Wired journalist Mat Honan's hellish trip through the Internet's cloud technology could have happened to anyone. It could happen to you.
In the span of 15 minutes, Honan saw the contents of his iPhone, iPad and MacBook Air erased. His Gmail account was deleted and his Twitter account was hijacked. And his Apple and Amazon accounts were compromised by a hacker using a phishing scheme.
The hacker exploited security procedures at Amazon and Apple.
The hacker and his pals coveted Honan's Twitter handle because it used only one "T".
As the nightmare unfolded, Honan probably was not thinking about W.C. Fields' misanthropic quote.
"Never mind what I told you -- you do as I tell you," Fields famously told an accomplice.
I've often said the only secure computer is one that is turned off and not connected to a local network or the Internet.
Now I'm not so sure.
It can happen to anyone. With enough preparation it's possible to change your accounts so a would-be hacker will move along to easier pickin's instead of making your life miserable.
Let's take a look at common-sense ways to protect yourself from an attack. Each can be completed in minutes.
Exploit: Use of public email addresses for account access and password recovery.
Defense: Set up email accounts to be used only for password recovery. Do not use those addresses for routine email. Create one for each of your major accounts. Use them only for password recovery. It's easy enough to set up forwarders so messages to the recovery addresses pop up in your inbox.
Exploit: Using multiple email addresses with the same user name.
Issue: Honan used the same prefix on two accounts, Gmail and Me.com.
By trying to access the Gmail account -- even without the password -- the exploiters could see a partial recovery address. Because Honan used his first initial and last name, it was fairly easy to guess the partially obscured address on the Google password recovery page.
Defense: Vary your user name when setting up new accounts. For existing accounts use a very strong password of at least 13 characters.
Tips for remembering complex passwords.[link]
Exploit: Use of poor and insecure passwords.
Danger: The hacker team saw the partial address for password recovery when they attempted to recover the password to Honan's Gmail account. The password was not needed to get to that point, just the user name.
Defense: Download Google's free authentication app for iPhone or Android. If you don't use Gmail, consider switching just because of the two-factor authentication. It's free. For the whiners moaning about too many email addresses, quit whining.
Turn on Google's two-step verification. It requires entering an additional six-digit code sent to your mobile phone before an account password can be changed -- or even for logging in from a new device or browser.
Cool Trick: Google can deliver the numeric code as a phone call to your cell phone or just send the number to the Authenticator app on your phone.
Any hacker trying to discover information about you will not see a partial password recovery address because of Google Authenticator.
Hacking into your alternate email address won't be enough to change your Google password and seize control of your account. Two-factor authentication makes your account safer from other kinds of hacks.
Typing in an additional code to get to your email is a royal pain. Want to trade places with Mat Honan? He lost photos of his newborn daughter, years of email and an entire collection of music and videos. Being forced to enter an additional code sent to a mobile phone is a very small price to pay. It's a lot less of a hassle than being hacked.
How to enable two-step authentication [link]
Exploit: Storing credit card numbers in online accounts.
Danger: It seems harmless enough to store credit card numbers in online accounts. In most cases, if that account is hacked the hacker will only see the last four digits. But the last four digits were all that was needed to hack another account. Both Amazon and Apple have changed procedures to help prevent that.
Defense: Delete the credit card number from each account. As a result, it's necessary to type in the credit card number for every purchase.
That can be another pain when using a credit card number for a recurring payment.
Cool Tip: Credit card issuers have grown wise over the years when dealing with credit card fraud. Many companies will issue multiple credit card numbers for the same account. Use a different credit card number for each account. If a hacker steals a unique number, potential damage is confined to one account.
Secret Tip: Credit card companies will also issue special one-time credit card numbers that can only be used once. That's a little different than using a unique number for each account. If a hacker breaks into an account with a one-time number, it can't be used for anything else.
If a hacker breaks into an account with a unique credit card number, charges on that number will reveal which account was breached once the credit card company discovers the theft.
Exploit: Linking online accounts.
Danger: Many social media services like Facebook or Twitter allow signing in with a Gmail or Yahoo account through a process known as OAuth.
It's fairly safe unless one of your accounts is compromised. If one of the daisy-chained accounts is hacked, the others are at risk.
If your accounts share lots of common information it could be easy to get access to one account. The others could fall like dominoes unless each account has its own unique email recovery address.
Locking your car won't keep thieves out, but in the best circumstance it will annoy them enough to go elsewhere. The same could be true for less experienced hackers. By making it too much work for them, they may head for someone else's account.