Technology Journalist is Hacked and Suffers Serious Identity Theft

The technology journalist Mat Honan, who writes for Wired magazine and has written for the technology website Gizmodo, found in August 2012 that a hacker had gained access to a large portion of his digital identity and had succeeded in taking it over, with highly damaging personal consequences.

In a detailed account of the attack (original story published in Wired), Mat Honan described the damage that was done. In purely technical terms, the hacker (a 19-year-old known only as “Phobia”) first viewed Honan’s Twitter page and from it learned the URL of Honan’s personal website. From the personal website, he learned Honan’s Gmail (Google) address. The hacker then browsed to Google and began the account recovery process, entering Honan’s Gmail address. The resulting page disclosed Honan’s alternate email address, which Honan had specified for password recovery purposes. Although the alternate address was partly obscured, the hacker was able to guess the complete address, because it followed the same pattern as the Gmail address: a mask that shows the first and last characters and the domain leaks most of what an attacker needs when the victim reuses one username everywhere. In addition, the alternate address was a “me.com” address, which disclosed the fact that Honan had an AppleID. This tipped off the hacker as to the next avenue to explore.

To gain access to Honan’s AppleID and iCloud account, the hacker first needed to find out the personal details that would allow him to pose as Honan to the Apple support helpline. For this purpose, he needed to be able to supply the helpline with Honan’s name, email address, credit card billing address, and the last four digits of the credit card known to Apple. The hacker knew Honan’s name, and had already discovered Honan’s Gmail address from his website. To find out the billing address, he carried out a “Whois” search on the domain name of Honan’s personal website, and found that the registrant address was exposed to public view (a Whois privacy service would have hidden it). As it happens, as of 17th August 2012, Honan’s personal website and the Whois entry for that domain both still displayed his Gmail address and his home mailing address.

The final piece of information needed was the last four credit card digits. This information was discovered by means of “social engineering.” First, an accomplice of the hacker phoned the Amazon telephone helpline masquerading as Honan and, having given Honan’s name, email address and billing address, added a false credit card number to Honan’s account. The card number was added without being authenticated in any way. He then phoned the helpline again, claiming to have lost access to the account. After he had supplied Honan’s name and billing address, plus the false credit card number he had himself added in the first call, the helpline allowed him to add a new email address to the account. The hacker then used the “Forgot password” link at Amazon’s website, and the password reset message was sent to the new email address (which was, of course, controlled by the hackers). “Phobia” used the new password to log in to Honan’s Amazon account, whose account pages display the last four digits of every credit card on file. One of these was the card held by Apple for Honan’s iCloud account. The crux of the attack is here: a value that Amazon treats as harmless display data was the value that Apple treated as proof of identity.

The start of the attack proper occurred when the hacker contacted Apple’s support helpline masquerading as Honan, supplying Honan’s name, Gmail email address, billing address, and the last four digits of a credit card number. He requested a password reset, which was carried out there and then over the telephone, the helpline reading out a temporary password. This happened despite the fact that the hacker was unable to answer the security questions that Honan had originally set up. The hacker used the temporary password to gain access to Honan’s iCloud account, from where he deleted the password reset notification email (sent to Honan’s “me.com” address) that might have alerted Honan to what was happening. The hacker then replaced the temporary password with a permanent one of his choosing, and went on to use Find My iPhone to carry out a remote wipe of Honan’s iPhone, iPad, and MacBook.

Having gained control of Honan’s AppleID and the corresponding “me.com” mailbox, the hacker used email-based password recovery to take over Honan’s Gmail account, whose recovery address was the me.com account, and from Gmail his Twitter account, whose recovery address was the Gmail account. Each account was the recovery channel for the next, so one helpline reset unlocked the whole chain. The hacker then used Honan’s Twitter account to send offensive tweets posing as Honan: this was his ultimate objective. Finally, the hacker deleted the Google account completely.
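The chain described above is a small attack graph: each account falls once the attacker holds every item on that provider's identity checklist, and each compromised account hands over new items (a mailbox, a card's last four digits) that satisfy the next checklist. The following is an added example, written for this page and not code from the original article or from Apple, Amazon, Google or Twitter. It models that closure generically, replays the narrative with constructed account and fact names, and shows what changes when the Whois record is private or when Gmail demands a second factor. The masked-address display format (first and last character of the local part shown, length preserved, domain in clear) and all sample addresses are assumptions.

```python
"""Attack-graph model of a daisy-chained account-recovery compromise.

Added worked example; the fact names, recovery rules, masked-address
format and sample addresses are assumptions constructed to mirror the
narrative, not any vendor's actual procedure.
"""
from __future__ import annotations

import re
from dataclasses import dataclass


@dataclass(frozen=True)
class RecoveryPath:
    """One way to take over `target`, usable only when the attacker already
    holds every item in `needs` (AND semantics, like a helpdesk checklist)."""
    target: str
    needs: frozenset[str]
    note: str = ""


def closure(known: set[str], paths: list[RecoveryPath],
            grants: dict[str, set[str]]) -> tuple[set[str], list[str]]:
    """Least fixpoint over the graph: take any path whose requirements are
    all held, add what the newly compromised target exposes (`grants`),
    repeat until nothing changes. Returns the held set and a takeover trace."""
    held = set(known)
    trace: list[str] = []
    progress = True
    while progress:
        progress = False
        for p in paths:
            if p.target in held or not p.needs <= held:
                continue
            held.add(p.target)
            held |= grants.get(p.target, set())
            trace.append(f"{p.target} <- {sorted(p.needs)}: {p.note}")
            progress = True
    return held, trace


def guess_masked_address(masked: str, candidates: list[str]) -> list[str]:
    """Match a partly obscured recovery address against addresses the
    attacker already knows. Assumed display format: hidden characters are
    '*' or bullets, visible characters and the domain are in clear, length
    is preserved. That leaks enough to confirm a reused username."""
    local, domain = masked.split("@", 1)
    pattern = ("^" + "".join("." if ch in "*\u2022" else re.escape(ch)
                             for ch in local)
               + "@" + re.escape(domain) + "$")
    rx = re.compile(pattern)
    return [c for c in candidates if rx.match(c)]


def honan_scenario(whois_private: bool = False, gmail_2fa: bool = False):
    """Replay the chain from the text with constructed names. The flags show
    the effect of a private Whois record and of a second factor on Gmail."""
    public = {"name", "gmail_address"}        # Twitter profile -> website -> Gmail
    if not whois_private:
        public.add("billing_address")         # Whois record of the personal domain
    # Google's recovery screen shows a masked alternate address; the attacker
    # checks it against the username pattern he already knows (sample values).
    if guess_masked_address("j****h@me.com",
                            ["jsmith@me.com", "smithj@me.com", "john@me.com"]):
        public.add("me_address")

    gmail_needs = {"me_mailbox"} | ({"gmail_second_factor"} if gmail_2fa else set())
    paths = [
        RecoveryPath("amazon_account",
                     frozenset({"name", "gmail_address", "billing_address"}),
                     "two calls: add bogus card, then attacker email; web reset"),
        RecoveryPath("appleid",
                     frozenset({"name", "me_address", "billing_address",
                                "last4_apple_card"}),
                     "phone reset issues a temporary password"),
        RecoveryPath("gmail", frozenset(gmail_needs),
                     "recovery mail sent to the me.com mailbox"),
        RecoveryPath("twitter", frozenset({"gmail_mailbox"}),
                     "recovery mail sent to the Gmail mailbox"),
    ]
    grants = {
        "amazon_account": {"last4_apple_card"},   # account pages show last four digits
        "appleid": {"me_mailbox", "remote_wipe"},  # mailbox plus Find My iPhone
        "gmail": {"gmail_mailbox"},
    }
    return closure(public, paths, grants)


if __name__ == "__main__":
    for flags in ({}, {"whois_private": True}, {"gmail_2fa": True}):
        held, trace = honan_scenario(**flags)
        print(flags or "as described", "->", sorted(held))
        for step in trace:
            print("   ", step)
```

Run as a script it prints three outcomes: the chain as described reaches Amazon, the AppleID, the remote wipe, Gmail and Twitter in one pass; with a private Whois record nothing past the public facts is reachable, because both Amazon and Apple ask for the billing address; with a second factor on Gmail the wipe still happens but the Twitter takeover does not, which is the asymmetry Honan himself pointed out.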

The remote wipe proved to have the most devastating impact of all on Honan’s personal life, since his MacBook contained all the photos he had taken of his eighteen-month-old daughter from her birth onwards, and these had not been backed up.

Since Honan’s publication of these events, Apple has revised its helpdesk security procedures so that, at least temporarily, passwords are no longer reset over the phone, and Amazon has likewise stopped allowing account details to be changed by telephone. In addition, there has been much online discussion and analysis of the situation, and several specific flaws have become clear: a partly masked recovery address that is trivially guessable, a home address published in a Whois record, a four-digit value that one company displays freely while another accepts it as proof of identity, and recovery addresses daisy-chained so that one account’s mailbox is the key to the next. Honan also noted that he had not enabled Google’s two-step verification, which would have broken the chain at Gmail, and that he had no backup of the wiped machine. As Honan points out, his description of this identity theft has clearly been in the public interest, and it is possible that many security improvements will come about because of this incident.