A targeted attack will be successful no matter how well you guard your privacy.
That is a conclusion Wired technology writer Mat Honan could easily conclude as he found out how attackers broke into his iCloud account and remotely wiped his iPhone, iPad and MacBook.
In a Wired story, Honan gave a cautionary tale on how the attackers used flaws in Amazon’s and Apple’s customer service lines to expose his iCloud password. iCloud customer support requires a user’s residential address and the last four digits of the registered credit card to generate a new password.
The hackers got Honan’s residential address from whois records for a personal domain he had registered. The last four digits of the credit card came via Amazon. The technique involves first contacting Amazon and saying you are Honan and you want to add a credit card to an Amazon account. They gave the false credit card details and the hackers then hung up.
The hackers then called Amazon again, this time saying the system locked them out of their account and they needed to add a new email address to the account, presenting the newly added bogus credit card details as identification verification. This gave the attackers access to the Amazon account, but as Amazon users know the site does not show full credit card numbers, only the last four digits. It was those last four digits that Apple customer service used to verify the identity of an iCloud user and so, using this, they took over the account.
The last four digits of a credit card account usually are on receipts, although you cannot obtain them remotely as you can an Amazon account.
Once breached, Honan said the attackers quickly trashed the password reset email messages from the services and within forty minutes of the call to Apple they had reset his Twitter password, posted a claim to the hack on his Twitter account, deleted his Google account and sent wipe commands to Honan’s iPhone, iPad and MacBook. The hackers have since been in contact saying they were only attempting to “grab” his three character Twitter id and the account deletions and device wiping were collateral damage.
Apple said it made a mistake when resetting the password, and they did not completely follow protocols in this case.