
26 comments on “What Can We Learn from Mat Honan?”

  1. Definitely some timely information here; however, as long as we’re commenting about English usages, how about learning the difference between “lead” and “led.”

    Reply
  2. Amazon and PayPal both allow a serious gap in their security. Neither requires an on-line purchaser to provide the security code found on the back of a credit card when making a purchase. If a hacker can somehow get into your account with either of these two companies (s)he can easily make a purchase using your card. I have had a charge made to my PayPal account by a person simply using my name. Needless to say I have had to set up my own security measures to prevent this happening again via these two companies.

    Reply
  3. Thank you for this article. I now appreciate even more the very inexpensive Yahoo Mail Plus which provides 500 disposable email addresses. I set a different address for every business, service, contact etc., along with a unique password for each one.

    Several times, a contact was hacked and it was just a matter of deleting that address and creating a new slightly different one.

    Reply
  4. I have so many accounts and passwords that I finally bought a telephone address book with the tabbed pages for each letter and put all my account names in there with a 1 or 2 letter code to my passwords in it and it is also hidden away. Some places I only log into once or twice a month and I seem to always forget, or I change a password and forget what I changed it to. Sometimes my code to the password is so cryptic even I can’t figure out what I meant, though!

    Reply
  5. Storing files on Dropbox can be helpful. I found when a check writing DB was corrupted I could restore any changes made to the file in the last 30 days. I also have carbonite, but this was easier.

    Reply
  6. First & foremost, anyone who has read this article and only comes away with snide comments regarding grammar will probably be the next one in line to experience a catastrophe such as the one stated.
    Aside from that nonsense, I myself have recently become the target of a relentless nuisance rather than a hacker. I don’t believe this individual has enough brains to be a “hacker”.
    In any event, said individual has gained access to my YouTube account, leading to my Gmail account, which was “hacked”, granting “them” access to my contacts. I was verbally/physically threatened with unannounced beatings and enough abuse over the internet by way of slander to want to make me “kill myself” (His Words).
    I have different email accounts for different online blogs, forums, etc… this is how this “individual” latched onto me.
    The only way I’ve been able to deal with it, since the authorities want nothing to do with it even with the many contacts in the law enforcement community that I have (they just don’t have the time or resources), is to delete all my accounts to the best of my ability & start over again with new email addresses, accounts and such. It is a very time consuming process, and one that I will never be 100% sure of having rid myself of this #$@&*^(@#+ individual.
    If you thought reformatting/re-installing was bad, sheeshhh, this has nothing on that!
    Yes, I back up. To see how much, read my comments to Leo’s @ http://ask-leo.com/will_windows_8_overwrite_my_system_restore_partition_and_if_so_how_do_i_restore.html
    Thanks again, Leo & never mind those OCD gRAMMAR gEEKS!!!
    Johnny.

    Reply
  7. Excellent article, but it seems that it would be too easy for hackers to figure out your actual email address if you use the gmail “+” method of adding characters to your address. Your actual email address would be the characters before the “+” sign.

    In the scenario at play in this case, someone correctly guessed the email address from only the first and last characters of the email: a*******b@me.com was displayed, and knowing that it was typically a firstname.lastname email address, that was enough. When the email address is displayed obfuscated like that there’s no way to know if there’s a + in there or not. Making sure it’s not a pointer to another important account (as happened in this hack) is also part of the solution.

    Leo
    11-Aug-2012
    Reply
  8. I back up every couple of months, because idiots with time on their hands exist. I have had to verify my account. I have learned heaps from your pages and will continue reading. BACKUP, PEOPLE. Thanks, Nigel

    Reply
  9. Leo, please expand on this mysterious sentence from the above article: ‘I recently backed out of two-factor authentication on one of my other accounts because the recovery process after losing that required device was suspect.’ Google and Craigslist are the only two major sites I deal with that require two-factor identification including phone contact. What about the phone contact is suspect? Thank you.

    Amazon Web Services – if you set up two-factor authentication and you then lose your phone or device, then the only solution is to call Amazon support for assistance. Now realize that the whole Mat Honan experience is, in part, due to failings in Amazon customer support with respect to security. Google and LastPass allow you to take proactive steps by generating a set of one-time-use passwords that you can keep in a secure place that will allow you to log in without the device.

    Leo
    11-Aug-2012
    Reply
  10. I must be missing something bleedingly obvious in Mat Honan’s hacking saga.

    Why didn’t (or can’t) he simply recover his child’s photos etc from his external backup device? How did the hacker(s) get access to a disconnected device? And of course I’m assuming that being a professional IT journalist advising less-talented folks about security he would in fact have such a device.

    That’s part of the point. He did not have any kind of backup whatsoever.

    Leo
    11-Aug-2012
    Reply
  11. @Geoff
    The bleeding obvious is that in spite of being an IT professional, Mat Honan didn’t have a backup.
    ‘Had I been regularly backing up the data on my MacBook, I wouldn’t have had to worry about losing more than a year’s worth of photos, covering the entire lifespan of my daughter, or documents and emails that I had stored in no other location.’
    The wise learn from the mistakes of others.

    Reply
  12. It’s very interesting and downright scary to realize how easily complex data and identity protocols can sometimes be undone by basically leaving out the human interaction factor. I have had a personal experience with my online banking account that perfectly illustrates this. This bank employed a password system which required customers to change passwords every 90 days, and actually required a fairly complex password, along with an assigned numerical user ID. Occasionally I would find myself locked out for no apparent reason other than a glitch in their system, so I would call a very friendly and helpful customer service rep who would reset the password. On one particular occasion I misremembered my user ID, replacing one digit with another. Since no other information was required, my password was reset (“abcd” was the temp password I was always given, ha-ha). I logged into what I thought was my account (I hadn’t realized I was using the wrong user ID yet), and found most of my money had disappeared. It took me just a few moments to realize I had accidentally hacked into someone else’s account! I remember reading an interesting article by a security research expert who made the point that very often the weakest link in security is a very well meaning customer service person, or even, in large companies, a person in a far-flung department who will divulge security information under the impression he’s just helping an unfamiliar fellow employee who forgot his ID or password. This researcher was really quite amazed to find that he could find these weak links created by individuals just trying to be really helpful and literally talk his way through all the layers of security designed to stop brute force entry.
    In my own case with my bank I was not even asked for the last four digits of my SSN, let alone the whole thing, which I would think is the usual minimum. They have since implemented two-factor authentication, but that incident has always stuck with me, and I think this article well illustrates how, when seemingly minor human interaction factors are overlooked (i.e. when the security passes from software to interacting people), the whole process can be unravelled.

    Reply
  13. Leo…
    I’m another idiot who, while happily gleaning all kinds of pertinent info from your newsletters, allowed your constant ‘back up’ warnings to go in one ear and out the other… for years. Two weeks ago my laptop crashed. A computer tech said all was lost. Later, having a light bulb moment, she popped my PC hard drive into her Mac and was able to recover my photos, for which I was extremely grateful. However, all else was lost. I feel for Mr. Honan and everyone who has lost all their data. It is SO disconcerting… like having part of your brain’s memory wiped out. I am currently shopping for an external back up system. Nan

    Reply
  14. Very interesting stuff. This really got me wondering what to do if, heaven forbid, my LastPass account got hacked somehow. URLs and passwords galore in there — keys to my kingdom. Scary.

    Reply
  15. I have my own domain and already use a separate email address for each service for the reasons Leo describes in this article. I also use disposable email addresses for forums etc.

    I am now wondering if this is actually enough. Take Amazon as an example: someone who knows my domain name could very easily guess that I use amazon@mydomain.com. Then using my name and address (easily accessible and included on all my business emails) they could gain access.

    From there they could guess that I use the same format on other services, e.g. paypal@mydomain.com, facebook@mydomain.com, etc. etc.

    Feels like I am patting myself on the back for being so clever and security conscious when any second all my efforts and minimum 16 digit passwords could be shot down in flames.

    Am I being too overcautious, and is there anything we can do to fully protect ourselves?

    One thing I did was not to use “amazon@” simply because it’s too obvious. I use something else. Yes, if Amazon’s customer service screws up they can hand your account to anyone regardless of what we do, but the goal then is to minimize the damage.

    Leo
    16-Aug-2012
    Reply
  16. @Simon
    A strong unique password, along with security questions with obscure answers, should be enough to protect you against your accounts being hacked. However, if you feel your email address names are too easy to guess you can add numbers or text to the site name, for example facebook_login@mydomain.com, hotmail_8997, twitter_safe etc. Of course, use a unique suffix for each account. This is probably overkill, but if you’re really paranoid it’s better than underkill.

    Reply
  17. Hold on a minute – we really have no way of knowing that this was not all a pre-meditated stunt to gain a lot of publicity for the journalist wishing to expose security shortcomings without risking any liability himself. If so it has obviously worked.

    Nevertheless, the principles highlighted are all valid, so it has been of benefit to us either way.

    Reply
  18. Thanks Mark,

    Great idea about the prefix especially if I can come up with a formula to work out each random prefix. Being pedantic I know they wouldn’t be truly random but they would be easy to remember and hard to guess.

    Fortunately I don’t have to worry about my bank as they use 2 factor authentication requiring a username, password, key fob and a PIN entered into the key fob before it displays the code. Not sure if 2 factor is an accurate description of this process but I’m happy with it.

    And as a long time reader of Ask Leo I have everything backed up with offsite copies.

    So at least I am as safe if not safer than most, even if my impregnable digital bunker was nothing more than a complacent perception.

    Reply
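The per-service address scheme discussed in comments 15, 16 and 18 (an unguessable, per-service suffix that the owner can still reproduce from a formula) can be made concrete with a keyed hash. This is an added example, not code from any commenter or from Ask Leo; the domain mydomain.com is the commenter's placeholder and the secret is a constructed value.

```python
import hashlib
import hmac
import re

# Assumed values for the example: the commenter's placeholder domain and a
# constructed secret. A real secret would be generated once and kept private.
DOMAIN = "mydomain.com"
SECRET = b"constructed-example-secret-do-not-reuse"
TAG_LEN = 8  # hex characters of the HMAC kept in the alias (32 bits)


def normalize(service: str) -> str:
    """Lowercase and strip non-alphanumerics so 'Amazon', ' AMAZON ' agree."""
    return re.sub(r"[^a-z0-9]", "", service.lower())


def service_alias(service: str, secret: bytes = SECRET, domain: str = DOMAIN) -> str:
    """Derive a reproducible but unguessable mailbox alias for one service.

    The tag is an HMAC-SHA256 of the normalized service name keyed with a
    secret only the owner knows, so seeing amazon-<tag>@domain on one account
    gives no way to compute the paypal alias, unlike a fixed suffix such as
    '_safe' or '_8997' reused across services.
    """
    name = normalize(service)
    tag = hmac.new(secret, name.encode(), hashlib.sha256).hexdigest()[:TAG_LEN]
    return f"{name}-{tag}@{domain}"


def alias_belongs_to(address: str, service: str, secret: bytes = SECRET,
                     domain: str = DOMAIN) -> bool:
    """Check whether an address is the alias actually issued to a service.

    Useful on a catch-all domain: mail to a guessed amazon@ or amazon-0000@
    address fails this check and can be flagged or dropped.
    """
    return hmac.compare_digest(address.lower(), service_alias(service, secret, domain))


if __name__ == "__main__":
    for svc in ("Amazon", "PayPal", "Facebook"):
        print(svc, "->", service_alias(svc))
```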
  19. Thanks Leo, I will learn to back up or store pics on CDs; your articles are very helpful, I bookmarked this one to reread. Thanks, Earl : )

    Reply
  20. As an experiment I went to another website that I do business with. I called them and told them I was having trouble getting into my account. Hey, no problemo!
    The CS guy reset my password after getting my name and address. He actually volunteered my email address, as in: “Your email is Bill@dumbo.com?” (though my email address is very easy to find.)
    “Voila!” as they say in France, there was the last 4 of my credit card. Oops.

    Does anyone know if Apple, or any other major sites, are still using this number as an I.D. validation?

    At a minimum anyone who did what I did could have ordered product using my card and changed my email address so that I wouldn’t get a notification. BTW the product is instantly consumable and re-saleable.

    ps I didn’t even know that Apple used those numbers as authentication until Honan’s disaster.

    Reply
  21. Moving a little off topic….
    RE: “PayPal allows a serious gap in security. Neither requires an on-line purchaser to provide the security code found on the back of a credit card when making a purchase.”

    My experience [past and present] indicates that my payment will not be processed when the security code IS required, and requires a call to the seller to submit my payment… then it goes through.
    Why? Because I use the PayPal Student Debit Card [I’m not really a student]. For this reason, and the fact that my financial liability is limited to the existing balance, I use their Student Debit Card. Also, transfers are immediate, and no fees [except $1.00 for ATM w/d]. Also, PayPal’s CSRs won’t give out any information on your account if you forget the PW. I had transposed the last 2 characters of a PW… no dice, open a new account.

    I’m guessing the student financial relationship with a main account [parent] is a bit more secure, for the student’s benefit. Oh, those kids.

    Reply
