How Hackers Gained Control Of Reporter’s iCloud Account
On Sunday Wired reporter Mat Honan
He said that, apparently, a caller only has to give Apple Support the last four digits of the credit card on file and the account's billing address to obtain a temporary password, which grants full access to the user's iCloud account. Apple spokesperson Natalie Kerris issued a statement saying that in Honan's case the company's internal policies were not completely followed.
“Apple takes customer privacy seriously and requires multiple forms of verification before resetting an Apple ID password. In this particular case, the customer’s data was compromised by a person who had acquired personal information about the customer. In addition, we found that our own internal policies were not followed completely. We are reviewing all of our processes for resetting account passwords to ensure our customers’ data is protected.”
Wired confirmed the reported reset procedure itself by gaining access to another iCloud account using only the last four digits of the credit card and a billing address.
Honan noted that a billing address is easy to find in public white-pages databases. To obtain the last four digits of Honan's credit card, the attackers exploited a loophole in Amazon's account-verification process. The attack requires two phone calls to Amazon. In the first call, the caller adds a second credit card of their own choosing to the victim's account by supplying the account's email address, the account holder's name and the billing address. In the second call, the caller adds a new email address to the account, "verifying" their identity with the very card they added in the first call. That attacker-controlled email address then gives access to the account data, including the last four digits of the user's original credit card. The weakness is circular verification: a piece of information the caller supplied in one call is accepted as proof of identity in the next.