Hacker convinces Apple support to change user password allowing access.
We all want to believe that our online accounts are safe and as long as we put up good passwords, we can reasonably be protected. That works on the assumption that things are secure on the front end to stop hackers from attempting to figure out our passwords and account names. And for the most part, we are protected. The whole idea seems to run into trouble when hackers are able to gain access through the back end. This is the case when they are able to hack into a server which opens doors to other information. But we so often forget about the human element in our security. And that is exactly what broke down at Apple when they provided a password to a hacker pretending to be someone else.
This incident at Apple points out the need for companies to protect themselves against social engineering, in which an attacker convinces a support person to give them access to someone else's account. It is being reported by Forbes, PC World, Gizmodo and many others. It is making the rounds because a company that has been considered secure and secretive opened the door to unauthorized access to an account.
As is being reported, the iCloud account of Mat Honan was accessed after Apple gave the hacker the ability to change the password. This has been documented on Mat's blog, where he describes what happened. At the end of the post, he says that Apple tech support has admitted to giving the hacker access to his iCloud account. The hacker has actually contacted him to let him know what he was able to do. With these two pieces of information, he is convinced that Apple tech support succumbed to social engineering on the part of the hacker. In reality, this should never have happened, because Apple did not require the hacker to pass both levels of authentication. They did not obtain any other information to confirm that the person on the phone was in fact Mat Honan. This is a huge breakdown in how security is handled.
We noticed that there was a problem with the @Gizmodo account in Twitter when we started seeing posts which in a lot of cases were inflammatory in nature. We wondered whether Gizmodo had been hacked at the time. And they were, but it was only a single account which was compromised. They were able to determine that fairly quickly and had Twitter block the account. But for Mat, the consequences of the hack were far worse.
The hacker wiped his iPhone, iPad and MacBook Air, which presented some big problems for him. He was backing up everything to iCloud, which he could not get into in order to recover from the wipes. They got into his Google account as well, making things very problematic for him. At this point, his ability to recover all the data is not looking good. He had done everything that he should have done to set things up with the appropriate security. He had relied on Apple and their iCloud service to protect his data. Those are the things that we all would consider and do. There is not much more any of us could have done.
We are all vulnerable to this kind of hacking effort. If you keep everything in a single location, such as with Apple, you could be subject to the same kind of situation as Mat. Apple wants you to have them back up all your Apple devices to iCloud. If someone can gain access to that account, all of your information is now open to a hacker. In light of this security lapse by Apple, do we all now need to reconsider how we back up our information? Should we have one automated backup, such as iCloud, and another that is a manual process we initiate ourselves to a different provider that cannot be reached through the same compromised account? The answer to that is probably yes, given what has happened to Mat Honan.
It is time to reevaluate our backup strategies.