
Mat Honan is a reporter for Wired magazine who had his digital life effectively destroyed by a chain of account hacks and lax security policies. There are important lessons here.

Start with this article on wired.com: How Apple and Amazon Security Flaws Led to My Epic Hacking.

It's a tale of a series of account hacks, and of lax security on both the author's part and that of major services – all of whom ought to know better – that led to the compromise of several accounts and ultimately the irretrievable destruction of precious data (including photos of the author's infant daughter) as well as other documents and email.

And the author was watching it all as it happened and was ultimately nearly powerless to stop it.

It makes for some chilling reading and I strongly recommend that you review it to see how horribly things can go wrong.

I don't want to dwell on what went wrong. Instead, let's focus on some lessons learned, and some of the steps you and I (yes, I've been lax as well) can take to avoid ever experiencing something similar, or at least minimize the risk and potential for damage.

Back up. Seriously: BACK UP!

You knew this was coming, but I really want to drive it home with this quote from the Wired article:

Had I been regularly backing up the data on my MacBook, I wouldn’t have had to worry about losing more than a year’s worth of photos, covering the entire lifespan of my daughter, or documents and emails that I had stored in no other location.

For even more emphasis: "... that I had stored in no other location."

I say it again and again. If there's only one copy, it's not backed up. I don't care if it's on your hard disk, your backup drive, or some kind of cloud thingamajig. If there's only one copy, that one copy can disappear in an instant.


As I've said at either the beginning or the end of my Answercasts, if you take away only one thing from anything I ever say, write, or do, please let it be about backing up. Nothing can save you from almost any possible disaster the way a proper and current backup can.

Learn from Mat Honan's loss. Had he had a backup, his story would have been about a major inconvenience, but nothing more. As it is, some of his most precious data is gone – quite possibly forever.

Isolate your accounts from each other

Again, quoting the victim:

My accounts were daisy-chained together. Getting into Amazon let my hackers get into my Apple ID account, which helped them get into Gmail, which gave them access to Twitter.

We often talk about how important it is to have different passwords for different accounts. That's absolutely still true – if a hacker manages to get your password at service "A," then he may well be able to log in to services "B", "C", and "D", if you used the same passwords at all four.

However, that's not what happened here.

In this case, the email addresses that were common between the accounts allowed the hackers to exploit weaknesses in the services' "I lost my password" recovery processes, and that was enough to gain them access.

So, how do you "isolate" your accounts from each other?

  • Use different email addresses as login IDs at different services.

  • Don't use the primary email for one service as the recovery or alternate address at another.

The problem? Each of those guidelines is very inconvenient.

Multiple email accounts

Using different email addresses for each account prevents a hacker from using "common" information about you – like a single, primary email address – as a foot in the door to compromise one or more of your services.

Unfortunately, managing multiple email addresses can be mildly annoying to a downright pain.

If you own a domain – say "yourveryowndomainname.com" – then you can certainly have an unlimited number of email addresses on that domain. You can set up a separate email address for each of the services that you would want to isolate.

You might set up "amazon@yourveryowndomainname.com" and "apple@yourveryowndomainname.com" and so on.

Each would be configured to automatically forward to your "real" email address, so you're not having to actually manage multiple accounts and inboxes, only email addresses that all forward to a single destination.

Some services, including Gmail, support a technique known as "subaddressing" which lets you set up unique email addresses that automatically land in your single inbox. You can simply use the "+" sign to add a unique identifier to your email address.

If your email address is example@gmail.com, then you might use example+amazon@gmail.com as your Amazon.com email address.

Some services support creating aliases to additional email addresses, which work very much like the two examples above – the aliases are all different email addresses that all deliver to a single email account.

And of course, many email services may not support a convenient solution at all. Your only solution there is to create more email accounts or use a provider that has the functionality I've listed above.

Recovery email addresses

Mr. Honan's hack actually begins with the hackers discovering that the recovery email address for his Gmail account is an Apple ".me" account. Even though Gmail's "I forgot my password" page obscured the email address as "m******n@me.com", knowing that .me accounts are usually firstname.lastname@me.com, the hackers were able to decipher it.

Normally, that alone wouldn't be enough, but if you read the account of what progressed, you can see why it was.

One thing, quite literally, led to another.

One fairly simple solution to at least some of this "daisy chaining" of accounts is to set up a separate recovery email address and use that rather than any email address that's actually associated with an online service.

The victim put it perhaps even more clearly:

And I should have had a recovery address that’s only used for recovery without being tied to core services.

So, rather than using your Facebook login email address as your Gmail alternate account, use a separate email address dedicated to account recovery as that alternate for Gmail. That way, compromising either can't act as a stepping stone to compromising the other.

Once again, this calls for a new email address. Perhaps "recovery@yourveryowndomainname.com", or "example+recovery@gmail.com", or some other email account or alias. Just make sure that the recovery email address is not itself dependent on the service that it might be used to recover (meaning: don't set up example+recovery@gmail.com to recover your example@gmail.com account – you may not have access when you need it most).

And if it is a separate account, make sure to maintain it – log in periodically to make sure it's not closed for lack of use.
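The two guidelines above (a separate login address per service, and a recovery address that isn't the login for anything else) together with the caveat about subaddressed recovery addresses can be checked mechanically over a list of your accounts. The script below is an added example, not code from this article; every account in it is constructed for illustration, and the set of providers assumed to deliver user+tag@domain into the user@domain inbox is an assumption, not a statement about any provider's actual behaviour.

```python
"""Audit a set of online accounts for the 'daisy chaining' the article warns about.

Added example, not code from the Ask Leo! article. Every account below is
constructed for illustration; SUBADDRESSING_DOMAINS is an assumption about
which providers deliver user+tag@domain to the user@domain inbox.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Assumed: providers where "user+tag@domain" lands in the "user@domain" inbox.
SUBADDRESSING_DOMAINS = {"gmail.com", "googlemail.com"}

Finding = Tuple[str, str, object]


@dataclass(frozen=True)
class Account:
    service: str                # e.g. "amazon"
    login: str                  # email address used as the login ID
    recovery: Optional[str]     # recovery/alternate address, or None


def mailbox(address: str) -> str:
    """Return the inbox an address actually delivers to.

    Strips a "+tag" subaddress for providers assumed to support it, so that
    example+recovery@gmail.com is recognised as the same inbox as
    example@gmail.com. Addresses at other domains are left untouched.
    """
    local, _, domain = address.strip().lower().rpartition("@")
    if domain in SUBADDRESSING_DOMAINS and "+" in local:
        local = local.split("+", 1)[0]
    return f"{local}@{domain}"


def audit(accounts: List[Account]) -> List[Finding]:
    """Flag the three patterns that let one compromise lead to another."""
    findings: List[Finding] = []
    login_of: Dict[str, str] = {a.service: mailbox(a.login) for a in accounts}

    # 1. One inbox used as the login ID at several services: whoever controls
    #    that inbox can run "I forgot my password" at every one of them.
    services_by_inbox: Dict[str, List[str]] = {}
    for service, inbox in login_of.items():
        services_by_inbox.setdefault(inbox, []).append(service)
    for inbox, services in services_by_inbox.items():
        if len(services) > 1:
            findings.append(("shared-login", inbox, tuple(sorted(services))))

    for account in accounts:
        if account.recovery is None:
            continue
        recovery_inbox = mailbox(account.recovery)

        # 2. Recovery address that is really the same inbox as the account it
        #    recovers (example+recovery@gmail.com for example@gmail.com): it is
        #    unavailable exactly when it is needed.
        if recovery_inbox == login_of[account.service]:
            findings.append(("self-recovery", account.service, recovery_inbox))
            continue

        # 3. Recovery address that is the login inbox of another service:
        #    compromising that service becomes a stepping stone to this one.
        chained_to = tuple(sorted(s for s, inbox in login_of.items()
                                  if s != account.service and inbox == recovery_inbox))
        if chained_to:
            findings.append(("chain", account.service, chained_to))
    return findings


# Constructed sample: one inbox reused everywhere, one subaddressed "recovery"
# address that is not independent, and one account set up the recommended way.
SAMPLE = [
    Account("gmail", "alice@gmail.com", "alice+recovery@gmail.com"),
    Account("apple", "alice.smith@me.com", "alice@gmail.com"),
    Account("twitter", "alice@gmail.com", None),
    Account("amazon", "alice+amazon@gmail.com", None),
    Account("bank", "bank-login@yourveryowndomainname.com",
            "recovery@yourveryowndomainname.com"),
]

if __name__ == "__main__":
    for kind, subject, detail in audit(SAMPLE):
        print(f"{kind:14} {subject:10} {detail}")
```

Run against the constructed sample it reports the shared Gmail inbox behind three logins, the Gmail account's self-referential "+recovery" address, and the Apple ID whose recovery address is the login for three other services; the "bank" entry, with a dedicated login address and a dedicated recovery address on the author's own domain, produces nothing.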

None of this should be necessary

In reality, aside from backing up, nothing I've discussed should be required.

Ideally, account recovery procedures would allow the legitimate account holder and only the legitimate account holder to recover their account credentials. The problem is that it's a customer service nightmare:

  • Make the recovery rules too easy, and account breaches like this can happen.

  • Make the recovery rules too hard and you run the risk of preventing legitimate account holders from regaining access to their account if they lose even one small detail of required information.

As a result, many companies set up policies that try to make the recovery process both secure and customer-friendly. Unfortunately, those two are often at odds. And as I've said before, people forget their passwords much more often than we might expect.

The recovery process that was exploited in this case relied on fundamentally bad policies, not bad technology: policies that made it too easy for accounts to be recovered and, therefore, too easy for the recovery process to be exploited. As of this writing, both Apple and Amazon have changed their policies. I expect legitimate customers who are trying to recover their accounts to have a more difficult time as a result.

Which, to be blunt, is probably how it should be. Don't forget your password.

While it's great for Apple and Amazon that they've improved security, it's too bad it took this very public and embarrassing episode to cause that change.

But what about all of the other services that we use and rely on every day? How do we know that their account recovery processes can't be exploited or circumvented?

Ultimately, we can't.

And that means that it's up to us to take on a little more of the responsibility ourselves to stack the deck a little more in our favor and minimize whatever damage that might result.

Even if it does add a little inconvenience.

That little inconvenience is nothing compared to the massive inconvenience of account loss, data loss, or even identity theft.

Postscript: Two-factor authentication

One of Mr. Honan's comments was:

"Had I used two-factor authentication for my Google account, it’s possible that none of this would have happened..."

Google's two-factor authentication means that knowing the email address and the password is still not enough to gain access to an account. When enabled, two-factor authentication requires not only the standard username and password, but also a code from a device or mobile phone application, proving that you are in possession of that particular device at the time you log in.

I highly recommend it.

Unfortunately, two-factor authentication hasn't been widely adopted, and in some cases where adopted, it was not sufficiently implemented (I recently backed out of two-factor authentication on one of my other accounts because the recovery process after losing that required device was suspect).

Like using separate email addresses, it doesn't solve every possible security problem, but it makes hacking your account significantly more difficult and therefore less likely.

I sincerely hope that other online service providers provide it as an option in the future.

Article C5675 - August 8, 2012

Leo A. Notenboom has been playing with computers since he was required to take a programming class in 1976. An 18 year career as a programmer at Microsoft soon followed. After "retiring" in 2001, Leo started Ask Leo! in 2003 as a place for answers to common computer and technical questions.


26 Comments
scuttled
August 9, 2012 12:26 AM

Thanks Leo. I've read a lot of good info on your site. This one is quite an eye opener, and might be the most important for my personal situation.

Bob
August 9, 2012 7:57 AM

Leo, the word you want is 'breaches' not 'breeches'!

Mark J
August 9, 2012 11:07 AM

@Bob
Yes, it's breaches. The error is now fixed. Leo is a computer geek, not a grammar geek. But I'm quite impressed with his use of English. As Leo himself said The one thing that I wished I'd done differently.

Kevin
August 10, 2012 8:36 AM

Bit of a common repeat this Leo, but still just to be sure just backed up all again outside comp.

Doclocke
August 10, 2012 9:20 AM

Definitely some timely information here; however, as long as we're commenting about English usages, how about learning the difference between "lead" and "led."

Rod
August 10, 2012 9:31 AM

Amazon and PayPal both allow a serious gap in their security. Neither requires an on-line purchaser to provide the security code found on the back of a credit card when making a purchase. If a hacker can somehow get into your account with either of these two companies (s)he can easily make a purchase using your card. I have had a charge made to my PayPal account by a person simply using my name. Needless to say I have had to set up my own security measures to prevent this happening again via these two companies.

Bonita
August 10, 2012 9:44 AM

Thank you for this article. I now appreciate even more the very inexpensive Yahoo Mail Plus which provides 500 disposable email addresses. I set a different address for every business, service, contact etc., along with a unique password for each one.

Several times, a contact was hacked and it was just a matter of deleting that address and creating a new slightly different one.

CH
August 10, 2012 9:52 AM

I have so many accounts and passwords that I finally bought a telephone address book with the tabbed pages for each letter and put all my account names in there with a 1 or 2 letter code to my passwords in it and it is also hidden away. Some places I only log into once or twice a month and I seem to always forget, or I change a password and forget what I changed it to. Sometimes my code to the password is so cryptic even I can't figure out what I meant, though!

Casey
August 10, 2012 1:00 PM

Storing files on Dropbox can be helpful. I found when a check writing DB was corrupted I could restore any changes made to the file in the last 30 days. I also have carbonite, but this was easier.

Johnny
August 10, 2012 2:06 PM

First & foremost, anyone who has read this article and only comes away with snide comments regarding grammar, will probably be the next one in line to experience a catastrophe such as stated.
Aside from that nonsense, I myself have recently become the target of a relentless nuisance rather than hacker. I don't believe this individual has enough brains to be a "hacker"
In any event, said individual has gained access to my uTube account, leading to my gMail account, which was "hacked" granting "them" access to my contacts. I was verbally/physically threatened with unannounced beatings and enough abuse over the internet by way of slander to want to make me "kill myself" (His Words)
I have different email accounts for different online blogs, forums, etc... this is how this "individual" latched onto me.
The only way I've been able to deal with it, since the authorities want nothing to do with it even with the many contacts in the law enforcement community that I have (they just don't have the time or resources), is to delete all my accounts to the best of my ability and start over again with new email addresses, accounts and such. It is a very time consuming process, and one that I will never be 100% sure of having rid myself of this #$@&*^(@#+ individual.
If you thought reformatting/re-installing was bad, sheeshhh this has nothing on that!
Yes I back up. to see how much so read my comments to Leo's @ http://ask-leo.com/will_windows_8_overwrite_my_system_restore_partition_and_if_so_how_do_i_restore.html
Thanks again, Leo & never mind those OCD gRAMMAR gEEKS!!!
Johnny.

DMM
August 10, 2012 2:08 PM

Excellent article, but it seems that it would be too easy for hackers to figure out your actual email address if you use the gmail "+" method of adding characters to your address. Your actual email address would be the characters before the "+" sign.

The scenario at play in this case was one where someone correctly guessed the email address from only the first and last characters of the email: a*******b@me.com was displayed, and knowing that it was typically a firstname.lastname email address, that was enough. When the email address is displayed obfuscated like that, there's no way to know if there's a + in there or not. Making sure it's not a pointer to another important account (as happened in this hack) is also part of the solution.
Leo
11-Aug-2012

Nigel
August 10, 2012 11:00 PM

I back up every couple of months, because
idiots with time on their hands exist. I have had to verify my account. I have learned heaps from your pages and will continue reading. BACKUP PEOPLE. Thanks Nigel

Hilary
August 11, 2012 4:37 AM

Leo, please expand on this mysterious sentence from the above article: 'I recently backed out of two-factor authentication on one of my other accounts because the recovery process after losing that required device was suspect.' Google and Craigslist are the only two major sites I deal with that require two-factor identification including phone contact. What about the phone contact is suspect? Thank you.

Amazon Web Services - if you set up two factor authentication and you then lose your phone or device then the only solution is to call Amazon support for assistance. Now realize that the whole Mat Honan experience is, in part, due to failings in Amazon customer support with respect to security. Google and LastPass allow you to take proactive steps by generating a set of one-time use passwords that you can keep in a secure place that will allow you to login without the device.
Leo
11-Aug-2012

ausGeoff
August 11, 2012 6:17 AM

I must be missing something bleedingly obvious in Mat Honan's hacking saga.

Why didn't (or can't) he simply recover his child's photos etc from his external backup device? How did the hacker(s) get access to a disconnected device? And of course I'm assuming that being a professional IT journalist advising less-talented folks about security he would in fact have such a device.

That's part of the point. He did not have any kind of backup whatsoever.
Leo
11-Aug-2012

Mark J
August 11, 2012 8:45 AM

@Geoff
The bleeding obvious is that in spite of being an IT professional, Mat Honan didn't have a backup.
'Had I been regularly backing up the data on my MacBook, I wouldn’t have had to worry about losing more than a year’s worth of photos, covering the entire lifespan of my daughter, or documents and emails that I had stored in no other location.'
The wise learn from the mistakes of others.

geoff
August 11, 2012 1:39 PM

It's very interesting and downright scary to realize how easily complex data and identity protocols can sometimes be undone by basically leaving out the human interaction factor. I have had a personal experience with my online banking account that perfectly illustrates this. This bank employed a password system which required customers to change passwords every 90 days, and actually required a fairly complex password, along with an assigned numerical user id. Occasionally I would find myself locked out for no apparent reason other than a glitch in their system, so I would call a very friendly and helpful customer service rep who would reset the password. On one particular occasion I misremembered my user id, replacing one digit with another. Since no other information was required my password was reset ("abcd" was the temp password I was always given ha-ha). I logged into what I thought was my account (hadn't realized I was using the wrong user ID yet), and found most of my money had disappeared. It took me just a few moments to realize I had accidentally hacked into someone else's account! I remember reading an interesting article by a security research expert who made the point that very often the weakest link in security is a very well meaning customer service person, or even, in large companies, persons in a far flung department who will divulge security information under the impression they're just helping an unfamiliar fellow employee who forgot his ID or password. This researcher was really quite amazed to find that he could find these weak links created by individuals just trying to be really helpful and literally talk his way through all the layers of security designed to stop brute force entry.
In my own case with my bank I was not even asked for the last four digits of my SSN, let alone the whole thing, which I would think is the usual minimum. They have since implemented two factor authentication, but that incident has always stuck with me, and I think this article well illustrates how, when seemingly minor human interaction factors are overlooked (i.e. when the security passes from software to interacting people), the whole process can be unravelled.

Nan Mac
August 13, 2012 5:58 AM

Leo...
I'm another idiot who, while happily gleaning all kinds of pertinent info from your newsletters, allowed your constant 'back up' warnings to go in one ear and out the other...for years. Two weeks ago my laptop crashed. A computer tech said all was lost. Later, having a light bulb moment, she popped my PC hard drive into her Mac and was able to recover my photos, for which I was extremely grateful. However, all else was lost. I feel for Mr. Honan and everyone who has lost all their data. It is SO disconcerting.....like having part of your brain's memory wiped out. I am currently shopping for an external back up system. Nan

Reid
August 13, 2012 9:50 AM

Very interesting stuff. This really got me wondering what to do if, heaven forbid, my LastPass account got hacked somehow. URLs and passwords galore in there -- keys to my kingdom. Scary.

Andrew
August 13, 2012 7:11 PM

That's why the cloud is dangerous.

I disagree. Is the Cloud Dangerous?
Leo
15-Aug-2012

Simon H
August 15, 2012 4:45 AM

I have my own domain and already use a separate email address for each service for the reasons Leo describes in this article. I also use disposable email addresses for forums etc.

I am now wondering if this is actually enough. Take Amazon as an example: someone who knows my domain name could very easily guess that I use amazon@mydomain.com. Then using my name and address (easily accessible and included on all my business emails) they could gain access.

From there they could guess that I use the same format on other services e.g. paypal@mydomain.com facebook@mydomain.com etc etc.

Feels like I am patting myself on the back for being so clever and security conscious when any second all my efforts and minimum 16 digit passwords could be shot down in flames.

Am I being too overcautious, and is there anything we can do to fully protect ourselves?

One thing I did was not to use "amazon@" simply because it's too obvious. I use something else. Yes, if Amazon's customer service screws up they can hand your account to anyone regardless of what we do, but the goal then is to minimize the damage.
Leo
16-Aug-2012
Mark J
August 15, 2012 9:05 AM

@Simon
A strong unique password, along with security questions with obscure answers, should be enough to protect you against your accounts being hacked. However, if you feel your email address names are too easy to guess you can add numbers or text to the site name, for example facebook_login@mydomain.com, hotmail_8997, twitter_safe etc. Of course using a unique suffix for each account. This is probably overkill, but if you're really paranoid it's better than underkill.

Eric Brightwell
August 16, 2012 2:32 AM

Hold on a minute - we really have no way of knowing that this was not all a pre-meditated stunt to gain a lot of publicity for the journalist wishing to expose security shortcomings without risking any liability himself. If so it has obviously worked.

Nevertheless, the principles highlighted are all valid, so it has been of benefit to us either way.

Simon H
August 16, 2012 4:01 AM

Thanks Mark,

Great idea about the prefix especially if I can come up with a formula to work out each random prefix. Being pedantic I know they wouldn’t be truly random but they would be easy to remember and hard to guess.

Fortunately I don’t have to worry about my bank as they use 2 factor authentication requiring a username, password, key fob and a PIN entered into the key fob before it displays the code. Not sure if 2 factor is an accurate description of this process but I’m happy with it.

And as a long time reader of Ask Leo I have everything backed up with offsite copies.

So at least I am as safe if not safer than most, even if my impregnable digital bunker was nothing more than a complacent perception.

Earl Boyer
August 23, 2012 3:45 PM

Thanks Leo, I will learn to back up or store pics on CD's ; your articles are very helpful, I bookmarked this one to reread . Thanks Earl : )

Bill
August 24, 2012 6:54 AM

As an experiment I went to another website that I do business with. I called them told them I was having trouble getting into my account. Hey, no problemo!
The CS guy reset my password after getting my name and address. He actually volunteered my email address, as in: "Your email is Bill@dumbo.com?" (though my email address is very easy to find.)
"Voila!" as they say in France, there was the last 4 of my credit card. Oops.

Does anyone know if Apple, or any other major sites, are still using this number as an I.D. validation?

At a minimum anyone who did what I did could have ordered product using my card and changed my email address so that I wouldn't get a notification. BTW the product is instantly consumable and re-saleable.

ps I didn't even know that Apple used those numbers as authentication until Honan's disaster.

GREG JACKSON
August 24, 2012 6:30 PM

Moving a little off topic....
RE: "PayPal allows a serious gap in security. Neither requires an on-line purchaser to provide the security code found on the back of a credit card when making a purchase."

My experience [past and present] indicates that my payment will not be processed when the security code IS required, and requires a call to the seller to submit my payment....then it goes through.
Why? Because I use the PayPal Student Debit Card [I'm not really a student]. For this reason, and the fact that my financial liability is limited to the existing balance, I use their Student Debit Card. Also, transfers are immediate, and no fees [except $1.00 for ATM w/d]. Also, PayPal's CSRs won't give out any information on your account if you forget the PW. I had transposed the last 2 characters of a PW....no dice, open a new account.

I'm guessing the student financial relationship with a main account [parent] is a bit more secure, for the students benefit. Oh those kids.
