Over the weekend, Wired reporter Mat Honan detailed the terrifying story of how someone managed to hack into his iCloud account and remote wipe his iPhone, iPad and MacBook Air, deleting precious files in the process. In a follow-up piece for Wired, Honan explains exactly how the hacker managed to get into his account and destroy his “entire digital life.”
As it turns out, hackers only need a few key pieces of information to wreak havoc:
[W]hat happened to me exposes vital security flaws in several customer service systems, most notably Apple’s and Amazon’s. Apple tech support gave the hackers access to my iCloud account. Amazon tech support gave them the ability to see a piece of information — a partial credit card number — that Apple used to release information. In short, the very four digits that Amazon considers unimportant enough to display in the clear on the web are precisely the same ones that Apple considers secure enough to perform identity verification.
On top of this, Apple responded to Honan and admitted that it did screw up by noting that its “internal policies were not followed completely.” Here’s Apple’s full statement to Wired:
Apple takes customer privacy seriously and requires multiple forms of verification before resetting an Apple ID password. In this particular case, the customer’s data was compromised by a person who had acquired personal information about the customer. In addition, we found that our own internal policies were not followed completely. We are reviewing all of our processes for resetting account passwords to ensure our customers’ data is protected.