Mat Honan is a reporter for Wired magazine who had his digital life effectively destroyed due to account hacks and lax security policies. There are important lessons here.
Start with this article on wired.com: How Apple and Amazon Security Flaws Led to My Epic Hacking.
It's a tale of a series of account hacks, lax security on both the author's part and by major services – all of whom ought to know better – that led to the compromise of several accounts and ultimately, the irretrievable destruction of precious data (including photos of the author's infant daughter) as well as other documents and email.
And the author was watching it all as it happened and was ultimately nearly powerless to stop it.
It makes for some chilling reading and I strongly recommend that you review it to see how horribly things can go wrong.
I don't want to dwell on what went wrong. Instead, let's focus on some lessons learned, and some of the steps you and I (yes, I've been lax as well) can take to avoid ever experiencing something similar, or at least minimize the risk and potential for damage.
You knew this was coming, but I really want to drive it home with this quote from the Wired article:
Had I been regularly backing up the data on my MacBook, I wouldn’t have had to worry about losing more than a year’s worth of photos, covering the entire lifespan of my daughter, or documents and emails that I had stored in no other location.
For even more emphasis: "... that I had stored in no other location."
I say it again and again. If there's only one copy, it's not backed up. I don't care if it's on your hard disk, your backup drive, some kind of cloud thingamajig. If there's only one copy, that one copy can disappear in an instant.
As I've said at either the beginning or the end of my Answercasts, if you take away only one thing from anything I ever say, write, or do, please let it be about backing up. Nothing can save you from almost any possible disaster the way a proper and current backup can.
Learn from Mat Honan's loss. Had he had a backup, his story would have been about a major inconvenience, but nothing more. As it is, some of his most precious data is gone – quite possibly forever.
Again, quoting the victim:
My accounts were daisy-chained together. Getting into Amazon let my hackers get into my Apple ID account, which helped them get into Gmail, which gave them access to Twitter.
We often talk about how important it is to have different passwords for different accounts. That's absolutely still true – if a hacker manages to get your password at service "A," then he may well be able to log in to services "B", "C", and "D", if you used the same password at all four.
However, that's not what happened here.
In this case, the email addresses shared between the accounts gave the hackers enough to exploit weaknesses in each service's "I lost my password" recovery process, and that alone was enough to gain them access.
So, how do you "isolate" your accounts from each other?
Use different email addresses as login IDs at different services.
Don't use the primary email for one service as the recovery or alternate address at another.
The problem? Each of those guidelines is very inconvenient.
Using different email addresses for each account prevents a hacker from using "common" information about you – like a single, primary email address – as a foot in the door to compromise one or more of your services.
Unfortunately, managing multiple email addresses can be mildly annoying to a downright pain.
If you own a domain – say "yourveryowndomainname.com" – then you can certainly have an unlimited number of email addresses on that domain. You can set up a separate email address for each of the services that you would want to isolate.
You might set up "email@example.com" and "firstname.lastname@example.org" and so on.
Each would be configured to automatically forward to your "real" email address, so you're not having to actually manage multiple accounts and inboxes, only email addresses that all forward to a single destination.
Some services, including Gmail, support a technique known as "subaddressing" which lets you set up unique email addresses that automatically land in your single inbox. You can simply use the "+" sign to add a unique identifier to your email address.
If your email address is email@example.com, then you might use firstname.lastname@example.org as your Amazon.com email address.
Some services support creating aliases to additional email addresses, which work very much like the two examples above – the aliases are all different email addresses that all deliver to a single email account.
And of course, many email services may not support a convenient solution at all. Your only solution there is to create more email accounts or use a provider that has the functionality I've listed above.
Mr. Honan's hack actually begins with the hackers discovering that the recovery email address for his Gmail account is an Apple ".me" account. Even though Gmail's "I forgot my password" page obscured the email address as "email@example.com", knowing that .me accounts are usually firstname.lastname@example.org, the hackers were able to decipher it.
Normally, that alone wouldn't be enough, but if you read the account of what transpired, you can see why it was.
One thing, quite literally, led to another.
One fairly simple solution to at least some of this "daisy chaining" of accounts is to set up a separate recovery email address and use that rather than any email address that's actually associated with an online service.
The victim put it perhaps even more clearly:
And I should have had a recovery address that’s only used for recovery without being tied to core services.
So, rather than using your Facebook login email address as your Gmail alternate account, use a separate email address dedicated to account recovery as that alternate for Gmail. That way, compromising either can't act as a stepping stone to compromising the other.
Once again, this calls for a new email address. Perhaps "email@example.com", or "firstname.lastname@example.org", or some other email account or alias. Just make sure that the recovery email address is not itself dependent on the service that it might be used to recover (meaning: don't set up email@example.com to recover your firstname.lastname@example.org account – you may not have access when you need it most).
And if it is a separate account, make sure to maintain it – log in periodically to make sure it's not closed for lack of use.
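As an added example (not from the Ask Leo! or Wired articles), here is a small Python audit that applies the guidelines above to a constructed inventory of accounts: it reduces "+tag" subaddresses to the mailbox that actually receives them, then flags a login address reused across services, a recovery address that is another listed service's login (or the same mailbox in disguise), and two services that recover through each other. The account list, domains and provider mapping are hypothetical.

```python
from collections import defaultdict

# Constructed sample inventory (hypothetical addresses, not anyone's real accounts).
# Each entry: service name, login address, recovery/alternate address (or None).
ACCOUNTS = [
    ("gmail",   "leo@example.com",         "leo@me.example"),
    ("icloud",  "leo@me.example",          "leo@example.com"),
    ("amazon",  "leo@example.com",         "leo+amazon@example.com"),
    ("twitter", "leo+twitter@example.com", "leo-recovery@other.example"),
]

# Hypothetical mapping of which listed service hosts mailboxes at which domain.
PROVIDERS = {"gmail": "example.com", "icloud": "me.example"}


def canonical(addr):
    """Strip a '+tag' subaddress so 'leo+amazon@example.com' maps to its real mailbox."""
    local, _, domain = addr.lower().partition("@")
    return local.split("+", 1)[0] + "@" + domain


def provider_of(addr):
    """Return the listed service that hosts this mailbox, or None if it is external."""
    domain = canonical(addr).split("@")[1]
    for service, hosted in PROVIDERS.items():
        if hosted == domain:
            return service
    return None


def audit(accounts=ACCOUNTS):
    findings = []
    # 1. The same mailbox used as the login ID at several services.
    by_login = defaultdict(list)
    for service, login, _ in accounts:
        by_login[canonical(login)].append(service)
    for mailbox, services in by_login.items():
        if len(services) > 1:
            findings.append(("shared-login", mailbox, sorted(services)))
    # 2. A recovery address that is the login mailbox itself (a '+tag' of your own
    #    address is no isolation at all) or the login ID of another listed service.
    for service, login, recovery in accounts:
        if recovery is None:
            continue
        if canonical(recovery) == canonical(login):
            findings.append(("self-recovery", service, recovery))
        elif canonical(recovery) in by_login:
            findings.append(("recovery-is-login", service, by_login[canonical(recovery)]))
    # 3. Mutual recovery: A recovers via a mailbox hosted by B, and B via one hosted by A.
    hosts = {s: provider_of(r) for s, _, r in accounts if r}
    for a, b in hosts.items():
        if b and hosts.get(b) == a and a < b:  # a < b reports each pair once
            findings.append(("recovery-cycle", a, b))
    return findings
```

Any "recovery-cycle" or "self-recovery" finding is exactly the dependency the paragraph above warns against; the fix is a dedicated recovery address at a provider that appears nowhere else in the list.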
In reality, aside from backing up, nothing I've discussed should be required.
Ideally, account recovery procedures would allow the legitimate account holder and only the legitimate account holder to recover their account credentials. The problem is that it's a customer service nightmare:
Make the recovery rules too easy, and account breaches like this can happen.
Make the recovery rules too hard and you run the risk of preventing legitimate account holders from regaining access to their account if they lose even one small detail of required information.
As a result, many companies set up policies that try to make the recovery process both secure and customer-friendly. Unfortunately, those two are often at odds. And as I've said before, people forget their passwords much more often than we might expect.
The recovery process that was exploited in this case relied on fundamentally bad policies, not bad technology: policies that made it too easy for accounts to be recovered and therefore too easy for the recovery process to be exploited. As of this writing, both Apple and Amazon have changed their policies. I expect legitimate customers who are trying to recover their accounts to have a more difficult time as a result.
Which, to be blunt, is probably how it should be. Don't forget your password.
While it's great for Apple and Amazon that they've improved security, it's too bad it took this very public and embarrassing episode to cause that change.
But what about all of the other services that we use and rely on every day? How do we know that their account recovery processes can't be exploited or circumvented?
Ultimately, we can't.
And that means that it's up to us to take on a little more of the responsibility ourselves, to stack the deck a little more in our favor and minimize whatever damage might result.
Even if it does add a little inconvenience.
That little inconvenience is nothing compared to the massive inconvenience of account loss, data loss, or even identity theft.
One of Mr. Honan's comments was:
"Had I used two-factor authentication for my Google account, it’s possible that none of this would have happened..."
Google's two-factor authentication means that knowing the email address and the password is still not enough to gain access to an account. When enabled, two-factor authentication requires not only the standard username/password information, but also a code from a device or mobile phone application, proving that you are in possession of that particular device at the time you log in.
I highly recommend it.
Unfortunately, two-factor authentication hasn't been widely adopted, and in some cases where adopted, it was not sufficiently implemented (I recently backed out of two-factor authentication on one of my other accounts because the recovery process after losing that required device was suspect).
Like using separate email addresses, it doesn't solve every possible security problem, but it makes hacking your account significantly more difficult and therefore less likely.
I sincerely hope that other online service providers provide it as an option in the future.