As digital horror stories go, Mat Honan’s is a doozy.
The Wired reporter had his iCloud account hacked and had his digital life wiped from cyberspace.
Honan’s attackers used a combination of tech savvy and social engineering. They used his public LinkedIn page to obtain his Gmail address.
Then they used Gmail to display his account recovery page. That’s when they hit gold.
The recovery page contains an email address — albeit studded with asterisks — where account access information is sent when you lose or forget your password. Despite the asterisks, the email address was relatively easy to guess. Better yet, it was an Apple address.
Key Info Easily Obtained
The hackers knew they needed three pieces of information to gain unauthorized access to Honan’s Apple account: a postal address, an email address and the last four digits of the credit card number associated with the account.
They already had the Apple email address.
They discovered that Honan had a registered domain — it’s listed on his LinkedIn page — and used that information to obtain a postal address from WHOIS, an online directory of domain owner data.
Finally, with a clever bit of social engineering, they were able to break into Honan’s Amazon account and obtain the credit card number they needed.
Since Honan made his tale of woe public on Monday, Amazon and Apple have acted quickly to saw off the levers the hackers used in their attack on the journalist. Amazon no longer allows you to change your account settings by phone. Apple has put a freeze on giving out Apple ID information on the phone.
While Amazon and Apple have closed two of the key attack vectors in the Honan case, there are a number of measures security experts recommend consumers take to prevent similar attacks in the future, or at least to mitigate their damage.
Back Up Data
By storing all his data in Apple’s cloud, Honan created a single point of failure for himself. That’s why it’s wise to have at least one backup of your cloud data. The backup can be elsewhere in the cloud — you could store one backup in iCloud and another in SkyDrive, for example — or on a hard drive attached to a home network or computer.
“Trust no one,” Sophos Security Advisor Chet Wisniewski told TechNewsWorld. “The cloud is convenient for certain things, but having a backup is important.”
Don’t Link Accounts
By tying together a number of his online accounts, Honan made it easier for his attackers to compromise those accounts once they gained initial entry to one of them.
“Daisy-chaining all these accounts can have some negative implications,” Bit9 Director of Mobile Products Anand Sundaram told TechNewsWorld.
“Sometimes you have to stop and reflect on what it means to have everything linked together,” he observed. “One person, in very short order, can get control of a bunch of other things.”
That’s a major problem with single sign-on products, added Wisniewski, of Sophos. Those products store login credentials for multiple accounts but are activated by a single username and password.
“Single sign-on is a pretty bad idea when it comes to security because that means there’s one set of credentials that I compromise and I own them all,” he reasoned.
Implement Two-Factor Authentication
Honan’s attackers were able to exploit his Gmail account because he hadn’t activated two-factor authentication.
The two factors in Google’s case are something you know — your password — and something you have — your cell phone.
With two-factor authentication enabled, a password alone is no longer enough: when you sign in from a device Google does not recognize, it sends a code to your cell phone that must be entered as well. An attacker who learns your password, or guesses the recovery address, still cannot get in without the phone.
When access to an account is lost, heightened security measures must be taken, maintained McAfee Senior QA Engineer Vikas Jain. “Two-factor authentication is definitely one mechanism of heightening security so it’s not just about what you know but what you have,” he told TechNewsWorld.
Dedicate an Email Account for Recovery
When Honan’s attackers saw the email account he was using to recover the credentials to his accounts, they salivated. Not only was it an Apple email address that they knew they could penetrate, but it was child’s play to crack.
“People should have one account for recovery options,” Bit9’s Sundaram recommended. “That way not all your critical stuff is going through the same account.”
“And you shouldn’t make the name of the recovery account easy to guess,” he added.
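To show why a masked recovery address gives an attacker so little to work with, here is an added example (not from the article) that takes a masked address of the kind a recovery page displays, builds the obvious local-part variants of a person's name, and keeps only those that fit the mask. The masked address and the name are constructed for illustration, and the assumption that each asterisk hides exactly one character is also an assumption about the masking format.

```python
import re


def mask_to_regex(masked: str) -> "re.Pattern[str]":
    """Turn 'j***doe@example.com' into a regex. Assumes (constructed) that each
    '*' or '•' hides exactly one character, so the mask also leaks the length."""
    local, _, domain = masked.partition("@")
    pattern = "".join("." if ch in "*•" else re.escape(ch) for ch in local)
    return re.compile(rf"^{pattern}@{re.escape(domain)}$")


def candidate_locals(first: str, last: str) -> set[str]:
    """Common username shapes an attacker would try from a public name."""
    f, l = first.lower(), last.lower()
    return {
        f, l, f + l, l + f,
        f + "." + l, f + "_" + l,
        f[0] + l, f[0] + "." + l, f + l[0],
    }


def guess_recovery_address(masked: str, first: str, last: str) -> list[str]:
    """Return the name-derived addresses that fit the mask; a result of length one
    means the mask gave the attacker the address outright."""
    rx = mask_to_regex(masked)
    _, _, domain = masked.partition("@")
    return sorted(c + "@" + domain for c in candidate_locals(first, last)
                  if rx.match(c + "@" + domain))


def unrelated_address_fits(masked: str, candidate: str) -> bool:
    """Check whether a deliberately unguessable recovery address would have matched."""
    return mask_to_regex(masked).match(candidate) is not None


if __name__ == "__main__":
    # Constructed data: a fictitious user and the mask a recovery page might show.
    print(guess_recovery_address("j***doe@example.com", "John", "Doe"))
```

If the name-derived list collapses to a single match, the masking protected nothing; a recovery address with no relation to your public name (the advice above) leaves the attacker with the whole space of strings of that length instead.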
Privatize WHOIS Information
If you own a domain name, use the WHOIS privacy (proxy registration) service your registrar offers so that your postal address is not published in the public WHOIS record.
In fact, it’s a good idea to mask your address wherever you have an Internet presence, such as on Facebook and LinkedIn.