It’s not every day that a technology journalist’s email and social networking accounts are hacked. After all, we would expect these folks to be more technologically savvy than the rest of us mortals. But even with secure passwords, hackers can still find ingenious ways of running social engineering attacks. And it can sometimes involve your favorite service provider’s customer service department.
Mat Honan, who writes for Wired, details how his “entire digital life” had been wiped out by a hacker who wanted to deface his @mat Twitter account.
In the space of one hour, my entire digital life was destroyed. First my Google account was taken over, then deleted. Next my Twitter account was compromised, and used as a platform to broadcast racist and homophobic messages. And worst of all, my AppleID account was broken into, and my hackers used it to remotely erase all of the data on my iPhone, iPad, and MacBook.
The hacker exploited the fact that Honan’s Gmail, Apple ID, Twitter and Amazon accounts were daisy-chained together using a mix of password-recovery emails, credit card information and even the use of the same user ID (the prefix that comes before the @ sign in your email address).
The hacker, who goes by the name “Phobia,” was able to get the last four digits of Honan’s credit card number from Amazon. While that’s harmless in itself, these very digits are what Apple uses to verify user identity for password recovery, so Phobia was able to gain access to Honan’s Apple ID.
Phobia was then able to break into Honan’s Gmail account, and then Twitter. The hacker then defaced the @mat Twitter account with homophobic and racist messages. That defacement was the actual goal; in a conversation, the hacker admitted that the remote wipe of Honan’s iPhone, iPad and MacBook was only collateral damage.
The fact that Honan’s devices were remotely wiped added injury to insult, since he said he had years of photos stored on those devices that could no longer be retrieved. There were no other backups, save for iCloud.
Using two-step verification
Honan now believes that “cloud-based systems need fundamentally different security measures.” With user information increasingly moving to the cloud, service providers will need to improve the way they verify identity. In fact, all providers in the cloud ecosystem should coordinate their security efforts. With user accounts being connected across different services, malicious hackers can easily find loopholes and exploit them to gain unauthorized access.
Google’s Matt Cutts has stressed that the use of two-step verification can provide an additional layer of security. Because two-step verification requires something you know (your password) and something you have (your mobile phone), hackers are less likely to be able to break in.
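To make the daisy-chaining concrete, here is an added example (not code from the post or from any of the providers it names) that models the recovery dependencies described above: Amazon exposing the card’s last four digits, Apple accepting those digits for a reset, Gmail’s recovery address living in the Apple account, and Twitter resetting through Gmail. The exact facts required at each step are assumptions, and a second factor is modeled as an extra “phone” requirement the caller never holds.

```python
"""Account-recovery dependency model (constructed illustration).

Each account lists recovery paths: sets of facts or accounts a caller must
already control to reset it. Controlling an account also exposes facts.
A fixpoint walk shows how far one weak link propagates and how requiring a
second factor ("something you have") cuts the chain.
"""
from typing import Dict, FrozenSet, List, Set

Path = FrozenSet[str]

# Recovery paths (constructed; the order of compromise mirrors the post,
# the facts needed at each step are assumptions).
RECOVERY: Dict[str, List[Path]] = {
    "amazon":   [frozenset({"name", "email", "billing_address"})],
    "apple_id": [frozenset({"email", "billing_address", "card_last4"})],
    "gmail":    [frozenset({"apple_id"})],   # recovery address is the Apple account
    "twitter":  [frozenset({"gmail"})],      # password reset mail goes to Gmail
}

# Facts an attacker learns once they control an account (constructed).
EXPOSES: Dict[str, Set[str]] = {"amazon": {"card_last4"}}


def compromised(known: Set[str], second_factor: Set[str] = frozenset(),
                recovery=RECOVERY, exposes=EXPOSES) -> Set[str]:
    """Return every account reachable from `known` through recovery paths.

    Accounts in `second_factor` additionally require "phone", which the
    caller never holds, so their recovery paths can never be satisfied.
    """
    held: Set[str] = set(known)
    changed = True
    while changed:  # iterate to a fixpoint: each round may unlock new facts
        changed = False
        for account, paths in recovery.items():
            if account in held:
                continue
            extra = {"phone"} if account in second_factor else set()
            if any((path | extra) <= held for path in paths):
                held.add(account)
                held |= exposes.get(account, set())
                changed = True
    return {a for a in held if a in recovery}


if __name__ == "__main__":
    public = {"name", "email", "billing_address"}
    print("no second factor:", sorted(compromised(public)))
    print("2SV on Gmail:    ", sorted(compromised(public, {"gmail"})))
```

Enabling two-step verification on the Apple ID instead stops the chain one link earlier, which is the point of protecting whichever account the others recover through.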
Here’s a video presentation on two-step verification that Matt Cutts published on his blog.
Fixing the breach
Apple has said that its own internal policies were not followed completely. As of this writing, however, both Apple and Amazon have quietly changed their security policies to prevent a similar break-in from occurring. Amazon now disallows adding credit card information over the phone. Likewise, Apple will no longer give out temporary passwords the same way.
Still, this underscores the underlying issue in cloud computing. Our user information is increasingly moving toward the cloud, and we are increasingly dependent on the security policies of our service providers. But with more and more details — and personal files — on the Internet, it’s also easier for folks with malicious intent to cause damage, even without our intervention.
Word of advice: use stronger passwords, use different passwords across services, and enable two-step verification.