Amazon, Apple Cork Security Holes
08/08/12 10:48 AM PT
Amazon and Apple changed some of their security policies this week after tech journalist Mat Honan described how an account-takeover incident involving the two companies allowed an attacker to wipe out much of his personal online data.
Both Amazon and Apple put an end to policies that allowed customers to change their account settings over the phone. Previously, Amazon customers could call and change data such as credit card information simply by providing their name, e-mail address and mailing address.
Apple let users reset their Apple ID password, the same credential used for iCloud and iTunes, over the phone by providing their name, e-mail address, mailing address and the last four digits of a credit card linked to the Apple ID.
As of Monday, however, Amazon changed its policy so that users can no longer change account settings over the phone.
"We have investigated the reported exploit, and can confirm that the exploit has been closed as of Monday afternoon," Ty Rogers, an Amazon spokesperson, told the E-Commerce Times.
Apple instituted a similar policy on Tuesday, although it is unclear how long the new rules will stand. The company did not return our request for comment on the story.
Exploiting Human Holes
In his account of the security breach, Honan described how, once the attacker had access to his Amazon account, they gained access to his Apple, Google and Twitter accounts in turn, since the accounts were daisy-chained together: each one served as a recovery path into the next.
That such a data wipeout could happen to an informed user is something of a wake-up call for average Internet users as well as for tech giants such as Apple and Amazon, although the online retailer is not the only guilty party, said Michael Murray, managing partner of MAD Security. While the attack began with Amazon's process, the ingenuity of attackers in getting around technical security controls should not be underestimated, he said.
"Amazon's processes made it possible for these attacks to happen," he told the E-Commerce Times. "But a lot of companies have similar processes. We spend a lot of time and energy solving the technical security issues, but very few, comparatively, on the issues with business and human processes. Attackers are learning that this is the easy way in and exploiting those processes rather than technical controls."
Good Enough Fix?
That human element makes lasting security fixes nearly impossible, said Larry Walsh, president of the 2112 Group. While technical means of bolstering online privacy exist, social engineering often lets attackers stay one step ahead of the game, he said.
"The truth is they will make it harder today, but not impossible tomorrow," he told the E-Commerce Times. "History has shown that hackers will always find ingenious means for defeating security systems. And when it comes to social engineering, you can never patch a human against security threats the way you can patch a piece of software."
The change to Amazon's and Apple's customer policies is an important step, said both Walsh and Murray. But any time a company has to react to a problem, it is most likely a sign that more work needs to be done to ensure safety going forward.
"They're locking the barn door after the horse is stolen," Murray said. "And how many other issues do they have in business process security? If you're responding, it's always a little late."