How Hackers Attack – Without Your Passwords

So you’re a geek with tech and gadgets integrated into a large part of your life. And chances are that, even if you consider yourself tech-centric, you don’t consciously think much about them until something goes terribly wrong, and everything in your digital life is wiped out.

Your smartphone stops working. Turning to your computer for solutions, you realize that all of your data, which you never backed up, is completely wiped out. You head to Twitter to drop the F-bomb. Nope. Access denied. Google account. Nope. Access denied.

That’s a complete digital life meltdown. And it’s what happened to Mat Honan, a senior writer at Wired. Hackers were able to get into his most important accounts and devices — all without knowing any of his passwords. Even if he’d had the strongest passwords on Earth, it wouldn’t have mattered. The breach was enabled by the weakest link of all — humans.

More specifically, humans that are dedicated enough to dig up personal information about him, and humans working in Apple tech support who were happy to let anyone access his account by verifying two basic bits of personal information.

The Chain of Doom

The entire process can be summarized in one sentence: One thing led to another.

From Twitter, the hacker hopped to Honan’s personal website, obtained his Gmail address, and there learned about his Apple .me account. Gaining that would have enabled the hackers to reset his Gmail password, his Twitter password, and just about any account he’d registered with the Gmail address. To do that, the hackers collected Honan’s billing address and the last four digits of his credit card number.

The former was obtained by checking the whois data of Honan’s domain name. The latter was revealed by Amazon with a simple trick. Finally, the hackers placed a call to Apple’s tech support, and through them got access to Honan’s Apple account.

Having total control of Honan’s digital life, the hackers wreaked havoc by wiping out the data on his iPhone, iPad and MacBook using iCloud’s Find My Device service. His Google account was deleted, and his Twitter account was used to broadcast unpleasant messages. (Read Honan’s own revelation for more details. The link’s below.)
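To make the chain concrete, here is an added threat-modelling example (not from the original post): each recovery path is written as a rule “what the caller must already hold → what it grants”, compromise is propagated by forward chaining, and a second function finds which single rule, if hardened with an extra factor, would have cut the chain. The preconditions are simplified assumptions; the Amazon step is modelled only by its outcome.

```python
# Threat-model the "chain of doom": each account-recovery path is a rule
# {preconditions} -> asset, and compromise propagates by forward chaining.
# Constructed example; rule preconditions are simplified assumptions.
from typing import Dict, FrozenSet, Set

Rules = Dict[str, FrozenSet[str]]  # asset gained -> what the caller must already hold

CHAIN: Rules = {
    # Public records: whois on the personal domain exposed the billing address.
    "billing_address": frozenset({"domain_name"}),
    # Amazon disclosed the last four card digits (mechanism deliberately not modelled).
    "cc_last4": frozenset({"email_address", "billing_address"}),
    # Apple support reset the .me account on two facts about the victim.
    "apple_me_account": frozenset({"email_address", "billing_address", "cc_last4"}),
    # Everything downstream used the .me address as its recovery channel.
    "gmail": frozenset({"apple_me_account"}),
    "twitter": frozenset({"gmail"}),
    "icloud_remote_wipe": frozenset({"apple_me_account"}),
}

def blast_radius(known: Set[str], rules: Rules) -> Set[str]:
    """Forward-chain from what the attacker starts with until nothing new is gained."""
    reached = set(known)
    changed = True
    while changed:
        changed = False
        for asset, needs in rules.items():
            if asset not in reached and needs <= reached:
                reached.add(asset)
                changed = True
    return reached

def single_points_of_failure(known: Set[str], rules: Rules, target: str) -> Set[str]:
    """Rules whose removal alone (e.g. by requiring a second factor) keeps target unreachable."""
    cuts = set()
    for asset in rules:
        if asset == target:
            continue
        pruned = {a: n for a, n in rules.items() if a != asset}
        if target not in blast_radius(known, pruned):
            cuts.add(asset)
    return cuts

if __name__ == "__main__":
    # Starting knowledge: only what was public about the victim.
    public = {"domain_name", "email_address"}
    print(sorted(blast_radius(public, CHAIN)))
    print(sorted(single_points_of_failure(public, CHAIN, "icloud_remote_wipe")))
```

Running it shows that three rules (the whois lookup, the card-digit disclosure and the support-desk reset) were each sufficient to break the chain if hardened, while the Gmail and Twitter resets were not.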

It Could Have Been Worse

Now Honan has to painstakingly recover and reconstruct his digital life, not to mention fortify his accounts. Bad as that is, it could be so much worse.

Every year, the iPhone gets more and more capable. iCloud and services like Find My iPhone make our lives more convenient. But they’re double-edged swords. On one hand, you can track the whereabouts of your device if it’s stolen, and have a chance of even recovering it.

On the other hand, hackers that have access to your account can track your whereabouts in real-time, without you knowing it. They can do it for weeks or months to learn your routine. The implications are huge.

So is your iPhone friend or foe? While obviously the hackers get the biggest blame in this case, both Amazon and Apple should take it on the chin for the loopholes in their security systems.

Yes, it is almost impossible to build a system that’s 100 percent secure, but the companies aren’t doing their best to protect the customers. And for data as sensitive as real-time location, Apple has really no excuse. It’s time for companies to come up with better solutions — solutions that are both workable and secure.

Related Link

Comments

  1. BY David Strom says:

    Yes, and time for all of us to be more aware of this “chain of doom” and reusing common passwords, too.

  2. BY Steve says:

    Not only common passwords, there is all this insecure software built by the lowest bidder or the cheap security lax web hosting companies...

  3. BY Jason says:

    friend or for -> friend or foe
