Last week, tech reporter Mat Honan was sitting at home, playing with his daughter, when all of a sudden he noticed something strange happening on his iPhone.
The gadget had switched off and rebooted itself. Honan didn’t take any notice of this – iPhones can sometimes reboot unexpectedly – until something even stranger occurred: it asked him for a four-digit PIN.
Honan had never used a four-digit PIN on his iPhone before.
Unbeknown to him, moments earlier a hacker had called up Apple tech support, and through a clever series of statements actually convinced the tech giant he was Mat Honan. He was able to change his iCloud password over the phone, right then and there.
After gaining access to his account, the hacker then started deleting. He wiped Honan’s iPhone, iPad and MacBook clean. He also gained access to Honan’s Google account, and changed the password on that too. Then he started tweeting via both Honan’s account and the account of his former employer – Gizmodo.
Honan’s life was completely digital. And it was destroyed.
“Had I been regularly backing up the data on my MacBook, I wouldn’t have had to worry about losing more than a year’s worth of photos, covering the entire lifespan of my daughter, or documents and emails that I had stored in no other location,” he said in a confession on Wired.
“Those security lapses are my fault, and I deeply, deeply regret them.”
But there’s a bigger question here – how did the hacker gain access to this information in the first place?
As it turns out, it’s a mystery that involves both Apple and Amazon – and exposes damning security flaws.
“What happened to me exposes vital security flaws in several customer service systems, most notably Apple’s and Amazon’s,” Honan says.
As it turns out, you don’t need much information to get access to an iCloud account by calling tech support. All you need is a billing address and the last four digits of a credit card number – Wired tried this on someone else as an experiment, and it worked.
The hackers had done some research. They knew Honan’s Twitter account linked to a personal website, where they found a Gmail address. They could then use that Gmail address to find out the alternate email address that Gmail requires for security purposes.
That email account was an @me account, provided by Apple.
All the hacker needed was a billing address, and the last four digits of a credit card number. And where did they get this information?
Amazon.
The hacker, known as “Phobia”, told Honan they called Amazon and said they wanted to add a credit card number to the account. This requires only a name, email address and billing address.
“Next you call back, and tell Amazon that you’ve lost access to your account. Upon providing a name, billing address, and the new credit card number you gave the company on the prior call, Amazon will allow you to add a new email address to the account.”
“From here, you go to the Amazon website, and send a password reset to the new email account. This allows you to see all the credit cards on file for the account – not the complete numbers, just the last four digits. But, as we know, Apple only needs those last four digits.”
From there, the rest is clear.
“And so, with my name, address, and the last four digits of my credit card number in hand, Phobia called AppleCare, and my digital life was laid waste. Yet still I was actually quite fortunate.”
Honan takes full responsibility for the hack. But this extensive piece serves as a reminder that tech companies can have holes in their systems as well.
After all, yesterday Amazon said it had found the security hole and plugged it as a result of this. And Apple put a 24-hour ban on resetting iCloud passwords over the phone until it sorted something else out.
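In threat-modeling terms, the chain above is a reachability problem over account-recovery policies: each service’s reset procedure turns some facts a caller holds into others, and the question is whether publicly available facts chain through to a target account. The following is an added illustration written for this page, not code from Wired, Apple or Amazon; the rule sets are a simplified reading of the procedures the article describes, and the “hardened” set is an assumed fix, not what either company actually changed.

```python
"""Reachability over account-recovery policies: a constructed model of the
Amazon -> Apple -> Google chain in the article, not any company's code."""

# Facts the caller starts with, per the article: name, billing address and
# the email addresses found through Honan's Twitter and personal website.
PUBLIC_FACTS = frozenset({"name", "email", "billing_address"})

# (step, facts needed to perform it, facts it yields), read from the article.
POLICIES_2012 = [
    ("amazon: add card by phone", {"name", "email", "billing_address"}, {"caller_card"}),
    ("amazon: add email by phone", {"name", "billing_address", "caller_card"}, {"amazon_login"}),
    ("amazon: view cards on file", {"amazon_login"}, {"card_last4"}),
    ("apple: iCloud reset by phone", {"name", "billing_address", "card_last4"}, {"icloud_login"}),
    ("google: reset via alternate email", {"icloud_login"}, {"gmail_login"}),
]

# Assumed hardening (not what either company announced): no phone reset at
# Apple, and changing the Amazon email needs control of the current email.
POLICIES_HARDENED = [
    ("amazon: add card by phone", {"name", "email", "billing_address"}, {"caller_card"}),
    ("amazon: add email (needs current email)", {"amazon_email_access"}, {"amazon_login"}),
    ("amazon: view cards on file", {"amazon_login"}, {"card_last4"}),
    ("google: reset via alternate email", {"icloud_login"}, {"gmail_login"}),
]


def obtainable(policies, start):
    """Forward-chain until no rule fires. Returns every fact reachable from
    `start` plus the ordered list of steps that produced them."""
    known, steps = set(start), []
    changed = True
    while changed:
        changed = False
        for name, needs, yields in policies:
            # A rule fires when its inputs are all known and it adds something new.
            if needs <= known and not yields <= known:
                known |= yields
                steps.append(name)
                changed = True
    return known, steps


def recovery_path(policies, start, target):
    """The steps by which `target` is reached from `start`, or None if the
    policy set leaves it unreachable: the property a defender wants to hold."""
    known, steps = obtainable(policies, start)
    return steps if target in known else None
```

Under the 2012 rules the five steps chain straight from public facts to the Gmail login; under the hardened rules the caller can still add a card but the last four digits, and everything downstream of them, stay out of reach.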
This isn’t just a lesson in backing up data. It’s a testament to how far hackers are willing to go to disrupt your digital life – and just because you’re not famous doesn’t mean you’re not a target.
This is an essential story for any entrepreneur using a digital service. Read it, and smarten up your online lifestyle.
The iPhone analysis Samsung doesn’t want you to see
And speaking of Apple, you may have been following the trial between it and Samsung in the United States.
Both companies are suing each other for patent infringement, with Apple claiming that Samsung copied its design of the iPhone for its own devices, including the popular Galaxy smartphones.
It’s been a fascinating trial with Apple executives already taking the stand. But yesterday a new piece of information was brought into court that places Samsung in a damning light.
This report shows a feature-by-feature analysis comparing the iPhone and the Samsung Galaxy. Not only does the report show how the iPhone is superior in many ways, it also recommends that Samsung engineers adopt these features to make Samsung’s devices more like Apple’s iconic device.
It may not be the piece of evidence that hands Apple a victory, but it’s damning nonetheless – and a revelation Samsung certainly isn’t happy about.
The new breed of security start-ups
With all the hacking in this day and age, businesses are keen to protect themselves. But in a market cornered by giants Symantec and McAfee, there have been few start-ups willing to offer anything new.
However, that may be starting to change.
This piece on The New York Times shows there are security firms managing to create a buzz – and they are doing quite well on the stock market too.
Data security company Imperva listed last year, and its shares remain about 37% above their listing price, while Splunk’s shares have risen over 65% since its listing in April.
Palo Alto Networks’ shares have also increased 26% since its July IPO.
“People are starting to realize that the billions of dollars that have been invested into traditional network security is not working for them anymore,” Ted Schlein, a partner at Kleiner Perkins Caufield & Byers, told the publication.
Last year, venture capitalists put $US935 million into tech security companies, the publication notes, nearly double the amount in 2010.
So, why the rush?
It’s a combination of factors – more sophisticated hackers require more sophisticated protection.
After all, huge companies such as RSA and Sony are becoming victims. This criminal warfare requires a new, more advanced, approach. And that means security start-ups are living it up.
“The thing about security investments is that sometimes you don’t know where you’re going to land in terms of attracting attention from the bad guys,” Venrock partner Ray Rothrock said. “Security is a growing market and it will grow forever.”