Harrowing tale from Mat Honan, writer for the popular tech news site Gizmodo:
I realized something was wrong at about 5 p.m. on Friday. I was playing with my daughter when my iPhone suddenly powered down. I was expecting a call, so I went to plug it back in.
It then rebooted to the setup screen. This was irritating, but I wasn’t concerned. I assumed it was a software glitch. And, my phone automatically backs up every night. I just assumed it would be a pain in the ass, and nothing more. I entered my iCloud login to restore, and it wasn’t accepted. Again, I was irritated, but not alarmed.
I went to connect the iPhone to my computer and restore from that backup — which I had just happened to do the other day. When I opened my laptop, an iCal message popped up telling me that my Gmail account information was wrong. Then the screen went gray, and asked for a four-digit PIN.
I didn’t have a four-digit PIN.
By now, I knew something was very, very wrong.
The hacker, who goes by the name Phobia, pulled off a very clever trick by first taking advantage of a gaping security hole at Amazon, and then socially engineering an unsuspecting AppleCare rep and getting him or her to change Honan’s iCloud account password. Once they had control of his iCloud email, it was open season on his entire online world, including his Google/Gmail account.
Putting aside the sheer lunacy of a tech writer not having any sort of backup of his laptop, it appears there are only a couple of things Mat could have done to prevent this. Namely, build a solid firewall between the email account he uses for communication and an account used for everything else (web services, online shopping, etc). It’s a good lesson for the rest of us, but hindsight is 20/20. The real problem is Amazon and Apple either ignoring normal security procedures, or having a massively flawed system in place from the get-go.
Here are some tips for the average user to avoid this kind of disaster:
- Get 1Password.
- Don’t reuse the same password in multiple places. Using 1Password, create random, unique passwords for all of your accounts.
- Protect your email account like your life depends on it (it does).
- Better yet, set up a separate Gmail account with 2-step verification and use it for your online accounts. Keep it secret and don’t ever send email with it. When it asks for an alternate recovery email, use your spouse’s, or set up a separate throwaway account just for that.
- Set up a PIN or password lock on any devices where you can receive email (iPhone, iPad, laptop, etc).
- Keep automatic, up-to-date backups of your stuff. For PCs, use CrashPlan. For Macs, use Time Machine. For iPhones and iPads, use iCloud. You’re crazy not to.
- Don’t over-share on social media, and lock your Facebook and LinkedIn profiles down so only approved friends can view them. No need to make it easier to guess your passwords or the answers to your security questions.
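The "firewall between accounts" advice above is really about recovery chains: whichever account can reset another is a path an attacker can walk. As an added example (not from the original post), this script models accounts as a directed graph of recovery links, computes how far a single compromise spreads, and compares a chained setup mirroring the Amazon → iCloud → Gmail path described above with the segregated recovery-account setup recommended in the tips. All account names and links are constructed for illustration.

```python
"""Model account-recovery dependencies and compute the blast radius of one
compromised account. Added example; names and links are constructed."""
from collections import deque


def blast_radius(recovery_links, compromised):
    """Every account an attacker reaches from `compromised`, excluding itself.

    An edge a -> b means control of account a lets the attacker reset or
    take over b (recovery e-mail, support-desk identity check, remote wipe).
    """
    reached = {compromised}
    queue = deque([compromised])
    while queue:
        acct = queue.popleft()
        for target in recovery_links.get(acct, ()):
            if target not in reached:
                reached.add(target)
                queue.append(target)
    return reached - {compromised}


def riskiest_accounts(recovery_links):
    """Rank accounts by how many others fall with them (worst first)."""
    accounts = set(recovery_links) | {t for ts in recovery_links.values() for t in ts}
    return sorted(accounts, key=lambda a: -len(blast_radius(recovery_links, a)))


# Constructed: one everyday address doubles as recovery address for everything,
# so a leak at a retailer chains into the mail account and the devices.
CHAINED = {
    "amazon": ["icloud"],                     # leaked details pass the support-desk check
    "icloud": ["gmail", "iphone", "laptop"],  # recovery e-mail plus remote lock/wipe
    "gmail": [],
}

# Constructed: a secret, 2-step-verified recovery account that is never used
# for communication; nothing points into it, so no other compromise reaches it.
SEGREGATED = {
    "amazon": [],                             # support-desk pivot no longer leads anywhere
    "icloud": ["iphone", "laptop"],
    "public_gmail": [],                       # the everyday address recovers nothing
    "recovery_gmail": ["amazon", "icloud", "public_gmail"],
}

if __name__ == "__main__":
    for name, graph in (("chained", CHAINED), ("segregated", SEGREGATED)):
        print(name, "amazon compromised ->", sorted(blast_radius(graph, "amazon")))
        print(name, "protect first:", riskiest_accounts(graph)[0])
```

In the chained layout the retailer account is the riskiest node even though it holds nothing valuable itself; in the segregated layout the only high-value node is the recovery account, which is exactly the one the tips say to keep secret and behind 2-step verification.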