyone with the right knowledge could do it. One of the hackers eventually made contact with Matt and told him how and why he did it.

Why did Matt get attacked? Random. The hacker just liked Matt’s Twitter name and decided it would be fun to take over the account. According to Matt, the hacker said, “I honestly didn’t have any heat towards you before this. i just liked your username like I said before.” The hacker, who called himself “Phobia,” also claimed that he wanted to show how easy it is to break into online accounts and to expose flaws in the Apple and Amazon security processes. Since the attack on Matt, both Apple and Amazon have made security changes to try to prevent a repetition.

Here is a bulleted list of the key steps the hacker followed:

  • He followed the link from Matt’s Twitter page to his homepage.
  • He discovered Matt’s Gmail on his homepage.
  • The Gmail account was also the login name for the Twitter account.
  • He made an initial attempt to recover the Gmail password on Google’s account recovery page.
  • The recovery page listed Matt’s alternate email, which happened to be an Apple .me email account and Matt’s Apple ID. (Google didn’t reveal the whole email, but since Matt used the same name for most of his email accounts, the hacker could easily guess it.)
  • In order to gain access to the .me account at Apple, he had to provide Apple with an email (which he had), an address (which he easily got by doing a whois search on Matt’s domain), and the last four digits of Matt’s credit card.
  • He got the credit card number by calling Amazon Customer Service (posing as Matt) and claiming he wanted to add a credit card to the account. All he needed to verify that he was Matt was an email, address and name on account (and he already had these). Then he gave Amazon a new credit card number for the account and hung up.
  • Later he called Amazon Customer Service claiming to be Matt. He provided name, address, email and the recent credit card number he gave them earlier. Then he added a new email address to the account.
  • He went online to the Amazon password recovery page and entered the new email address. Then he logged onto the account and found the four credit card digits that Apple had requested to access the account. Amazon shows four digits of each credit card on an account. It just so happens that these are the same four digits of a credit card that Apple requires to access the account (along with the email and the address).
  • With the Apple ID, he gained access to Matt’s iCloud services, Matt’s Gmail, and finally Matt’s Twitter.

Since this attack, Amazon has closed the loophole that gave the hacker access to Matt’s account. The company is “no longer allowing Amazon customers to change account settings like email and credit card data over the phone.” [1] Apple is temporarily suspending the practice of resetting AppleID passwords for customers over the phone until a better security solution can be found. [2]
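The chain above works because each provider accepts as proof of identity something another provider hands out. As an added example (not part of the original post), this Python sketch models the listed steps as a dependency graph and computes which accounts fall starting from public facts, then re-runs it with the phone-support paths removed as Amazon and Apple did. The step and fact names are labels chosen for this illustration, and it assumes the email found on the homepage is the one on file at Amazon.

```python
from typing import NamedTuple

class Step(NamedTuple):
    name: str          # a recovery or support path described in the article
    needs: frozenset   # facts a caller must present
    grants: frozenset  # facts or access gained once the path succeeds

def S(name, needs, grants):
    return Step(name, frozenset(needs), frozenset(grants))

# Constructed model of the article's list; all names are illustrative labels.
STEPS = [
    S("google_recovery_hint", {"email_addr"}, {"me_addr"}),
    S("amazon_phone_add_card", {"name", "email_addr", "billing_addr"},
      {"card_on_file"}),
    S("amazon_phone_add_email",
      {"name", "email_addr", "billing_addr", "card_on_file"},
      {"amazon_reset_mailbox"}),
    S("amazon_web_reset", {"amazon_reset_mailbox"},
      {"amazon_account", "card_last4"}),
    S("apple_phone_reset", {"me_addr", "billing_addr", "card_last4"},
      {"apple_id"}),
    S("apple_id_login", {"apple_id"}, {"icloud_services", "me_mailbox"}),
    S("gmail_reset", {"me_mailbox"}, {"gmail_account"}),
    S("twitter_reset", {"gmail_account"}, {"twitter_account"}),
]

# Facts available from the homepage and the whois record.
PUBLIC = {"name", "email_addr", "billing_addr"}

def exposure(steps, known):
    """Fixed-point closure: fire every step whose needs are all known."""
    known, fired = set(known), []
    progress = True
    while progress:
        progress = False
        for s in steps:
            if s.name not in fired and s.needs <= known:
                known |= s.grants
                fired.append(s.name)
                progress = True
    return known, fired

def without(steps, *names):
    """Return the model with the named paths disabled (a mitigation)."""
    return [s for s in steps if s.name not in names]

if __name__ == "__main__":
    print("before:", exposure(STEPS, PUBLIC)[1])
    fixed = without(STEPS, "amazon_phone_add_card",
                    "amazon_phone_add_email", "apple_phone_reset")
    print("after: ", exposure(fixed, PUBLIC)[1])
```

Replacing the entries with your own accounts and their real recovery options shows which single recovery path, if removed or hardened, cuts the most accounts out of the reachable set.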

Matt’s nightmare raises vital questions about linking accounts online, security at various customer sites, and the dilemma of convenience vs. safety. While this was primarily a prank, the same steps could have had even more serious implications when aimed at a business and its finances. With these questions in mind, my next post will offer some thoughts on assessing security for individuals and businesses engaging online.

[1] Chloe Albanesius. “Amazon Boosts Security After Journalist Hack.” PCMag, August 7, 2012
[2] Roberto Baldwin. “Apple Confirms Suspension of Over-the-Phone Password Resets.” Wired, August 8, 2012

2012-08-14 14:26:26

Source: http://blog.integracon.com/?p=971


