Skip the navigation

60-minute security makeover: Prevent your own 'epic hack'

August 23, 2012 06:02 AM ET

Issue: Having multiple email addresses with same user name

Threat: Using the same prefix -- mhonan@gmail.com and mhonan@me.com -- was one factor that led to hackers knowing Honan's Apple ID user name. (Me.com is an Apple service.) Because they knew his Gmail address, they were able to see a partially blacked-out me.com address on the Google password reset page and guessed the rest.

Defense: It's easy enough to vary your email user names across domains going forward; this makes it less likely that someone can social engineer a password reset for your account. It may be tough to change your email user name on addresses you already use, however.

Time: 5-10 minutes to change an existing address that you're not using much, but significantly more if you have to notify (and perhaps remind) people who know the old address. Best to keep this rule in mind for the private address you're setting up in the step above.

Issue: Using lax Google authentication

Threat: Hackers saw the partial information for Honan's me.com address when entering his Gmail address into Google's password reset page because he hadn't turned on two-step verification. They were also able to reset his Google password after hacking into his Apple account because access to his me.com address was the sole thing anyone needed to change his Google password.

Defense: Turn on Google's two-step verification, which requires entering an additional code sent to your mobile phone before an account password can be changed -- or even for logging in from a new device or browser. Plus, anyone trolling for information won't be able to see even part of your recovery email address. In addition, hacking into your alternate email address wouldn't be enough to change your Google password and seize control of your account. This type of two-factor authentication makes your account safer from other types of hacks as well, such as a compromised password.

While having to enter an additional code sent to your mobile phone may sound onerous, it's a lot less of a hassle than being hacked.

To enable two-step verification, go to the drop-down menu at top right under your email address to get to Account settings, then select Security from the left navigation and click the Edit button next to "2-step verification." Google provides more information on two-step verification here.

Google two-step verification
Google's two-step verification requires you to enter a special code sent to your mobile phone before you can log into your account from a new device or change your account password.

Time: Enabling two-factor authentication from your browser: 2-3 minutes. Signing in using new authentication with other browsers, devices and mobile apps: 1-2 minutes each. You'll need to do this once every 30 days on each desktop/laptop browser you use with your Google account.

Issue: Storing credit cards at online retailers

Threat: It seems harmless enough to store your credit cards on a site where even if someone breaks into your account, only the last four numbers are visible. But it turned out that the last four digits of the credit card stored in Honan's Amazon account was the last piece of ID hackers needed to breach his Apple account. While it appears that Apple has since suspended this policy and Amazon has changed its credit-card security policies as well, the last four digits of a credit card on file is probably a key piece of identification at other online destinations.

Defense: Don't store credit cards anywhere you don't have to, even if it takes some time to type in the number for each purchase.

Time: Deleting already-stored cards: 2-3 minutes per account.



Our Commenting Policies
Internet of Things: Get the latest!
Internet of Things

Our new bimonthly Internet of Things newsletter helps you keep pace with the rapidly evolving technologies, trends and developments related to the IoT. Subscribe now and stay up to date!