Update, December 2019: The events prompting this article, and the admonitions within it, date back to the summer of 2012. It's hard to believe it's been seven years. It's even harder to believe how little has changed, and how timely this story and its lesson remains.
"How Apple and Amazon Security Flaws Led to My Epic Hacking", on Wired.com, is a tale of account hacks leading to the compromise of several accounts and, ultimately, the irretrievable destruction of precious data, including photos of the author's infant daughter. The tale of woe features lax security from the author and major services -- all of whom ought to have known better.
The author watched as it happened, powerless to stop it.
It makes for chilling reading, and I strongly recommend you review it to see how horribly things can go wrong.
Let's look at the lessons learned, and some of the steps you and I can take to avoid, or at least seriously minimize, the risk of ever experiencing something similar.
Back up. Seriously: BACK UP!
I really want to drive it home with this quote from the Wired article:
Had I been regularly backing up the data on my MacBook, I wouldn’t have had to worry about losing more than a year’s worth of photos, covering the entire lifespan of my daughter, or documents and emails that I had stored in no other location.
For more emphasis: "... that I had stored in no other location."
I say it again and again. If there's only one copy1, it's not backed up. I don't care if it's on your hard disk, your "backup" drive, or some kind of cloud thingamajig. If there's only one, it can disappear in an instant.
If you take away only one thing from anything I ever say, write, or do, please let it be about backing up. Nothing can save you from almost any possible disaster more than a proper and current backup.
Learn from Mat Honan's loss. Had he backed up, his story would have been about a major inconvenience, nothing more. As it is, some of his most precious data is gone forever.
Isolate your accounts from each other
Quoting the victim:
My accounts were daisy-chained together. Getting into Amazon let my hackers get into my Apple ID account, which helped them get into Gmail, which gave them access to Twitter.
We often talk about how important it is to have different passwords for different accounts. If a hacker manages to get your password at service "A," then he may well be able to log in to services "B", "C", and "D", if you used the same password at all four.
That's not what happened here.
In this case, using the same email addresses for the accounts allowed the hacker to exploit vulnerabilities in the "I lost my password" recovery process to gain access.
So, how do you "isolate" your accounts from each other?
- Use different email addresses as usernames at different services.
- Don't use the primary email for one service as the recovery or alternate address at another.
The problem? Those guidelines are very inconvenient.
Multiple email accounts
Using different email addresses for each account prevents a hacker from using "common" information about you -- like a single, primary email address -- as a foot in the door to compromise one or more of your services.
Unfortunately, managing multiple email addresses can be anything from mildly annoying to a downright pain.
If you own a domain -- say "yourveryowndomainname.com" -- then you can have an unlimited number of email addresses on that domain. You can set up separate email addresses for each of the services you want to isolate.
You might set up "amazon@yourveryowndomainname.com" and "apple@yourveryowndomainname.com" and so on.
Each would be configured to automatically forward to your "real" email address, so you don't have to actually manage multiple email accounts and inboxes -- only email addresses that all forward to a single destination.
Some services, including Gmail, support a technique known as "subaddressing", which lets you set up unique email addresses that automatically land in your single inbox. You simply use the "+" sign to add a unique identifier to your email address.
If your email address is example@gmail.com, then you might use example+amazon@gmail.com as your Amazon.com email address.
Some services support creating aliases to additional email addresses, which work very much like the two examples above – the aliases are all different email addresses that all deliver to a single email account.
And of course, many email services don't support a convenient solution at all. Your only solution there is to create more email accounts, or use a provider that has the functionality I've listed above.
Recovery email addresses
Mr. Honan's story begins with the hackers discovering that the recovery email address for his Gmail account is an Apple ".me" account. Even though Gmail's "I forgot my password" page obscured the email address as "m******n@me.com", knowing that .me accounts are usually firstname.lastname@me.com, the hackers were able to decipher it.
Normally, that alone wouldn't be enough, but if you read the account of what progressed, you can see why it was.
One thing, quite literally, led to another.
One fairly simple solution to at least some of this "daisy chaining" of accounts is to set up a separate recovery email address and use that rather than the email address actually associated with an online service.
The victim put it even more clearly:
And I should have had a recovery address that’s only used for recovery without being tied to core services.
So, rather than using your Facebook login email address as your Gmail alternate account, use a separate email address dedicated to account recovery as that alternate for Gmail. That way, compromising either won't act as a steppingstone to compromising the other.
Once again, this calls for a new email address. Perhaps "recovery@yourveryowndomainname.com", or "example+recovery@gmail.com", or some other email account or alias. Just make sure the recovery email address is not itself dependent on the service it might be used to recover (for example, don't set up example+recovery@gmail.com to recover your example@gmail.com account – you may not have access when you need it most).
And if it is a separate account, make sure to maintain it. Log in periodically to make sure it's not closed for lack of use.
None of this should be necessary
In reality, aside from backing up, nothing I've discussed should be required.
Ideally, account recovery procedures would allow the legitimate account holder and only the legitimate account holder to recover their account credentials. The problem is, that's a customer service nightmare:
- Make the recovery rules too easy, and account breaches like this happen.
- Make the recovery rules too hard, and you run the risk of preventing legitimate account holders from regaining access to their account if they lose even one small detail of required information.
As a result, many companies set up policies trying to make the recovery process both secure and customer-friendly. Unfortunately, those two are often at odds. And as I've said before,
people forget their passwords much more often than we might expect.
The recovery process exploited in this case relied on fundamentally bad policies, not bad technology. Both Apple and Amazon have changed their policies since.
While it's great that Apple and Amazon have improved security, it's too bad it took this very public and embarrassing episode to make it happen.
But what about all of the other services that we use and rely on every day? How do we know their account recovery processes can't be exploited or circumvented?
We don't.
And that means that it's up to us to take on the responsibility to stack the deck a little more in our favor and minimize whatever damage might result.
Even if it does add a little inconvenience.
That little inconvenience is nothing compared to the massive inconvenience of account loss, data loss, or even identity theft.
Postscript: Two-factor authentication
One of Mr. Honan's comments was:
"Had I used two-factor authentication for my Google account, it’s possible that none of this would have happened..."
Two-factor authentication, now more commonly available than back in 2012, means the email address and the password is not enough to gain access to an account. When enabled, two-factor authentication requires something you know (the standard username/password information), but also something you have (for instance, information from a device or mobile phone application, which proves you are in possession of that particular device at the time you log in).
I highly recommend it.
While it doesn't solve every possible security problem, like using separate email addresses, it makes hacking your account significantly more difficult, and therefore less likely.
Do this
Subscribe to Confident Computing! Less frustration and more confidence, solutions, answers, and tips in your inbox every week.
I'll see you there!
Podcast audio
Footnotes & References
1: That one "copy" being the one and only original.
Thanks Leo. I’ve read a lot of good info on your site. This one is quite an eye opener, and might be the most important for my personal situation.
Leo, the word you want is ‘breaches’ not ‘breeches’!
@Bob
Yes, it’s breaches. The error is now fixed. Leo is a computer geek, not a grammar geek. But I’m quite impressed with his use of English. As Leo himself said The one thing that I wished I’d done differently.
Bit of a common repeat this Leo, but still just to be sure just backed up all again outside comp.
Definitely some timely information here; however, as long as we’re commenting about English usages, how about learning the difference between “lead” and “led.”
Amazon and PayPal both allow a serious gap in their security. Neither requires an on-line purchaser to provide the security code found on the back of a credit card when making a purchase. If a hacker can somehow get into your account with either of these two companies (s)he can easily make a purchase using your card. I have had a charge made to my PayPal account by a person simply using my name. Needless to say I have had to set up my own security measures to prevent this happening again via these two companies.
Thank you for this article. I now appreciate even more the very inexpensive Yahoo Mail Plus which provides 500 disposable email addresses. I set a different address for every business, service, contact etc., along with a unique password for each one.
Several times, a contact was hacked and it was just a matter of deleting that address and creating a new slightly different one.
I have so many accounts and passwords that I finally bought a telephone address book with the tabbed pages for each letter and put all my account names in there with a 1 or 2 letter code to my passwords in it and it is also hidden away. Some places I only log into once or twice a month and I seem to always forget, or I change a password and forget what I changed it to. Sometimes my code to the password is so cryptic even I can’t figure out what I meant, though!
Storing files on Dropbox can be helpful. I found when a check writing DB was corrupted I could restore any changes made to the file in the last 30 days. I also have carbonite, but this was easier.
First & foremost, anyone who has read this article and only comes away with snide comments regarding grammar, will probably be the next one in line to experience a catastrophe such as stated.
Aside from that nonsense, I myself have recently become the target of a relentless nuisance rather than hacker. I don’t believe this individual has enough brains to be a “hacker”
In any event, said individual has gained access to my uTube account, leading to my gMail account, which was “hacked” granting “them” access to my contacts. I was verbally/physically threatened with unannounced beatings and enough abuse over the internet by way of slander to want to make me “kill myself” (His Words)
I have different email accounts for different online blogs, forums, etc… this is how this “individual” latched onto me.
The only way I’ve been able to deal with it, since the authorities want nothing to do with it even with many contacts to the law enforcement community that I have, (they just don’t have the time or resources) Is to delete all my accounts to the best of my ability & start over again with new email addresses, accounts and such. It is a very time consuming process, and one that I will never be %100 sure of having rid myself of this #$@&*^(@#+ individual.
If you thought reformatting/re-installing was bad, sheeshhh this has nothing on that!
Yes I back up. to see how much so read my comments to Leo’s @ http://ask-leo.com/will_windows_8_overwrite_my_system_restore_partition_and_if_so_how_do_i_restore.html
Thanks again, Leo & never mind those OCD gRAMMAR gEEKS!!!
Johnny.
Excellent article, but it seems that it would be too easy for hackers to figure out your actual email address if you use the gmail “+” method of adding characters to your address. Your actual email address would be the characters before the “+” sign.
11-Aug-2012
I back up every couple of months, because
idiots with time on their hands exist. I have had to verify my account. I have learned heaps from your pages and will continue reading.BACKUP PEOPLE. Thanks Nigel
Leo, Please expand on this mysterious sentence from the above article: ‘I recently backed out of two-factor authentication on one of my other accounts because the recovery process after losing that required device was suspect.’ Google and Craigslist are the only two major site I deal with that require two-factor identification including phone contact. What about the phone contact is suspect? Thank you.
11-Aug-2012
I must be missing something bleedingly obvious in Mat Honan’s hacking saga.
Why didn’t (or can’t) he simply recover his child’s photos etc from his external backup device? How did the hacker(s) get access to a disconnected device? And of course I’m assuming that being a professional IT journalist advising less-talented folks about security he would in fact have such a device.
11-Aug-2012
@Geoff
The bleeding obvious is that in spite of being an IT professional, Matt Honan didn’t have a backup.
‘Had I been regularly backing up the data on my MacBook, I wouldn’t have had to worry about losing more than a year’s worth of photos, covering the entire lifespan of my daughter, or documents and emails that I had stored in no other location.’
The wise learn from the mistakes of others.
It’s very interesting and downright scary to realize how easily complex data and identity protocols can sometimes be undone by basically leaving out the human interaction factor. I have had a personal experience with my online banking account that perfectly illustrates this. This bank employed a password system which required customers to change passwords every 90 days , and actually required a fairly complex password, along with an assigned numerical user id. Occassionally I would find myself locked out for no apparent reason other than a glitch in their system, so I would call a very friendly and helpfull customer service rep who would reset the password. On one particular occasion I misrememmbered my user id, replacing one digit with another. Since no other information was required my password was reset (“abcd” was the temp password I was always given ha-ha). I logged into what I thought was my account (hadn’t realized I was using the a the wrong user ID yet), an found most of my money had disappeared. It took me just a few moments to realized I had accidently hacked into someone else’s account! I remember reading an interesting article by a security research expert who made the point that very often the weakest link in security is a very well meaning customer service person or even in large companies where persons in a far flung department who will divulge security information under the impression he’s just helping an unfamiar fellow employee who forgot his ID or password. This researcher was really quite amazed to find that he could find these weak links created by by individuals just trying to be really helpfull and literally talk his way through all the layers of security designed to stop brute force entry .
In my own case with my bank I was not even asked for the last four digits of my ss let alone the whole thing, which I would think is the usual minimum. They have since implemented a two factor authentication but that incident has always stuck with me and I think this article well illustrates how seemingly minor overlooked human interaction factors (i.e. when the security passes from software to interacting people) the whole process can be unravelled.
Leo…
I’m another idiot who, while happily gleaning all kinds of pertinent info from your newsletters – allowed your constant ‘back up’ warnings to go in one ear and out the other…for years. Two weeks ago my laptop crashed. A computer tech said all was lost. Later, having a light bulb moment, she popped my PC hard drive into her Mac and was able to recover my photos, for which I was extremely greatful. However, all else was lost. I feel for Mr. Honan and everyone who has lost all their data. It is SO disconcerting…..like having part of your brain’s memory wiped out. I am currently shopping for an external back up system. Nan
Very interesting stuff. This really got me wondering what to do if, heaven forbid, my LastPass account got hacked somehow. URLs and passwords galore in there — keys to my kingdom. Scary.
That’s why the cloud is dangerous.
15-Aug-2012
The cloud isn’t dangerous. Solely relying on the cloud without backup is dangerous as is working on your hard drive without backup.
I have my own domain and already use a separate email address for each service for the reasons Leo describes in this article. I also use disposable email addresses for forums etc.
I am now wondering is this actually enough. Take Amazon as an example, someone who knows my domain name could very easily guess that I use amazon@mydomain.com. Then using my name and address (easily accessible and included on all my business emails) they could gain access.
From there they could guess that I use the same format on other services e.g. paypal@mydomain.com facebook@mydomain.com etc etc.
Feels like I am patting myself on the back for being so clever and security conscious when any second all my efforts and minimum 16 digit passwords could be shot down in flames.
Am I being too overcautious and is there anything we can do to fully protect ourselves.
16-Aug-2012
@Simon
A strong unique password, along with security questions with obscure answers, should be enough to protect you against your accounts being hacked. However, if you feel your email address names are too easy to guess you can add numbers or text to the site name, for example Facebook_login@mydomain.com, hotmail_8997, twitter_safe etc. Of course using a unique suffix for each account. This is probably overkill, but if you’re really paranoid it’s better than underkill.
Hold on a minute – we really have no way of knowing that this was not all a pre-meditated stunt to gain a lot of publicity for the journalist wishing to expose security shortcomings without risking any liability himself. If so it has obviously worked.
Nevertheless, the principles highlighted are all valid, so it has been of benefit to us either way.
Thanks Mark,
Great idea about the prefix especially if I can come up with a formula to work out each random prefix. Being pedantic I know they wouldn’t be truly random but they would be easy to remember and hard to guess.
Fortunately I don’t have to worry about my bank as they use 2 factor authentication requiring a username, password, key fob and a PIN entered into the key fob before it displays the code. Not sure if 2 factor is an accurate description of this process but I’m happy with it.
And as a long time reader of Ask Leo I have everything backed up with offsite copies.
So at least I am as safe if not safer than most, even if my impregnable digital bunker was nothing more than a complacent perception.
Thanks Leo, I will learn to back up or store pics on CD’s ; your articles are very helpful, I bookmarked this one to reread . Thanks Earl : )
As an experiment I went to another website that I do business with. I called them told them I was having trouble getting into my account. Hey, no problemo!
The CS guy reset my password after getting my name and address. He actually volunteered my email address, as in: “Your email is Bill@dumbo.com?” (though my email address is very easy to find.)
“Voila!” as they say in France, there was the last 4 of my credit card. Oops.
Does anyone know if Apple, or any other major sites, are still using this number as an I.D. validation?
At a minimum anyone who did what I did could have ordered product using my card and changed my email address so that I wouldn’t get a notification. BTW the product is instantly consumable and re-saleable.
ps I didn’t even know that Apple used those numbers as authentication until Honan’s disaster.
Moving a little off topic….
RE: “PayPal allows a serious gap in security. Neither requires an on-line purchaser to provide the security code found on the back of a credit card when making a purchase.”
My experience [past and present] indicates that my payment will not be processed when the security code IS required, and requires a call to the seller to submit my payment….then it goes through.
Why? Because I use the PayPal Student Debit Card [I’m not really a student]. For this reason, and the fact that my financial liability is limited to the existing balance, I use their Student Debit Card . Also, transfers are immediate, and no fees [except $1.00 for ATM w/d]. Also, PayPal’s CSR’s wont give out any information on your account if you forget the PW. I had transposed the last 2 characters of a PW….no dice, open a new account.
I’m guessing the student financial relationship with a main account [parent] is a bit more secure, for the students benefit. Oh those kids.
I’m glad to see that Mat Honan admitted that this was his fault, especially for not having backups. But, in the article he quickly diverted to saying “what happened to me exposes vital security flaws in several customer service systems” – because, Mat claimed, that the services had different priorities for their security methods. Wrong, this was his fault alone. The biggest fault was the unquestioned, unwavering, wholehearted adoption of everything that these online companies allow you to do, aggravated by a lack of knowledge or understanding of any of the technology or its implications. “Click here”. “Sure, I’ll click here”. But to be fair, the man was also unlucky.
Leo, you must be commended for your dedication to advocating backup. People don’t do backup, because it’s not sexy. It’s boring. (And not necessarily easy, at least the first time.)
I really think this is a major reason why it is so often overlooked. People do privacy and encryption, even when they don’t really need it, because it’s sexy. It’s Snowdeny and James-Bondesque to high heavens. But backup ? That’s a menial task.
In fact, all the vulnerabilities in the described case are easy to mitigate :
1. Establish an appropriate automatic backup routine with a good specialized program (which may even be free).
2. Install a good password manager (which may even be free), and use unique, long and random passwords for each account.
3. Use unique email addresses for each account, either through your own domain, or through a good alias providing service (which may even be free) : Spamex, 33 Mail and Anon Addy are three such good providers.
Done. Not difficult. Possibly free, and once you’ve been through the inital setup and learning, it’s completely intuitive.
Get 2FA but don’t select the option of sending code to your email. Send it to your phone.
Actually, the beauty of phone app-based 2FA is that nothing is “sent” from or to the phone. No connectivity is needed.
To pair the app with a specific website, you take a picture of your computer screen. Communication is only optical. This shares the secret key between the site and the phone.
Once it’s there, the app generates the TOTP code by itself. That’s the 6-figure extra password, which changes every 30 seconds. You then type that code manually into your computer. You do the communication with your fingers.
This means 2FA works, even if you don’t have cell phone signal, or Internet Wifi connectivity. You don’t need either of those. Your smartphone only works as an unconnected hand-held computer, albeit with a camera inside.
Mat Honan’s experience demonstrates two things:
1 – even experienced and knowledgeable computer users can fail to look after their best interests.
2 – providers of on-line services place profit before the best interests of subscribers.
Solution? Don’t use on-line services – particularly financial services -until a well-regulated and compulsory framework is in place that all consumers clearly understand.
Wow. I don’t see how #2 follows from the experience. And “don’t use online services”? Not practical these days. And waiting for for some kind of regulatory framework, while nice, just isn’t going to happen any time soon — particularly one that consumers understand. Let face it, does such a framework exist for anything offline? That consumers actually understand? I think not.
My #2 is simply that individuals — you and me and all those consumers — must take responsibility for their own online security. That means becoming educated, and following individual best practices.