33 comments on “What Can We Learn from Mat Honan?”

  1. Thanks Leo. I’ve read a lot of good info on your site. This one is quite an eye opener, and might be the most important for my personal situation.

    Reply
  2. Definitely some timely information here; however, as long as we’re commenting about English usages, how about learning the difference between “lead” and “led.”

    Reply
  3. Amazon and PayPal both allow a serious gap in their security. Neither requires an on-line purchaser to provide the security code found on the back of a credit card when making a purchase. If a hacker can somehow get into your account with either of these two companies (s)he can easily make a purchase using your card. I have had a charge made to my PayPal account by a person simply using my name. Needless to say I have had to set up my own security measures to prevent this happening again via these two companies.

    Reply
  4. Thank you for this article. I now appreciate even more the very inexpensive Yahoo Mail Plus which provides 500 disposable email addresses. I set a different address for every business, service, contact etc., along with a unique password for each one.

    Several times, a contact was hacked and it was just a matter of deleting that address and creating a new slightly different one.

    Reply
  5. I have so many accounts and passwords that I finally bought a telephone address book with the tabbed pages for each letter and put all my account names in there with a 1 or 2 letter code to my passwords in it and it is also hidden away. Some places I only log into once or twice a month and I seem to always forget, or I change a password and forget what I changed it to. Sometimes my code to the password is so cryptic even I can’t figure out what I meant, though!

    Reply
  6. Storing files on Dropbox can be helpful. I found when a check writing DB was corrupted I could restore any changes made to the file in the last 30 days. I also have Carbonite, but this was easier.

    Reply
  7. First & foremost, anyone who has read this article and only comes away with snide comments regarding grammar will probably be the next one in line to experience a catastrophe such as stated.
    Aside from that nonsense, I myself have recently become the target of a relentless nuisance rather than hacker. I don’t believe this individual has enough brains to be a “hacker”.
    In any event, said individual has gained access to my YouTube account, leading to my Gmail account, which was “hacked”, granting “them” access to my contacts. I was verbally/physically threatened with unannounced beatings and enough abuse over the internet by way of slander to want to make me “kill myself” (His Words).
    I have different email accounts for different online blogs, forums, etc… this is how this “individual” latched onto me.
    The only way I’ve been able to deal with it, since the authorities want nothing to do with it even with many contacts to the law enforcement community that I have (they just don’t have the time or resources), is to delete all my accounts to the best of my ability & start over again with new email addresses, accounts and such. It is a very time consuming process, and one that I will never be 100% sure of having rid myself of this #$@&*^(@#+ individual.
    If you thought reformatting/re-installing was bad, sheeshhh this has nothing on that!
    Yes I back up. To see how much so, read my comments to Leo’s @ http://ask-leo.com/will_windows_8_overwrite_my_system_restore_partition_and_if_so_how_do_i_restore.html
    Thanks again, Leo & never mind those OCD gRAMMAR gEEKS!!!
    Johnny.

    Reply
  8. Excellent article, but it seems that it would be too easy for hackers to figure out your actual email address if you use the gmail “+” method of adding characters to your address. Your actual email address would be the characters before the “+” sign.

    The scenario at play in this case where someone correctly guessed the email address from only the first and last characters of the email – a*******b@me.com was displayed, and knowing that it was typically a firstname.lastname email address that was enough. When the email address is display obfuscated like that there’s no way to know if there’s a + in there or not. Making sure it’s not a pointer to another important account (as happened in this hack) is also part of the solution.

    Leo
    11-Aug-2012
    Reply
  9. I back up every couple of months, because idiots with time on their hands exist. I have had to verify my account. I have learned heaps from your pages and will continue reading. BACKUP PEOPLE. Thanks Nigel

    Reply
  10. Leo, Please expand on this mysterious sentence from the above article: ‘I recently backed out of two-factor authentication on one of my other accounts because the recovery process after losing that required device was suspect.’ Google and Craigslist are the only two major sites I deal with that require two-factor identification including phone contact. What about the phone contact is suspect? Thank you.

    Amazon Web Services – if you set up two factor authentication and you then lose your phone or device then the only solution is to call Amazon support for assistance. Now realize that the whole Mat Honan experience is, in part, due to failings in Amazon customer support with respect to security. Google and LastPass allow you to take proactive steps by generating a set of one-time use passwords that you can keep in a secure place that will allow you to login without the device.

    Leo
    11-Aug-2012
    Reply
  11. I must be missing something bleedingly obvious in Mat Honan’s hacking saga.

    Why didn’t (or can’t) he simply recover his child’s photos etc from his external backup device? How did the hacker(s) get access to a disconnected device? And of course I’m assuming that being a professional IT journalist advising less-talented folks about security he would in fact have such a device.

    That’s part of the point. He did not have any kind of backup whatsoever.

    Leo
    11-Aug-2012
    Reply
  12. @Geoff
    The bleeding obvious is that in spite of being an IT professional, Mat Honan didn’t have a backup.
    ‘Had I been regularly backing up the data on my MacBook, I wouldn’t have had to worry about losing more than a year’s worth of photos, covering the entire lifespan of my daughter, or documents and emails that I had stored in no other location.’
    The wise learn from the mistakes of others.

    Reply
  13. It’s very interesting and downright scary to realize how easily complex data and identity protocols can sometimes be undone by basically leaving out the human interaction factor. I have had a personal experience with my online banking account that perfectly illustrates this. This bank employed a password system which required customers to change passwords every 90 days, and actually required a fairly complex password, along with an assigned numerical user id. Occasionally I would find myself locked out for no apparent reason other than a glitch in their system, so I would call a very friendly and helpful customer service rep who would reset the password. On one particular occasion I misremembered my user id, replacing one digit with another. Since no other information was required my password was reset (“abcd” was the temp password I was always given ha-ha). I logged into what I thought was my account (hadn’t realized I was using the wrong user ID yet), and found most of my money had disappeared. It took me just a few moments to realize I had accidentally hacked into someone else’s account! I remember reading an interesting article by a security research expert who made the point that very often the weakest link in security is a very well meaning customer service person, or even, in large companies, persons in a far flung department who will divulge security information under the impression he’s just helping an unfamiliar fellow employee who forgot his ID or password. This researcher was really quite amazed to find that he could find these weak links created by individuals just trying to be really helpful and literally talk his way through all the layers of security designed to stop brute force entry.
    In my own case with my bank I was not even asked for the last four digits of my SS, let alone the whole thing, which I would think is the usual minimum. They have since implemented two factor authentication, but that incident has always stuck with me, and I think this article well illustrates how, through seemingly minor overlooked human interaction factors (i.e. when the security passes from software to interacting people), the whole process can be unravelled.

    Reply
  14. Leo…
    I’m another idiot who, while happily gleaning all kinds of pertinent info from your newsletters – allowed your constant ‘back up’ warnings to go in one ear and out the other…for years. Two weeks ago my laptop crashed. A computer tech said all was lost. Later, having a light bulb moment, she popped my PC hard drive into her Mac and was able to recover my photos, for which I was extremely grateful. However, all else was lost. I feel for Mr. Honan and everyone who has lost all their data. It is SO disconcerting…like having part of your brain’s memory wiped out. I am currently shopping for an external back up system. Nan

    Reply
  15. Very interesting stuff. This really got me wondering what to do if, heaven forbid, my LastPass account got hacked somehow. URLs and passwords galore in there — keys to my kingdom. Scary.

    Reply
    • The cloud isn’t dangerous. Solely relying on the cloud without backup is dangerous as is working on your hard drive without backup.

      Reply
  16. I have my own domain and already use a separate email address for each service for the reasons Leo describes in this article. I also use disposable email addresses for forums etc.

    I am now wondering if this is actually enough. Take Amazon as an example: someone who knows my domain name could very easily guess that I use amazon@mydomain.com. Then using my name and address (easily accessible and included on all my business emails) they could gain access.

    From there they could guess that I use the same format on other services e.g. paypal@mydomain.com facebook@mydomain.com etc etc.

    Feels like I am patting myself on the back for being so clever and security conscious when any second all my efforts and minimum 16 digit passwords could be shot down in flames.

    Am I being too overcautious, and is there anything we can do to fully protect ourselves?

    One thing I did was not to use “amazon@” simply because it’s too obvious. I use something else. Yes, if Amazon’s customer service screws up they can hand your account to anyone regardless of what we do, but the goal then is to minimize the damage.

    Leo
    16-Aug-2012
    Reply
  17. @Simon
    A strong unique password, along with security questions with obscure answers, should be enough to protect you against your accounts being hacked. However, if you feel your email address names are too easy to guess you can add numbers or text to the site name, for example Facebook_login@mydomain.com, hotmail_8997, twitter_safe etc. Of course using a unique suffix for each account. This is probably overkill, but if you’re really paranoid it’s better than underkill.

    Reply
  18. Hold on a minute – we really have no way of knowing that this was not all a pre-meditated stunt to gain a lot of publicity for the journalist wishing to expose security shortcomings without risking any liability himself. If so it has obviously worked.

    Nevertheless, the principles highlighted are all valid, so it has been of benefit to us either way.

    Reply
  19. Thanks Mark,

    Great idea about the prefix especially if I can come up with a formula to work out each random prefix. Being pedantic I know they wouldn’t be truly random but they would be easy to remember and hard to guess.

    Fortunately I don’t have to worry about my bank as they use 2 factor authentication requiring a username, password, key fob and a PIN entered into the key fob before it displays the code. Not sure if 2 factor is an accurate description of this process but I’m happy with it.

    And as a long time reader of Ask Leo I have everything backed up with offsite copies.

    So at least I am as safe if not safer than most, even if my impregnable digital bunker was nothing more than a complacent perception.

    Reply
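Mark’s suggestion of a unique suffix per service, and Simon’s wish for a formula that produces each suffix without having to remember it, can be combined by deriving the suffix from a keyed hash of the service name. The following is an added illustration, not code from the site or from either commenter; the master secret, the domain `mydomain.com` and the function names are assumptions made for the example. The suffix is unguessable to anyone without the master secret, yet you can recompute it at any time, and when mail arrives at an alias you can verify the suffix and tell which service leaked or sold the address.

```python
import hashlib
import hmac
import re
from typing import Optional

TAG_LEN = 6  # hex characters of the keyed hash kept as the unguessable suffix (assumed length)


def normalise(service: str) -> str:
    """Canonical service name so "Amazon", "amazon " and "AMAZON" all derive the same alias."""
    return re.sub(r"[^a-z0-9]", "", service.lower())


def service_alias(master_secret: bytes, service: str, domain: str) -> str:
    """Derive <service>_<tag>@<domain>, where tag = HMAC-SHA256(master_secret, service)[:TAG_LEN].

    Only the holder of master_secret can produce a valid tag, so guessing "amazon@" or
    "paypal@" yields nothing; the alias is still reproducible without a password manager.
    """
    name = normalise(service)
    tag = hmac.new(master_secret, name.encode(), hashlib.sha256).hexdigest()[:TAG_LEN]
    return f"{name}_{tag}@{domain}"


def identify_service(master_secret: bytes, address: str, domain: str) -> Optional[str]:
    """Given an address that received mail, return the service it was issued to,
    or None if the address is not one of ours (wrong domain, missing tag, or forged tag)."""
    local, _, addr_domain = address.rpartition("@")
    if addr_domain.lower() != domain.lower():
        return None
    name, _, tag = local.rpartition("_")
    if not name or len(tag) != TAG_LEN:
        return None
    expected = hmac.new(master_secret, name.encode(), hashlib.sha256).hexdigest()[:TAG_LEN]
    # constant-time comparison so the check itself does not leak which characters matched
    return name if hmac.compare_digest(expected, tag.lower()) else None


if __name__ == "__main__":
    # Constructed sample values for the demonstration only.
    secret = b"constructed-master-secret-change-me"
    for svc in ("Amazon", "PayPal", "Facebook"):
        alias = service_alias(secret, svc, "mydomain.com")
        print(f"{svc:10s} -> {alias}  (recognised as: {identify_service(secret, alias, 'mydomain.com')})")
    print("forged  ->", identify_service(secret, "amazon_000000@mydomain.com", "mydomain.com"))
```

The scheme only helps if the mail server accepts every address at the domain (a catch-all) or the aliases are created on demand, and it does nothing to stop a customer service representative from handing over the account; as Leo notes above, the aim is to limit how far a guessed address gets an attacker, not to replace strong unique passwords.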
  20. Thanks Leo, I will learn to back up or store pics on CDs; your articles are very helpful, I bookmarked this one to reread. Thanks Earl : )

    Reply
  21. As an experiment I went to another website that I do business with. I called them told them I was having trouble getting into my account. Hey, no problemo!
    The CS guy reset my password after getting my name and address. He actually volunteered my email address, as in: “Your email is Bill@dumbo.com?” (though my email address is very easy to find.)
    “Voila!” as they say in France, there was the last 4 of my credit card. Oops.

    Does anyone know if Apple, or any other major sites, are still using this number as an I.D. validation?

    At a minimum anyone who did what I did could have ordered product using my card and changed my email address so that I wouldn’t get a notification. BTW the product is instantly consumable and re-saleable.

    ps I didn’t even know that Apple used those numbers as authentication until Honan’s disaster.

    Reply
  22. Moving a little off topic….
    RE: “PayPal allows a serious gap in security. Neither requires an on-line purchaser to provide the security code found on the back of a credit card when making a purchase.”

    My experience [past and present] indicates that my payment will not be processed when the security code IS required, and requires a call to the seller to submit my payment….then it goes through.
    Why? Because I use the PayPal Student Debit Card [I’m not really a student]. For this reason, and the fact that my financial liability is limited to the existing balance, I use their Student Debit Card. Also, transfers are immediate, and no fees [except $1.00 for ATM w/d]. Also, PayPal’s CSRs won't give out any information on your account if you forget the PW. I had transposed the last 2 characters of a PW….no dice, open a new account.

    I’m guessing the student financial relationship with a main account [parent] is a bit more secure, for the student's benefit. Oh those kids.

    Reply
  23. I’m glad to see that Mat Honan admitted that this was his fault, especially for not having backups. But, in the article he quickly diverted to saying “what happened to me exposes vital security flaws in several customer service systems” – because, Mat claimed, that the services had different priorities for their security methods. Wrong, this was his fault alone. The biggest fault was the unquestioned, unwavering, wholehearted adoption of everything that these online companies allow you to do, aggravated by a lack of knowledge or understanding of any of the technology or its implications. “Click here”. “Sure, I’ll click here”. But to be fair, the man was also unlucky.

    Reply
  24. Leo, you must be commended for your dedication to advocating backup. People don’t do backup, because it’s not sexy. It’s boring. (And not necessarily easy, at least the first time.)

    I really think this is a major reason why it is so often overlooked. People do privacy and encryption, even when they don’t really need it, because it’s sexy. It’s Snowdeny and James-Bondesque to high heavens. But backup? That’s a menial task.

    In fact, all the vulnerabilities in the described case are easy to mitigate:

    1. Establish an appropriate automatic backup routine with a good specialized program (which may even be free).

    2. Install a good password manager (which may even be free), and use unique, long and random passwords for each account.

    3. Use unique email addresses for each account, either through your own domain, or through a good alias providing service (which may even be free): Spamex, 33 Mail and Anon Addy are three such good providers.

    Done. Not difficult. Possibly free, and once you’ve been through the initial setup and learning, it’s completely intuitive.

    Reply
    • Actually, the beauty of phone app-based 2FA is that nothing is “sent” from or to the phone. No connectivity is needed.

      To pair the app with a specific website, you take a picture of your computer screen. Communication is only optical. This shares the secret key between the site and the phone.

      Once it’s there, the app generates the TOTP code by itself. That’s the 6-figure extra password, which changes every 30 seconds. You then type that code manually into your computer. You do the communication with your fingers.

      This means 2FA works, even if you don’t have cell phone signal, or Internet Wifi connectivity. You don’t need either of those. Your smartphone only works as an unconnected hand-held computer, albeit with a camera inside.

      Reply
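The reply above describes the mechanics of app-based 2FA accurately: the QR code on the screen carries a shared secret, and from then on the phone computes the six-digit code from that secret and the current time with no connectivity at all. The following is an added worked example, not code from the site or from any authenticator app, implementing the two standards those apps follow (HOTP, RFC 4226, and TOTP, RFC 6238, with HMAC-SHA1, 30-second steps and 6 digits). The `otpauth://` URI format is the widely used Google Authenticator key URI convention and is assumed here to be what the QR code encodes; the `TotpVerifier` class is the server-side check a site would need and is this example's own construction.

```python
import base64
import hashlib
import hmac
import struct
import time
from urllib.parse import quote


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter, dynamically truncated."""
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F                      # low nibble of last byte picks the window
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)  # keep leading zeros: "005924" is valid


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238: the counter is the number of `step`-second intervals since the Unix epoch.
    This is all the phone does; no network is involved, only the secret and its clock."""
    return hotp(secret, unix_time // step, digits)


def provisioning_uri(issuer: str, account: str, secret: bytes) -> str:
    """What the QR code shown on the computer screen carries (Google Authenticator key URI format):
    the secret base32-encoded plus the parameters, so the app can reproduce the same codes."""
    b32 = base64.b32encode(secret).decode().rstrip("=")
    label = quote(f"{issuer}:{account}")
    return (f"otpauth://totp/{label}?secret={b32}&issuer={quote(issuer)}"
            f"&algorithm=SHA1&digits=6&period=30")


class TotpVerifier:
    """Server side of the exchange: tolerate a little clock drift, compare in constant time,
    and never accept the same time step twice, so a code seen by an attacker cannot be replayed
    within the window it is still valid."""

    def __init__(self, secret: bytes, window: int = 1, step: int = 30):
        self.secret = secret
        self.window = window
        self.step = step
        self.last_accepted_step = -1

    def verify(self, code: str, unix_time: int) -> bool:
        current = unix_time // self.step
        for step in range(current - self.window, current + self.window + 1):
            if step <= self.last_accepted_step:
                continue                             # already used (or older): replay refused
            if hmac.compare_digest(hotp(self.secret, step), code):
                self.last_accepted_step = step
                return True
        return False


if __name__ == "__main__":
    # RFC 6238 test secret (the ASCII string "12345678901234567890"), used only as a demo value.
    secret = b"12345678901234567890"
    print("QR payload:", provisioning_uri("ExampleSite", "alice@example.com", secret))
    now = int(time.time())
    code = totp(secret, now)
    print("code for the current 30-second window:", code)
    server = TotpVerifier(secret)
    print("first use accepted:", server.verify(code, now))
    print("replay accepted:   ", server.verify(code, now))
```

Two points a site operator should take from this: the shared secret is as sensitive as a password and must be stored accordingly, and a code is not single-use unless the server remembers the last step it accepted, which is why the verifier tracks `last_accepted_step` rather than just recomputing the code.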
  25. Mat Honan’s experience demonstrates two things:
    1 – even experienced and knowledgeable computer users can fail to look after their best interests.
    2 – providers of on-line services place profit before the best interests of subscribers.

    Solution? Don’t use on-line services – particularly financial services – until a well-regulated and compulsory framework is in place that all consumers clearly understand.

    Reply
    • Wow. I don’t see how #2 follows from the experience. And “don’t use online services”? Not practical these days. And waiting for some kind of regulatory framework, while nice, just isn’t going to happen any time soon — particularly one that consumers understand. Let's face it, does such a framework exist for anything offline? That consumers actually understand? I think not.

      My #2 is simply that individuals — you and me and all those consumers — must take responsibility for their own online security. That means becoming educated, and following individual best practices.

      Reply
