Hack of tech journalist reveals flaws in cloud security

By Byron Acohido, USA TODAY

SEATTLE – The security community is on alert for hackers who might try to emulate the simple trickery used to breach a prominent technology journalist’s Amazon, Apple, Google and Twitter accounts. That hacking caper has rekindled concerns about whether Apple’s iCloud, Google Apps, Amazon’s Cloud Drive, Microsoft’s Windows Live and other Internet-delivered services do enough to authenticate users, security analysts say.

“People are being urged to trust their data to the Internet cloud, but then you find that the operational security is alarmingly lax,” says Stephen Cobb, security analyst at anti-virus firm ESET.

Hackers devastated Wired reporter Mat Honan’s digital life. In doing so, they highlighted how Web companies have been slow to embrace more robust systems for ensuring that users who log into online accounts are who they say.

Merchants, banks, media companies and social networks require varying amounts of information to open and access online accounts. Many ask for only a few bits of information to make changes, such as resetting a password. That makes it easy for hackers to abuse the prevailing systems, which rely on asking users to answer questions.

Many banks and Google Gmail offer an optional service that sends to your cellphone a single-use PIN code that you must enter at their websites, along with your username and password, before you can complete certain transactions.

Such multifactor authentication systems are considered more difficult for the bad guys to subvert but less convenient for account holders to use. Yet the need for wider deployment of stronger systems is intensifying, argues Todd Feinman, CEO of database security firm Identity Finder.

Honan detailed how hackers tricked an Amazon rep over the phone into revealing the last four digits of his credit card number. Next, they used that information to persuade an Apple rep to reset his Apple ID password, which enabled them to wipe clean Honan’s iPhone, iPad and MacBook, destroying all of his files, including irreplaceable photos of his daughter. Apple has suspended its phone password-reset service and launched a security review, says spokeswoman Natalie Kerris. Amazon did not respond to interview requests.

Web firms are unlikely to switch to one-time PIN systems anytime soon. “Many … are expensive and difficult to manage,” says Chris Brennan, CEO of security firm NetAuthority. “And companies are concerned they could frustrate the user.”

Meanwhile, consumer awareness remains low, says Gregg Martin, FishNet Security’s director of mobile security. Consumers will have to demand stronger authentication systems and be prepared to accept “a slight level of inconvenience,” Martin says.

ESET’s Cobb argues that Web companies should take the initiative. “Improving security is 100% the responsibility of the cloud service providers because they are the ones trying to sign people up to the cloud model.”