I read about Mat Honan, the journalist who had his email hacked and his devices wiped. What should we all be doing to avoid this kind of thing?
For those who missed the story, Wired journalist Mat Honan had his Gmail and Twitter accounts hacked, which is not all that unusual. What made the story “epic” was that the hacker(s) used his Apple iCloud account to perform a “remote wipe” on his iPhone, iPad and MacBook, deleting all his data. Worse still, he didn’t have backups.
It was evident that something had gone wrong from the tweets the hacker sent from Honan’s Twitter account and Gizmodo’s account, to which it was linked. (He used to work there.) Honan went public on 3 August 2012 in a blogpost: Yes, I was hacked. Hard. At the time, he blamed his old seven-digit alphanumeric password.
Honan followed up on Monday 6 August with a full account in Wired: How Apple and Amazon Security Flaws Led to My Epic Hacking. It turned out that it was not a password crack but “social engineering”. The hacker had phoned AppleCare technical support and been given a temporary password to Honan’s .Me account. Honan says: “It did this despite the caller’s inability to answer security questions I had set up. And it did this after the hacker supplied only two pieces of information that anyone with an internet connection and a phone can discover … a billing address and the last four digits of my credit card.”
The billing address came from the Whois data that Honan had used to register his domain name, and the last four digits of his credit card from his Amazon account. (See Apple and Amazon patch security flaws exposed by hack heard round the world for more details.)
Once the hacker had control of Honan’s email, he could get the passwords reset on other accounts, such as Twitter.
There are several things that will help prevent this from happening to you. These include: (1) use two-factor authentication; (2) don’t put all your eggs in one basket; and most of all (3) backup, backup, backup.
With two-factor authentication, security depends on two different things. Often these are something you have, such as a credit card, and something you know, such as a four-digit PIN (personal identification number). The “something you have” could also be a dongle or, with biometrics, your face, fingerprints or iris patterns. With online services, it’s usually a mobile phone. Set up two-factor authentication with Gmail, for example, and when you ask for your forgotten password to be reset, Google will send a verification code to your mobile.
Google’s Matt Cutts has posted a video on how to do this: Please turn on two-factor authentication.
Facebook introduced a similar system in May 2011. For instructions, see Introducing Login Approvals: “[It] requires you to enter a code we send to your mobile phone via text message whenever you log into Facebook from a new or unrecognised computer. Once you have entered this security code, you’ll have the option to save the device to your account so that you don’t see this challenge on future logins.”
But two-factor authentication can be somewhat tedious, and also there’s the risk of losing your mobile. Perhaps it might be worth using an old smartphone with a prepaid (PAYG or “pay as you go”) account for this single purpose.
Eggs in multiple baskets…
I’ve given this advice numerous times: it’s risky to put all your eggs in one basket. Honan was an extreme case in his dependence on Apple’s iCloud, but many people are just as dependent on Google or Microsoft or even Yahoo. The question is, if you lost access to your account, would you also lose access to your calendar, contacts, online photos, documents and other data?
Apple, for example, wants you to use a single ID (identity) for iCloud, its App Store, buying things from iTunes etc. This is a bad idea. As far as possible, you should use different IDs, passwords, and even different credit cards for different purposes. Google, Microsoft and Yahoo have also been pushing people towards using the same account for multiple services on multiple devices, and this will get worse when a Microsoft ID is used to log on to Windows 8.
Your stuff will be more secure if you spread it around.
If you must use a single supplier, make sure you have backups elsewhere. For example, most email services provide “mail forwarding”. Set this up so that every email that reaches (say) your Gmail inbox is automatically sent to a Yahoo, Hotmail or other inbox as well.
Microsoft has just launched an improved email service at Outlook.com to replace Hotmail. Register and you can get your new Outlook inbox to fetch all the emails from your Gmail or other account, providing a backup. You’ve missed the opening “land grab” but plenty of good outlook.com names should still be available.
… and multiple email accounts
I hadn’t considered this before, but Honan’s case also shows that there is a risk in using the same email address for all your online accounts, which is exactly what I do. I must have a couple of dozen accounts for Twitter, Facebook, LinkedIn, Quora, Bitly and so on, but all the password reset tokens would end up in the same email inbox.
It would be more secure, but not as handy, to use a different email address for each service. This isn’t impractical if you use a desktop email program such as Thunderbird, Windows Live Mail (WLM) or Microsoft Outlook, because a single “send/receive all mail” will collect email from multiple accounts. If these addresses are only used for password resets and similar purposes, there should not be much email to collect. I’m now thinking about setting up WLM for this purpose.
Creating programmatic email addresses ([email protected], [email protected] etc) would make things simpler, but if you take this approach, think of a format that’s less easy to guess.
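As an added illustration of that last point (this is example code, not part of the original column): one way to keep per-service addresses in a pattern you can regenerate but an outsider cannot guess is to derive each address from a secret key with an HMAC, and to use the same key to check which service an incoming reset email is really addressed to. The secret, the domain and the service names below are constructed values.

```python
import hmac
import hashlib

# Constructed values for the example; use your own secret and domain.
SECRET = b"constructed-example-secret-key"
DOMAIN = "example.com"
KNOWN_SERVICES = {"twitter", "facebook", "linkedin", "quora", "bitly"}


def derive_alias(secret: bytes, service: str, domain: str, tag_len: int = 8) -> str:
    """Return a per-service address such as 'twitter-<8 hex chars>@<domain>'.

    The tag is the first tag_len hex characters of HMAC-SHA256(secret, service),
    so each address can be recomputed from the secret but cannot be guessed
    from the service name alone, unlike plain 'twitter@domain'.
    """
    service = service.strip().lower()
    tag = hmac.new(secret, service.encode("utf-8"), hashlib.sha256).hexdigest()
    return f"{service}-{tag[:tag_len]}@{domain}"


def classify_recipient(secret: bytes, address: str, known_services, domain: str) -> str:
    """Map a recipient address back to its service, or return 'unknown'.

    'unknown' covers mail to the bare service name, a wrong or forged tag, or
    a service you never registered, which is the signal worth filtering on.
    """
    address = address.strip().lower()
    local, sep, dom = address.rpartition("@")
    if not sep or dom != domain.lower():
        return "unknown"
    # rpartition keeps hyphens inside the service name (e.g. 'my-bank-abcd1234').
    name, dash, _tag = local.rpartition("-")
    if not dash or name not in known_services:
        return "unknown"
    expected = derive_alias(secret, name, domain)
    # Constant-time comparison so the check does not leak tag bytes via timing.
    return name if hmac.compare_digest(expected, address) else "unknown"


if __name__ == "__main__":
    for svc in sorted(KNOWN_SERVICES):
        print(svc, "->", derive_alias(SECRET, svc, DOMAIN))
    # A guessed address using the visible pattern but no key is rejected.
    print(classify_recipient(SECRET, "twitter-guess@example.com", KNOWN_SERVICES, DOMAIN))
```

A desktop mail client rule can then file anything classified as “unknown” separately, since legitimate reset tokens only ever arrive at the derived addresses.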
Backup, backup, backup
Schofield’s Second Law of Computing says data doesn’t really exist unless you have two copies of it. Preferably more. And the only person who can be held responsible for that is you.
A simple solution is to have a desktop or laptop PC backed up to an external hard drive and synchronised using a program such as FreeFileSync, which is what I happen to use. There are lots of alternatives. Ideally, you should also store copies of important things online, using a service such as Dropbox, Carbonite or Mozy.
Since your online storage can be hacked and deleted, it is vital to have physical backups on one or more external hard drives, thumb drives, SD cards, CD-ROMs or DVDs. For more on this topic, see an earlier answer: CD, DVD or SD: what’s best for backups?
One extra advantage of having 16GB of data on an SD card or USB memory stick is that you can keep it “off site” in a trusted friend or relative’s house. This provides some protection from physical threats such as earthquakes, flooding, fire and theft.
If you use a service that allows devices to be wiped remotely, this increases the need to have separate backups. Honan fell victim to Apple’s optional Find My Mac feature, which allows users to locate and wipe a stolen device. There are similar services such as Prey, which also works on Windows, Linux and Android. Use with care.
A cloudy future
There’s clearly a trend towards keeping data online (“in the cloud” is the new jargon) and accessing it from numerous devices including PCs, tablets and smartphones. While this can be convenient, it also brings risks. As Schofield’s Third Law of Computing states: “The easier it is for you to access your data, the easier it is for someone else to access your data.”
Strong passwords don’t protect you if someone using the same public Wi-Fi can easily hijack your session cookies with Firesheep and get instant access to your email and Facebook accounts. (See my previous answer, Using a VPN to protect your web use.)
Honan wrote: “My experience leads me to believe that cloud-based systems need fundamentally different security measures. Password-based security mechanisms – which can be cracked, reset, and socially engineered – no longer suffice in the era of cloud computing.”
Until we come up with something better, always use secure https connections rather than http, when available. We now need all websites to support https all the time.