The story of digital journalist Mat Honan, and how his nightmare could have been prevented with one simple security control.

1. Joel CardellaIT SECURITY

2. MAT HONAN’S RIDE THROUGH HELL

3. ABOUT.ME/MATHONAN

4.  “I realized something was wrong at about 5 p.m. on Friday. I
was playing with my daughter when my iPhone suddenly
powered down. I was expecting a call, so I went to plug it back
in.”
 “It then rebooted to the setup screen. This was irritating, but I
wasn’t concerned. I assumed it was a software glitch. And, my
phone automatically backs up every night. I just assumed it
would be a pain in the ass, and nothing more. I entered my
iCloud login to restore, and it wasn’t accepted. Again, I was
irritated, but not alarmed. ”
THE SYMPTOMS APPEAR

5.  “I went to connect the iPhone to my computer and restore from
that backup — which I had just happened to do the other day.
When I opened my laptop, an iCal message popped up telling me
that my Gmail account information was wrong. Then the screen
went gray, and asked for a four-digit PIN.”
 “I didn’t have a four-digit PIN.”
 “By now, I knew something was very, very wrong. For the first
time it occurred to me that I was being hacked. Unsure of exactly
what was happening, I unplugged my router and cable modem,
turned off the Mac Mini we use as an entertainment center,
grabbed my wife’s phone, and called AppleCare, the company’s
tech support service, and spoke with a rep for the next hour and
a half.”
FROM BAD TO WORSE

6.  His first call was to AppleCare – but according to them it was
not his first time calling!
 Someone had called at 4:33 claiming to be Mat, saying he
could not get to his Me.Com email
 In response, Apple issued a temporary password. It did this
despite the caller’s inability to answer security questions Mat
had set up. And it did this after the hacker supplied only two
pieces of information that anyone with an internet connection
and a phone can discover.
WHITHER GOES MAT?

7.  It turns out, a billing address and the last four digits of a
credit card number are the only two pieces of information
anyone needs to get into your iCloud account. Once supplied,
Apple will issue a temporary password, and that password
grants access to iCloud.
 Once someone has access to iCloud, they have access to your
AppleID
 A hacker, going by the name Phobia, was able to track down
this information easily
WHAT HAD HAPPENED

8.  “After coming across my account, the hackers did some
background research. My Twitter account linked to my personal
website, where they found my Gmail address. Guessing that this
was also the e-mail address I used for Twitter, Phobia went to
Google’s account recovery page. He didn’t even have to actually
attempt a recovery. This was just a recon mission.
 Phobia could view the alternate e-mail Mat had set up for
account recovery. Google partially obscures that information,
starring out many characters, but there were enough characters
available, m••••n@me.com. Jackpot.
 This was how the hack progressed. If I had some other account
aside from an Apple e-mail address, or had used two-factor
authentication for Gmail, everything would have stopped here.
 But using that Apple-run me.com e-mail account as a backup told
the hacker I had an AppleID account, which meant I was
vulnerable to being hacked.”
THE HACK

9.  All you need to access someone’s AppleID is
 the associated e-mail address,
 a credit card number,
 the billing address,
 and the last four digits of a credit card on file
 Phobia had gone to Google and requested a password
recovery
 Google had shown him that it was using a @me.com email
 Phobia knows Mat has an AppleID and now needs access
 So Phobia knew part of the email address – how did he get
the other pieces?
IT’S ALL YOU NEED!

10.  He got the billing address by doing a whois search on Mat’s
personal web domain. If someone doesn’t have a domain, you
can also look up his or her information on Spokeo,
WhitePages, and PeopleSmart.
 First you call Amazon and tell them you are the account
holder, and want to add a credit card number to the account.
 All you need is the
 name on the account,
 an associated e-mail address,
 and the billing address.
 Amazon then allows you to input a new credit card. (Wired
used a bogus credit card number from a website that
generates fake card numbers that conform with the industry’s
published self-check algorithm.) Then you hang up.
AMAZIN AMAZON

11.  Next you call back, and tell Amazon that you’ve lost access to
your account.
 Upon providing a name, billing address, and the new credit
card number you gave the company on the prior call, Amazon
will allow you to add a new e-mail address to the account.
 From here, you go to the Amazon website, and send a
password reset to the new e-mail account. This allows you to
see all the credit cards on file for the account — not the
complete numbers, just the last four digits.
 But, as we know, Apple only needs those last four digits!
MORE DATA THAN YOU CAN EAT

12.  Any waiter or waitress in a restaurant where you paid for your
meal
 Any cashier at any store who took your credit card as payment
 Any 16-year old kid working anywhere that accepts credit cards,
with enough sense to memorize 4 digits and a last name –
especially an easy one
 So Phobia calls AppleCare and gives them his name
 “Mat Honan”
 His billing address
 Found using internet search tools
 Last 4 of the credit card
 Found from the email from Amazon
 And now Apple resets Mat’s iCloud account, giving Phobia access
WHO ELSE HAS THE LAST 4 OF YOUR
CREDIT CARD?

13.  Phobia accesses Mat’s account, gets access to his @me.com
password- then a race ensues
 4:50 p.m., a password reset confirmation arrived in my @me.com
inbox. They then were able to follow the link in that e-mail to
permanently reset my AppleID password.
 4:52 p.m., a Gmail password recovery e-mail arrived in my me.com
mailbox. Two minutes later, another e-mail arrived notifying me that
my Google account password had changed.
 5:00 they used iCloud’s “Find My” tool to remotely wipe my iPhone.
 5:02 p.m., they reset my Twitter password.
 5:05 they remotely wiped my MacBook. Around this same time, they
deleted my Google account.
 5:10, I placed the call to AppleCare.
 5:12 the attackers posted a message to my account on Twitter taking
credit for the hack.
PWNED

14. DONE AND DONE

15.  Mat says:
 They could have used my e-mail accounts to gain access to my
online banking, or financial services.
 They could have used them to contact other people, and
socially engineer them as well.
 As Ed Bott pointed out on TWiT.tv, my years as a technology
journalist have put some very influential people in my address
book. They could have been victimized too.
COULDA BEEN WORSE!

16.  Why did it happen?
 What was the reason he got hacked, his personal info erased,
moments from his life gone forever?
 What was the reason?
 He had a 3 character Twitter user name, and they thought it
was cool and wanted it
WHY?

17.  Mat was able to get some data back
 He sent his machine to a firm called DriveSavers, who have
custom hardware and software which can recover data from
hard drives (even SSDs)
 They recovered about 75% of the data, including most of his
digital pictures
 The cost: $1,690
HE GOT SOME DATA BACK

18.  2 factor authentication means you need 2 things to prove who
you are
 Something you know [a password]
 Something you have [a cell phone]
 If Mat had enabled Google’s 2nd factor authentication, this
would not have happened
 Duo Security makes a product which can be used for free –
you can get SMS, iPhone push, phone call, software token
generation
2 FACTOR AUTHENTICATION