A Terrifying, Nightmarish Lesson on Security

Over the past three decades, more and more of our lives have transitioned from analog to digital. First, paper and typewriters yielded to word processors. Next, music went from albums, to cassettes, to CDs, to files on an iPod. Then our photos went from film to JPGs.

It used to be that, in the analog world, the only ways you’d really lose something were if your home was hit by a natural disaster or you were burgled.

Not anymore. Mat Honan found this out the hard way. He was hacked. Hard.

At 4:50 PM, someone got into my iCloud account, reset the password and sent the confirmation message about the reset to the trash. My password was a 7 digit alphanumeric that I didn’t use elsewhere. When I set it up, years and years ago, that seemed pretty secure at the time. But it’s not. Especially given that I’ve been using it for, well, years and years. My guess is they used brute force to get the password (see update) and then reset it to do the damage to my devices.

The backup email address on my Gmail account is that same .mac email address. At 4:52 PM, they sent a Gmail password recovery email to the .mac account. Two minutes later, an email arrived notifying me that my Google Account password had changed.

At 5:00 PM, they remote wiped my iPhone.

At 5:01 PM, they remote wiped my iPad.

At 5:05, they remote wiped my MacBook Air.

[…]

I still can’t get into Gmail. My phone and iPads are down (but are restoring). Apple tells me that the remote wipe is likely irrecoverable without serious forensics. Because I’m a jerk who doesn’t back up data, I’ve lost more than a year’s worth of photos, emails, documents, and more. And, really, who knows what else.

This is horrifying. A nightmare. As I read Mat’s post this weekend, I could feel a sense of dread creeping on me. I knew I had vulnerabilities to some of my accounts, where I had traded some security for convenience. It’s no excuse. I’m a faithful user of 1Password on all my devices. I have no excuse for not having great passwords.

Except, in this case, not even the strongest password would have helped. The hacker didn’t even try to figure out the password. They had a back door.

From Mat’s follow-up piece on Wired (emphasis mine):

But what happened to me exposes vital security flaws in several customer service systems, most notably Apple’s and Amazon’s. Apple tech support gave the hackers access to my iCloud account. Amazon tech support gave them the ability to see a piece of information — a partial credit card number — that Apple used to release information. In short, the very four digits that Amazon considers unimportant enough to display in the clear on the web are precisely the same ones that Apple considers secure enough to perform identity verification. The disconnect exposes flaws in data management policies endemic to the entire technology industry, and points to a looming nightmare as we enter the era of cloud computing and connected devices.

[…]

On Monday, Wired tried to verify the hackers’ access technique by performing it on a different account. We were successful. This means, ultimately, all you need in addition to someone’s e-mail address are those two easily acquired pieces of information: a billing address and the last four digits of a credit card on file.

If you lost your wallet, let’s say it contained your driver’s license, your credit card, and a business card with your iCloud email address. That is all someone would need to destroy your digital life.

Thankfully, Apple and Amazon have, for now, closed the loophole while they tighten security.

Here’s the thing: what happened to Mat has been going on for a while. These loopholes have existed for quite a while. Mat was just the first person to get hit that had a significant audience.

Unfortunately, that’s usually how these things are discovered.

I’d love to see Apple take Marco Arment’s advice on how to make password resets better:

And ideally, before resetting a password by phone, they’d send a forced “Find My”-style push alert to all registered devices on the account saying something like, “Apple Customer Service has received a request to reset your iCloud password. Please call 1-800-WHATEVER within 24 hours if this is unauthorized.”

Then make the person call back the next day. If you forget your password and the answers to your security questions, it’s not unreasonable to expect a bit of inconvenience.

Marco is right. If you forget how to access your account, a little inconvenience of waiting a day to get back in is okay.
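
The reset flow Marco describes above, sketched as an added example (not code from this post, from Marco, or from Apple): the request alerts every registered device, any alerted device can cancel it, and the reset is refused until 24 hours have passed. The class, method and status names are hypothetical, and refusing when no device could be alerted is an assumption of this sketch.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

HOLD = timedelta(hours=24)  # "within 24 hours" in the quoted proposal


@dataclass
class ResetRequest:
    requested_at: datetime
    notified: list                      # devices that received the push alert
    cancelled_by: Optional[str] = None


class PhoneResetDesk:
    """Hypothetical support-desk workflow; every name here is an assumption."""

    def __init__(self, devices_by_account):
        self.devices = devices_by_account
        self.pending = {}

    def open_request(self, account, now):
        # Nothing changes yet: alert all registered devices and start the clock.
        req = ResetRequest(now, list(self.devices.get(account, [])))
        self.pending[account] = req
        return req

    def report_unauthorized(self, account, device):
        # Owner's veto; only a device that was alerted may cancel.
        req = self.pending.get(account)
        if req is None or device not in req.notified:
            return False
        req.cancelled_by = device
        return True

    def complete(self, account, now):
        # The caller phones back; the reset proceeds only if every check passes.
        req = self.pending.get(account)
        if req is None:
            return "no-request"
        if not req.notified:
            return "no-device-alerted"  # assumption: fail closed, nobody could object
        if req.cancelled_by is not None:
            return "cancelled"
        if now - req.requested_at < HOLD:
            return "hold-not-elapsed"
        del self.pending[account]       # one request authorises one reset
        return "reset-allowed"
```

With a request opened at 4:50 PM, a completion attempt at 5:05 PM returns "hold-not-elapsed", so the fifteen-minute window in Mat's timeline would not have been enough to act on the reset.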


I am largely sympathetic to Mat. What he went through sucks. But I can’t get past his one blunder. He didn’t have a backup of his Mac.

How does a technology writer not keep backups? Heck, he uses a Mac. OS X has had backup built-in for 5 years. Here’s a free tip, folks: go learn about Time Machine and then use it.

For even better backup practices, go read Shawn Blanc’s backup tips.

Macworld’s Dan Moren & Lex Friedman have some security tips, as well.

As for me, I’ve disabled Find My Mac on iCloud. The Find service is more practical for devices like the iPhone and iPad, but the idea of someone being able to remote wipe my Mac gives me the willies. I keep backups, but the whole idea just doesn’t sit right with me right now. Anything on my iPhone or iPad already exists on my Mac, so I’m not worried about those devices ever being wiped.

I’ve lost some trust in Apple and Amazon. It was ridiculous how easily Amazon let someone into the account.

And Apple? Well, they deservedly bear the brunt of mistrust. Why? Because they have been asking us to trust them more and more over the years.

I created an Apple ID for the iTunes Store in 2003. Back then, it was only for music. But over the years, it has grown to house music, movies, apps, and now my email, contacts, calendars, notes, reminders, my location, and the keys to wipe my devices.

I’ve realized many of us have a lot of our eggs in one basket. A basket we trust not to tip over.

My advice? Use the basket, but don’t trust it entirely. Keep backups. Use really good passwords (and go buy 1Password for all your devices). And, since 1Password can help you fill in credit card info on a site in a couple clicks, consider not storing credit card info on the web.