Educause Security Discussion mailing list archives

Social Engineering your way into someone else's iCloud
From: Martin Manjak <mmanjak () ALBANY EDU>
Date: Wed, 15 Aug 2012 16:06:17 -0400

From the Aug. 15 issue of Crypto-Gram, with an appended update.
=========================================================
Yet Another Risk of Storing Everything in the Cloud

A hacker can social-engineer his way into your cloud storage and delete
everything you have.

   It turns out, a billing address and the last four digits of a
   credit card number are the only two pieces of information anyone
   needs to get into your iCloud account. Once supplied, Apple will
   issue a temporary password, and that password grants access to
   iCloud.

   Apple tech support confirmed to me twice over the weekend that
   all you need to access someone's AppleID is the associated e-mail
   address, a credit card number, the billing address, and the last
   four digits of a credit card on file.

Here's how a hacker gets that information.

   First you call Amazon and tell them you are the account holder,
   and want to add a credit card number to the account. All you need
   is the name on the account, an associated e-mail address, and the
   billing address. Amazon then allows you to input a new credit
   card. (Wired used a bogus credit card number from a website that
   generates fake card numbers that conform with the industry's
   published self-check algorithm.) Then you hang up.

   Next you call back, and tell Amazon that you've lost access to
   your account. Upon providing a name, billing address, and the new
   credit card number you gave the company on the prior call, Amazon
   will allow you to add a new e-mail address to the account. From
   here, you go to the Amazon website, and send a password reset to
   the new e-mail account. This allows you to see all the credit
   cards on file for the account -- not the complete numbers, just
   the last four digits. But, as we know, Apple only needs those
   last four digits. We asked Amazon to comment on its security
   policy, but didn't have anything to share by press time.

   And it's also worth noting that one wouldn't have to call Amazon
   to pull this off. Your pizza guy could do the same thing, for
   example. If you have an AppleID, every time you call Pizza Hut,
   you're giving the 16-year-old on the other end of the line all he
   needs to take over your entire digital life.

The victim here is a popular technology journalist, so he got a level of
tech support that's not available to most of us. I believe this will
increasingly become a problem, and that cloud providers will need better
and more automated solutions.

http://www.wired.com/gadgetlab/2012/08/apple-amazon-mat-honan-hacking/all/
or http://tinyurl.com/c2ao8ur

The victim's initial post:
http://www.emptyage.com/post/28679875595/yes-i-was-hacked-hard

Update: Apple has changed its policy and stopped taking phone-based
password reset requests, pretty much as a result of this incident, and
has beefed up security:
http://www.networkworld.com/news/2012/080812-apple-stops-password-resets-after-261496.html
or http://tinyurl.com/9h7bn42


-- 

Martin Manjak
CISSP, GIAC GSEC-G
Information Security Officer
University at Albany
MSC 209 518/437-3813

The University at Albany will never ask you to reveal your password.
Please ignore all such requests.
