Update, December 2019: The events prompting this article, and the admonitions within it, date back to the summer of 2012. It’s hard to believe that it’s been seven years. It’s even harder to believe how little has changed, and how timely this story and its lesson remains.
How Apple and Amazon Security Flaws Led to My Epic Hacking, on Wired.com, is a tale of account hacks and lax security, both on the author’s part and on the part of major services — all of whom ought to know better — leading to the compromise of several accounts and ultimately the irretrievable destruction of precious data, including photos of the author’s infant daughter.
The author watched as it happened, powerless to stop it.
It makes for chilling reading and I strongly recommend you review it to see how horribly things can go wrong.
Let’s look at the lessons learned, and some of the steps you and I can take to avoid or at least seriously minimize the risk of ever experiencing something similar.
I really want to drive it home with this quote from the Wired article:
Had I been regularly backing up the data on my MacBook, I wouldn’t have had to worry about losing more than a year’s worth of photos, covering the entire lifespan of my daughter, or documents and emails that I had stored in no other location.
For more emphasis: “… that I had stored in no other location.”
I say it again and again. If there’s only one copy[1], it’s not backed up. I don’t care if it’s on your hard disk, your “backup” drive, or some kind of cloud thingamajig. If there’s only one it can disappear in an instant.
If you take away only one thing from anything I ever say, write, or do, please let it be about backing up. Nothing can save you from almost any possible disaster the way a proper and current backup can.
Learn from Mat Honan’s loss. Had he had a backup, his story would have been about a major inconvenience, nothing more. As it is, some of his most precious data is gone – forever.
Isolate your accounts from each other
Quoting the victim:
My accounts were daisy-chained together. Getting into Amazon let my hackers get into my Apple ID account, which helped them get into Gmail, which gave them access to Twitter.
We often talk about how important it is to have different passwords for different accounts. That’s absolutely still true – if a hacker manages to get your password at service “A,” then he may well be able to log in to services “B”, “C”, and “D”, if you used the same password at all four.
That’s not what happened here.
In this case, using email addresses common between the accounts allowed the hacker to exploit vulnerabilities in the “I lost my password” recovery process to gain access.
So, how do you “isolate” your accounts from each other?
- Use different email addresses as login IDs at different services.
- Don’t use the primary email for one service as the recovery or alternate address at another.
The problem? Each of those guidelines is very inconvenient.
Multiple email accounts
Using different email addresses for each account prevents a hacker from using “common” information about you — like a single, primary email address — as a foot in the door to compromise one or more of your services.
Unfortunately, managing multiple email addresses can be mildly annoying to a downright pain.
If you own a domain — say “yourveryowndomainname.com” — then you can certainly have an unlimited number of email addresses on that domain. You can set up a separate email address for each of the services that you want to isolate.
You might set up “firstname.lastname@example.org” and “email@example.com” and so on.
Each would be configured to automatically forward to your “real” email address, so you’re not having to actually manage multiple accounts and inboxes, only email addresses that all forward to a single destination.
Some services, including Gmail, support a technique known as “subaddressing” which lets you set up unique email addresses that automatically land in your single inbox. You can simply use the “+” sign to add a unique identifier to your email address.
If your email address is firstname.lastname@example.org, then you might use email@example.com as your Amazon.com email address.
Some services support creating aliases to additional email addresses, which work very much like the two examples above – the aliases are all different email addresses that all deliver to a single email account.
And of course, many email services may not support a convenient solution at all. Your only solution there is to create more email accounts or use a provider that has the functionality I’ve listed above.
Recovery email addresses
Mr. Honan’s hack actually begins with the hackers discovering that the recovery email address for his Gmail account is an Apple “.me” account. Even though Gmail’s “I forgot my password” page obscured the email address as “firstname.lastname@example.org”, knowing that .me accounts are usually email@example.com, the hackers were able to decipher it.
Normally, that alone wouldn’t be enough, but if you read the account of what progressed, you can see why it was.
One thing, quite literally, led to another.
One fairly simple solution to at least some of this “daisy chaining” of accounts is to set up a separate recovery email address and use that rather than any email address that’s actually associated with an online service.
The victim put it perhaps even more clearly:
And I should have had a recovery address that’s only used for recovery without being tied to core services.
So, rather than using your Facebook login email address as your Gmail alternate account, use a separate email address dedicated to account recovery as that alternate for Gmail. That way, compromising either can’t act as a stepping stone to compromising the other.
Once again, this calls for a new email address. Perhaps “firstname.lastname@example.org”, or “email@example.com”, or some other email account or alias. Just make sure the recovery email address is not itself dependent on the service it might be used to recover (meaning: don’t set up firstname.lastname@example.org to recover your email@example.com account – you may not have access when you need it most).
And if it is a separate account, make sure to maintain it: log in periodically to make sure it’s not closed for lack of use.
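The two isolation guidelines above, the “+” subaddressing trick, and the rule that a recovery address must not depend on the service it recovers can all be checked mechanically against an inventory of your own accounts. The following is an added example, not code from the article: the account names, addresses and the simple model (controlling a service gives you its mailboxes, and any account whose login or recovery address is one of those mailboxes can then be reset) are constructed assumptions.

```python
from collections import defaultdict

def canonical(addr):
    """Map an address to the mailbox that actually receives it: lower-case it and
    drop a '+tag' subaddress, because 'alice+shop@x.com' lands in 'alice@x.com'."""
    local, _, domain = addr.lower().partition("@")
    return local.split("+", 1)[0] + "@" + domain

def audit(accounts):
    """accounts: dicts with keys service, login, recovery (address or None) and
    optionally hosts (mailboxes this service itself provides). Returns logins shared
    by several services, services whose recovery address they host themselves, and
    per service the set of other services an attacker controlling it could reset."""
    host = {}                                   # canonical mailbox -> hosting service
    for a in accounts:
        for m in a.get("hosts", []):
            host[canonical(m)] = a["service"]
    logins = defaultdict(set)
    for a in accounts:
        logins[canonical(a["login"])].add(a["service"])
    shared = {m: s for m, s in logins.items() if len(s) > 1}
    # A recovery address you can only read by logging in to the account being
    # recovered is no help at all; canonical() also catches '+tag' variants of it.
    self_dep = {a["service"] for a in accounts if a.get("recovery")
                and host.get(canonical(a["recovery"])) == a["service"]}
    def addresses(a):
        return {canonical(x) for x in (a["login"], a.get("recovery")) if x}
    def reach(start):
        # Follow the daisy chain: each compromised service adds the mailboxes it
        # hosts, and every account using one of them as login or recovery falls next.
        seen, owned, frontier = set(), set(), [start]
        while frontier:
            svc = frontier.pop()
            if svc in seen:
                continue
            seen.add(svc)
            owned |= {m for m, h in host.items() if h == svc}
            frontier += [a["service"] for a in accounts
                         if a["service"] not in seen and addresses(a) & owned]
        return seen - {start}
    return shared, self_dep, {a["service"]: reach(a["service"]) for a in accounts}

SAMPLE = [  # constructed inventory mirroring the chain the victim describes
    {"service": "Apple ID", "login": "alice@me.com", "recovery": "alice@gmail.com", "hosts": ["alice@me.com"]},
    {"service": "Gmail", "login": "alice@gmail.com", "recovery": "alice@me.com", "hosts": ["alice@gmail.com"]},
    {"service": "Twitter", "login": "alice@gmail.com", "recovery": None},
    {"service": "Amazon", "login": "alice+shop@gmail.com", "recovery": None},
    {"service": "MailCo", "login": "alice@example.org", "recovery": "alice+backup@example.org", "hosts": ["alice@example.org"]},
]
```

Running `audit(SAMPLE)` flags the Gmail address as shared by three services, MailCo’s “+backup” recovery address as self-dependent, and shows that taking over either Apple ID or Gmail reaches every other Gmail-based account in the list.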
None of this should be necessary
In reality, aside from backing up, nothing I’ve discussed should be required.
Ideally, account recovery procedures would allow the legitimate account holder and only the legitimate account holder to recover their account credentials. The problem is that it’s a customer service nightmare:
- Make the recovery rules too easy, and account breaches like this can happen.
- Make the recovery rules too hard and you run the risk of preventing legitimate account holders from regaining access to their account if they lose even one small detail of required information.
As a result, many companies set up policies trying to make the recovery process both secure and customer-friendly. Unfortunately, those two are often at odds. And as I’ve said before, people forget their passwords much more often than we might expect.
The recovery process exploited in this case relied on fundamentally bad policies, not bad technology. The policies made it too easy for accounts to be recovered and therefore too easy for the recovery process to be exploited. Both Apple and Amazon have since changed their policies.
While it’s great for Apple and Amazon that they’ve improved security, it’s too bad it took this very public and embarrassing episode to make it happen.
But what about all of the other services that we use and rely on every day? How do we know their account recovery processes can’t be exploited or circumvented?
And that means that it’s up to us to take on the responsibility to stack the deck a little more in our favor and minimize whatever damage might result.
Even if it does add a little inconvenience.
That little inconvenience is nothing compared to the massive inconvenience of account loss, data loss, or even identity theft.
Postscript: Two-factor authentication
One of Mr. Honan’s comments was:
“Had I used two-factor authentication for my Google account, it’s possible that none of this would have happened…”
Two-factor authentication, now more commonly available than back in 2012, means that knowing the email address and the password is not enough to gain access to an account. When enabled, two-factor authentication requires not only the standard username and password but also information from a device or mobile phone application, proving that you are in possession of that particular device at the time you log in.
I highly recommend it.
Like using separate email addresses, it doesn’t solve every possible security problem, but it makes hacking your account significantly more difficult and therefore less likely.
[1]: That one “copy” being the one and only original.