iCloud password hack and why The Verge got it wrong.
I just finished listening to the latest Vergecast and I want to add something to the conversation regarding the stolen iCloud credentials that led to major data loss.
First of all, the chain of events is the following:
1. The malicious guys called Amazon and added a FAKE credit card to the journalist's account
2. They called Amazon back and, providing the journalist's account and the last 4 digits of the FAKE credit card, gained access to the journalist's legitimate account
3. They acquired the last 4 digits of the real credit card.
Here we already see how loose Amazon really is on security: first of all, I should not be able to add a credit card without having my identity verified, and most importantly, how on earth does Amazon let you add a random credit card number without even verifying that it's a legitimate one?
Secondly, you need to know the victim's Amazon account, so the brag about the Pizza Hut guy being able to erase your computer is a long shot in my opinion.
Now, we get to the Apple side of the story.
The bad guy called and, providing correct information (acquired through Amazon), was able to have his iCloud password reset.
Now, Apple stated that the policies were not followed, and here everyone seems to miss a point that I would like to stress: as far as I know, when you reset a password on an Apple ID you receive a reset link at your email, so in this case either the Apple advisor agreed to send the reset link to a different email or, even worse, provided a temporary password.
This means that you need:
- Amazon account
- last 4 digits of the credit card
- Apple ID email
- an advisor who does not follow Apple's policies
Once this happens the bad guy can wipe your computer, and on the podcast I heard the most stupid arguments about how the wipe should work... the wipe has to work with ONE click, no questions asked; anything in between will weaken the wipe procedure and make it prone to fail.
In the end the journalist guy lost everything because he is not smart enough to use a hard drive with Time Machine; if he had a backup, the wiping of his computer would not have led to any data loss.
Lesson learned? Do backups.