If you haven't read Mat Honan's Wired article yet, you should. In the span of half an hour, he lost access to his email; his iPad, iPhone, and MacBook were erased remotely; and his Twitter account was hijacked to spout a bunch of offensive nonsense. Gone too were his eight years' worth of email and, even more devastatingly, all of the pictures he had taken during the first year and a half of his daughter's life.
The question for the rest of us is: how can I make sure this doesn't happen to me?
What's most interesting about Honan's story is that he was hacked over the phone. It wasn't a weak password that did him in - it was weak security policies at Apple and Amazon. The hackers were able to add a fake credit card number to his Amazon account by calling Amazon and providing a name, email address, and mailing address - all of which is pretty easy to find online for just about anyone. They then called back to Amazon, saying they couldn't get into the account, and had a new email account added to the Amazon account. Using that email, they reset the password to the Amazon account. From there, they could see the last four digits of every credit card Honan had ever used to purchase items through Amazon. And with the last four digits of a credit card, they were able to call Apple support, reset Honan's password for his Apple accounts, and it was all downhill from there. Using iCloud features meant to find and disable stolen devices, they wiped out all the data on his iPhone, iPad, and MacBook.
After the article was published, Apple stopped resetting passwords over the phone, and Amazon stopped allowing credit cards to be added over the phone. That doesn't mean someone won't figure out a similar way to exploit a security loophole, and there are a lot of things that Honan did - that many of us do - which you can avoid doing, and thus make yourself more secure. Here's what I learned from Honan's story:
- Avoid using the same prefix over multiple accounts: it may be easier to remember, but if you're always "swagga_mcgee" - email@example.com, firstname.lastname@example.org, email@example.com - you're making it easier for people to find every account you have.
- Back up important data outside of the cloud: when his Apple account was hacked, Honan lost not only the information on his MacBook, but also the backups he had been making in iCloud. If he had been backing up his MacBook to a portable hard drive, he wouldn't have lost so much.
- If you have a Mac, don't use Find My Mac: at least until Apple changes the way it is implemented. As it's currently set up, if someone gains access to your iCloud account, they can remotely wipe all your data. You can recover your data with a four-digit PIN, but guess who set that PIN? The person who just hacked your account.
- If an account offers two-step verification, USE IT: two-step verification requires you to enter something besides a password to enter an account. Gmail, for instance, can be configured for two-step verification so that, when someone tries to access your account from a new computer, they have to provide both a password and a numeric code sent to the cell phone you have associated with the account. This means that if someone wants to get access to your account, they have to get your password and steal your phone, which is impossible for someone states or continents away. This type of process can be cumbersome, but it's the only way to ensure your account is really secure.
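The two-step flow described above, as an added example that is not part of the original post: a device that already passed the second step gets in with the password alone; any other device gets a short-lived numeric code delivered out of band, and the code is refused once it expires or after a few wrong guesses. The account, the policy constants, the device ids and the list standing in for the SMS gateway are all constructed for the example.

```python
import hashlib
import hmac
import secrets
import time

CODE_TTL = 300      # constructed policy: a code is valid for five minutes
MAX_ATTEMPTS = 3    # constructed policy: three wrong guesses burn the code


def hash_password(password: str, salt: bytes) -> bytes:
    # Only a salted, stretched hash is stored; the plaintext is never kept.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


class Account:
    def __init__(self, password: str, phone: str):
        self.salt = secrets.token_bytes(16)
        self.pw_hash = hash_password(password, self.salt)
        self.phone = phone
        self.trusted = set()   # device ids that already passed the second step
        self.pending = {}      # device id -> [code, expires_at, attempts_left]
        self.sent = []         # stands in for the SMS gateway (constructed)

    def login(self, password: str, device_id: str, now=None) -> str:
        now = now or time.time()
        # Constant-time comparison so a wrong password leaks nothing by timing.
        if not hmac.compare_digest(hash_password(password, self.salt), self.pw_hash):
            return "denied"
        if device_id in self.trusted:
            return "granted"                 # known computer: password suffices
        code = f"{secrets.randbelow(10**6):06d}"   # unguessable 6-digit code
        self.pending[device_id] = [code, now + CODE_TTL, MAX_ATTEMPTS]
        self.sent.append((self.phone, code))       # "send" it to the phone
        return "code_required"

    def verify_code(self, device_id: str, code: str, now=None) -> str:
        now = now or time.time()
        entry = self.pending.get(device_id)
        if entry is None:
            return "denied"                  # no password step happened first
        expected, expires_at, attempts_left = entry
        if now > expires_at or attempts_left <= 0:
            del self.pending[device_id]      # stale code: start over
            return "denied"
        if not hmac.compare_digest(expected, code):
            entry[2] -= 1                    # count the wrong guess
            if entry[2] == 0:
                del self.pending[device_id]
            return "denied"
        del self.pending[device_id]          # one-time: never reusable
        self.trusted.add(device_id)          # remember this computer
        return "granted"
```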
This kind of thing - hacking, whether through cracking code or social engineering - will keep happening, and as more and more of our lives are pushed into the cloud (it's not just Apple users - Windows 8 will be even more intensely tied to the cloud than any other OS before), we'll need more than just a clever password to protect ourselves.
What do you do to stay safe online? Share it with us in the comments...
Great blog, Nate! I remember reading that article and FREAKING OUT (yes, caps lock freakout).
Another thing I'd recommend: delete all of your credit card info off of accounts like PayPal, Amazon, Xbox Live, PlayStation Network (PSN), and Apple. After last year's PSN hack, I've stopped listing all of my credit card info online. For Xbox Live, iTunes and the PSN, I purchase single use payment cards at the store and for Amazon I enter my card info, pay, and then go back and delete. It's a few extra steps, but worth it, in my opinion. Also, having to go out and buy money for the Internet really cuts down on impulse purchases.
That's great advice. If I have to choose between safety and convenience, I'm going to go with safety every time. Even if it means it takes an extra 5 minutes to buy a game on Steam. Which is probably a good thing.
ALSO: Lifehacker just posted an article on the Epic Hack story and how you can protect yourself, with even more great tips.
Also use gift cards whenever possible.
I meant the Epic library for education. STUPID