You've probably seen the story by now, but Wired's Mat Honan was attacked this weekend. To say it was really bad is an understatement. The attack is well-documented at Wired and Mat's personal blog, but the impact was massive. The individuals responsible deleted his Google account, hijacked his AppleID, took over his Twitter, deleted the backups of his iPad and iPhone, wiped his iOS devices, and erased his MacBook. The people responsible claimed they did it all because they liked his 3-character Twitter handle.
But that isn't what left me terrified, reading Mat's story. Mat wasn't vulnerable because he did something dumb--like use the same password on all his accounts or share it with the wrong person. While he is responsible for some dumb behavior, notably not backing up his PC, the attack took advantage of gaping security holes at massive companies--Amazon and Apple. On its own, neither attack would be particularly bad, but together they were disastrous.
It worked like this: the malicious party first obtained the name on the account, a likely email address, and Mat's billing address. This information is readily available for most people--for Mat it was all in the WHOIS database, attached to his personal domain registration. Armed with this info, the attackers called Amazon and were allowed to add a new credit card to his account.
After the first call, they called Amazon again and said they'd lost access to the account. To change the email address on the account, Amazon just requires your name, billing address, and a credit card number attached to the account. Using the card they just added, the attackers gained access to Mat's Amazon account.
If the email address associated with your Amazon account, your billing address, and your name are public info, anyone can gain access to your Amazon account in just a few minutes. Edit: Amazon has since changed their tech support policy so you cannot add a credit card to an account over the phone.
Once the attackers gained access to Mat's Amazon account, they could see the last four digits of every credit card he had on file. With that info, their next call was to Apple--Apple's tech support issued a temporary password to the attackers because they knew his name, his email address, his billing address, and the last four digits of the card attached to the account. The attackers didn't even have to correctly answer the personal questions Mat set up when he created his AppleID. Because his Amazon and Apple accounts shared info, the attackers were able to access his AppleID with nothing more than his home address, his name, and his email address.
At this point, the attackers only have access to Mat's AppleID and Amazon account. Unfortunately, Mat had set his @me.com address as the recovery address for his Google account. The attackers were able to use Google's lost password mechanism to compromise his Google account. That gave them access to every other account with a lost password function connected to either of his email addresses. The attackers took over his Twitter account, deleted his Google account, wiped his iPhone, iPad, and MacBook using the Find My Device function of iCloud, and deleted his iCloud-based backups for his iPhone and iPad. In the space of an evening, Mat lost access to his main online accounts and his smartphone, tablet, and main PC.
I'm going to say this again, because it's important. If your name, home address, and email address are public, and you use the same email address and credit card for your iTunes and Amazon accounts, it's trivial for anyone to gain access to both of those accounts. Once they have that access, they can wipe any Apple device that has Find My iPhone/iPad/Mac turned on. Obviously, this is something you want to avoid.
What can you do to protect yourself against both this specific attack and other, similar threats? Unfortunately, there isn't an easy fix. Data one company considers insecure may be used as an auth token by another, and there isn't much you can do about their data policies, unless you opt out of their services. You can insulate yourself from this type of attack by following best practices and setting up your Apple and Amazon accounts to avoid the established holes in those services. We'll start with best practices:
Back Up Your Computers
Backing up won't prevent an attack, but it will make recovery easier. When the attackers wiped his MacBook, Mat lost all of the digital photos and video from the first year of his child's life because he hadn't backed up. Hard drives are cheap and backup utilities are built into Windows and OSX, so there's really no reason not to back up your machine daily.
Use Unique Passwords for Every Site
All the security in the world won't do you any good if you use the same password for insecure sites--like messageboards--that you use for your important accounts. How you do that doesn't matter, whether you use mnemonics or rules to create a unique password for each account or use a password manager like 1Password or LastPass. With different passwords attached to each account, the likelihood that an attacker can get access to one account and then use that info to compromise all your other accounts goes down considerably.
Don't Use Apple's Email
If Apple is going to give access to your account to anyone with your email address, home address, and last 4 digits of your credit card--information that your pizza delivery guy has--you shouldn't use that email address for anything important. Apple will likely fix the problems with their tech support, but at this point anything that relies on the security of a single password feels risky to me. Which brings me to my next point...
Turn On Two-Factor Authentication for Your Primary Mail Account
You probably have one email address that you use to sign up for pretty much every other account you create online. That email account is the biggest weak point in an attack like the one Mat suffered. To better protect yourself, you should enable two-factor authentication on that email account. Providers that support two-factor authentication require both your username and password and a second token to access your account. Typically that token is delivered via phone or SMS. Without the token and the username/password combo, an attacker can't access your account. Google, Hotmail, and Yahoo all support two-factor auth at this point.
For apps that support two-factor authentication, the process is simple. You log in with your normal username and password, then Google sends you a text with a single-use, 6-digit code, and you type that into the site to complete the login. The bad news is that two-factor authentication isn't supported by many apps natively, and the work-around is a pain in the ass. You have to create a series of single-use passwords for each app.
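The single-use, 6-digit code is the whole point of that second step, so here is what the server side of it has to get right. This is an added example written for this post, not Google's code or anything from the original article: the code lifetime, the attempt limit, and the in-memory store are assumptions made for the demonstration. A code is only ever accepted once, only before it expires, and only for a handful of guesses, which is what makes it useless to someone who merely knows your name, address, and email.

```python
"""Issue and verify a single-use, time-limited 6-digit login code.

Added example (not from the post, not Google's implementation). The
CODE_TTL_SECONDS and MAX_ATTEMPTS values and the in-memory store are
assumptions chosen for the demonstration.
"""
import hmac
import secrets
import time

CODE_TTL_SECONDS = 300   # assumed lifetime of an issued code
MAX_ATTEMPTS = 5         # assumed guesses allowed per issued code

# user -> [code, expires_at, attempts_left]; a real service would keep
# this in a datastore keyed per login session rather than per user.
_pending = {}


def issue_code(user, now=None):
    """Generate a fresh code for `user`, replacing any earlier one.

    secrets.randbelow draws from the OS CSPRNG; zero-padding keeps the
    code exactly six digits. The caller delivers it out of band (SMS,
    voice call, authenticator app), never over the session being verified.
    """
    now = time.time() if now is None else now
    code = f"{secrets.randbelow(10**6):06d}"
    _pending[user] = [code, now + CODE_TTL_SECONDS, MAX_ATTEMPTS]
    return code


def verify_code(user, submitted, now=None):
    """Return True at most once for the current, unexpired code.

    Success, expiry, and attempt exhaustion all discard the code, so a
    code seen once (or guessed at repeatedly) cannot be replayed later.
    """
    now = time.time() if now is None else now
    entry = _pending.get(user)
    if entry is None:
        return False
    code, expires_at, attempts_left = entry
    if now > expires_at or attempts_left <= 0:
        del _pending[user]
        return False
    entry[2] -= 1
    # Constant-time comparison so timing does not leak matching prefixes.
    if hmac.compare_digest(code.encode(), str(submitted).encode()):
        del _pending[user]          # single use: the code is now burned
        return True
    if entry[2] == 0:
        del _pending[user]          # too many wrong guesses: start over
    return False


if __name__ == "__main__":
    code = issue_code("mat")
    print("issued", code)
    print("first use accepted:", verify_code("mat", code))
    print("replay accepted:", verify_code("mat", code))
```

The `now` parameter exists only so the expiry logic can be exercised deterministically; a service would leave it at the default. Note that nothing here replaces the password check: the code is verified after the username and password have already been accepted, which is what makes it a second factor rather than a substitute for the first.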
I didn't think the single-use passwords would be that big of a hassle until I actually started creating them--each machine I have is connected to the same Google account in at least three places, my main laptop was connected in six places. Multiply that by the number of PCs, tablets, and phones I use regularly, and it became a job that took all evening.
Once you've enabled two-factor authentication, it's important to ensure your account recovery info is up to date and secure. Make sure the recovery email address you've configured is a safe account. After you enable two-factor authentication, you should also print a pre-set list of authentication codes and store them in a safe place, in case you lose your phone and need to access your accounts. Finally, you should add a backup number for authentication in case the main number associated with your Google account is lost.
Hindsight is always 20/20, but had Mat enabled two-factor authentication on his Google account, the hack would have stopped there before the attackers were able to delete his Google account.
Funnel All Your Accounts Through the Two-Factor Authenticated Account
Don't use insecure accounts for lost password requests. Instead of creating a chain of potential failures by connecting your Twitter to your @me.com email to your Gmail, direct all lost password requests to the most secure email address--the one that uses two-factor authentication.
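The chain described earlier (WHOIS data opens Amazon, Amazon reveals the card digits that open Apple, the Apple inbox resets Google, Gmail resets Twitter) and the advice here to funnel recovery through the two-factor account are really the same point: account recovery is a graph, and whatever an attacker can reach from public facts is what they own. The script below is an added example written for this post, not code from Wired, Mat Honan, or any of the providers. The provider policies, the link tables, and the function names are constructed to mirror the story as told above; the real recovery rules at each company are assumptions here, and they have since changed.

```python
"""Model the account-recovery chain from the post as a reachability problem.

Added example (not from the post). PROVIDERS, the link tables and
PUBLIC_FACTS are constructed to mirror the story; real policies differ.
"""

# What each provider's recovery path accepts as proof, and what an
# attacker learns once that account is open. Assumed, simplified policies.
PROVIDERS = {
    "amazon": {
        "requires": {"name", "billing_address", "amazon_email"},
        "reveals": {"card_last4"},
    },
    "apple": {
        "requires": {"name", "billing_address", "apple_email", "card_last4"},
        "reveals": {"apple_inbox"},      # control of the @me.com mailbox
    },
    "google": {
        "requires": {"google_recovery_inbox"},
        "reveals": {"google_inbox"},
    },
    "twitter": {
        "requires": {"twitter_recovery_inbox"},
        "reveals": set(),
    },
}

# Facts the post says were public via WHOIS (constructed labels).
PUBLIC_FACTS = {"name", "billing_address", "public_email"}

# How the accounts were wired up in the story: the public email on both
# shopping accounts, Google recovering to @me.com, Twitter to Gmail.
AS_CONFIGURED = {
    "amazon_email": "public_email",
    "apple_email": "public_email",
    "google_recovery_inbox": "apple_inbox",
    "twitter_recovery_inbox": "google_inbox",
}

# The post's advice applied: secret, separate addresses for Amazon and
# Apple, and every recovery path pointed at the two-factor Gmail account.
SEPARATED = {
    "amazon_email": "amazon_secret_email",
    "apple_email": "apple_secret_email",
    "google_recovery_inbox": "backup_phone",
    "twitter_recovery_inbox": "google_inbox",
}


def reachable_accounts(known, links, two_factor=frozenset()):
    """Return the set of accounts that fall starting from the `known` facts.

    `links` maps a fact a provider asks for to the fact that satisfies it.
    Accounts in `two_factor` also need a physical token, so knowledge of
    facts alone never opens them. Iterates to a fixed point because each
    takeover can reveal facts that unlock the next account.
    """
    facts = set(known)
    owned = set()
    changed = True
    while changed:
        changed = False
        for name, policy in PROVIDERS.items():
            if name in owned or name in two_factor:
                continue
            needed = {links.get(f, f) for f in policy["requires"]}
            if needed <= facts:
                owned.add(name)
                facts |= policy["reveals"]
                changed = True
    return owned


if __name__ == "__main__":
    print("as configured:      ", sorted(reachable_accounts(PUBLIC_FACTS, AS_CONFIGURED)))
    print("2FA on Google only: ", sorted(reachable_accounts(PUBLIC_FACTS, AS_CONFIGURED, {"google"})))
    print("separate emails:    ", sorted(reachable_accounts(PUBLIC_FACTS, SEPARATED)))
```

Run as-is it reproduces the post's three conclusions: with the accounts wired as Mat had them, everything falls from three public facts; with two-factor auth on Gmail alone, the chain stops at Apple and Twitter survives; with secret, separate emails on Amazon and Apple, nothing is reachable from public information at all. Editing `PROVIDERS` and the link tables to match your own accounts is a quick way to see which of them sit downstream of a weak recovery path.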
The scary thing about the attack on Mat was that following best practices wasn't enough to protect his Apple and Amazon accounts. The attackers found holes with both Amazon and Apple and were able to use them to gain access to both accounts. Here is what you can do to protect yourself:
Disable Find My Mac
If someone gains access to your iCloud account and nukes your iPhone it's a hassle, but the phone is rarely full of irreplaceable data. For that reason, I've left Find My iPhone on--the benefit of finding a lost phone outweighs the potential risk of a malicious user deleting the contents of my phone. On the other hand, my computer contains much more precious data. Yes, it's backed up, but the risk that my pizza delivery guy can remotely wipe my machine is too great to stomach. To disable Find My Mac, open your iCloud system preferences pane and uncheck the box next to Find My Mac.
Create Secret, Separate Email Addresses For Your Apple and Amazon Accounts
Had the email address associated with Mat's Amazon and Apple accounts not been public information, it would have been more difficult for an attacker to access his Amazon account. If he hadn't used the same email address for both Amazon and Apple, they wouldn't have been able to use the Amazon breach to access his Apple account. It also seems wise to not use a publicly available email address for your Amazon and Apple accounts. If you want to take safety one step further, you may not even want to use the same email address for the two services.
Don't Use the Same Credit Card for Apple and Amazon
If the credit card you use for the iTunes Store isn't on file with Amazon, an attacker wouldn't be able to use that information to compromise your Apple account. If you want to be as safe as possible, you should remove your credit card information from both Amazon and Apple.
The hack that happened to Mat Honan was complex, unexpected, and terrifying. Even if you follow best practices, and use unique passwords for every account, you're vulnerable to this sort of attack. It may seem like a lot of work to properly secure your accounts, but it's easier to secure your accounts now than it will be to clean up the aftermath of a successful attack.
Edit: We removed Hotmail from the list of email providers who support two-factor auth. While you need two-factor auth to make major changes to the account (delete the account, change passwords, etc), you can access email with a simple username/password combo.