The big story this week comes from Wired magazine’s Mat Honan, who was one of the high-profile victims of an Amazon and Apple account hack that cost him pretty much all of his personal pictures and work for the past year. “How Apple and Amazon Security Flaws Led to My Epic Hacking” tells the whole story of the Amazon and Apple account hack. Believe me, you’ll never look at storing your stuff “in the cloud” quite so innocently ever again. The attack used against Mat and other victims relied on not one, not two, but three flaws in the authentication processes used at Amazon and Apple, and they all stem from the same basic mistake: confusion about the difference between an identifier and a credential.
Go read the article for all the details, or read Bruce Schneier’s “Yet Another Risk of Storing Everything in the Cloud.” The gist of the attack relies on these three flaws:
- When adding a credit card to an Amazon account by phone, all you need to satisfy the customer service representative is the name on the account, the account email address, and the billing address. None of that is secret.
- You can add a new email address to an Amazon account by phone if you claim the account has been orphaned and that you can’t get access to it any more. The customer service representative will add another email address to the account if you give him or her the name on the account, the billing address, and one of the credit card numbers on the account, including the fake one you just added in the previous step.
Once you’ve used the above flaws to add a new (possibly fake) credit card and email address to the account, you can use Amazon’s password reset feature to have a password reset link sent to the new email address, and you have complete access to the Amazon account. That leads to the third failure, this one at Apple:
- You can get access to someone’s Apple ID through Apple’s phone support using the associated email address, the billing address, and the last four digits of a credit card on file. You might think that the last four digits of a credit card number are difficult to obtain, but they aren’t: once you have access to the Amazon account, Amazon’s own account pages list the last four digits of every credit card associated with it. Information one company treats as safe to display is information another company treats as a credential.
Guiding Principle in the Amazon and Apple Account Hack
When incidents like the Amazon and Apple account hack make the news, I don’t believe in shaking my fist in faux rage and yelling, “You should have known better!” These complex schemes are difficult to predict ahead of time. There are a myriad of potential cross-company attack scenarios that would be virtually impossible to think up in advance.
But you can learn from history and identify the principles that guide your actions going forward. The Amazon and Apple account hack demonstrates this core principle in three separate ways:
Information about you cannot be used as a credential.
Any business process that claims to authenticate your identity using only information about you is fundamentally flawed. And the corollary to the above principle is:
The only thing that can be used to secure a credential is another credential.
In the world of public-facing cloud services, that typically means knowing a password, proving your ability to read mail at another email account, or proving your ability to receive a text message at a particular telephone number. Crucially, those alternate channels have to be verified before any reset request is made, not added during one; letting a caller attach a new email address to an account on the strength of a billing address and a card number, as the second Amazon flaw did, turns the recovery channel itself back into “information about you.” Until we see sign-up processes at public cloud services that require people to set up alternate email addresses and/or verify telephone numbers for future password resets, I’m afraid we’ll continue to see stories like the Amazon and Apple account hack.
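To make the principle concrete, here is an added example (not code from the original post, and not how Amazon or Apple actually implement anything) contrasting the two kinds of account recovery the post describes. The weak flow “authenticates” a caller with facts about the account holder, so anyone who can look those facts up can reset the password. The hardened flow accepts only proof of control of a second credential: a single-use, expiring random token delivered to a contact channel that was verified before the recovery request, and it refuses to send a token to any channel that is not already verified. The account data, the channel names and the helper names are all constructed for this example.

```python
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass, field
from typing import Optional, Set, Tuple

TOKEN_TTL = 15 * 60  # recovery tokens expire after 15 minutes (assumed policy)


def hash_password(pw: str) -> str:
    # Stand-in for a real password KDF (scrypt/argon2); enough for the demo.
    return hashlib.sha256(pw.encode()).hexdigest()


@dataclass
class Account:
    # The first four fields are "information about you": public records, a
    # whois entry, a shipping label, or another company's account screen.
    name: str
    email: str
    billing_address: str
    card_last4: str
    password_hash: str
    # Channels verified at sign-up, BEFORE any recovery request, so that proof
    # of reaching one of them counts as a credential (assumed design).
    verified_channels: Set[str] = field(default_factory=set)
    # Outstanding recovery token: (sha256 hex of token, expiry in epoch seconds)
    pending: Optional[Tuple[str, float]] = None


# --- The flawed flow: information about you used as a credential ------------
def weak_reset(acct: Account, name: str, email: str, billing_address: str,
               card_last4: str, new_pw: str) -> bool:
    """Reset the password if the caller recites facts about the customer.
    This mirrors the phone-support processes in the post: every input is
    something an outsider can discover, so matching them proves nothing."""
    claimed = (name, email, billing_address, card_last4)
    on_file = (acct.name, acct.email, acct.billing_address, acct.card_last4)
    if claimed != on_file:
        return False
    acct.password_hash = hash_password(new_pw)
    return True


# --- The hardened flow: a credential secured by another credential ----------
def begin_recovery(acct: Account, channel: str,
                   now: Optional[float] = None) -> Optional[str]:
    """Issue a single-use token ONLY to a previously verified channel.
    Returns the token as the channel would deliver it (the caller never sees
    it unless they control that channel), or None if the channel is not
    verified: a caller cannot talk their way into adding a new one here."""
    if channel not in acct.verified_channels:
        return None
    token = secrets.token_urlsafe(32)          # 256 bits of randomness
    now = time.time() if now is None else now
    acct.pending = (hashlib.sha256(token.encode()).hexdigest(), now + TOKEN_TTL)
    return token


def complete_recovery(acct: Account, token: str, new_pw: str,
                      now: Optional[float] = None) -> bool:
    """Accept the reset only with the live token: expiry enforced,
    constant-time comparison, token consumed on success."""
    if acct.pending is None:
        return False
    digest, expires = acct.pending
    now = time.time() if now is None else now
    if now > expires:
        acct.pending = None                    # stale token is dead either way
        return False
    presented = hashlib.sha256(token.encode()).hexdigest()
    if not hmac.compare_digest(presented, digest):
        return False                           # guessing a 256-bit token is hopeless
    acct.pending = None                        # single use
    acct.password_hash = hash_password(new_pw)
    return True


def make_victim() -> Account:
    # Constructed sample account; the verified channels were set up at sign-up.
    return Account(name="Mat Example", email="victim@example.com",
                   billing_address="1 Example St", card_last4="1234",
                   password_hash=hash_password("correct horse"),
                   verified_channels={"+1-555-0100", "backup@example.net"})


if __name__ == "__main__":
    # An attacker who knows only public facts plus the last four digits wins
    # against the weak flow and gets nothing from the hardened one.
    v = make_victim()
    print("weak reset with public info:",
          weak_reset(v, "Mat Example", "victim@example.com", "1 Example St", "1234", "pwned"))
    v = make_victim()
    print("token sent to attacker's address:", begin_recovery(v, "attacker@evil.example"))
    tok = begin_recovery(v, "+1-555-0100")
    print("reset with guessed token:", complete_recovery(v, "not-the-token", "pwned"))
    print("reset with delivered token:", complete_recovery(v, tok, "new secret"))
```

The attacker in the post had every input `weak_reset` asks for: the name and email from Mat’s public profile, the billing address from a whois record, and the last four digits from the Amazon account screen. The hardened flow never asks for any of that; it asks the caller to demonstrate something only the account owner can do, which is exactly what the corollary above demands.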