Connectedness runs both ways...
http://www.sfgate.com/technology/art...le-3770521.php
There's only so much you can do to protect yourself online. You can practice safe computing by not clicking on bogus links in e-mails or social media, by using strong passwords and by not giving out personal information to strangers.
You can do all these things and still be a digital victim if the processes and practices of the companies with which you do business are lacking.
And judging from the terrifying tale of Mat Honan, the security practices of two of the biggest need a lot of work.
Honan, a writer for Wired, found his digital world turned upside down one day last week. Hackers got into his Gmail, iCloud, Amazon.com and Twitter accounts and wreaked havoc. On Monday, he wrote a lengthy piece on Wired.com describing exactly what had happened to him. You can find it online at tinyurl.com/c2ao8ur.
If you use online services, you should read it carefully - particularly if you're an Apple or Amazon.com customer. It's long, but well worth your time.
Honan's first paragraph lays out a summary of what happened:
"In the space of one hour, my entire digital life was destroyed. First my Google account was taken over, then deleted. Next my Twitter account was compromised, and used as a platform to broadcast racist and homophobic messages. And worst of all, my AppleID account was broken into, and my hackers used it to remotely erase all of the data on my iPhone, iPad, and MacBook."
Amazon changes
Since his account appeared, Amazon has apparently changed its policies for customer service, no longer allowing people to call in and make changes to their account settings.
But Honan's experience is a real wake-up call to the possibilities available to hackers. Step by step, here's what happened to him:
-- The hackers began by going to his personal website, which was linked from his Twitter account. Honan's Gmail address was there, and they used Google's automated password-recovery setup to get a glimpse at his guessable alternative e-mail address, which happened to be an Apple .me account.
-- Next, they looked up the information on Honan's Web domain, which yielded his billing address.
-- A hacker then called Amazon and said he wanted to add a credit card number to Honan's account, pretending to be him. Amazon only requires the account holder's name, billing address and an e-mail address associated with an account to make this change.
And you can generate fake credit card numbers with online tools, which the hackers did. The hackers were then able to call back and add a new e-mail address, because they could accurately give out associated credit card information.
Once the new e-mail was in place, they requested a password reset, which gave them access to Honan's account details - including the last four digits of Honan's credit card.
-- Next, they called Apple tech support, where you can bypass security questions to access an account by giving out a customer billing address and the last four digits of an associated credit card. They now had control of Honan's iCloud account, to which his iPhone, iPad and MacBook Pro were linked.
-- The hackers used Find My iPhone and Find My Mac to wipe his devices.
-- Once the hackers had control of Honan's iCloud account, they also controlled his .me e-mail address - which was the backup to Gmail. They were then able to enter his Gmail account and send a password reset request to Twitter, which then gave them access to his @mat Twitter feed.
Quick work
In a timeline of the episode, Honan estimates the entire enterprise took less than 40 minutes.
"By wiping my MacBook and deleting my Google account, they now not only had the ability to control my account, but were able to prevent me from regaining access. And crazily, in ways that I don't and never will understand, those deletions were just collateral damage.
"My MacBook data - including those irreplaceable pictures of my family, of my child's first year and relatives who have now passed from this life - weren't the target. Nor were the eight years of messages in my Gmail account. The target was always Twitter. My MacBook data was torched simply to prevent me from getting back in."
Clearly, weak processes at Amazon and Apple enabled this disaster, but Honan also lays part of the blame on himself:
"In many ways, this was all my fault. My accounts were daisy-chained together. Getting into Amazon let my hackers get into my Apple ID account, which helped them get into Gmail, which gave them access to Twitter. Had I used two-factor authentication for my Google account, it's possible that none of this would have happened, because their ultimate goal was always to take over my Twitter account and wreak havoc."
Safety feature
Two-factor authentication is a simple but generally effective method of defeating would-be hackers. Essentially, it requires a user to provide two bits of information that only he or she should know to make changes to any accounts.
Honan's been in touch with Apple and Amazon, and hopefully this episode will cause both companies to tighten their procedures. He's also been in touch with one of the hackers, who provided him with the details about how it was done.
Again, read the whole thing. It may cause you to make some changes in the way your own digital life is constructed.
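To check your own accounts for the kind of daisy-chaining Honan describes, you can write down what each service accepts as proof of identity and compute what follows from information that is already public. The sketch below is an added example, not part of the article or of Honan's piece; the rule names are labels made up here, and the rules restate only the checks described above.

```python
"""Self-audit of daisy-chained account recovery (constructed model)."""

# Each rule: (asset gained, things that must already be known or held).
# Labels are invented for this example; the requirements follow the article.
RULES = [
    ("billing_address", {"domain_registration_record"}),
    ("amazon_account", {"name", "billing_address", "email_address"}),
    ("card_last_four", {"amazon_account"}),
    ("icloud_account", {"billing_address", "card_last_four"}),
    ("me_mailbox", {"icloud_account"}),
    ("device_wipe", {"icloud_account"}),
    ("gmail_account", {"me_mailbox"}),
    ("twitter_account", {"gmail_account"}),
]

# What anyone can look up before the chain starts (assumption of the model).
PUBLIC = {"name", "email_address", "domain_registration_record"}


def exposed(rules, start):
    """Return {asset: round in which it falls} for everything reachable."""
    held = {item: 0 for item in start}
    rnd, changed = 0, True
    while changed:
        rnd += 1
        # Evaluate every rule against what was held when the round began,
        # so the round number is the length of the shortest chain.
        gained = [asset for asset, needs in rules
                  if asset not in held and needs.issubset(held)]
        for asset in gained:
            held[asset] = rnd
        changed = bool(gained)
    return held


def add_second_factor(rules, account):
    """Copy of rules in which `account` also requires a second factor."""
    token = account + "_second_factor"
    return [(a, needs | {token}) if a == account else (a, needs)
            for a, needs in rules]


if __name__ == "__main__":
    for label, rules in [("as described", RULES),
                         ("Gmail with second factor",
                          add_second_factor(RULES, "gmail_account"))]:
        result = exposed(rules, PUBLIC)
        chain = sorted((r, a) for a, r in result.items() if r > 0)
        print(label + ":", " -> ".join(a for _, a in chain))
```

In this model the second factor takes Gmail and Twitter out of the result, while the Amazon and Apple phone-support paths stay open because they depend on the companies' own checks.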