By now I hope you have read about the devastating hack of Wired writer Mat Honan. It serves as a chilling example of how much of our lives are entrenched in the digital sphere today and what can happen if the keys to that sphere fall into the wrong hands. Reading Honan's story, I was of course empathizing with him because of my own nightmare with passwords being hacked. In fact, I just wrote yesterday about my Twitter account being hacked, but so far that seems to be an isolated minor irritant.
The thing about Mat's story, though, is that his passwords weren't hacked here. They were allowed to be changed because the hackers socially engineered Apple, Amazon and Google into letting them change the passwords for Honan's accounts there. It is amazing that what Amazon makes available (the last 4 digits of a person's credit card) is exactly the same information that Apple required to allow someone to change their iCloud account. Of course, Apple says they are changing this now, but that doesn't do Mat much good.
Again, read Mat's story and realize how easily this can happen to you. They didn't go after Mat because of who he is, they just liked his Twitter name and wanted to get control of it. It can happen to any of us. Mat's only fault seems to be that he used the same name for all of his accounts. Probably most of us do too. But what else can we do?
That is the real lesson of the Mat Honan story. For far too long the security industry has said we need more than passwords. Using passwords and asking the same security questions (mother's maiden name, first pet, favorite movie - if you're a guy, is it the Godfather?) is just not a great way of protecting what has become a vital and irreplaceable part of our lives and fortunes. Two-factor authentication has been around a while now. While it is not perfect (see: last year's RSA hack of their token technology), it represents a quantum leap over single-factor authentication. Using SMS messages to your phone may be the best of these. We all have cellphones that are around us just about constantly. The only thing I can see messing this up is if somehow you lost your phone too.
Mat himself says that this whole ordeal could possibly have been avoided if he had turned on two-factor authentication on his Google Gmail account. It is an easy thing to do. I did it myself this morning. Go to this Gawker article and follow the links to enable Gmail and Google account two-factor authentication. While you are at it, go through your Google account settings and review all of the devices and apps that you have authorized to use your account. Just as with the Twitter experience I went through the other day, I was amazed how linked in (no pun intended) my Google account was to many of the other services I use.
After setting up two-factor authentication in Google, next go to Facebook and do the same thing. The Gawker article has the link for that as well. Once you do, again take the time to see what devices and locations have logged in to your Facebook account. Once again, I was blown away. Even scarier, I saw two or three logins to Facebook from places and devices I did not recognize. That was scary. I went in and changed my Facebook password for good measure as well.
Finally, another lesson from Mat's misadventure is that if you back up your data only to the cloud, that backup is only as good as the security of your cloud identity. If they can break into the service, they can wipe out your data. So maybe keeping an old-fashioned on-premises backup of both your company and personal accounts is still a wise move.
I was really sorry to see what happened to Mat here. Reading about the reasons one of the hackers who did this to him had for doing it made it seem like a senseless crime to me. I empathized with Mat after what happened to me. At the end of the day, if enough people adopt two-factor authentication and it finally reaches a critical mass as the normal way to secure your accounts, the good news is that Mat's hacking did not happen in vain.
Remember Honan's hack and turn on two-factor authentication now!
As co-founder and Managing Partner at The CISO Group, Alan Shimel is responsible for driving the vision and mission of the company. The CISO Group offers security consulting and PCI compliance management for the payment card industry. Prior to The CISO Group, Alan was the Chief Strategy Officer at StillSecure. Shimel was the public persona of StillSecure as it grew from a start-up to helping defend some of the largest and most sensitive networks in the world.
Shimel is an often-cited personality in the technology community and is a sought-after speaker at industry and government conferences and events. His commentary about the state of security, open source and life is followed closely by many industry insiders via his blog and podcast, "Ashimmy, After All These Years" (www.ashimmy.com). Alan is now also a regular contributor to The CISO Group’s security.exe blog and podcast. Follow him on Google.
Alan has helped build several successful technology companies by combining a strong business background with a deep knowledge of technology. His legal background, long experience in the field, and New York street smarts combine to form a unique personality.
Disclosure: The CISO Group sells a software-as-a-service PCI compliance application called SAQPro. The company is independent and does not represent any other vendor's products as a reseller.