Today's Opinions, Tomorrow's Reality 
 

Beyond the Fancy Facade


By David G. Young
 

Washington, DC, August 7, 2012 --  

A security breach shows that Apple's walled garden isn't so safe after all.

The First Citizen's Bank in Front Royal, Virginia is a handsomely impressive structure. The 1914 building along East Main Street[1] is similar to those built throughout pre-depression small-town America. The stone facade and Corinthian columns imply strength and permanence. The carved details suggest wealth and sophistication. To the customer the message is clear: your money and valuables are safe here.

Today, the modern equivalent of the main street bank vault is to be found in the cloud services that lock away our precious photos, files and financial accounts. And like the small town banks of early 20th century America, these services have built up an impressive facade of security and trustworthiness.

Photo by David Hoffman (Creative Commons)

No company has been more successful at building its facade than Apple, whose "walled garden" or "closed ecosystem" has been lauded as much safer than the chaotic free-for-all to be found in the digital worlds built by Google and Microsoft.

But Friday's hacking and digital destruction of a slice of the Apple ecosystem owned by Wired writer Mat Honan[2] shows that the security systems of Apple are a facade as ephemeral as those of America's pre-depression era banks, which failed at a rate of 635 per year even in the booming decade before the depression.[3]

According to Honan, Apple provided the hacker full access to his digital account after being given just his email, mailing address, and the last four digits of his credit card -- all information obtained relatively easily. The hacker then was able to wipe out his iPhone and iPad using Apple's "Find My" tool, and proceed to use his Apple email account to obtain access to his Google and Twitter accounts. The hacker was able to do so because the author had linked his Google and Twitter password recovery features to his Apple email.[4]

Apple reportedly told Wired that the breach was the result of an internal failure to follow its sound security policies. (Basically, Apple put the blame on an employee.) But Wired's claim to have repeatedly replicated the hack by calling different Apple customer service agents on Monday makes Apple's pass-the-buck claims dubious at best.[5]

The truth is that this incident is a major failure for Apple that shows not only problems with customer service, but the inherent weakness of tight integration within the Apple ecosystem. This incident is getting attention because the victim is a technology writer. How many similar incidents has Apple swept under the rug because the victim had no voice or clout? Given how tight-lipped Apple has been about this incident and other incidents, we will probably never know.

To be sure, Apple is not the only company deserving of scorn. Similarly lax security at Amazon reportedly allowed the same hacker to call customer service and get access to the writer's account there, and obtain the last four digits of his credit card. This info was used to get into the Apple account.

But the fact that two companies are at fault instead of one does not lessen the guilt of either. And the reputation of Apple's walled garden as a safe haven from the dangers of the digital world should be forever destroyed. One of the garden's guards effectively let in a marauding warrior who proceeded to digitally disembowel a paying member.

The answer to these problems is not necessarily more security -- it is better security. Both Apple and Amazon have committed the sin of using a non-secret piece of information as an access code. They did it with addresses and credit card numbers. Banks have been doing this with social security numbers for years, with similarly disastrous results for privacy theft.

The companies do this simply because it is cheaper for them than more secure alternatives. A better and simpler way to verify a caller's identity is to call the person back at a registered phone number. This won't help if the phone has also been physically stolen, but it would have prevented the breach in this case. The reason Apple and Amazon don't do this is simply because it creates higher costs for their customer service centers. This is inexcusable and unacceptable.

For Americans, the lessons for digital world safety are similar to those our great grandparents might have learned about banking. Don't put all your money in one place. Don't put the keys to one safety deposit box inside another. And most importantly, don't let a fancy facade fool you into thinking an institution is worthy of your trust.


Related Web Columns:

Partners in Crime
The Fundamental Cause of Identity Theft, June 21, 2005


Notes:

1. LivingPlaces.com, Front Royal Historic District, 2010

2. Wired, How Apple and Amazon Security Flaws Led to My Epic Hacking, August 6, 2012

3. FDIC, Managing the Crisis: The FDIC and RTC Experience, January 5, 2005

4. Wired, Ibid.

5. Ibid.