Apple and Amazon review security after hack

Apple and Amazon are overhauling their security procedures after hackers were able to trick call centre staff into handing over passwords that allowed them to destroy a journalist's "entire digital life".


Apple has suspended a policy that meant users could reset their Apple ID password over the phone in exchange for relatively easy-to-obtain personal details: the email address, billing address and the last four digits of the credit card number associated with the account.

Hackers exploited the system to gain full control of Wired journalist Mat Honan's iCloud account and wipe his iPhone, iPad and Mac, including precious photographs of his young daughter that he had not backed up.

They obtained the last four digits of his credit card number from Amazon, which has also tightened its procedures following the high-profile incident.

Amazon's call centre allowed customers to call in to change their password as long as they could identify themselves with their name, email address and mailing address. Once the hackers had gained control of Mr Honan's Amazon account, they were able to view the last four digits of his credit card number, which Apple required to give them control of his Apple ID.

"Apple tech support gave the hackers access to my iCloud account. Amazon tech support gave them the ability to see a piece of information - a partial credit card number - that Apple used to release information," said Mr Honan in a detailed account of the online identity theft, which took place on Friday.

"In short, the very four digits that Amazon considers unimportant enough to display in the clear on the web are precisely the same ones that Apple considers secure enough to perform identity verification," he added in criticism of the two firms' security procedures.
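The cross-service weakness Mr Honan describes can be checked mechanically. The Python below is an added example, not code from the article or from either company: it treats each phone-reset policy as the facts it demands plus the facts a controlled account then reveals, and computes which accounts become reachable from easily obtained details. Service and fact names follow the article; treating Amazon's "mailing address" and Apple's "billing address" as a single fact is an assumption of the model.

```python
from typing import Dict, Set, Tuple

Policy = Dict[str, Set[str]]

# Phone-reset policies as the article describes them, before the changes.
# Amazon's "mailing address" and Apple's "billing address" are modelled as one
# fact, "address", because they were the same address here (an assumption).
PHONE_RESET_POLICIES: Dict[str, Policy] = {
    "amazon":   {"requires": {"name", "email", "address"}, "discloses": {"card_last4"}},
    "apple_id": {"requires": {"email", "address", "card_last4"}, "discloses": {"icloud_data"}},
}
# Facts the article calls "relatively easy-to-obtain".
PUBLIC_FACTS: Set[str] = {"name", "email", "address"}


def reachable(policies: Dict[str, Policy], known: Set[str]) -> Tuple[Set[str], Set[str]]:
    """Return (accounts, facts) reachable from the `known` facts.

    An account falls once every fact its policy requires is known; owning it
    adds whatever it discloses. Iterate to a fixpoint so facts learned from one
    account can satisfy another's policy (Amazon -> card_last4 -> Apple ID).
    """
    known, owned, changed = set(known), set(), True
    while changed:
        changed = False
        for name, pol in policies.items():
            if name not in owned and pol["requires"] <= known:
                owned.add(name)
                known |= pol["discloses"]
                changed = True
    return owned, known


def hollow_factors(policies: Dict[str, Policy], public: Set[str]) -> Dict[str, Set[str]]:
    """Per policy: required facts that are public or shown by a reachable
    account, and so verify nothing about the caller."""
    _, learnable = reachable(policies, public)
    return {name: pol["requires"] & learnable for name, pol in policies.items()}


def disable_phone_reset(policies: Dict[str, Policy], service: str) -> Dict[str, Policy]:
    """Model the remediation both firms applied: no account changes by phone."""
    return {k: v for k, v in policies.items() if k != service}


if __name__ == "__main__":
    print(sorted(reachable(PHONE_RESET_POLICIES, PUBLIC_FACTS)[0]))      # amazon, apple_id
    print(hollow_factors(PHONE_RESET_POLICIES, PUBLIC_FACTS)["apple_id"])  # all three factors
    fixed = disable_phone_reset(PHONE_RESET_POLICIES, "amazon")
    print(sorted(reachable(fixed, PUBLIC_FACTS)[0]))                     # []
```

Removing either phone-reset path breaks the chain, which is what both firms' interim changes amount to; the `hollow_factors` result for Apple is exactly the point of the quote above: every factor it demanded was either public or displayed by another reachable account.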

Amazon has now banned callers from making changes to account settings, Wired reported based on conversations with call centre staff. The firm has not officially commented on the changes.

Apple admitted its staff had granted hackers control of Mr Honan's Apple ID.

"In this particular case, the customer's data was compromised by a person who had acquired personal information about the customer," a spokesman said.

"We are reviewing all of our processes for resetting account passwords to ensure our customers' data is protected."

It was still possible to reset Apple ID passwords over the phone on Monday, but on Tuesday call centre staff reported they were no longer able to issue new passwords. It is unclear what long-term security policy will emerge.

One of the hackers responsible for the attack, calling himself "Phobia" and saying he was 19 years old, told Mr Honan via instant messenger that their goal was to highlight security flaws "so eventually every1 can over come hackers".

"Phobia" said he had targeted Mr Honan because he liked his Twitter username, @mat. The hackers took control of his account and tweeted homophobic and racist messages.

Mr Honan said he was "not even especially angry at Phobia, or his partner in the attack".

"I’m mostly mad at myself. I’m mad as hell for not backing up my data," he said.

"But I’m also upset that this ecosystem that I’ve placed so much of my trust in has let me down so thoroughly. I’m angry that Amazon makes it so remarkably easy to allow someone into your account, which has obvious financial consequences.

"And then there’s Apple. I bought into the Apple account system originally to buy songs at 99 cents a pop, and over the years that same ID has evolved into a single point of entry that controls my phones, tablets, computers and data-driven life."