Hackers wanted access to technology journalist Mat Honan’s Twitter account. It doesn’t just have 16,000 or so followers, but was tied to Gizmodo’s account, allowing for exponentially more mischief and, above all, lulz. So how did they get access to his account and destroy most of his digital life in the process? Knowledge of how different companies confirm customer identities and how their password retrieval systems work is all that a determined person needs to get into your life and mess everything up. The weakest links in this rather insecure chain? Apple and Amazon.
If you only click through and actually read one article that Consumerist links to this year, please let it be this one. Honan’s article about the incident for Wired details what happened to him, how he experienced it, the aftereffects, and how he could have prevented the whole mess.
Setting up strong passwords is important, but it’s not enough. As former Alaska governor and Republican VP nominee Sarah Palin learned during the 2008 campaign season, someone can reset your password with very little effort and some pretty basic information about you.
From the article, here are the bare facts of what happened. The ball got rolling when the hacker called up Amazon, pretended to be him, and obtained the last four digits of his credit card number on file. When the hacker (presumably a he) turned around and called AppleCare to reset Honan’s iCloud password, these four digits served to confirm the caller’s identity, verifying the card on file with Apple for iTunes purchases.
> At 4:33 p.m., according to Apple’s tech support records, someone called AppleCare claiming to be me. Apple says the caller reported that he couldn’t get into his .Me e-mail — which, of course, was my .Me e-mail.
>
> In response, Apple issued a temporary password. It did this despite the caller’s inability to answer security questions I had set up. And it did this after the hacker supplied only two pieces of information that anyone with an internet connection and a phone can discover.
>
> At 4:50 p.m., a password reset confirmation arrived in my inbox. I don’t really use my .Me e-mail, and rarely check it. But even if I did, I might not have noticed the message because the hackers immediately sent it to the trash. They then were able to follow the link in that e-mail to permanently reset my AppleID password.
>
> At 4:52 p.m., a Gmail password recovery e-mail arrived in my .Me mailbox. Two minutes later, another e-mail arrived notifying me that my Google account password had changed.
>
> At 5:02 p.m., they reset my Twitter password. At 5:00 they used iCloud’s “Find My” tool to remotely wipe my iPhone. At 5:01 they remotely wiped my iPad. At 5:05 they remotely wiped my MacBook. Around this same time, they deleted my Google account. At 5:10, I placed the call to AppleCare. At 5:12 the attackers posted a message to my account on Twitter taking credit for the hack.
His key recommendations:
- Don’t link together key services, like Honan linked his iCloud and Google accounts.
- Don’t use the same e-mail prefix or login for every service that you use.
- Back up your computer(s).
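The chain above is really a dependency graph: each account can be reset by some combination of facts and other accounts, and taking one account over hands you whatever it reveals. The script below is an added example, not code from the post or from Wired, that models the chain as described and computes how far an attacker who knows only publicly discoverable facts can get, before and after the first recommendation (unlinking the Google and iCloud accounts). Account names, the "reset path" rules and the `gmail_recovery_phone` factor are constructed placeholders that mirror the post's narrative, not the real recovery policies of any company.

```python
from copy import deepcopy
from typing import Dict, Set

# Constructed model of the recovery chain described in the post. Each account
# lists its "reset paths" (sets of facts or already-controlled accounts that
# let a caller take it over) and the facts a controlled account reveals.
# Names are illustrative placeholders, not any company's actual policy.
CHAIN_2012: Dict[str, dict] = {
    "amazon": {
        "reset_paths": [{"name", "email", "billing_address"}],
        "reveals": {"card_last4"},        # last four digits visible once inside
    },
    "apple_id": {
        "reset_paths": [{"billing_address", "card_last4"}],
        "reveals": {"me_mailbox"},        # the .Me mailbox becomes readable
    },
    "gmail": {
        "reset_paths": [{"me_mailbox"}],  # recovery e-mail goes to .Me
        "reveals": set(),
    },
    "twitter": {
        "reset_paths": [{"gmail"}],       # password reset via the Gmail address
        "reveals": set(),
    },
    "devices": {
        "reset_paths": [{"apple_id"}],    # Find My remote wipe
        "reveals": set(),
    },
}

# Facts the post says anyone with a phone and an internet connection can find.
PUBLIC_FACTS: Set[str] = {"name", "email", "billing_address"}


def blast_radius(model: Dict[str, dict], initial_facts: Set[str]) -> Set[str]:
    """Return the set of accounts reachable from the initial facts.

    Iterates to a fixpoint: whenever any reset path of an account is fully
    covered by what the caller already holds, that account is taken over and
    its name plus everything it reveals join the held set.
    """
    held = set(initial_facts)
    taken: Set[str] = set()
    changed = True
    while changed:
        changed = False
        for name, spec in model.items():
            if name in taken:
                continue
            if any(path <= held for path in spec["reset_paths"]):
                taken.add(name)
                held.add(name)
                held |= spec["reveals"]
                changed = True
    return taken


def unlink_google_from_icloud(model: Dict[str, dict]) -> Dict[str, dict]:
    """Apply the post's first recommendation to a copy of the model.

    Gmail recovery no longer runs through the .Me mailbox; it requires a
    separate factor ("gmail_recovery_phone", a constructed placeholder) that
    the caller does not hold. Nothing else about the chain changes.
    """
    hardened = deepcopy(model)
    hardened["gmail"]["reset_paths"] = [{"gmail_recovery_phone"}]
    return hardened


if __name__ == "__main__":
    print("as described:", sorted(blast_radius(CHAIN_2012, PUBLIC_FACTS)))
    print("unlinked:    ", sorted(blast_radius(unlink_google_from_icloud(CHAIN_2012), PUBLIC_FACTS)))
```

Run as is, the first line lists every account in the model, which is the cascade the post describes. After unlinking, Gmail and Twitter drop out of the reachable set, but Apple ID and the devices still fall, because that half of the chain depends on Amazon revealing card digits and Apple accepting them, not on the Google link. That is the point of the recommendations taken together: each one cuts a different edge in the graph.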