We often talk about a "connected life." But is it possible to have a "too
The web was abuzz this week after Wired writer Mat Honan published a detailed description of how hackers were able to exploit holes in the security procedures of Amazon and Apple customer service. His piece is well worth reading, as it includes information provided by the actual hackers who hijacked his life and destroyed his data. In order to take control of Honan's Twitter handle, these digital hooligans compromised his Amazon, Apple and Gmail accounts and wiped the data from his iPhone, iPad and iBook. Among the data he lost was all of the photos he had ever taken of his young daughter, which for some reason he had never backed up.
According to reports, both Apple and Amazon have quietly changed the policies that led to the epic hack. But for everyone who is a true technophile—everyone whose entire life now resides online—it's certainly a cautionary tale.
Here are a few lessons to be learned from Honan's ordeal:

1. Our security is only as good as the companies that protect it.
Amazon's security processes allowed basically anyone to add a new credit card to a user's account without verification. The protocols then allowed a password reset based on the recently added credit card, which gave access to the entire account (including the last four digits of all other cards associated with the account).
Apple admitted, when pressed, that their own employees didn't follow their security rules. Whether or not that's true, their customer support agents allowed the hackers to get access to Honan's Apple accounts using the last four digits of the primary credit card, which of course the hackers knew because of Amazon's security flaw.
When you think of the vast amounts of information that we put in the hands (and databases) of our banks, credit card companies, employers, government agencies, and all of the other entities with which we do business, the overall picture is staggering. Identity theft is made ridiculously easy by this proliferation of connected data. Remember: as this case has proven, it's much easier to "socially engineer" data out of a gullible customer service agent than it is to hack into a system through brute force.

2. If you don't use a backup service, get one now.
Whatever it costs, it's a small price to pay. When you eventually need it, if it's not due to hacking, it'll be due to loss or hardware failure. Do you know what the most common cause of cell phone damage is? Dropping the darned thing in the toilet. How many photos are on your mobile phone? Have you backed them all up?
And make sure you use a remote, offsite service. One of my favorite security stories is told in a 20-minute clip from DefCon (an underground hacking conference), in which an accomplished hacker describes his experience when his own computer was stolen. He had dutifully made multiple redundant backups but had kept them in the same room as his computer. When the computer was stolen, the backups were too. (Google "don't mess with a hacker's computer" if you want to listen to the hacker tell his story, but be forewarned—the language is pretty salty.)

3. If you use a Mac, log into iCloud and turn off the "Find My Mac" feature.
Being able to wipe your computer drive in case it's stolen is a great idea in theory. But the same "feature" allows someone who gains access to your accounts to wipe your computer, tablet and phone remotely. The benefits just don't outweigh the risks.

4. Reduce your data footprint and eliminate daisy-chaining of accounts.
Do what you can to prevent someone who gets access to one account from getting access to another. When it's an option, choose NOT to allow a company to keep your credit card on file. Turn off "one-click" shopping. If a site offers two-factor authentication, by all means, turn it on and use it.
Never use the same password for critical online accounts. I know people who use the same password for everything they do online. It's not like they're using "password" or their birthday or anything; they have a solid password, but use it everywhere. A good rule of thumb is to have unique passwords for the critical stuff you do (places you habitually shop and important services you use). You can feel okay about having a single "throwaway" password for certain other sites that require a login. Just make sure that you don't have any personal information in those accounts that would allow a hacker to gain access to other accounts (with more sensitive information) if they get compromised.
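The daisy-chaining that lessons 1 and 4 describe, as an added example (not from the original article): a small Python model that computes which accounts fall once one account's weak recovery flow is satisfied with publicly known facts, then re-runs after the chain is broken. The account names (`shop`, `cloud`, `mail`, `social`), their recovery rules and the starting facts are constructed assumptions, not the real companies' procedures.

```python
"""Blast-radius check for daisy-chained account recovery.

Each account lists the combinations of facts its recovery flow accepts as proof
of identity (any one combination is enough), and the facts an intruder gains
once the account is under their control. All names and rules are constructed.
"""
from typing import Dict, FrozenSet, Iterable, List, Set

Resets = Dict[str, List[FrozenSet[str]]]
Exposes = Dict[str, Set[str]]

WEAK_RESETS: Resets = {
    "shop":   [frozenset({"email", "billing_address"})],           # card added without verification
    "cloud":  [frozenset({"email", "billing_address", "card_last4"})],
    "mail":   [frozenset({"cloud_mailbox"})],                      # cloud address is the recovery email
    "social": [frozenset({"mailbox"})],                            # reset link lands in the mailbox
}
EXPOSES: Exposes = {
    "shop": {"card_last4"},          # last four digits of every card on file
    "cloud": {"cloud_mailbox"},
    "mail": {"mailbox"},
    "social": set(),
}
PUBLIC_FACTS = {"email", "billing_address"}   # assumed already known to the intruder (constructed)


def blast_radius(resets: Resets, exposes: Exposes, known: Iterable[str]) -> Set[str]:
    """Fixed-point walk: take over every account whose reset requirements are
    already met, add what it exposes, and repeat until nothing new falls."""
    known = set(known)
    owned: Set[str] = set()
    progress = True
    while progress:
        progress = False
        for acct, combos in resets.items():
            if acct not in owned and any(combo <= known for combo in combos):
                owned.add(acct)
                known |= exposes.get(acct, set())
                progress = True
    return owned


def harden(resets: Resets) -> Resets:
    """Apply lesson 4: no card-based reset on the cloud account, and a second
    factor on cloud and mail. A device factor is never exposed by another account."""
    hardened = {acct: list(combos) for acct, combos in resets.items()}
    hardened["cloud"] = [frozenset({"email", "cloud_2fa_device"})]
    hardened["mail"] = [frozenset({"cloud_mailbox", "mail_2fa_device"})]
    return hardened


if __name__ == "__main__":
    print("weak chain:", sorted(blast_radius(WEAK_RESETS, EXPOSES, PUBLIC_FACTS)))
    print("hardened:  ", sorted(blast_radius(harden(WEAK_RESETS), EXPOSES, PUBLIC_FACTS)))
```

Against the weak rules every account falls from two public facts; after hardening, only the shop account with the unverified-card flaw is reachable, and the chain stops there.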
The more we do business and live our lives in a virtual world, the more vulnerable we are to people who want to take our identities, our money and our peace of mind.