Last week I read the horrifying story of how an otherwise tech-savvy guy got hacked. Big time. The hackers compromised a number of his accounts and he lost tons of files. The good news is that there’s a lot we can all learn from his experiences.
For a bit of background, the entire process started when his iCloud account was compromised. The hackers then used his iCloud account to remotely wipe his MacBook, iPhone, and iPad — effectively cutting him off from the outside world. The associated dot mac (.mac) e-mail address served as the backup for his main Gmail account, so they were then able to reset his Gmail password.
Once your primary e-mail account has been exposed you are, for lack of a better term, screwed. The hacker can mine your mail for services that you use, and use that very same account to receive and act on password reset requests. In this case, it appears that they were mostly focused on gaining access to his Twitter account, but things could have been much, much worse.
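The chain described above (iCloud resets Gmail, Gmail resets everything else) is just a dependency graph, and you can map your own accounts the same way. The following is an added example, not code from the original post; the account names and recovery links in it are constructed to mirror the story, and the `two_factor` parameter models the idea that a password-reset e-mail alone does not get an attacker into an account that also demands a second factor.

```python
from collections import deque

# Constructed recovery map: each account lists the accounts that can reset its
# password (i.e. where its reset e-mails land or which service controls it).
RECOVERY_GRAPH = {
    "icloud": [],             # reset only via Apple support (out of band)
    "gmail": ["icloud"],      # the .mac/.me address is Gmail's backup address
    "twitter": ["gmail"],     # Twitter reset links go to the Gmail inbox
    "bank": ["gmail"],
    "laptop": ["icloud"],     # iCloud holds remote-wipe authority over the laptop
}


def blast_radius(graph, compromised, two_factor=frozenset()):
    """Return every account an attacker reaches by following password-reset
    links outward from `compromised`. Accounts in `two_factor` cannot be
    entered through a reset link alone, so the walk stops at them."""
    # Invert the map: which accounts can be reset from account X?
    dependents = {}
    for acct, recovery in graph.items():
        for r in recovery:
            dependents.setdefault(r, []).append(acct)

    reached = {compromised}
    queue = deque([compromised])
    while queue:
        current = queue.popleft()
        for nxt in dependents.get(current, []):
            if nxt in reached or nxt in two_factor:
                continue
            reached.add(nxt)
            queue.append(nxt)
    return reached


def riskiest_accounts(graph, two_factor=frozenset()):
    """Rank accounts by how much of the graph falls if they are compromised,
    which highlights the single points of failure worth protecting first."""
    ranked = [(len(blast_radius(graph, a, two_factor)), a) for a in graph]
    ranked.sort(key=lambda t: (-t[0], t[1]))
    return ranked


if __name__ == "__main__":
    print("No 2FA, iCloud compromised:",
          sorted(blast_radius(RECOVERY_GRAPH, "icloud")))
    print("Gmail behind 2FA, iCloud compromised:",
          sorted(blast_radius(RECOVERY_GRAPH, "icloud", {"gmail"})))
    print("Ranked by blast radius:", riskiest_accounts(RECOVERY_GRAPH))
```

Running it shows the whole graph falling from a single iCloud compromise, and the same compromise stopping at the laptop and iCloud itself once Gmail requires a second factor. Any account that tops the ranking deserves the strongest credential and a recovery address that is not itself reachable from the rest of the graph.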
Think of everything you do online nowadays. And think of how badly you could be hurt if someone managed to take control of it all. As it turns out, this whole episode was touched off by a bit of clever social engineering. Details on this aspect of the story aren’t available, but…
Apparently the hacker didn’t break into the victim’s (Mat Honan’s) account the old fashioned way. Instead, he talked his way past Apple customer service and managed to get the iCloud password reset. Sadly, Mat wasn’t in the habit of backing up his data, so he lost all kinds of things, including a year’s worth of photos, e-mails, documents, etc.
There are, of course, some lessons to be learned here.
- Use strong passwords. No, Mat’s accounts weren’t compromised via brute force hacking, but they could have been. And once someone gains access to your primary e-mail account, all bets are off.
- Beware of unsecured wifi networks. Here again, his login info wasn’t compromised per se, but this is another easy way for people to get that information.
- Beware of public computers. As above, it’s all too easy for someone to grab your login credentials using key logger software (or something similar) on a public internet terminal.
- Use two-factor authentication. If available and not switched on by default, be sure to activate two-factor authentication. Here is a good overview.
- Encrypt sensitive information on your hard drive. I’ve talked about this before, but tools like TrueCrypt are great for protecting your secrets on your hard drive.
- Don’t share personally identifying information. Yes, I know that social networking is all the rage, but… Over-sharing of your personal information is a great way to give hackers critical information that could facilitate any attempts at social engineering (not to mention password-guessing if you ignored #1 above).
- And finally, back up your data! I use a combination of Time Machine for local backups to an external hard drive and an online backup service for off-site backups.
Given our heavy reliance on the internet for everything from simple communication to the management of our financial lives, you owe it to yourself to be as cautious as possible.
Oh, and before you lay this all at the feet of iCloud, keep in mind that the “Find My iPhone” feature was instrumental in recovering tech writer David Pogue’s stolen iPhone at just about the same time the system was being used to destroy Mat’s online existence.
Ironically, Pogue pointed to that same “remote wipe” functionality that was used against Honan as an important security feature that he could use to prevent the thieves from accessing anything on his phone (once they got past the PIN code).
Hopefully Apple (and others) will revisit their customer service policies and put better protections against whatever sort of social engineering tricks were used in the first place.
Update: Mat has written an article on Wired explaining exactly how the hack went down, complete with details on the “social engineering” aspect. Fascinating and scary all at once.
Maury: With two-factor authentication enabled on Gmail, it won’t show you the backup e-mail address. Technically, even without it you don’t get the full address, but the hacker was able to see m••••[email protected] and could fill in the blanks given the victim’s name and his Gmail handle. This is what tipped them off to the dot me address in the first place, which is how this whole thing got started. Also, with two-factor authentication enabled, they wouldn’t have been able to log in to the Gmail account without access to the victim’s cell phone — thus, the trail would’ve stopped with the hacking of the iCloud (dot me) account. This is detailed in the follow-up article on Wired (linked above).
Scary, scary, scary stuff here. I think we all need to be careful about what types of information we give out. Also, I think it’s probably wise not to set “security questions” if you don’t have to – they just give a hacker another opportunity to gain access to your account if they know the answers.
… 2-factor ID would not have helped in this case.
AMAZON customer-service revealed the victim’s credit-card last 4 digits to the hackers through ‘social-engineering’ (human deception). The hackers obtained the victim’s correct name & address from public-records/internet and used that to deceive an AMAZON rep.
Then with the victim’s correct name/address/credit-card ID from AMAZON, they fooled APPLE customer-service into revealing the victim’s full APPLE account info. The rest was easy.
All your private internet accounts info is only as safe as the competence & honesty of low-wage customer-service employees.
Your name & address alone … is enough to initiate a successful hacker attack. Do you safeguard that info?
Your name & address is routinely open to the world on all sorts of documents from personal checks, retail purchases/deliveries, government records, phone books, etc. Many states ‘sell’ your basic drivers-license information to advertisers and databases. The US Post Office ‘sells’ your new address to advertisers when you file an official change-of-address form with them.
Rest easy.
Ahhh… that’s way too simple for me to think of! 🙂 Seriously, what percentage of dummies like me just gave their cc #s to Apple? Which makes them one of the more tempting targets.
Back to the post, though, I just wanted to validate your basic point: people who thought they were safe are at risk.
I have heard more than one Applehead smirk that they’re not at any security risk, because “that only happens to Windows.”
William: That’s not entirely true. It may not be obvious how to do this, but my kids have iPods (and iTunes accounts) without an associated credit card. They put money in by buying iTunes gift cards. Details on setting up an account without a credit card can be found here:
http://support.apple.com/kb/HT2534
Wow. Gone are the days of the “Oh, that’ll only happen to Windows users!”
Here is something even more scary: in order to unlock their iPhones and iPads, each and every user has to provide their credit card number to Apple. How? You can’t operate an iOS device without an iTunes account, and you can’t have an iTunes account without giving Apple a credit card number. Doesn’t matter if I say I will never buy anything – I can’t operate my iPad without giving Apple my credit card number. (How powerful is a company when they can tell you you can’t even use your own machine until you give them a credit card, just in case one day you might think of buying something from them? And nobody questions that?)
So there is iTunes with tens/hundreds of millions of our credit card numbers.
And Apple has never been accused of being a humble company.
To hackers I can’t imagine a juicier target: an arrogant company with the mother lode of credit cards.
Should I feel nervous?
I know you mentioned this, but I just wanted to agree with you about Two-factor authentication. That should probably be listed as the #1 most important thing in your list.
I have totally different passwords for every site on the internet, but if my Gmail account is broken into, none of that will matter since the hacker can simply reset all of my passwords. Two factor auth gives me comfort that even if someone gets my Gmail password they won’t be able to access my account.