2nd factor: the story of mat honan
DESCRIPTION
The story of digital journalist Mat Honan, and how his nightmare could have been prevented with one simple security control.TRANSCRIPT
Joel CardellaIT SECURITY
MAT HONAN’S RIDE THROUGH HELL
ABOUT.ME/MATHONAN
“I realized something was wrong at about 5 p.m. on Friday. I was playing with my daughter when my iPhone suddenly powered down. I was expecting a call, so I went to plug it back in.”
“It then rebooted to the setup screen. This was irritating, but I wasn’t concerned. I assumed it was a software glitch. And, my phone automatically backs up every night. I just assumed it would be a pain in the ass, and nothing more. I entered my iCloud login to restore, and it wasn’t accepted. Again, I was irritated, but not alarmed. ”
THE SYMPTOMS APPEAR
“I went to connect the iPhone to my computer and restore from that backup — which I had just happened to do the other day. When I opened my laptop, an iCal message popped up telling me that my Gmail account information was wrong. Then the screen went gray, and asked for a four-digit PIN.”
“I didn’t have a four-digit PIN.”
“By now, I knew something was very, very wrong. For the fi rst time it occurred to me that I was being hacked. Unsure of exactly what was happening, I unplugged my router and cable modem, turned off the Mac Mini we use as an entertainment center, grabbed my wife’s phone, and called AppleCare, the company’s tech support service, and spoke with a rep for the next hour and a half.”
FROM BAD TO WORSE
His fi rst call was to AppleCare – but according to them it was not his fi rst time calling!
Someone had called at 4:33 claiming to be Mat, saying he could not get to his Me.Com email
In response, Apple issued a temporary password. It did this despite the caller’s inability to answer security questions Mat had set up. And it did this after the hacker supplied only two pieces of information that anyone with an internet connection and a phone can discover.
WHITHER GOES MAT?
It turns out, a billing address and the last four digits of a credit card number are the only two pieces of information anyone needs to get into your iCloud account. Once supplied, Apple will issue a temporary password, and that password grants access to iCloud.
Once someone has access to iCloud, they have access to your AppleID
A hacker, going by the name Phobia, was able to track down this information easily
WHAT HAD HAPPENED
“After coming across my account, the hackers did some background research. My Twitter account linked to my personal website, where they found my Gmail address. Guessing that this was also the e-mail address I used for Twitter, Phobia went to Google’s account recovery page. He didn’t even have to actually attempt a recovery. This was just a recon mission.
Phobia could view the alternate e-mail Mat had set up for account recovery. Google partially obscures that information, starring out many characters, but there were enough characters available, m••••[email protected]. Jackpot.
This was how the hack progressed. If I had some other account aside from an Apple e-mail address, or had used two-factor authentication for Gmail, everything would have stopped here.
But using that Apple-run me.com e-mail account as a backup told the hacker I had an AppleID account, which meant I was vulnerable to being hacked.”
THE HACK
All you need to access someone’s AppleID is the associated e-mail address, a credit card number, the billing address, and the last four digits of a credit card on file
Phobia had gone to Google and requested a password recovery
Google had shown him that it was using a @me.com email
Phobia knows Mat has an AppleID and now needs access
So Phobia knew part of the email address – how did he get the other pieces?
IT’S ALL YOU NEED!
He got the billing address by doing a whois search on Mat’s personal web domain. If someone doesn’t have a domain, you can also look up his or her information on Spokeo, WhitePages, and PeopleSmart.
First you call Amazon and tell them you are the account holder, and want to add a credit card number to the account.
All you need is the name on the account, an associated e-mail address, and the billing address.
Amazon then allows you to input a new credit card. (Wired used a bogus credit card number from a website that generates fake card numbers that conform with the industry’s published self-check algorithm.) Then you hang up.
AMAZIN AMAZON
Next you call back, and tell Amazon that you’ve lost access to your account.
Upon providing a name, billing address, and the new credit card number you gave the company on the prior call, Amazon will allow you to add a new e-mail address to the account.
From here, you go to the Amazon website, and send a password reset to the new e-mail account. This allows you to see all the credit cards on fi le for the account — not the complete numbers, just the last four digits.
But, as we know, Apple only needs those last four digits!
MORE DATA THAN YOU CAN EAT
Any waiter or waitress in a restaurant where you paid for your meal
Any cashier at any store who took your credit card as payment
Any 16-year old kid working anywhere that accepts credit cards, with enough sense to memorize 4 digits and a last name – especially an easy one
So Phobia calls AppleCare and gives them his name “Mat Honan”
His billing address Found using internet search tools
Last 4 of the credit card Found from the email from Amazon
And now Apple resets Mat’s iCloud account, giving Phobia access
WHO ELSE HAS THE LAST 4 OF YOUR CREDIT CARD?
Phobia accesses Mat’s account, gets access to his @me.com password- then a race ensues 4:50 p.m., a password reset confirmation arrived in my
@me.com inbox. They then were able to follow the link in that e-mail to permanently reset my AppleID password.
4:52 p.m., a Gmail password recovery e-mail arrived in my me.com mailbox. Two minutes later, another e-mail arrived notifying me that my Google account password had changed.
5:00 they used iCloud’s “Find My” tool to remotely wipe my iPhone.
5:02 p.m., they reset my Twitter password. 5:05 they remotely wiped my MacBook. Around this same time,
they deleted my Google account. 5:10, I placed the call to AppleCare. 5:12 the attackers posted a message to my account on Twitter
taking credit for the hack.
PWNED
DONE AND DONE
Mat says:
They could have used my e-mail accounts to gain access to my online banking, or financial services.
They could have used them to contact other people, and socially engineer them as well.
As Ed Bott pointed out on TWiT.tv, my years as a technology journalist have put some very influential people in my address book. They could have been victimized too.
COULDA BEEN WORSE!
Why did it happen?What was the reason he got hacked, his personal info
erased, moments from his life gone forever?What was the reason?
He had a 3 character Twitter user name, and they thought it was cool and wanted it
WHY?
Mat was able to get some data backHe sent his machine to a fi rm called DriveSavers, who
have custom hardware and software which can recover data from hard drives (even SSDs)
They recovered about 75% of the data, including most of his digital pictures
The cost: $1,690
HE GOT SOME DATA BACK
2 factor authentication means you need 2 things to prove who you are Something you know [a password] Something you have [a cell phone]
If Mat had enabled Google’s 2nd factor authentication, this would not have happened
Duo Security makes a product which can be used for free – you can get SMS, iPhone push, phone call, software token generation
2 FACTOR AUTHENTICATION