Update, December 2019: The events prompting this article, and the admonitions within it, date back to the summer of 2012. It’s hard to believe it’s been seven years. It’s even harder to believe how little has changed, and how timely this story and its lesson remain.
“How Apple and Amazon Security Flaws Led to My Epic Hacking”, on Wired.com, is a tale of account hacks leading to the compromise of several accounts and, ultimately, the irretrievable destruction of precious data, including photos of the author’s infant daughter. The tale of woe features lax security from the author and major services — all of whom ought to have known better.
The author watched as it happened, powerless to stop it.
It makes for chilling reading, and I strongly recommend you review it to see how horribly things can go wrong.
Let’s look at the lessons learned, and some of the steps you and I can take to avoid, or at least seriously minimize, the risk of ever experiencing something similar.
I really want to drive it home with this quote from the Wired article:
Had I been regularly backing up the data on my MacBook, I wouldn’t have had to worry about losing more than a year’s worth of photos, covering the entire lifespan of my daughter, or documents and emails that I had stored in no other location.
For more emphasis: “… that I had stored in no other location.”
I say it again and again. If there’s only one copy[1], it’s not backed up. I don’t care if it’s on your hard disk, your “backup” drive, or some kind of cloud thingamajig. If there’s only one, it can disappear in an instant.
If you take away only one thing from anything I ever say, write, or do, please let it be about backing up. Nothing does more to save you from almost any possible disaster than a proper and current backup.
Learn from Mat Honan’s loss. Had he backed up, his story would have been about a major inconvenience, nothing more. As it is, some of his most precious data is gone forever.
Isolate your accounts from each other
Quoting the victim:
My accounts were daisy-chained together. Getting into Amazon let my hackers get into my Apple ID account, which helped them get into Gmail, which gave them access to Twitter.
We often talk about how important it is to have different passwords for different accounts. If a hacker manages to get your password at service “A,” then he may well be able to log in to services “B”, “C”, and “D”, if you used the same password at all four.
That’s not what happened here.
In this case, using the same email addresses for the accounts allowed the hacker to exploit vulnerabilities in the “I lost my password” recovery process to gain access.
So, how do you “isolate” your accounts from each other?
- Use different email addresses as usernames at different services.
- Don’t use the primary email for one service as the recovery or alternate address at another.
The problem? Those guidelines are very inconvenient.
Multiple email accounts
Using different email addresses for each account prevents a hacker from using “common” information about you — like a single, primary email address — as a foot in the door to compromise one or more of your services.
Unfortunately, managing multiple email addresses can be anything from mildly annoying to a downright pain.
If you own a domain — say “yourveryowndomainname.com” — then you can have an unlimited number of email addresses on that domain. You can set up separate email addresses for each of the services you want to isolate.
You might set up one address on that domain for Amazon, another for Facebook, and so on.
Each would be configured to automatically forward to your “real” email address, so you don’t have to actually manage multiple email accounts and inboxes — only email addresses that all forward to a single destination.
Some services, including Gmail, support a technique known as “subaddressing”, which lets you set up unique email addresses that automatically land in your single inbox. You simply use the “+” sign to add a unique identifier to your email address.
If your email address is firstname.lastname@example.org, then you might use firstname.lastname+amazon@example.org as your Amazon.com email address.
Some services support creating aliases to additional email addresses, which work very much like the two examples above – the aliases are all different email addresses that all deliver to a single email account.
And of course, many email services don’t support a convenient solution at all. Your only solution there is to create more email accounts, or use a provider that has the functionality I’ve listed above.
Recovery email addresses
Mr. Honan’s story begins with the hackers discovering that the recovery email address for his Gmail account was an Apple “.me” account. Even though Gmail’s “I forgot my password” page showed that recovery address only in partially obscured form, knowing the typical form of .me addresses, the hackers were able to decipher it.
Normally, that alone wouldn’t be enough, but if you read the account of how events progressed, you can see why it was.
One thing, quite literally, led to another.
One fairly simple solution to at least some of this “daisy chaining” of accounts is to set up a separate recovery email address and use that rather than the email address actually associated with an online service.
The victim put it even more clearly:
And I should have had a recovery address that’s only used for recovery without being tied to core services.
So, rather than using your Facebook login email address as your Gmail alternate account, use a separate email address dedicated to account recovery as that alternate for Gmail. That way, compromising either won’t act as a stepping stone to compromising the other.
Once again, this calls for a new email address. Perhaps an address on your own domain, a subaddress, or some other email account or alias. Just make sure the recovery email address is not itself dependent on the service it might be used to recover (for example, don’t use an alias that lives on the very email account it is meant to recover – you may not have access when you need it most).
And if it is a separate account, make sure to maintain it. Log in periodically to make sure it’s not closed for lack of use.
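The two sets of guidelines above (different login addresses per service, and a dedicated recovery address that depends on no other service) are easiest to reason about if you write your accounts down and follow the chains. The following is an added example, not code from the article: a small Python audit of a constructed account inventory. It models which service hosts mail for each domain, which domains forward to another inbox, and, for each account, the login address and the address a password reset is sent to; it then computes how far a single compromise spreads. All service names, domains and addresses are invented for illustration, and the model treats only the recovery address as the reset target.

```python
# Added example: model an account inventory and find "daisy chain" recovery paths.
# All services, domains and addresses below are constructed for illustration.

# Which service hosts mail for each domain (constructed).
DOMAIN_HOST = {
    "mail.example": "webmail",
    "cloud.example": "cloud-id",
    "own.example": "own-domain",
    "vault.example": "vault-mail",
}

# Domains whose mail is forwarded onward: the "own domain" setup where every
# address forwards to one real inbox. Whoever can read the destination inbox
# can also read mail sent to the forwarded domain.
FORWARDS = {"own.example": "alice@mail.example"}

# Inventory shaped like the chain in the article: one address used everywhere,
# and the two mail providers recovering through each other.
CHAINED = {
    "shop":       {"login": "alice@mail.example", "recovery": "alice@mail.example"},
    "cloud-id":   {"login": "alice@mail.example", "recovery": "alice@mail.example"},
    "webmail":    {"login": "alice@mail.example", "recovery": "alice@cloud.example"},
    "social":     {"login": "alice@mail.example", "recovery": "alice@mail.example"},
    "own-domain": {"login": "alice@own.example",  "recovery": "alice@own.example"},
}

# The same services after isolation: per-service logins (own-domain address,
# subaddress) and a dedicated recovery mailbox tied to no other service.
# "recovery": None means the service has no e-mail reset path (phone, backup codes).
ISOLATED = {
    "shop":       {"login": "shop@own.example",          "recovery": "recovery@vault.example"},
    "cloud-id":   {"login": "alice@cloud.example",       "recovery": "recovery@vault.example"},
    "webmail":    {"login": "alice@mail.example",        "recovery": "recovery@vault.example"},
    "social":     {"login": "alice+social@mail.example", "recovery": "recovery@vault.example"},
    "own-domain": {"login": "alice@own.example",         "recovery": "recovery@vault.example"},
    "vault-mail": {"login": "recovery@vault.example",    "recovery": None},
}


def domain(addr: str) -> str:
    return addr.rsplit("@", 1)[1].lower()


def can_read(addr: str, fallen: set, seen: frozenset = frozenset()) -> bool:
    """True if an already-compromised service can read mail sent to addr,
    either because it hosts the domain or because the domain forwards to it."""
    d = domain(addr)
    if DOMAIN_HOST.get(d) in fallen:
        return True
    fwd = FORWARDS.get(d)
    return fwd is not None and d not in seen and can_read(fwd, fallen, seen | {d})


def blast_radius(start: str, accounts: dict) -> set:
    """Services that fall after `start` is compromised, by repeatedly resetting
    every account whose recovery mail the attacker can now read."""
    fallen = {start}
    changed = True
    while changed:
        changed = False
        for name, acct in accounts.items():
            target = acct["recovery"]
            if name not in fallen and target is not None and can_read(target, fallen):
                fallen.add(name)
                changed = True
    return fallen


def shared_logins(accounts: dict) -> dict:
    """Login addresses reused across services: the 'common information' foothold."""
    by_login = {}
    for name, acct in accounts.items():
        by_login.setdefault(acct["login"].lower(), []).append(name)
    return {login: sorted(s) for login, s in by_login.items() if len(s) > 1}


def self_dependent(accounts: dict) -> list:
    """Services whose recovery mail lands in a mailbox they host themselves,
    so they cannot be recovered once access to them is lost."""
    return sorted(name for name, acct in accounts.items()
                  if acct["recovery"] is not None and can_read(acct["recovery"], {name}))


if __name__ == "__main__":
    for label, inv in (("chained", CHAINED), ("isolated", ISOLATED)):
        print(f"{label}: shared logins {shared_logins(inv)}, self-dependent {self_dependent(inv)}")
        for svc in inv:
            print(f"  lose {svc:<10} -> lose {sorted(blast_radius(svc, inv))}")
```

Running it shows the point of both sections at once: in the chained inventory, losing the cloud account takes every other account with it (the own-domain address falls too, because it forwards into the webmail inbox), while in the isolated inventory losing any one service costs only that service. It also shows the one account that remains a hub: the dedicated recovery mailbox itself, which is why it deserves the strongest protection you can give it.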
None of this should be necessary
In reality, aside from backing up, nothing I’ve discussed should be required.
Ideally, account recovery procedures would allow the legitimate account holder and only the legitimate account holder to recover their account credentials. The problem is, that’s a customer service nightmare:
- Make the recovery rules too easy, and account breaches like this happen.
- Make the recovery rules too hard, and you run the risk of preventing legitimate account holders from regaining access to their account if they lose even one small detail of required information.
As a result, many companies set up policies trying to make the recovery process both secure and customer-friendly. Unfortunately, those two are often at odds. And as I’ve said before, people forget their passwords much more often than we might expect.
While it’s great that Apple and Amazon have improved security, it’s too bad it took this very public and embarrassing episode to make it happen.
But what about all of the other services that we use and rely on every day? How do we know their account recovery processes can’t be exploited or circumvented?
And that means that it’s up to us to take on the responsibility to stack the deck a little more in our favor and minimize whatever damage might result.
Even if it does add a little inconvenience.
That little inconvenience is nothing compared to the massive inconvenience of account loss, data loss, or even identity theft.
Postscript: Two-factor authentication
One of Mr. Honan’s comments was:
“Had I used two-factor authentication for my Google account, it’s possible that none of this would have happened…”
Two-factor authentication, now more commonly available than back in 2012, means the email address and the password are not enough to gain access to an account. When enabled, two-factor authentication requires not only something you know (the standard username/password information), but also something you have (for instance, information from a device or mobile phone application, which proves you are in possession of that particular device at the time you log in).
I highly recommend it.
Like using separate email addresses, it doesn’t solve every possible security problem, but it makes hacking your account significantly more difficult, and therefore less likely.
Footnotes & References
1: That one “copy” being the one and only original.