Wired mentions Apple 46 times in the article (including twice in the title)... and Amazon 3 times. In fact, most of the public and HN outrage about this incident has been directed at Apple.
That's the downside of Apple being so close to perfect. We expect perfection from them at all times. And when they make a mistake, it seems 100x more outrageous than if it were any other company.
Don't get me wrong, they made a terrible mistake in this case, but Amazon has gotten off lightly in comparison.
The bulk of the damage was done as a result of the breach in Apple's security - all the Amazon breach did was give the attacker the last 4 digits of a card, which is not super private anyway. It isn't 100% fair - and to be clear, processes at both companies were pretty poor - but I don't think people are out to get Apple here.
And, while Apple is very good, they are nowhere near perfect - especially when it comes to online services. Apple fans playing the victim card for them is just as tiring as people jumping all over them when they slip up.
> all the Amazon breach did was give the attacker the last 4 digits of a card, which is not super private anyway.
Precisely. Go to any mall, restaurant, or shopping center in the U.S. and you're bound to find at least one discarded receipt with the last four digits of the shopper's credit card number on it, possibly with their name and/or signature.
But that's the fault of the shopper for not policing their information properly; in this case it wasn't Honan's fault that his last 4 leaked. The last 4 still shouldn't be given out over the phone, ever. In the UK, most companies have a policy of not confirming any card detail on their system over the phone.
No, I'm arguing that Amazon is at fault for handing out card details willy-nilly, and Apple is at fault for not training their CS staff to, in the words of House, assume everybody lies.
This is crazy and creepy, but during weekends one could possibly stake out malls looking for people discarding receipts. Pick it up and hurry towards them. When you accost them, mention in no uncertain terms: "Sir/Ma'am, with this receipt I'll be able to wipe your iDevice."
The Subways I worked at in college had the full credit card number on the store duplicate that all the clerks were required to collect. We dropped a couple of drop bags full of these little receipts into the safe at the end of the day.
People expect security measures to be correlated to potential damage. Articles are focusing on Apple because they exhibited the largest gap between expected and actual security measures.
Using nearly-public information, the attacker was able to convince a human to grant access to the victim's account, and therefore to destroy the victim's data.
If the compromise of an iCloud account had merely given the attacker access to the @me.com address, I don't think Apple would be receiving nearly as much bad press. Email accounts are compromised all the time, usually with no more damage than some spam mail sent to friends.
Similarly, if the attacker had gained remote-wipe ability by some elaborate deception, customers would be more willing to cut Apple a break. Suppose Apple accepted passports as a recovery mechanism, and the attacker showed up to an Apple store in person with a forged US passport. That would sell a lot of newspapers, sure, but Apple would be blameless.
I'm sorry, I thought that you were going to link to ads where Apple touts the security of its iCloud platforms and its over-the-phone support service. Claiming to be immune to viruses that ran on Windows and claiming to be secure against social engineering are two very different things. The first poster is correct: Amazon needed less information to do things over the phone than Apple did. All Amazon wanted was your billing address, and they would let you add emails to the account, and then who knows what you could do. Both companies are at fault here.
Don't get me wrong, I agree with your sentiment. However, I think in this case, it is about the fact that the stakes were much higher with the iCloud account.
Yes, I would be very annoyed if an account which had personal information, a history of purchases, and was linked to my credit got hacked (e.g. by social engineering). However, I would be even more annoyed if my laptop and phone got remote-wiped due to the same type of hacking.
But to be honest, I haven't been following the story that closely, so I am happy to be proven wrong on the perceived difference between the social engineering of Amazon vs. Apple support.
Did you read the full article? Didn't you notice how the attacker got the last 4 digits?
### Amazon actually gave the attacker full control of the Amazon account. ###
All the attacker had to do was simply call Amazon and ask to add a new credit card; the only verification was the billing address. The attacker called back in 5 minutes asking to change the email account on file, which required the last 4 digits of the fake card just added. The attacker then did a password reset.
Basically, most people don't realize Amazon had a HUGE GAPING wide hole in their security. Any attacker could steal anyone's Amazon account! These are accounts that have thousands of dollars of affiliate money, AWS servers running major web sites, credit cards on file, etc.
So yes, the fact that Amazon gave the last 4 digits out isn't a big deal, you are right. These numbers are printed on receipts. However, the fact that they gave the whole account away is a big deal.
At the very least, the system needs to raise big red flags if a CC added very recently is used for validation. A system I built a few years back would alert customer service if any of the validating data was less than a month old, and wouldn't let them use it if it was less than a week old. (So yeah, if you forgot your password in the week after you changed address, you were locked out for a week. That was a business risk deemed "acceptable" by the client.)
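The two comments above describe the attack chain (add a card with only a billing address, then use that card's last 4 to change the e-mail) and a freshness rule that would have stopped it. As an added example that is not code from the thread or from Amazon, here is a small Python model of that rule: every fact a caller offers is checked against when it was written to the account; anything younger than a week refuses the request, anything younger than a month escalates to a human, and offering fewer than two facts also escalates. The account data, the timings, the window lengths and the `min_verifiers` parameter are all assumptions for illustration.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta

# Policy windows (assumed values): a verifier written less than a week ago cannot be
# used at all; less than a month ago, a human must review the request.
BLOCK_WINDOW = timedelta(days=7)
FLAG_WINDOW = timedelta(days=30)

DENY, ESCALATE, ALLOW = "DENY", "ESCALATE", "ALLOW"
_RANK = {ALLOW: 0, ESCALATE: 1, DENY: 2}  # worse decisions dominate

# Constructed reference time for the simulation below.
REFERENCE_TIME = datetime(2012, 8, 1)


@dataclass
class Verifier:
    """One fact on the account a caller may be asked to confirm (hypothetical model)."""
    name: str
    value: str
    set_at: datetime  # when this value was written to the account


@dataclass
class Account:
    verifiers: list = field(default_factory=list)

    def add(self, name, value, now):
        self.verifiers.append(Verifier(name, value, now))

    def find(self, name, value):
        return next((v for v in self.verifiers
                     if v.name == name and v.value == value), None)


def evaluate_request(account, claims, now, min_verifiers=2):
    """Score the facts a caller offers before a sensitive change (add card, change
    e-mail, reset password). Returns (decision, reasons). A claim that does not
    match anything on file denies outright; a matching fact younger than
    BLOCK_WINDOW denies, younger than FLAG_WINDOW escalates; too few facts escalates."""
    decision = ALLOW
    reasons = []

    def worsen(new, why):
        nonlocal decision
        reasons.append(why)
        if _RANK[new] > _RANK[decision]:
            decision = new

    for name, value in claims:
        v = account.find(name, value)
        if v is None:
            return DENY, [f"{name}: no such value on file"]
        age = now - v.set_at
        if age < BLOCK_WINDOW:
            worsen(DENY, f"{name}: set {age} ago, inside {BLOCK_WINDOW.days}-day block window")
        elif age < FLAG_WINDOW:
            worsen(ESCALATE, f"{name}: set {age} ago, inside {FLAG_WINDOW.days}-day review window")
    if len(claims) < min_verifiers:
        worsen(ESCALATE, f"only {len(claims)} verifier(s) offered, {min_verifiers} required")
    return decision, reasons


def simulate_attack(now=REFERENCE_TIME):
    """Replay the call sequence described in the thread against this policy.
    The account contents and timings are constructed for the example."""
    acct = Account()
    acct.add("billing_address", "1 Example Street", now - timedelta(days=400))
    acct.add("card_last4", "4242", now - timedelta(days=400))

    # Call 1: attacker offers only the billing address and asks to add a card.
    call1, _ = evaluate_request(acct, [("billing_address", "1 Example Street")], now)
    acct.add("card_last4", "1111", now)  # the attacker's own card now sits on the account

    # Call 2, five minutes later: attacker offers the address plus the fresh card's
    # last 4 and asks to change the e-mail on file.
    later = now + timedelta(minutes=5)
    call2, _ = evaluate_request(
        acct, [("billing_address", "1 Example Street"), ("card_last4", "1111")], later)

    # The real owner, using the card that has been on file for over a year.
    owner, _ = evaluate_request(
        acct, [("billing_address", "1 Example Street"), ("card_last4", "4242")], later)
    return {"add_card": call1, "change_email": call2, "owner": owner}


if __name__ == "__main__":
    for step, decision in simulate_attack().items():
        print(f"{step}: {decision}")
```

Under this policy the first call is pushed to a human because a billing address alone is a single, widely known fact, and the second call is refused because the only card that matches was added five minutes earlier; the owner's long-standing card still passes. The freshness check is deliberately a property of the data, not of the channel, so it applies equally to phone, chat and web recovery flows.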
This is such a great point. Deceiving others to obtain certain information could have happened anywhere. The fact that Apple is recognized on such a large scale would most certainly make a situation like this get blown way out of proportion. I doubt this would make headlines to the same degree if it were a smaller, less-known organization. These kinds of attacks on victims like Honan happen all the time, but why do we only hear about them the most when they involve a large, reputable company?