You wouldn't expect a tech journalist to be the victim of hackers, but it happened to Mat Honan. His tale is a cautionary one that provides real insights into what you can do today to prevent a similar fate.
On Aug. 3, Honan's Apple, Gmail, Amazon and Twitter accounts were compromised in a matter of an hour. His hackers weren't looking to buy movies or music. Instead, they wanted his Twitter handle. How did the hackers do it? By taking advantage of the fact that Honan's accounts were "daisy-chained together." As Honan explains it:
"Getting into Amazon let my hackers get into my Apple ID account, which helped them get into Gmail, which gave them access to Twitter."
We often hear that creating complex passwords for our various online accounts will ensure our online safety. The truth is, it might not be that complicated for hackers today. Picking up the phone and calling tech support for Amazon and Apple set off a series of events that earned them easy access to Honan's other accounts:
"Apple tech support gave the hackers access to my iCloud account. Amazon tech support gave them the ability to see a piece of information -- a partial credit card number -- that Apple used to release information. In short, the very four digits that Amazon considers unimportant enough to display in the clear on the web are precisely the same ones that Apple considers secure enough to perform identity verification."
So what can we learn from this? What steps should you take to prevent this from happening to you?
- Avoid using similar naming conventions for your online personas. For example, avoid using firstname.lastname@example.org and email@example.com together. Instead, create variations like firstname.lastname@example.org and email@example.com.
- Create a separate email address for services tied to payment methods or other accounts to prevent a "daisy-chain." Also consider creating a single email account for data recovery.
- Reconsider using a single credit card for your online purchases. Instead, use a third party service such as PayPal or multiple credit cards. Then, monitor their use closely.
- When possible, utilize any additional authentication systems available to you. In Honan's case, he could have used Google's two-factor authentication.
- Create a reminder on your calendar to change passwords every 6 months. While it wouldn't have prevented this type of hacking, it will create an extra barrier.
- Use multiple types of security questions. Most customer service or password retrieval systems require you to answer a series of security questions and many utilize the same types of questions. For example, "where was your mother born?" When possible, don't use the same question and answer on all services.
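The "daisy chain" in the advice above is easiest to reason about as a dependency graph: an edge from one account to another means that controlling the first is enough to reset or recover the second. The following is an added example (not code from the article or from Honan) that models the chain as the article describes it, then a hypothetical layout in which recovery runs through a single dedicated mailbox that nothing else depends on. The account names, the `SEPARATED` layout and the helper functions are assumptions for illustration; the edges in `DAISY_CHAINED` follow the order Honan gives (Amazon, then Apple ID, then Gmail, then Twitter).

```python
from collections import deque

# Constructed model of the chain as the article describes it.
# An edge A -> B means: controlling A lets an attacker take over B.
DAISY_CHAINED = {
    "amazon": ["apple_id"],    # the partial card number seen at Amazon satisfied Apple's identity check
    "apple_id": ["gmail"],     # Apple ID "helped them get into Gmail" (article)
    "gmail": ["twitter"],      # Gmail "gave them access to Twitter" (article)
    "twitter": [],
}

# Hypothetical layout following the advice: every service recovers through one
# dedicated mailbox, and that mailbox is not reachable from any other account.
SEPARATED = {
    "amazon": [],
    "apple_id": [],
    "gmail": [],
    "twitter": [],
    "recovery_mail": ["apple_id", "gmail", "twitter"],
}


def reachable(graph, start):
    """Return the set of accounts that fall once `start` is compromised (breadth-first walk)."""
    seen = {start}
    queue = deque([start])
    while queue:
        node = queue.popleft()
        for nxt in graph.get(node, []):
            if nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    return seen


def blast_radius(graph):
    """Map each account to the number of *other* accounts lost along with it."""
    return {acct: len(reachable(graph, acct)) - 1 for acct in graph}


def riskiest_accounts(graph):
    """Accounts worth the strongest protection (second factor, unique answers), highest blast radius first."""
    radius = blast_radius(graph)
    return sorted(radius, key=lambda a: (-radius[a], a))


if __name__ == "__main__":
    for name, graph in (("daisy-chained", DAISY_CHAINED), ("separated", SEPARATED)):
        print(name, blast_radius(graph), "protect first:", riskiest_accounts(graph)[0])
```

In the chained layout, a retail account with weak phone-support verification sits at the head of the chain and drags three others down with it. In the separated layout the shopping and social accounts have a blast radius of zero, and the one node with a large radius is the recovery mailbox, which is exactly where a second factor and unique security answers pay off most.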
Honan also cautions against using "Find My Mac," a service that allows you to remotely log into your computer; it is what allowed his hackers to wipe his hard drive. Anyone can be a target of this kind of attack, which is why regularly backing up your photos, videos and documents is so critical.
You can read Honan's entire account of his hacking on Wired.
(Image: Ariel Zambelich for Wired)