The billing address and the last four digits of the credit card on file are all it took for AppleCare to issue a temporary password for an Apple ID (aside from the e-mail address, of course). This is how a couple of hackers got into Wired.com senior writer Mat Honan's digital life, took over his Twitter account, deleted his Gmail, and wiped his iPhone, iPad, and MacBook via Find My iPhone and Find My Mac.
According to Honan's story over at Wired.com, the hackers got the last four digits of his credit card from his Amazon account. His .Me address was gleaned from Gmail's password-recovery page, which displays a partially masked alternate address. The billing address came from his domain registration records via WHOIS.
Part of the blame falls on Honan for the way he daisy-chained his accounts together, but plenty of people do the same. When one primary e-mail address is the recovery address for everything else, the attacker never needs a password: every reset link lands in a mailbox he already controls. Honan was still relieved that the hackers stopped where they did; with control of his e-mail they could have gone on to find which financial accounts were tied to it and done far more damage.
As for Apple, they need to revisit their security policy, since the last four digits of a credit card are not a secret. Remember the charge slip you handed the Starbucks cashier for your free latte? The last four digits are printed right on it, and on every other receipt you leave behind.
Anyway, here are a few security measures we can learn from Mat Honan's experience:
- Don't use your Apple ID e-mail as the password-recovery address for other e-mail accounts. Better still, set up a separate e-mail address used for nothing but recovery.
- Don't use the same username for your primary and your sensitive accounts (e-mail, social networks, bank logins, etc.).
- If you use Gmail, turn on two-factor authentication (Google calls it 2-step verification).
- Back up your data to an external drive. Honan lost all his family photos when his MacBook was wiped via Find My Mac.
I suggest you read the full account of his experience. He even got to talk to the hacker, whose sole aim was to take over his three-character Twitter handle. Everything else was collateral damage.
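The daisy-chaining problem and the advice above are easier to reason about if you draw the recovery links as a graph and ask how far a single compromise spreads. The script below is an added example, not code from the original post or from Wired: the account names and edges are a simplified reconstruction of the chain described above, and the "hardened" layout (a dedicated recovery mailbox that nothing else points at, plus 2FA on Gmail) is an assumption used to show the difference.

```python
"""Added example (not from the original post): model account-recovery links
as a directed graph and measure how far one compromise propagates.
Account names and edges are a simplified reconstruction of the chain in the
story above; the 'hardened' layout and the 2FA set are assumptions."""
from collections import deque

# Edge (src, dst): control of src lets an attacker take over dst without
# dst's password (src is dst's recovery address, or exposes data that dst's
# provider accepts as proof of identity).
HONAN_LINKS = [
    ("public_info", "amazon"),       # name, e-mail, WHOIS billing address
    ("amazon", "apple_id"),          # Amazon exposed the card's last four digits
    ("apple_id", "icloud_devices"),  # Find My iPhone / Find My Mac remote wipe
    ("apple_id", "gmail"),           # the .Me address was Gmail's recovery address
    ("gmail", "twitter"),            # Twitter's reset mail went to Gmail
]

# Hardened layout (assumed): Gmail recovers to a mailbox nothing else points
# at, and Gmail has 2FA so a reset link alone does not grant a login.
HARDENED_LINKS = [
    ("public_info", "amazon"),
    ("amazon", "apple_id"),
    ("apple_id", "icloud_devices"),
    ("recovery_only_mailbox", "gmail"),
    ("gmail", "twitter"),
]
HARDENED_2FA = frozenset({"gmail"})


def _adjacency(links):
    adj = {}
    for src, dst in links:
        adj.setdefault(src, []).append(dst)
    return adj


def blast_radius(links, start, second_factor=frozenset()):
    """Accounts an attacker ends up controlling after compromising `start`.

    Edges into accounts in `second_factor` are blocked: the attacker can
    trigger a reset but cannot complete the login without the second factor.
    """
    adj = _adjacency(links)
    owned, queue = {start}, deque([start])
    while queue:
        for nxt in adj.get(queue.popleft(), []):
            if nxt in second_factor or nxt in owned:
                continue
            owned.add(nxt)
            queue.append(nxt)
    return owned


def attack_path(links, start, target, second_factor=frozenset()):
    """Shortest chain of takeovers from `start` to `target`, or None."""
    adj = _adjacency(links)
    parent = {start: None}
    queue = deque([start])
    while queue:
        node = queue.popleft()
        if node == target:
            path = []
            while node is not None:
                path.append(node)
                node = parent[node]
            return path[::-1]
        for nxt in adj.get(node, []):
            if nxt in second_factor or nxt in parent:
                continue
            parent[nxt] = node
            queue.append(nxt)
    return None


def rank_by_blast_radius(links, second_factor=frozenset()):
    """For every account, how many *other* accounts fall with it.

    High values mark the accounts to isolate: dedicated recovery mailbox,
    2FA, and never reused as a recovery address elsewhere."""
    nodes = {n for edge in links for n in edge}
    return sorted(
        ((len(blast_radius(links, n, second_factor)) - 1, n) for n in nodes),
        reverse=True,
    )


if __name__ == "__main__":
    print("original:", sorted(blast_radius(HONAN_LINKS, "public_info")))
    print("path to twitter:", attack_path(HONAN_LINKS, "public_info", "twitter"))
    print("hardened:", sorted(blast_radius(HARDENED_LINKS, "public_info", HARDENED_2FA)))
    print("ranking (hardened):", rank_by_blast_radius(HARDENED_LINKS, HARDENED_2FA))
```

Two things fall out of the model. First, in the original layout everything hangs off publicly available information, and the ranking puts the Apple ID and Amazon near the top because they are the pivot points; that is what the "separate recovery e-mail" advice fixes. Second, the hardened layout still loses the iCloud-connected devices, because the weak link there is Apple's support policy rather than anything the user configured, which is exactly the point the post makes about Apple.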