Jeff Gelles: Hacker's havoc exposes user laxity and security flaws

Within an hour, Mat Honan, who writes Wired's Gadget Lab, lost access, memory, and data - before his eyes. (JULIE MICHELLE)
Posted: August 16, 2012

In the annals of digital nightmares, Mat Honan's could rank up there with an unscheduled trip into The Matrix.

In one mind-bending hour, the writer for Wired magazine's Gadget Lab lost access to his Apple, Amazon, Google, and Twitter accounts.

But that wasn't the worst. He then watched in horror as hackers posted offensive tweets in his name, erased eight years of his Gmail messages, and wiped all the memory from his iPhone, his iPad, and his Mac laptop. He lost all his unbacked-up data - including a year's worth of priceless photos of his daughter.

As a tech writer, Honan conceded his own mistakes - especially his failure to back up his personal computer, and the risks he took with passwords and other security protections.

But he also identified something more surprising than his own laxity: security flaws in key procedures at Apple and Amazon, two high-tech giants that also should have known better.

Honan made contact with one of the hackers, who called himself "Phobia" and explained some key tricks.

Phobia's goal, he contended, wasn't to wreak total havoc in Honan's life. He and an accomplice supposedly had a more prosaic target: taking over Honan's Twitter handle, "@mat." Zapping photos of his daughter and all the rest of Honan's data was apparently just bonus mischief.

Honan, whose Twitter feed now bears the label "Probably Mat Honan," detailed his digital downfall in a post at www.Wired.com/gadgetlab. According to Wired, the flaws at Apple and Amazon - each initiated by impostors during low-tech phone calls - have since been fixed. But they're a cautionary tale unto themselves.

The procedure was circuitous - Phobia and his fellow maladies plainly know their stuff. It began when Amazon allowed the hacker to add an extra credit card to Honan's account. Then, with a second call, Amazon allowed the hacker to add a new e-mail address to the same account. All the hacker needed was Honan's name, billing address, and - bam! - that credit-card number.

That new address was crucial. With it, the hacker could request a password reset, and get into Honan's Amazon account. He could have then ordered a dozen flat-screen TVs, or committed other costly frauds, but he was apparently after something else.

He wanted to see the last four digits of Honan's actual credit-card number - the only digits that Amazon displayed and, coincidentally, the only digits that Apple then required, with other account details the hacker could infer, to issue a temporary password reset.

It was downhill from there. Honan had given Google his Apple "me.com" e-mail address for password recovery - the process that provides temporary access to your account when you click a "Forgot password?" link on a website.

Amazon and Apple may have since blocked Phobia's tactics. But Honan rightly sees his own role in enabling this saga, including these mistakes:

Not using Google's offer of "two-factor authentication" - a crucial failure that allowed Phobia to get into his Gmail account and then into Twitter, his primary goal.

"Daisy-chaining" accounts, Honan's term for linking one e-mail account to another through account-recovery addresses, and the use of similar - and thus guessable - e-mail addresses at multiple accounts.

Using Apple's "Find My Mac" app, a companion to its popular "Find My iPhone" app. That app was what allowed the hackers to remotely erase Honan's laptop.
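The "daisy-chaining" Honan describes is easy to reason about as a graph: an edge from account A to account B means that whoever controls A can reset B, whether through a registered recovery address or, as with the Amazon-to-Apple step, through data one service leaks that another accepts as proof of identity. The following script is an added example, not code from Wired, Apple, Amazon, or Google; the account names, recovery links, and two-factor flags are constructed to mirror the chain in this column, not real account data. It walks the chain from a single foothold to show the full blast radius, shows how enabling two-factor authentication on one link cuts the chain, and lists which accounts to harden first.

```python
"""Model account-recovery 'daisy chains' and compute the blast radius of one compromise.

Added example for this column, not code from Wired, Apple, Amazon, or Google.
All account data below is constructed to mirror the chain described in the text.
"""
from collections import deque

# Constructed: RESET_BY[target] lists accounts whose control lets an attacker reset
# `target` (a registered recovery address, or, for Apple, card digits leaked by Amazon).
RESET_BY = {
    "amazon": [],
    "apple_icloud": ["amazon"],
    "gmail": ["apple_icloud"],
    "twitter": ["gmail"],
}

# Constructed: whether each account has two-factor authentication enabled.
TWO_FACTOR = {"amazon": False, "apple_icloud": False, "gmail": False, "twitter": False}


def reset_graph(reset_by):
    """Invert RESET_BY into a forward graph: source -> set of accounts it can reset."""
    graph = {}
    for target, sources in reset_by.items():
        graph.setdefault(target, set())
        for src in sources:
            graph.setdefault(src, set()).add(target)
    return graph


def takeover_paths(reset_by, two_factor, foothold):
    """Breadth-first walk from `foothold`; returns {account: path} for every account
    the attacker ends up controlling.

    An account with two-factor enabled cannot be taken over just by resetting its
    password, so it is skipped and its own outgoing edges are never followed.
    """
    graph = reset_graph(reset_by)
    paths = {foothold: [foothold]}
    queue = deque([foothold])
    while queue:
        cur = queue.popleft()
        for nxt in sorted(graph.get(cur, ())):
            if nxt in paths or two_factor.get(nxt, False):
                continue
            paths[nxt] = paths[cur] + [nxt]
            queue.append(nxt)
    return paths


def blast_radius(reset_by, two_factor, foothold):
    """Set of accounts lost if `foothold` is compromised."""
    return set(takeover_paths(reset_by, two_factor, foothold))


def weakest_links(reset_by, two_factor):
    """Accounts that lack two-factor and serve as a recovery source for at least one
    other account: the links worth hardening first, in name order."""
    graph = reset_graph(reset_by)
    return sorted(a for a, targets in graph.items()
                  if targets and not two_factor.get(a, False))


if __name__ == "__main__":
    for name, path in takeover_paths(RESET_BY, TWO_FACTOR, "amazon").items():
        print(f"{name}: {' -> '.join(path)}")
    hardened = dict(TWO_FACTOR, gmail=True)
    print("with 2FA on Gmail:", sorted(blast_radius(RESET_BY, hardened, "amazon")))
    print("links to harden first:", weakest_links(RESET_BY, TWO_FACTOR))
```

With the constructed data, a foothold at Amazon reaches all four accounts; flipping two-factor on for Gmail alone stops the walk at Apple, which is the point Rogers makes about not using one key for every door. Run the same model over your own recovery addresses to see which single account, if lost, takes the rest with it.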

Is there more to learn from Honan's story, which he sees as a warning about the "looming nightmare as we enter the era of cloud computing and connected devices"? I put that question to Edmond Rogers, a cybersecurity engineer at the University of Illinois' Information Trust Institute.

Rogers agrees with Honan that a central mistake was the daisy-chaining of accounts.

"You don't have the same key for all the cars you own. You don't have the same keys for your home that you do at work," Rogers says. "Unfortunately, there are some people who are always going to take advantage of you if you expose your weakness."

In addition to using two-factor authentication when it's offered, Rogers recommended using a password manager - software that encrypts and remembers different passwords for each of your accounts, and allows you to access them with a single, strong and well-protected password. Good ones are easily available - one is even built into the Firefox browser.

It's also wise to remember how e-mail accounts have become as crucial as your most sensitive financial accounts. Once into your e-mail, a hacker can do massive damage. Even one whose name isn't synonymous with fear itself.


Contact Jeff Gelles at 215-854-2776 or jgelles@phillynews.com.
