It used to be reasonably easy to defend yourself against the run-of-the-mill, hell-raising hacker. Pick a strong password — preferably a unique one — for each of your various accounts, don’t tell anyone and be careful not to get tricked into giving it up on a phishing site. But the recent multi-front assault on Wired writer Mat Honan is proof that things just aren’t the same any more. Even if you’re a tech journalist who randomly generates his passwords and avoids hackers’ cheap tricks, the companies that oversee your accounts can let you down.
Within a matter of minutes last weekend, hackers broke into Honan’s Gmail account, his Twitter account and his AppleID account, where they wiped all of the data from his iPhone, iPad and MacBook. All it took on their end, surprisingly, was a call to Apple’s support team. Funnily enough, the hackers targeted Mat not because he was a tech journalist with a well stocked Rolodex but rather because of his three character Twitter handle, @mat. The way they went about gaining access to the account was somewhat complex but required no special technical skills.
The hackers identified Honan as a target, then did some simple research that yielded his Gmail address. From Gmail, they hit up the password recovery page, where Google revealed that Honan’s backup email address was an Apple one. This is where things get a little bit complicated. In order to recover a password from Apple, all you need is a billing address and the last four digits of a credit card. To get this, the hackers just called up Amazon and, through some simple bait-and-switch tricks, gained access to Honan’s Amazon account where his billing address and credit card numbers were stored.
Bingo. Armed with Honan’s billing address and credit card numbers, the hackers got Apple to let them into his .me email account, where they picked up the new password for his Gmail. Once they logged in to Honan’s Gmail, they were able to do a password reset for his Twitter account, and that’s when they started to raise hell. In the span of about 20 minutes, they filled his Twitter stream with filth, deleted everything in his Gmail inbox and wiped his Apple devices. Honan caught them pretty quickly after they let loose, but the damage was done.
The frustrating thing about Honan’s hack is how helpless he was throughout the whole process. Rather than rendering himself vulnerable, Honan was actually let down by the companies that were supposed to be protecting his security. A lot of hacks like these come from people simple choosing a weak password or using the same password on multiple sites. As James Fallow points out in a piece detailing how hackers broke into his wife’s Gmail account, once hackers get ahold of the password, they can wreak havoc on your digital life, breaking into your bank account or deleting all of your data. And in most cases, companies like Google aren’t prepared to do anything to help you get that data back. It was inevitably weaknesses in Apple’s security system that led to Honan’s attack, though. Had they been more protective of his account information, Apple wouldn’t have inadvertently given the hackers free access to all his other accounts. And the way our accounts are daisy-chained together means that once one is breached, they’re all vulnerable.
Then, of course, there are the well-meaning services that become dangerous when in the wrong hands. For Honan, it was the Find My iPhone/iPad/MacBook app. This service can work wonderfully. New York Times writer David Pogue proved as much as last week when he lost his iPhone and then pinged his Twitter followers to help find it based on information that he’d gleaned from the Find My iPhone app. With their help, it was only a matter of hours before his phone was safely recovered. Unfortunately, this is the same app that gave Honan’s hackers the ability to wipe all of the data of all his devices. He lost years of documents and all of the photos of his daughter’s first year.
The lesson learned from all this is unfortunately a redundant one. In order to keep yourself safe from hackers, you should accept the fact that you’re never safe from hackers. Honan could’ve been more careful by, for instance, using Google’s two-step verification process for his Gmail account. He also could’ve backed up his devices on hard drives that weren’t accessible through the apps that doomed him. Obviously, Apple and Amazon could be a lot more diligent in protecting its customers. So the only way to keep something like this from happening to you is to do everything you can to lock down your accounts. Or just don’t use computers. That will work, too.