Sharing details of the hack that “wiped his life” has earned Mat Honan a place in the annals of information system security; the specific inter-dependence of flawed authentication systems that cost him so dearly–encompassing Apple, iCloud, Amazon.com, Gmail and more–would probably still exist if Mat had not gone public. Wired has the full story here for those who have not been watching it unfold on Twitter.
As news spread last weekend about how much of Mat’s data the hackers had wiped out–by social engineering Apple Support into wiping his iPhone, iPad and MacBook–the company quickly moved to suspend over-the-phone resetting of Apple ID passwords. Amazon also reacted and, according to a follow-up report in Wired: “handed down to its customer service department a policy change that no longer allows people to call in and change account settings, such as credit cards or email addresses associated with its user accounts.”
While it is now impossible to replicate the exact hack that wiped Mat’s life–which is some comfort, I suppose–it is entirely possible that there are other ways to exploit weak links in authentication methods currently used by separate but inter-twined information systems. Based on several decades spent observing patterns of system abuse, I would say it is extremely likely that a. more hacks like this are possible, b. more people than ever are looking for them right now, c. not all of those people have honorable intentions.
In technical terms the online world currently suffers from an atrocious conflation of identifiers with authenticators (your phone number, email address, and Social Security number are identifiers, not authenticators). This situation is compounded by a widespread failure to implement shared secrets effectively (the name of your first pet is not a shared secret and asking for all the digits of my pin number is profligate and inviting of interception). Underlying all of this mess is an excessive reliance on single-factor authentication and an alarmingly widespread misconception that multiple authenticators = multi-factor.
Multi-factor authentication refers to the three factors: A. Something you know, like a password; B. Something you have, like a physical key, C. Something you are, like your face or your fingerprints or the veins in the palm of your hand. Asking me for two or three or more pieces of information that I know is not multi-factor authentication. Why large companies with big research budgets get things like this wrong is hard to fathom and it strikes me as unfair to force consumers to become security experts just to safely navigate services for which someone is paying (either the consumer themselves or the people paying for ads on ad-supported sites or within ad-supported apps and services).
The challenges of restricting access to online data and services are compounded by the shift to email+password for authentication instead of username+password (a person’s email is easier to guess or discover than a non-public username). Then there is the apparent inability of some organizations to keep passwords from prying eyes. As previously reported, millions of passwords were disclosed in June alone, from LinkedIn, eHarmony and Last.fm. Last month more than 400,000 usernames and passwords were stolen from Yahoo, while the social networking site Formspring, clothing company Billabong, gaming site Gamigo, and forums at Phandroid and Nvidia, all suffered similar breaches.
I’m sure regular readers of this blog are getting weary of the advice to change passwords, choose hard-to-guess passwords, and use different passwords for different services. To that we may have to add: use different email addresses for key services that employ email addresses as account identifiers. We might also add: let you frustrations be known to the major online players. There are better ways to do authentication and we need to let companies know we expect better of them.
How much will this incident impede adoption of consumer cloud services in general and Apple’s iCloud in particular? Well, until authentication services improve, I don’t see many security experts recommending you trust your data backup to general purpose cloud services such as those offered by Google, Amazon, Dropbox, Microsoft, and Apple. The news for providers of dedicated online backup services such as Mozy and Carbonite may not be as dim. If your entire business model is backup you are likely to be paying close attention to how you manage it.
In the meantime, there is likely to be renewed interest in offline backup, things like USB hard drive (ironically an area in which Apple has excelled in the past–Time Machine in OS X is my personal backup of choice). Here at ESET we have definitely seen increased readership of the article Options for backing up your computer by fellow blogger Aryeh Gorestsky (11-page .pdf file).
Author Stephen Cobb, We Live Security