It doesn't matter how strong your passwords are if people can bluff their way in.
By now most of us have heard the story of US tech journalist Mat Honan, whose digital world was wiped out by a hacker last week. The hacker remote wiped his iPhone, iPad and MacBook Air, as well as their backups in iCloud, and then deleted his Google account and took control of his Twitter account. What's most incredible is that Honan wasn't hacked due to weak passwords or security flaws, instead the perpetrator used an elaborate social engineering scheme. It involved gleaning details from Honan's personal website, web host, Gmail and Amazon accounts in order to trick Apple's tech support people into granting him access to Honan's iCloud account. From there the hacker had full access to Honan's Apple gadgets and iCloud backups as well as the Gmail and Twitter accounts linked to the iCloud account.
Honan's first mistake was only backing up the files on his MacBook Air to iCloud and not also to a second location. As a result he lost a year's worth of files including his daughter's baby photos. That's probably the biggest lesson here; it's vitally important to make multiple backups. Had Honan backed up his files to disc, USB drive or a network attached storage drive then he'd still have those photos today.
Even backing up files to a separate cloud storage service would have kept Honan's photos safe. When you think about it, his big mistake was to put all his eggs in the one digital basket. Trusting absolutely everything to one vendor is a significant risk, regardless of who that vendor is. Apple's tight ecosystem is appealing but Honan would have been safer if he'd used a mix of services for his email, calendar, backup and sync needs. A best-of-breed approach makes life a little more complicated, but it reduces the impact of vendor lock-in and offers extra layers of protection against outages and hacking attacks.
When you study the social engineering attack closely, it's the digital equivalent of the long con. Honan's biggest vulnerability was the fact that he'd used publicly available email addresses for his Amazon and iCloud accounts. The hacker wouldn't have got far without knowing these. Honan would have been much safer if he'd created email aliases such as email@example.com and firstname.lastname@example.org and only used them for those services (although preferably something not so easy to guess). Some email services, including iCloud, make it easy to create multiple aliases and have the messages delivered straight into your main inbox so you don't need to check multiple accounts. Using these publicly available email addresses as the backup email address in case of a password reset also left him vulnerable.
Another precaution Honan could have taken was adding two factor authentication to his Google account, which sends a code to your mobile phone when you try to login. Even after the password reset the hacker wouldn't be able to get into his Google account unless they had his phone. Two factor Google authentication sounds like a hassle, but you don't need to do it every day. Once your computer is authenticated is remains authorised for 30 days. But if you sit down at a different computer you'll need to enter both your Google password and the code sent to your phone. Twitter, Facebook and Yahoo also let you add extra phone-based security features.
It's also worth asking yourself if you need to associate all your accounts. For example it's possible to associate your Google account with your Twitter, Yahoo, Facebook and Hotmail accounts. It's also possible to log into a wide range of services with your Facebook details rather than creating a separate login and password. It's really not that much of a hassle to create an extra password. Certainly not as much hassle as trying to reclaim your digital life after you've been hacked.
Honan's horror story should prompt all of us to do a quick security audit of our digital lives. Play devil's advocate and think about the easiest way you could be hacked. Do you have weak passwords? Do you reuse passwords? Which services offer two factor authentication? Is it easy to discover the answers to your fallback security questions? Are all your eggs in the one basket? Do you lock your devices with passwords? Have you linked your online accounts unnecessarily? Have you left a paper trail for hackers to follow if they want to bluff their way past security measures? These are the questions you should ask yourself before it's too late.
What kinds of security precautions do you take to stay safe in the digital age?