You wouldn't expect a tech journalist to be the victim of hackers, but it happened to Mat Honan. His tale is a cautionary one that provides real insights into what you can do today to prevent a similar fate.
On Aug. 3, Honan's Apple, Gmail, Amazon and Twitter accounts were compromised in a matter of an hour. His hackers weren't looking to buy movies or music. Instead, they wanted his Twitter handle. How did the hackers do it? By taking advantage of the fact that Honan's accounts were "daisy-chained together." As Honan explains it:
"Getting into Amazon let my hackers get into my Apple ID account, which helped them get into Gmail, which gave them access to Twitter."
We often hear that creating complex passwords for our various online accounts will ensure our online safety. The truth is, it might not be that complicated for hackers today. Picking up the phone and calling tech support for Amazon and Apple set off a series of events that earned them easy access to Honan's other accounts:
"Apple tech support gave the hackers access to my iCloud account. Amazon tech support gave them the ability to see a piece of information -- a partial credit card number -- that Apple used to release information. In short, the very four digits that Amazon considers unimportant enough to display in the clear on the web are precisely the same ones that Apple considers secure enough to perform identity verification."
So what can we learn from this? What steps should you take to prevent this from happening to you?
- Avoid using similar naming conventions on your online personas. For example, avoid using egiorgi@gmail.com AND egiorgi@me.com. Instead, create variations like elizabethgiorgi@gmail.com and eagiorgi@me.com.
- Create a separate email address for services tied to payment methods or other accounts to prevent a "daisy-chain." Also consider creating a single email account for data recovery.
- Reconsider using a single credit card for your online purchases. Instead, use a third party service such as PayPal or multiple credit cards. Then, monitor their use closely.
- When possible, utilize any additional authentication systems available to you. In Honan's case, he could have used Google's two-factor authentication.
- Create a reminder on your calendar to change passwords every 6 months. While it wouldn't have prevented this type of hacking, it will create an extra barrier.
- Use multiple types of security questions. Most customer service or password retrieval systems require you to answer a series of security questions and many utilize the same types of questions. For example, "where was your mother born?" When possible, don't use the same question and answer on all services.
Honan also cautions against using "Find My Mac," a service that lets you remotely log into your computer and that allowed his hackers to wipe his hard drive. Anyone can be a target of this kind of attack, which is why regularly backing up your photos, videos and documents is so critical.
You can read Honan's entire account of his hacking on Wired.
(Image: Ariel Zambelich for Wired)
You can also try using Google's two-step verification, which the original article notes would have stopped most of the issues Mat had. Additionally, you can use Gmail's + convention to create website-specific addresses without making new accounts. For example, use something like email+auctions@gmail.com. The nice thing about this is that you can use it to automatically sort incoming emails too. The only problem is that not all sites will accept the + sign in an email form.
But his single biggest mistake of all? Not backing up anything from his computer. He mentions that the #1 thing he's upset about losing is the photos of his child's first and only year on this planet. It's such a simple thing to do. Go and buy an external hard drive (they're relatively cheap these days) and back up EVERYTHING you wouldn't be ok with losing (photos, documents, etc).
A heads up on using PayPal with a credit card: any consumer guarantees you have with your card are undone by PayPal. I purchased something online and paid through PayPal, which charged my credit card. The item was lost/stolen in transit, the seller claimed I got it (no proof, of course), I reported the non-receipt to the credit card company...which reversed the charge. PayPal noted that reversal as a debit to my PayPal account and froze my account pending reimbursement! I challenged it and won (eventually). However, I would never have my PayPal account linked to a credit card. You should link it directly to a bank account with limited funds and -- this is crucial -- no overdraft protection. And CHECK your PayPal transaction record religiously.
@Corey.B, I agree. Every "cloud" file I have is uploaded from a hard drive.
Both articles note the 2-step Google verification. Here is the link to the how-to.
This article has motivated me to back up my computer and turn on Google's 2-step verification.
I personally would consider this social engineering, not hacking. He must not be too great of a tech blogger if he doesn't know the difference between hacking and social engineering.
Or perhaps he just doesn't understand the way you personally define words...
@RURAL AND RUEFUL, how do you change your Paypal settings to no overdraft protection?
Don't settle for anything less than two-factor authentication. I have two-step authentication on my email and I like the extra security it offers. You just telesign into your account and it's good to go. I'm hoping that more companies start to offer this awesome functionality. In reality this should be a prerequisite to any system that wants to promote itself as being secure. I feel suspicious when I am not asked to telesign into my account by way of 2FA; it just feels as if they are not offering me enough protection.
@Jose A How do you create the "+ convention" email addresses in Gmail that you mention?
@lisaeeeee, no setup required. Youremailaddress+anyword@gmail.com will arrive to the youremailaddress@gmail.com inbox automatically.
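The + convention from the two comments above, as an added example that is not part of the original post: it builds a per-site address, maps an incoming recipient address back to the inbox and tag (Gmail also ignores dots in the local part), and sorts sample messages by tag, flagging any tag you never handed out. The sample messages and the set of issued tags are constructed for the example.

```python
"""Plus-addressing helper (added example, not from the original post).

Gmail delivers user+tag@gmail.com to user@gmail.com and ignores dots in
the local part, so e.mail+x@gmail.com and email+x@gmail.com are the same inbox.
"""
import re

# local part, optional +tag, domain
ADDR_RE = re.compile(r"^([^@+]+)(?:\+([^@]+))?@([^@]+)$")

def parse_plus_address(addr):
    """Split 'user+tag@domain' into (canonical inbox, tag); tag is None without '+'."""
    m = ADDR_RE.match(addr.strip().lower())
    if not m:
        raise ValueError("not a valid address: %r" % addr)
    local, tag, domain = m.groups()
    if domain in ("gmail.com", "googlemail.com"):
        local = local.replace(".", "")   # Gmail ignores dots in the local part
        domain = "gmail.com"
    return "%s@%s" % (local, domain), tag

def site_address(inbox, site):
    """Build the address to hand to one site, e.g. 'email+auctions@gmail.com'."""
    local, domain = inbox.split("@")
    tag = re.sub(r"[^a-z0-9]", "", site.lower())   # keep the tag simple
    return "%s+%s@%s" % (local, tag, domain)

def route(messages, issued_tags):
    """Group (recipient, subject) pairs into folders keyed by tag.

    A tag you never issued is flagged 'unexpected:<tag>': either the address
    was guessed, the site that received it shared it, or the sender is
    impersonating a service you use.
    """
    folders = {}
    for to_addr, subject in messages:
        _, tag = parse_plus_address(to_addr)
        if tag is None:
            key = "inbox"
        elif tag in issued_tags:
            key = tag
        else:
            key = "unexpected:" + tag
        folders.setdefault(key, []).append(subject)
    return folders

# Constructed sample traffic: only 'auctions' and 'bank' were ever handed out.
ISSUED_TAGS = {"auctions", "bank"}
SAMPLE_MESSAGES = [
    ("e.mail+auctions@gmail.com", "Your auction ended"),
    ("email+bank@gmail.com", "Statement ready"),
    ("email+shoestore@gmail.com", "Confirm your account"),
    ("email@gmail.com", "Hi from a friend"),
]
```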
@ELYSSAALBERT, I think @RURAL AND RUEFUL is saying your PayPal should be linked with an exclusive-to-PayPal bank account containing limited funds, enough to cover all expenses, and no overdraft protection, so that a reversal from PayPal cannot cause major loss of funds, overdraft charges, or a negative balance on your primary household account.
For the very risk-averse, caution dictates that the paypal-linked bank account should be at a different institution, to prevent a large PayPal transaction (or several) gone wrong from royally disrupting the household cashflow.
When I get paid for larger items sold on Etsy, I leave the funds in my PayPal-linked bank account for a few weeks until I feel reasonably sure the buyer is not going to throw me some jibber-jabber. When you search online, stories abound about headaches caused by con-man deceit achieved/attempted through the venerable PayPal.
This sounds just awful. My credit card info and ebay and twitter accounts have been hacked (some multiple times). Why can't these people do constructive things for the betterment of society with their technological prowess?