As users sign on to more and more services online, the opportunity for someone to steal some of their personal information increases all the time. Every few weeks, another website announces they’ve been hacked and encourages users to change their passwords. Just in the last few weeks, online storage site Dropbox, videogame company Blizzard, and social media network LinkedIn have been hacked, giving up e-mail addresses, answers to personal security questions, and passwords.
But one of the largest profile hacks wasn’t of a whole network, but a pinpoint attack earlier this month on WIRED’s senior writer Mat Honan. In an hour, his e-mail, social networks and computer had been compromised and his “entire digital life was destroyed.”
The hackers were after Honan’s Twitter account, which was just three letters -- @mat. To get there, they took advantage of security flaws in major companies, including Amazon and Apple, and of what Honan says were personal security lapses.
But those lapses are not uncommon among Internet users. Ars Technica’s senior Apple editor Jacqui Cheng joins us on Chicago Tonight at 7:00 pm with tips to protect your digital life.
Honan’s hack was a complicated process, but two of the most crucial steps, he says, are flaws in Apple and Amazon’s security checks. The hackers needed to get into Honan’s Apple account, and they called Apple to ask for a password reset. The only thing Apple asked for was Honan’s billing address and the last four digits of his credit card number.
The hackers got that number by getting access to his Amazon account. First, they called Amazon claiming they were Honan and asked to add a new credit card to his account; all they needed was Honan’s billing address. Then they placed a new call, saying they’d forgotten their password and asking for it to be reset. Amazon reps asked for a credit card associated with the account—and all the hackers needed was the card they’d just added. With access to his Amazon account, getting the last digits of Honan’s real credit card was easy.
Honan was amazed that the four digits Apple thinks secure an account are the same four that Amazon displays on receipts and in user profiles.
“The disconnect exposes flaws in data management policies endemic to the entire technology industry, and points to a looming nightmare as we enter the era of cloud computing and connected services,” Honan wrote.
In the days since Honan’s article, Apple and Amazon have stopped allowing users to change passwords with a phone call, though Apple says the change is temporary and the lapse was due to their own protocols not being “completely” followed.
But even if those holes are plugged, Honan says he made mistakes that others should avoid.
Back up your computer: One of Honan’s most devastating losses was personal photographs that he had never backed up. Once the hackers wiped his computer, those photos were gone forever. That could all have been avoided if he had set up an external hard drive to copy his files. Cheng says if you’re constantly backing up your files, you can prevent “your entire life from being taken down.”
Set up two-factor authentication: Some services, like Gmail and Facebook, give users the option of two-factor authentication. If you log in from a new computer, Google, for example, will send a text to your cell phone with a string of numbers for you to enter.
“If someone’s posing as you, they probably don’t have your phone,” Cheng says. If Honan had set up the feature, the hackers wouldn’t have been able to get into his Gmail account, which was a nexus of his online identity.
Don’t “daisy chain” accounts: Speaking of Gmail, Honan had many of his accounts daisy-chained together. His Apple account led to Gmail, which led to Twitter and others.
“This was largely facilitated because the hackers could reset everything through one e-mail address,” Cheng says.
She recommends setting up three different e-mail accounts to link to password resets, each for different levels of security. So in addition to a personal and work e-mail, she has one e-mail for bank accounts, one for low-security accounts like Twitter, and one for medium-security passwords.
Use unique passwords: Passwords are everywhere in your life, Cheng says, and even at their best they aren’t secure. The industry should move towards a new standard, according to Cheng, like biometrics, or using physical characteristics like your fingerprint or voice, to grant access to accounts.
But until that happens, Cheng says having complex and unique passwords for your online accounts is key.
“Passwords, as we use them now, are not that secure, but they’re the only standard we have across the entire Internet,” she says.
Cheng uses the program 1Password, which can randomly generate complicated passwords that are hard to crack—and hard to remember. That’s why the program can also remember them for you and automatically log you into sites on your computer.
“In lieu of having something more secure than passwords, random generation is the best we can get,” she says.
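To show what “random generation” buys you in practice, here is an added example (not code from the article, from Cheng, or from 1Password) of how a password manager builds a password: it draws each character uniformly from a fixed alphabet using the operating system’s cryptographic random source, then estimates how much work guessing it would cost. The alphabet, the default length of 20 and the assumed guessing rate of ten billion attempts per second are assumptions chosen for illustration, not figures from the page.

```python
import math
import secrets
import string

# Alphabet a typical password manager draws from: upper, lower, digits, symbols.
# (Assumed here for illustration; real tools let you tune this.)
CHARSET = string.ascii_letters + string.digits + string.punctuation


def generate_password(length=20, charset=CHARSET):
    """Return a password of `length` characters, each chosen uniformly at
    random from `charset` with the OS CSPRNG (`secrets`), never `random`."""
    if length < 1 or not charset:
        raise ValueError("length must be >= 1 and charset must not be empty")
    return "".join(secrets.choice(charset) for _ in range(length))


def entropy_bits(length, charset_size):
    """Entropy of a uniformly random password: length * log2(alphabet size).
    A 20-character password over 94 symbols is about 131 bits."""
    return length * math.log2(charset_size)


def years_to_exhaust(bits, guesses_per_second=1e10):
    """Worst-case years to try every password of the given entropy at an
    assumed (illustrative) offline guessing rate. Shows why a random
    20-character password is out of reach while an 8-character one is not."""
    seconds = (2 ** bits) / guesses_per_second
    return seconds / (365 * 24 * 3600)


if __name__ == "__main__":
    pw = generate_password()
    bits = entropy_bits(len(pw), len(CHARSET))
    print(f"generated: {pw}")
    print(f"entropy:   {bits:.1f} bits")
    print(f"exhaustive search at 1e10 guesses/s: {years_to_exhaust(bits):.3g} years")
    print(f"versus an 8-character password:        "
          f"{years_to_exhaust(entropy_bits(8, len(CHARSET))):.3g} years")
```

The point the numbers make is Cheng’s: a password this random is impractical to guess, and also impossible to memorise, which is why the same tool that generates it has to store it for you.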
Taken together, having a secure digital persona can be a lot of work—setting up new e-mails, using new passwords, and having a two-step login—but given Honan’s extreme attack, the work is worth it.
“Managing a million different e-mails can be overwhelming even to geeks like us [at a technology website],” Cheng says. “That’s why Mat didn’t do all of those things. But an incident like this makes everybody think about what’s really important to them.”