Wonder what it's like to have malicious hackers get into every corner of your digital life -- not only your Twitter account, broadcasting embarrassing tweets in your name, but also seizing control of your Apple account and remote wiping your laptop, tablet and phone? Tech journalist Mat Honan outlined in chilling detail how his digital life was hijacked, from racist tweets being sent from his account to losing 18 months of photos he hadn't backed up.
What's especially scary is that the attack didn't require any virus or other devious software; it was all social engineering. Honan managed to make contact with one of the attackers; and in return for not pressing charges, found out how it was done:
1) Hackers scouted out his Twitter account -- they liked the short 3-letter handle -- which linked to Honan's personal Web site. There, they found his Gmail address.
2) Hacker guessed that the Gmail address was also linked to his Twitter account.
3) Hacker went to Google "lost my password" page, entered Honan's email address and saw a partially obscured alternate email address: m••••firstname.lastname@example.org.
"Jackpot," Honan writes. "This was how the hack progressed. If I had some other account aside from an Apple e-mail address, or had used two-factor authentication for Gmail, everything would have stopped here. But using the .Me e-mail account as a backup meant told the hacker I had an AppleID account, which meant I was vulnerable to being hacked."
4) With a billing address and last four digits of a credit card, anyone could call Apple and seek to reset an AppleID password. Billing addresses are pretty easy to find for all but the most security paranoid among us, as address information is available from a number of public records and Web sites. But how did they get the last four digits of the credit card?
This is often printed on receipts; but since Honan's hackers didn't have physical access to something like that, they called Amazon and said they wanted to add a credit card number to his account (all you need to do for that is give a name, email address and billing address). They later called back and told Amazon they lost access to the account; and by giving name, billing address and new credit card number they just added, they were allowed to add a new email address to the account. Then it's simple to reset the password by using that new email, log in and see the last four digits of all credit cards on file. Oops.
5) "And so, with my name, address, and the last four digits of my credit card number in hand, [the hacker] called AppleCare, and my digital life was laid waste," Honan writes, including remote wipes of his iPhone, iPad and Mac.
This saga shows some glaring security holes at both Amazon and Apple, although Wired reports that Apple has since suspended phone-request AppleID password resets, at least temporarily. While we users can't change how Apple, Amazon and Google conduct security, we can take steps to protect ourselves. Here are some ideas, ranging from easy to more complex:
* Don't use a public email address as a link to your other accounts. Have a private email address for password recoveries that you don't use for anything else -- even personal, non-public exchanges; and do not forward messages to that account to another email address. If you really want to be secure, use a different address for each account.
* Take it from Honan: Don't use the same user name for all your various email addresses. "I shouldn't have used the same e-mail prefix across multiple accounts — email@example.com, firstname.lastname@example.org, and email@example.com."
* Don't use the same password on multiple accounts. This doesn't seem to have been an issue in the Honan hack, but it has been for many others. Really, don't do this.
* Don't store credit cards at Amazon. Yes if you're a frequent customer it's annoying to have to enter a card number each time you want to make a purchase. But until we hear that Amazon has changed its policy of allowing phone calls to add credit card numbers to an account with just a name and billing address, allowing hackers to add a card to your account and then use that to gain access, it's simply not secure to store cards there.
* "Mostly, I shouldn't have used Find My Mac," Honan writes, having lost everything on his computer -- including photos from the first 18 months of his daughter's life, which were not backed up. I'm not sure I agree with this one: storing precious, irreplaceable photos on a laptop hard drive without any backup is ill advised for so many reasons besides risk from hackers that I'm hard pressed to blame Apple for this one. If you're an Apple user, the question to ask yourself is: Which poses more danger for you, having your laptop's hard drive fall into the wrong hands if the machine is lost or stolen? Or having a malicious hacker erase your drive by hijacking your AppleID account? If you're regularly backing up your system, the latter may be more of a large-scale annoyance than data catastrophe.
* Use Google's two-factor authentication (nice explanations here and here), something strongly urged by Google's Matt Cutts this week, as Gregg Keizer reports. This means you'll no longer be able to log into your Google account with a password alone; you'll also need a code that's either sent to your smart phone from Google, generated by Google's authenticator app or that you've stored from a batch of 10 codes generated when you first set this up.
While other safeguards above would have prevented the attack on Honan's account -- and given the wide exposure this has gotten on the Web, anyone with accounts on Twitter, Apple, Amazon and Google needs to be concerned about this -- Honan argues that passwords "no longer suffice in the era of cloud computing" since they can be "cracked, reset and socially engineered." If you really want your Google account to be secure, two-factor authentication is your best option.
"Yes, this is a pain in the ass. I'll fully acknowledge that," Stack Exchange co-founder Jeff Atwood wrote in his blog codinghorror.com after another hacking nightmare was recounted, this time by James Fallows in The Atlantic. "But you know what's an even bigger pain in the ass? Having your entire online identity stolen and trashed by a hacker who happens to obtain your email password one day."
For more, see Woz says the cloud is horrendous & Wired reporter's iCloud gets hacked hard by security blogger Darlene Storm.