Do you use iCloud? Gmail? Did you set up a secondary (recovery) email address for your Gmail or iCloud account, so that if you ever lose your password, or someone "steals" your account, you can reset your Gmail/iCloud password from that secondary address? You think you are safe now, right? It turns out you might be wrong.
Today, I am going to share a story about how cloud services were turned against a tech writer and destroyed his digital life, and what you can do to protect yourself from bad people on the Internet.
As we all know, cloud services have gradually become an indispensable part of our digital lives. They have lots of benefits: accessing your files and data from anywhere in the world and from any device, whether your computer, your phone or your tablet; saving space on your hard drive; synchronizing between devices and sharing data becomes much easier; and much more. However, they also have major downsides…
The tragedy for Honan was that he lost all of his photos, covering the entire lifespan of his daughter, along with all the documents and e-mails he had stored nowhere other than his MacBook. Furthermore, the attacker, who called himself Phobia, deleted the Gmail account containing eight years of emails and messages. In the following weeks, Honan was able to recover most of the photos and his Gmail account, but it came at a cost, because data recovery doesn't come cheap: $1690 USD.
The Poor Writer
Our story starts with Mat Honan, a senior
writer at Wired.com.
On the afternoon of Friday, August 3, 2012, while Mat Honan was playing with his daughter in her bedroom, his iPhone shut down. At first he assumed it was either a software glitch, after which the phone would restart on its own as it had before, or a dead battery. However, when he plugged the phone in, he got the "activate your phone" screen. Then he went to his MacBook and, unfortunately, it powered itself off. The same happened to his iPad.
What happened to him? Was he hacked? Correct! His Twitter, Google, Amazon and Apple accounts were all hacked.
How did it happen? Honan used a different password for every account, and all of them were at least 7 characters long with plenty of special characters, for example Je7Io@$8!. Did the hacker "guess" Honan's password? No! It turned out that the hacker, who identified himself as Phobia, got access to the accounts quite easily and effortlessly, without ever cracking a single password.
The hack began with Honan's Twitter account, where Phobia found a link to Honan's personal webpage, which in turn revealed our poor writer's personal Gmail address. Then Phobia went to Google's account recovery page, which showed (partially masked) that the recovery address for Honan's Gmail was another email, an Apple @me.com address. This was where things got interesting.
As a hacker, Phobia knew that to get a temporary password for a @me.com account from Apple's AppleCare telephone support, he only needed Honan's billing address and the last four digits of his credit card number. Billing address? Piece of cake: Phobia found it in the public WHOIS record of Honan's registered domain name. The last four digits of the credit card? Not so hard either. He used a loophole in Amazon's phone support. First, Phobia called Amazon, said he was the account holder and asked to add a (fake) credit card number to the account. All he needed was the name (checked), the email address (checked) and the billing address (checked). Then he hung up. Second, he called Amazon again, this time claiming he had lost access to the account. After giving the name, the billing address and a credit card number on the account, namely the fake one he had just added, he was allowed to add a new email address to Honan's Amazon account, and from there he reset the password and logged in. Amazon only displays the last four digits of each stored card, but that was exactly what Apple asked for. Magic!
Back to Apple. Phobia called the AppleCare telephone support line, provided the information, and was given a temporary password for Honan's @me.com email. With that mailbox in hand he could also reset Honan's Gmail password, since @me.com was Gmail's recovery address, and from Gmail he reached the Twitter account he was after in the first place. Next, he logged into iCloud.com and remotely wiped Honan's iPhone, iPad and MacBook, thanks to the Find My iPhone and Find My Mac features.
Honan and his one-month-old daughter
Nowadays, since we all rely so heavily on cloud services and usually don't pay enough attention to their security features, it is those very cloud services that can be turned against us. In Honan's case, you didn't need a bachelor's degree in computer science to do what Phobia did. A pizza deliveryman could do the same: he has your name, your billing address and sometimes the last four digits of your credit card number from the pizza order you placed online!
So how do you protect yourself on the Internet?
1. Use a strong password
Use a combination of uppercase and lowercase letters, numbers and special characters, and above all make it long: at least 12 characters, ideally more, because length does far more for you than symbol swapping. A password like "B@dP@$$w0rd!" is only marginally better than "BadPassword": password-cracking tools try exactly these substitutions (@ for a, $ for s, 0 for o, a ! tacked on the end) against dictionary words as a matter of routine. A random string from a generator, or a passphrase of several unrelated words, is far stronger. Online generators such as http://strongpasswordgenerator.com or http://passwordsgenerator.net exist, but a password generated inside a third-party web page is only as trustworthy as that page; prefer the generator built into a password manager, described under item 2. And remember that in Honan's case strong passwords did not help at all, because the attacker never had to guess one; it is item 3 that would have stopped him.
2. Use different password for different
website/account
It is always better and safer to use a different password for every website. However, it is also hard to remember every single one. There are several solutions to this problem:
- Low-tech (and for grandma/grandpa :D): write them on a small piece of paper. This is actually a reasonable idea if you can keep it somewhere safe. Or you can write them on a card and keep it in your wallet. This also works well until one day… your wallet is lost or stolen :D.
- Medium-tech: instead of writing them on a piece of paper, store them in the Notes app on your phone. This is fairly safe if you lock your phone with a good passcode, but if someone borrows your phone and copies your note, those strong passwords are as good as dead. This is why I recommend the next method.
- High-tech: use one of the many tools that encrypt your passwords and store them securely, so the only password you have to remember is the master password. These tools can create and save a super strong, unique password for each website and fill it in automatically the next time you log in. The most popular tool is 1Password (https://agilebits.com/onepassword). It may be a bit pricey but it works seamlessly across Mac, Windows, iOS and Android. In addition, it can store your driver's license number, credit cards, passport, bank accounts… If you don't want to spend 50 bucks on 1Password, you have other options like iCloud Keychain, KeePass, LastPass…
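As an added example of what the advice in items 1 and 2 means in practice (my own code, not something from the original post or from any of the tools named above): the script below undoes the common leet substitutions, checks whether what remains is just dictionary words glued together, compares a naive "every character is random" entropy estimate with a more realistic one, and generates a password locally with the operating system's CSPRNG, which is what a password manager does for you. The tiny word list, the 100,000-word dictionary size and the 10 bits allowed for mangling rules are constructed assumptions chosen to keep the example readable.

```python
import math
import secrets
import string
from typing import Dict, List, Optional, Set

# Constructed toy word list standing in for a cracker's dictionary.
# Real wordlists hold 10^5 to 10^8 entries; this one is only for illustration.
WORDS: Set[str] = {"bad", "pass", "word", "password", "secret", "welcome",
                   "admin", "love", "money", "summer"}

# Reverse of the leet substitutions crackers apply routinely (assumed mapping).
LEET = str.maketrans({"@": "a", "4": "a", "$": "s", "5": "s", "0": "o",
                      "1": "l", "!": "i", "3": "e", "7": "t", "|": "l"})

def normalize(password: str) -> str:
    """Undo the cheap mangling rules: case, appended digits/symbols, leet."""
    core = password.lower().rstrip("!?.,;:#*_-0123456789")
    return core.translate(LEET)

def segment(word: str, words: Set[str]) -> Optional[List[str]]:
    """Split `word` into dictionary words (longest match first) or return None."""
    memo: Dict[int, Optional[List[str]]] = {}

    def go(i: int) -> Optional[List[str]]:
        if i == len(word):
            return []
        if i in memo:
            return memo[i]
        for j in range(len(word), i, -1):
            if word[i:j] in words:
                rest = go(j)
                if rest is not None:
                    memo[i] = [word[i:j]] + rest
                    return memo[i]
        memo[i] = None
        return None

    return go(0)

def naive_bits(password: str) -> float:
    """Entropy if every character had been drawn uniformly from the classes present."""
    pool = 0
    if any(c.islower() for c in password):
        pool += 26
    if any(c.isupper() for c in password):
        pool += 26
    if any(c.isdigit() for c in password):
        pool += 10
    if any(c in string.punctuation for c in password):
        pool += len(string.punctuation)   # 32 symbols
    return len(password) * math.log2(pool) if pool else 0.0

def effective_bits(password: str, dict_size: int = 100_000,
                   mangling_bits: float = 10.0) -> float:
    """Search-space estimate if the password is mangled dictionary words.
    Assumptions: dict_size candidates per word, ~10 bits of case/leet/suffix rules.
    Falls back to naive_bits when no dictionary decomposition is found."""
    parts = segment(normalize(password), WORDS)
    if parts is None:
        return naive_bits(password)
    return len(parts) * math.log2(dict_size) + mangling_bits

ALPHABET = string.ascii_letters + string.digits + string.punctuation  # 94 symbols

def generate_password(length: int = 16) -> str:
    """Generate locally with the OS CSPRNG instead of trusting a web page."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))

if __name__ == "__main__":
    for pw in ("BadPassword", "B@dP@$$w0rd!", generate_password()):
        print(f"{pw:20} naive={naive_bits(pw):5.1f} bits  "
              f"effective={effective_bits(pw):5.1f} bits")
```

Run it and the two "bad password" variants come out with the same realistic estimate (two dictionary words plus a few bits of mangling), while the naive estimate rewards the leet version for its symbols; only the generated string keeps its full entropy under both estimates.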
3. Use two-step verification (or two-factor authentication)
With two-step verification enabled, whenever you sign into your Gmail, Dropbox, Twitter… you have to enter your password plus a one-time code, which you can only get via text message, phone call or an authenticator app on your phone. So even if someone gets your password, they still cannot log into your account. Honan himself wrote afterwards that had he turned on Google's two-factor authentication, the attacker could not have taken over his Gmail with nothing but the recovery address. Two caveats: codes sent by SMS can be intercepted by someone who talks your carrier into moving your number to their SIM card (the same kind of phone-support social engineering Phobia used), so prefer an authenticator app; and review the recovery options on each account (backup email, phone number, backup codes), because that recovery path is exactly what attackers like Phobia go after.
4. Stay up-to-date
Keep your anti-virus software updated. Use the latest version of your web browser. Install software and system updates as soon as they are available. I know everyone hates Windows Update, but trust me, you are not safe if you click postpone or cancel every time :).
5. Shop safely
If you plan to buy something from an online store, make sure the site uses an encrypted connection. On the checkout page, verify that the web address begins with "https" and that the browser shows the padlock symbol, and stop if the browser warns about the certificate. Keep in mind what the padlock does and does not tell you: it means your traffic is encrypted to the site named in the address bar, not that the merchant is honest, so also check that the domain really is the store you intended. Security-company logos at the bottom of the checkout page prove nothing by themselves, since any site can paste in an image, so don't rely on them.