on Mat Honan's "hacked" AppleID

So, Mat Honan had his AppleID account hacked (or "hacked"), and the attacker then nuked his devices using the "remote wipe" feature. Some scary stuff. He says he lost a year's worth of photos, and a bunch of other stuff.

Turns out, this wasn't a technical hack, but a social one. The attacker simply called Apple Support, claimed to be Mat, and provided the Super Secure Information That Only The Real Account Owner Could Possibly Have: his address and phone number.

My AppleID account is basically the second highest risk online service account that I have, after my online banking account. Yes, AppleID is used for email. So what? But, it's also used for Remote Wipe. Backups. iTunes - wanna buy a bunch of stuff on my account? That's how you'd do it.

Scary stuff. And I hope Apple gets their stuff together. The best technical security is absolutely worthless if someone can just phone someone in a call center and convince them to reset a password based on info that is usually available to the general public.

Mat's social hacking was a well executed, directed attack. Anyone could have been just as susceptible, given a motivated attacker. The technical security blocks brute force attacks, but not a clever attacker that is able to use the policies of the service provider to have the keys to your account handed over to them.

And, yet another reminder to back up your stuff. There's no reason for a renegade remote wipe to cause you to lose more than a few days' worth of photos, and some inconvenience.
