I talked about backups in my last post about Mat Honan's awful experience of being hacked. This week he went into detail about the hack and how it happened. It took a lot of work between him and Apple customer service but he finally got all of the pieces in place. This time I'm going to go into the prevention part of the hacking defense.
Essentially, they followed Mat from his twitter to his personal site where they got his Gmail address. They did a whois lookup on his website and got his billing address. They also went to Amazon to get the last four digits of his credit card. They used those three pieces of surprisingly easy to obtain information to call Apple and get into his iCloud account. He didn't notice anything was wrong until his iPhone and iPad were remotely reset.
Because I didn’t have Google’s two-factor authentication turned on, when Phobia entered my Gmail address, he could view the alternate e-mail I had set up for account recovery. Google partially obscures that information, starring out many characters, but there were enough characters available, m••••email@example.com. Jackpot.
This was how the hack progressed. If I had some other account aside from an Apple e-mail address, or had used two-factor authentication for Gmail, everything would have stopped here. But using the .Me e-mail account as a backup meant told the hacker I had an AppleID account, which meant I was vulnerable to being hacked.
But even scarier to me than the ease with which they did this is the why. He was able to find the hacker and find out some of the details. 'Phobia' told him:
I asked him why. Was I targeted specifically? Was this just to get to Gizmodo’s Twitter account? No, Phobia said they hadn’t even been aware that my account was linked to Gizmodo’s, that the Gizmodo linkage was just gravy. He said the hack was simply a grab for my three-character Twitter handle. That’s all they wanted. They just wanted to take it, and fuck shit up, and watch it burn. It wasn’t personal.
“I honestly didn’t have any heat towards you before this. i just liked your username like I said before” he told me via Twitter Direct Message.
That scares the crap out of me. That some kid just on a whim decides that tonight is the night to fuck shit up and that your, or my, twitter handle looks like a fun target.
Short of deleting all of these accounts there is no way to guarantee that this won't happen to you. But... You can take a lot of steps to make your accounts look way less attractive to hackers.
You probably don't want to change your twitter handle or your email address. So if you have a cool twitter name like @mat or @darth or @hack_me then you'll have to take some more serious steps. Steps which you should take anyway.
Steps to take.
Turn on whois domain privacy. I turned on whois privacy for this website domain when I bought it. It's the only one I own but you should do it for any and all domains you own. Because I use hover.com this was as simple as checking a checkbox in my domain settings. If you look this site up on whois it says I live in Toronto (where Hover is based). Go to your domain registrar's website and do this right now.
The Amazon part shouldn't be too much of a concern because they have closed the loophole that let the hackers access the account. But you should still be extremely careful with your Amazon account. Use a unique password for each service you use online. You could also use different credit cards for Amazon and Apple.
Turn off Find my Mac/iPhone/iPad for any device that you don't take away from your home. You aren't very likely to misplace an iMac in a taxi, so go into Settings > iCloud and turn it off. If you don't have Find My... on for a device it cannot be remotely wiped. We only have it on for our iPhones now. If Honan had turned this off for his Macbook he would have only been inconvenienced with some bricked iOS devices. He wouldn't have lost all of the photos of his daughter.
Use 1Password. It didn't help in Honan's case, because they didn't attack his passwords1 but it's a great way to generate strong passwords and store them securely. I run it on OS X and iOS (it syncs through Dropbox) and I absolutely love it. It is truly one of my must-have apps. And it's even available for Windows.
Turn on Google's 2-step verification. Setting up 2-step verification can be a pain in the ass for sure. But it's really the only way to really secure your Google account. For most of us this is the real vulnerability because it's our Gmail address that really links all of these different accounts and services together. Honan said rightly that if he had 2-step on the hack would have stopped right there. If someone can get into your Gmail, they can send password resets from your other services and really start to do a lot of damage. With 2-step, not only would someone have to get your password, they would have to physically have your phone with them as well. Seriously. Go to Google Accounts and set it up. Now.
There isn't much you can do about the Apple part of Honan's hack. It was apparently a loophole in the security policy that allowed anyone with the last four digits of a credit card on file, the .mac or .me email address, and a billing address to be issued a password reset over the phone. Apple is addressing this with a freeze on over-the-phone password resets until a better security policy can be put in place. Just in case, though, you can limit exposure of your home address and use a different credit card for your Apple ID than for Amazon.
BACK UP ALL OF YOUR STUFF. I talked about this before but it's really that important. PLEASE back up your computer(s). You will really miss all of that stuff when2 its gone.
If Mat Honan had done just a few things (turn on 2-step, turn on whois privacy, turn off unnecessary Find My Mac) this wouldn't be a story at all. It would have been an inconvenience. But it did happen to him. Take some proactive steps to make sure that it doesn't happen to you.
1He called it a 'social engineering' hack because they didn't break his passwords. They used loopholes and gaps in security (Mat's and Amazon's and Apple's) to have his passwords reset or revealed.
2Not if. When.
More relevant links: