By Jay McCall, Networking and Managed Services Editor, Business Solutions Magazine
I read an interesting story recently about how an editor at Gizmodo had his digital identity stolen. The hacker gained access to his Twitter account, his Gmail account, and — with the help of a simple Amazon account hack — his Apple account. After the security breach, the hacker deleted the victim’s Gmail account, posted messages on his Twitter account, and even went so far as to remotely wipe out his MacBook, which contained more than a year and a half of family photos that weren’t backed up anywhere else.
Where was the point of vulnerability? According to the hacker, who messaged the victim after the attack, he started with the victim’s Twitter account, which was linked to the victim’s personal website, and that’s where he found the victim’s email address. Through a WHOIS domain lookup, he was able to get the victim’s mailing address. From there, he just needed one more critical piece of data: the last four digits of the victim’s credit card number. He obtained this in less than 15 minutes by calling Amazon and pretending to be the victim. After providing the victim’s name, address, and email address, he was able to add a new credit card. Then, minutes later, he called back stating he had lost access to his Amazon account and needed to reset the password. After providing the same basic information along with the new credit card info, he was able to log in to the victim’s Amazon account, reset the password, and see the last four digits of all of the victim’s credit cards on file with Amazon. Bingo. Now, he had all the info he needed to access the victim’s Apple ID account.
Here’s the bottom line from the victim’s experience after contacting Apple and trying to regain control of his digital identity: There is a huge disparity between what Apple says it does to protect your account and what it actually does to protect you. Basically, if a hacker knows someone’s name, address, and the last four digits of their credit card, they have enough information to break into most Apple accounts, unless additional security measures are put into place. I think it’s important to share these kinds of stories with your customers who are bringing their consumer devices to work and intermingling corporate applications and data with consumer-based cloud backup services (e.g., SkyDrive, Dropbox, iCloud). There is a big difference between storing data in iCloud and storing it in a business-class cloud data center.
As frustrating as it would be to lose a year’s worth of digital family photos, it’s a whole other matter to have customer or patient data get compromised. Besides the potential fines for not complying with industry regulations, your customer’s business reputation could be seriously tarnished, which means that not only could current customers leave in droves, but future customers will be much more difficult to attract. Those reasons alone should be enough to convince them that they need to entrust their data to a professional rather than taking matters into their own hands. And, paying for business-class cloud storage and monitoring is money well spent.