Wow, this is a real horror story:
At 4:50 p.m., a password reset confirmation arrived in my inbox. I don’t really use my .Me e-mail, and rarely check it. But even if I did, I might not have noticed the message because the hackers immediately sent it to the trash. They then were able to follow the link in that e-mail to permanently reset my AppleID password.
In short, it comes down to this: someone was envious of Mat Honan's nice, short Twitter handle (@mat), and to hijack that account he first took over Honan's Google account through Google's recovery page, then used a clever trick at Amazon to obtain the last four digits of his credit card.
At 4:52 p.m., a Gmail password recovery e-mail arrived in my .Me mailbox. Two minutes later, another e-mail arrived notifying me that my Google account password had changed.
At 5:02 p.m., they reset my Twitter password. At 5:00 they used iCloud’s “Find My” tool to remotely wipe my iPhone. At 5:01 they remotely wiped my iPad. At 5:05 they remotely wiped my MacBook. Around this same time, they deleted my Google account. At 5:10, I placed the call to AppleCare. At 5:12 the attackers posted a message to my account on Twitter taking credit for the hack.
First you call Amazon and tell them you are the account holder, and want to add a credit card number to the account. All you need is the name on the account, an associated e-mail address, and the billing address. Amazon then allows you to input a new credit card. (Wired used a bogus credit card number from a website that generates fake card numbers that conform with the industry’s published self-check algorithm.) Then you hang up.
With those four digits, Honan's postal address and his e-mail address, he was then able to take over the AppleID and wipe Honan's MacBook, iPhone and iPad through iCloud.
Next you call back, and tell Amazon that you’ve lost access to your account. Upon providing a name, billing address, and the new credit card number you gave the company on the prior call, Amazon will allow you to add a new e-mail address to the account. From here, you go to the Amazon website, and send a password reset to the new e-mail account. This allows you to see all the credit cards on file for the account — not the complete numbers, just the last four digits.
All of that just for a Twitter handle!
What could Honan have done to prevent this?
I should have been regularly backing up my MacBook. Because I wasn’t doing that, if all the photos from the first year and a half of my daughter’s life are ultimately lost, I will have only myself to blame. I shouldn’t have daisy-chained two such vital accounts — my Google and my iCloud account — together. I shouldn’t have used the same e-mail prefix across multiple accounts — email@example.com, firstname.lastname@example.org, and email@example.com. And I should have had a recovery address that’s only used for recovery without being tied to core services.
But of course Apple and Amazon don't come out of this entirely blameless either...
Read: Jeffrey Deaver - The Broken Window