Tuesday, August 7, 2012

Hack! Slash! Burn! Crush!!

The big tech news story of the weekend was the hacked account of Mat Honan. As documented in his posting on Wired.com, in the space of a few hours his digital life was in shambles. And as much as we always talk about strong passwords, etc., this was not a case of password failure. It was a case that shows just how our desire for on-demand, cloud based services that are convenient can come back to haunt us.

I highly suggest you go read all 4 pages of the article, but the quick summary is that a hacker wanted control of Mr. Honan's Twitter account. In order to get it, they started with basic social scouting, and proceeded to use all of the built-in tools of Google, Amazon and Apple to gain access to his accounts without ever needing to crack a single password. At Google they discovered what his Apple ID e-mail address was when they did a simple "Forgot my password" query. Then at Amazon, they called up customer service and game'd the system to get access to the last 4 digits of his credit cards he had on file there. Once they had that info, they were able to call Apple and convince the support person that he needed to have his password reset. They had the last 4 digits of his credit card, which was all Apple required to validate the account. At this point they were able to remote wipe his iPhone, iPad and Mac Book Pro. Since they already had his Google account, they didn't need to get his Apple account to find his twitter password, but they destroyed his Mac so that he would be delayed in getting back in.

First, it's important to realize that he made a tremendous error in judgement by not having a backup of his laptop. He lost years and years of data in one fell swoop, and there's only a remote chance that he'll be able to get it back. In this day and age, backups are cheap and easy, and online providers provide a great way to store your data somewhere safe with only a small impact. I HIGHLY recommend going and getting an account at CrashPlan and start feeling safer.

Apart from that faux pas the bigger issue comes in how much data we all have online, and how it can be used to manipulate us, no matter how safe we think we are. In fact, even I was recently targeted with some sort of Skype attack that took over my account and charged up a bunch of international calls before it was caught and turned off. I utilize strong passwords, so I'm not sure how they got in, but my big mistake was letting Skype have a credit card number for no good reason. I almost never use their service for anything but toll-free calls, but I got lazy.

One thing we have very little control over is how businesses handle our account data. As shown in this hacking case, both Amazon and Apple had major holes that only took a phone call to break through. Why do these holes exist? Because companies don't ever want a lost password to impede your ability to spend money. By the same token we don't ever want a lost password to ever stop us from getting what we want. I remember many years ago I had forgotten my eBay password, and despite continuously hitting the "Send me a new password" button, their system was too slow and overloaded, and I missed out on an auction because I couldn't get in to the system in time.

On the flip-side, something we DO have a lot of control over is how much data we let companies, that we do business with, have access to. Sometimes this requires us to give up some speed and convenience, but if it protects us in the long run, isn't it worth it? So here's a couple of tips that you can consider using for your online security. I'll admit that some of them I'm not good at following myself, but even acting on some of these can help prevent getting your digital life compromised.

  1. Have a strong password strategy. If you have a common password you use on bulletin boards and other simple sites, DON'T use it on any site that has access to any of your financial information.
  2. Think twice about clicking the "save my credit card" button. How much time do you really save by not having to enter your credit card every time you want to make a purchase?
  3. Consider using something like PayPal. This shields your bank and credit card information with another layer of access. Many sites, and even iTunes will accept a PayPal account as a method of payment, and you can link your PayPal account to any number of bank accounts and credit cards.
  4. Backups, backups, backups. I know of many people who utilize the Find My Mac feature that allows you to locate and wipe your Mac if it's stolen. This is all well and good, but if you don't have a way to get your data back, what are you going to do then? Seriously. CrashPlan. Get it. 
So there are a few tips to help navigate this new reality that we live in. Even doing a couple of these things can help make your online experience much safer and secure.