Apple end reporter's digital life with lousy security controls

Apple are in a spot of bother after a reporter for Wired lost his digital life thanks to the company not being vigilant enough when it comes to thwarting ne'er-do-wells. What has been happening is that their support staff have been changing users' passwords over the phone.

A hacker called Apple and, as a result, Wired's Mat Honan lost control of his Google, Gmail, and Twitter accounts as well as losing his Apple ID. He was locked out of his iPhone and saw his laptop wiped.

The tech giant has now suspended all password changes over the phone while they get things sorted. Good thing too, because it seems you can change a password pretty easily.

Honan said: "It turns out, a billing address and the last four digits of a credit card number are the only two pieces of information anyone needs to get into your iCloud account. Once supplied, Apple will issue a temporary password, and that password grants access to iCloud."

"My experience leads me to believe that cloud-based systems need fundamentally different security measures. Password-based security mechanisms - which can be cracked, reset, and socially engineered - no longer suffice in the era of cloud computing."

In a statement to Wired, Apple spokesman Natalie Kerris said: "Apple takes customer privacy seriously and requires multiple forms of verification before resetting an Apple ID password. In this particular case, the customer’s data was compromised by a person who had acquired personal information about the customer. In addition, we found that our own internal policies were not followed completely. We are reviewing all of our processes for resetting account passwords to ensure our customers’ data is protected."


  • Mr M.
    Couldn't have happened to a nicer "media type".
  • Steve
    Serves him right for being a crApple customer.
  • Spencer
    And he committed digital suicide thereafter... and his digital children attended his digital funeral... and his digital soul floated up to the iClouds....
  • M4RKM
    Why did you forget the part that Amazon's security was first at fault before the hacker got the Apple password reset? Because it isn't sensational? You're turning into the Daily Mail.
  • drjacko
    @M4RKM Geez, last 4 digit code on credit card accepted as ID by Apple? Have you looked at any credit card receipt? Amazon and credit card will refund any purchases made by hackers (and if they are stupid enough track them by addresses used). Apple will do sweet FA about Honan's loss.
  • M4RKM
    Of course I've looked at a receipt, but that's not the point. The hacker contacted Amazon by phone, to add a Credit Card onto that account. All they needed was Honan's name, email address and billing address. Then they phoned back up, saying they couldn't access the account, and were able to reset the password, thanks to the use of the new credit card. (same lax security as Apple there!). Then they could access the last 4 digits of the existing card, and pass those details to Apple, to hack into that account. My point isn't that it happened, or that security isn't lax, but the fact that there is NO MENTION of the other HUGE MULTINATIONAL COMPANY WORTH BILLIONS, that was integral to this scam and not even mentioned.
  • Raggedy
    Can't agree. Has to be down to Apple. Surely they had his mobile number on record? A simple text message asking for confirmation and the hack doesn't happen.

