Joel CardellaIT SECURITY

MAT HONAN’S RIDE THROUGH HELL

ABOUT.ME/MATHONAN

“I realized something was wrong at about 5 p.m. on Friday. I was playing with my daughter when my iPhone suddenly powered down. I was expecting a call, so I went to plug it back in.”

“It then rebooted to the setup screen. This was irritating, but I wasn’t concerned. I assumed it was a software glitch. And, my phone automatically backs up every night. I just assumed it would be a pain in the ass, and nothing more. I entered my iCloud login to restore, and it wasn’t accepted. Again, I was irritated, but not alarmed. ”

THE SYMPTOMS APPEAR

“I went to connect the iPhone to my computer and restore from that backup — which I had just happened to do the other day. When I opened my laptop, an iCal message popped up telling me that my Gmail account information was wrong. Then the screen went gray, and asked for a four-digit PIN.”

“I didn’t have a four-digit PIN.”

“By now, I knew something was very, very wrong. For the fi rst time it occurred to me that I was being hacked. Unsure of exactly what was happening, I unplugged my router and cable modem, turned off the Mac Mini we use as an entertainment center, grabbed my wife’s phone, and called AppleCare, the company’s tech support service, and spoke with a rep for the next hour and a half.”

FROM BAD TO WORSE

His fi rst call was to AppleCare – but according to them it was not his fi rst time calling!

Someone had called at 4:33 claiming to be Mat, saying he could not get to his Me.Com email

In response, Apple issued a temporary password. It did this despite the caller’s inability to answer security questions Mat had set up. And it did this after the hacker supplied only two pieces of information that anyone with an internet connection and a phone can discover.

WHITHER GOES MAT?

It turns out, a billing address and the last four digits of a credit card number are the only two pieces of information anyone needs to get into your iCloud account. Once supplied, Apple will issue a temporary password, and that password grants access to iCloud.

Once someone has access to iCloud, they have access to your AppleID

A hacker, going by the name Phobia, was able to track down this information easily

WHAT HAD HAPPENED

“After coming across my account, the hackers did some background research. My Twitter account linked to my personal website, where they found my Gmail address. Guessing that this was also the e-mail address I used for Twitter, Phobia went to Google’s account recovery page. He didn’t even have to actually attempt a recovery. This was just a recon mission.

Phobia could view the alternate e-mail Mat had set up for account recovery. Google partially obscures that information, starring out many characters, but there were enough characters available, m••••n@me.com. Jackpot.

This was how the hack progressed. If I had some other account aside from an Apple e-mail address, or had used two-factor authentication for Gmail, everything would have stopped here.

But using that Apple-run me.com e-mail account as a backup told the hacker I had an AppleID account, which meant I was vulnerable to being hacked.”

THE HACK

All you need to access someone’s AppleID is the associated e-mail address, a credit card number, the billing address, and the last four digits of a credit card on file

Phobia had gone to Google and requested a password recovery

Google had shown him that it was using a @me.com email

Phobia knows Mat has an AppleID and now needs access

So Phobia knew part of the email address – how did he get the other pieces?

IT’S ALL YOU NEED!

He got the billing address by doing a whois search on Mat’s personal web domain. If someone doesn’t have a domain, you can also look up his or her information on Spokeo, WhitePages, and PeopleSmart.

First you call Amazon and tell them you are the account holder, and want to add a credit card number to the account.

All you need is the name on the account, an associated e-mail address, and the billing address.

Amazon then allows you to input a new credit card. (Wired used a bogus credit card number from a website that generates fake card numbers that conform with the industry’s published self-check algorithm.) Then you hang up.

AMAZIN AMAZON

Next you call back, and tell Amazon that you’ve lost access to your account.

Upon providing a name, billing address, and the new credit card number you gave the company on the prior call, Amazon will allow you to add a new e-mail address to the account.

From here, you go to the Amazon website, and send a password reset to the new e-mail account. This allows you to see all the credit cards on fi le for the account — not the complete numbers, just the last four digits.

But, as we know, Apple only needs those last four digits!

MORE DATA THAN YOU CAN EAT

Any waiter or waitress in a restaurant where you paid for your meal

Any cashier at any store who took your credit card as payment

Any 16-year old kid working anywhere that accepts credit cards, with enough sense to memorize 4 digits and a last name – especially an easy one

So Phobia calls AppleCare and gives them his name “Mat Honan”

His billing address Found using internet search tools

Last 4 of the credit card Found from the email from Amazon

And now Apple resets Mat’s iCloud account, giving Phobia access

WHO ELSE HAS THE LAST 4 OF YOUR CREDIT CARD?

Phobia accesses Mat’s account, gets access to his @me.com password- then a race ensues 4:50 p.m., a password reset confirmation arrived in my

@me.com inbox. They then were able to follow the link in that e-mail to permanently reset my AppleID password.

4:52 p.m., a Gmail password recovery e-mail arrived in my me.com mailbox. Two minutes later, another e-mail arrived notifying me that my Google account password had changed. 

5:00 they used iCloud’s “Find My” tool to remotely wipe my iPhone.

5:02 p.m., they reset my Twitter password. 5:05 they remotely wiped my MacBook. Around this same time,

they deleted my Google account. 5:10, I placed the call to AppleCare. 5:12 the attackers posted a message to my account on Twitter

 taking credit for the hack.

PWNED

DONE AND DONE

Mat says:

They could have used my e-mail accounts to gain access to my online banking, or financial services.

They could have used them to contact other people, and socially engineer them as well.

As Ed Bott pointed out on TWiT.tv, my years as a technology journalist have put some very influential people in my address book. They could have been victimized too.

COULDA BEEN WORSE!

Why did it happen?What was the reason he got hacked, his personal info

erased, moments from his life gone forever?What was the reason?

He had a 3 character Twitter user name, and they thought it was cool and wanted it

WHY?

Mat was able to get some data backHe sent his machine to a fi rm called DriveSavers, who

have custom hardware and software which can recover data from hard drives (even SSDs)

They recovered about 75% of the data, including most of his digital pictures

The cost: $1,690

HE GOT SOME DATA BACK

2 factor authentication means you need 2 things to prove who you are Something you know [a password] Something you have [a cell phone]

If Mat had enabled Google’s 2nd factor authentication, this would not have happened

Duo Security makes a product which can be used for free – you can get SMS, iPhone push, phone call, software token generation

2 FACTOR AUTHENTICATION