Mat Honan: “Yes, I was hacked. Hard.”

Mat writes:

I went to connect it to my computer and restore from that backup—which I had just happened to do the other day. When I opened my laptop, an iCal message popped up telling me that my Gmail account information was wrong. Then the screen went gray, and asked for a four-digit PIN.

I didn’t have a four-digit PIN.

By now, I knew something was very, very wrong. I walked to the hallway to grab my iPad from my work bag. It had been reset too. I couldn’t turn on my computer, my iPad, or iPhone.

Mat’s full explanation of how he was hacked is on Wired. This is pretty scary. In short, the attacker hijacked Mat’s iCloud account and remote-wiped all of his devices. To do it, he took the last four digits of a credit card, which were visible in Mat’s Amazon account, and used them to “prove” to an Apple customer support representative that he was Mat, so that the representative would issue a password reset.

Immediately after reading this, I enabled two-factor authentication on my Google account (even though I don’t use Gmail), but both Apple and Amazon need to take action here to make their users more secure. Apple needs to stop accepting the last four digits of a credit card as proof of identity and instead require correct answers to security questions, and Amazon needs to stop displaying those digits on its account page. (It can let users name their stored payment methods instead.)

It turns out that Apple is suspending password resets over the phone (temporarily?), but this isn’t the right way to address the issue in the long term. Apple needs to realize that security trumps usability more generally, and ensure that its systems and support procedures reflect this. It also needs to start teaching its users how to protect themselves. For too long Apple touted the false claim that Mac OS and iOS were somehow inherently safer than Windows, but that is not the case. For a very long time they were much smaller targets because of the relatively small user base, but that is no longer true either. And just as online retailers have come to realize that iPad users are more likely to make more and larger online purchases, attackers are coming to realize that these are high-value users, which makes them targets.

Suspending over-the-phone password resets is a start, but it sounds like if you have the serial number of a device, you can still get them to do this. So if your iPhone or MacBook is stolen, you’re still at risk.

(Via Marco Arment.)
