The password worm hole

Marc Sanchez Aug 8, 2012

Earlier this week we told you about Mat Honan’s experience of getting all his Apple devices wiped clean by a hacker (iPhone, iPad, Macbook erased in a matter of minutes). The derelict hacker called Apple’s tech support and used Honan’s Apple ID – the username you use to log in and buy/download stuff on iTunes – to do his bidding. Honan has been writing about his wild ride on his blog and on Wired, where he is a reporter, and it turns out Apple isn’t the only one who had such an easy workaround. Amazon had a similar protocol, which is how the hackers initially spoofed Honan’s account.

From Wired:

The security gap was used by hackers, one of whom identified himself as a 19-year-old going by the name “Phobia,” to gain access to Honan’s Amazon account on Friday. Once Phobia and another hacker gained access to Honan’s Amazon account, they were able to view the last four digits of a credit card linked to the account.
The hackers then used those four digits to trick Apple customer service into thinking it was dealing with Honan. Apple customer service then gave the hackers a temporary password into Honan’s Apple ID, which the hackers used to wipe his iPhone, iPad and MacBook, and gain access to a number of email accounts as well as his Twitter account.

Both Apple and Amazon have shut down call-in access to their accounts, hopefully discouraging others from trying the same scheme.

There’s a lot happening in the world.  Through it all, Marketplace is here for you. 

You rely on Marketplace to break down the world’s events and tell you how it affects you in a fact-based, approachable way. We rely on your financial support to keep making that possible. 

Your donation today powers the independent journalism that you rely on. For just $5/month, you can help sustain Marketplace so we can keep reporting on the things that matter to you.