During my original dig into identity theft I was surprised that many of the thieves would actually manage to get the credit card companies to issue a new card with a simple phone call. In one case a thief was able to gather mail from a person’s trash to get enough background information to call a credit card company and get two new accounts opened. They had the cards sent to a P.O. Box (which most companies will no longer allow) and started their spending spree. This was back in the mid-1990s when we were not posting every detail about our lives on the internet for the world to see.
Now a would-be thief can create a fake Facebook account (remember there are about 80 million of those) and start cruising for their target. Once they find a nice target they can dig through that person’s timeline and find a wealth of information about them. From there it would be pretty simple to contact a company and use those details to get through the security questions they ask.
This is probably what happened with former Gizmodo journalist Mat Honan. Many news sites have reported on the details of the attack and how Honan had his iPhone, iPad and MacBook Air all remote wiped when someone managed to gain access to his iCloud account through Apple’s own tech support. They have also covered the fact that the attacker deleted Honan’s Gmail account as well as accessed his personal and Gizmodo Twitter feeds (because all of the accounts were linked). This event left Honan feeling helpless and frustrated. Fortunately for him, his status as a popular technical journalist enabled him to get Google, Twitter and even Apple to get the ball rolling to restore his information. We are happy for Honan that he is getting this assistance, but this type of help is not likely to be given to a regular customer.
This type of incident illustrates perfectly what we have been talking about for months now. It shows exactly how dangerous the reliance on the Cloud can be. A malicious individual was able to call Apple tech support and bypass all security simply by stalking their target and gathering information on them. They did not even need to try to brute force the password; they simply had tech support reset it for them. This issue is not just an Apple problem either; it can be done with almost any company because too many people feel safe on the web (and on their social sites).
Cloud services are being presented as a safe and secure environment with access to your data and services anytime, anywhere. People are buying into this marketing hype because of the perceived security and convenience of these services. Who would not like to have access to their documents, pictures, videos and everything else from any of the multiple devices they own? Well, hackers out there love it when you do this. It puts everything in one nice big basket that is much easier to hit than millions of individual homes. Additionally, as these services become more and more linked together, the potential for collateral damage to all of your services is greater. Just look at Facebook and the number of APIs and apps that ask you to allow access into your Facebook account. We recently covered the fact that Digg was requiring a Facebook login for now (which means if one is compromised, both are). LinkedIn has APIs that let you share across multiple services, making a single hack much more profitable for the attacker and damaging to the user.
The scariest part about all of this is that, thanks to our habit of oversharing, we have opened a brand new vector of attack on the information we chose to put in the cloud. Sites like Facebook are only helping the would-be thieves with the way they increase the amount of information that is public with each new upgrade to their service (all on by default, of course). Sadly, the companies that run these services are not going to do much to change this (Facebook surely is not) as it will cost too much money. Remember, the cloud is supposed to have a high return on investment and provide a stable revenue stream. Why would these companies mess with that by spending money to fix an issue like this? After all, it is not their data that is at risk.