A Wired Reporter was Hacked Because of Carelessness
It was all over the news last week. A Wired reporter was hacked because of carelessness. Oh, wait, that wasn’t the story you read. The reporter, Mat Honan, was vicitimized by a hacker. Now don’t think I’m taking this lightly. Mr. Honan lost six years of e-mails and most of the pictures of the first year of his 18 month old daughter’s life. As well as nearly everything else. But he made it way too easy for the hacker because he did the following dumb things:
- Used the same e-mail account for most of his commercial accounts.
- Used the same credit card number on various accounts.
- Didn’t have a secure, reliable backup in place.
Hacking for Dummies
Let’s first review how the hacker managed the break-in. The following description is from the interview on NPR’s On the Media August 12. I’ll mark places where I’ve filled in gaps in the story with [ ]. To make the story easy, let’s call the hacker Hank (not to be confused with Hank for Senate).
According to Mr. Honan, Hank called Amazon [apparently pretending to be Mr. Honan] and gave them a fake credit card number [apparently to add this number to his account]. Hank then called Amazon back and said he had lost access to e-mail and needed to add a new e-mail address to the account. Amazon dutifully followed their verification procedure, asking Hank for a credit card number attached to the account. No problem, the fake number was already in place. Bingo, Hank had login access to the account. From which they extracted the last four digits of Mr. Honan’s actual credit card number. (Amazon displays only the last four digits for security. Irony abounds.)
Hank then placed a call to Apple. To verify identity, Apple requires three pieces of information:
- an Apple ID (an e-mail address),
- the billing address (easier to find than you might think, no I won’t tell you how), and
- the last four digits of a credit card Apple has on file for you.
Zowie. Hank now had access to Mr. Honan’s entire system, including iCloud. Mr. Honan had been using his Apple account to back up his Gmail account. (If this seems like a bad idea to you, that’s because it is.) Hank, therefore, had access to Mr. Honan’s Gmail. Apple has made it easy to delete data using “Find my Mac/iPad/iPhone” service. This is very useful when a lost device can’t be recovered. But perhaps just a tad more security ought to be put in place before device-wiping is allowed.
Mistakes Mr. Honan Made
There are two simple things you can do to avoid these problems. First, use multiple e-mail accounts for various shopping sites. Second use different credit cards. If you don’t have very many credit cards, either get some more cards or shop online less.
But the single most important mistake Mr. Honan made was relying on “the cloud” and other non-secure backup systems. He needed a real backup system. Here are a few guidelines:
- Make routine backups several times a week. For routine backups, use network-attached storage. We have set our QNap TS-419P II populated with 4 x 2tb Samsung hard drives and set to RAID0. The QNap can be set up to accept input from TimeMachine, Windows machines, and just about anything else. It’s fast, quiet, and does its job. But the whole setup will run you about $1,000. It’s worth that to us because of our ever-changing configurations and data. We use our computers upwards of 40 hours a week. But you have to do your own benefit-cost analysis.
- Less routine, more secure backups should be made every other week (more often if you’re nervous). Use an external hard drive that is connected to the computer only while the backup is in process. External hard drives are cheap, with several terabytes available for $100. Windows backup works well. The Mac’s Time Machine could be better, but there are utilities available such as Time Machine Editor. (Time Machine Editor does not list compatibility with Mountain Lion, so check first.)
- Once a month you should make an image copy of the hard drive. In case of catastrophic failure the image can be copied back onto a hard drive, restoring the computer to the state it was in when the image was made.
- Arrange with someone in a different part of the country to ship backups to each other every six months or so. Living in California I am very aware of natural disasters and the havoc they can wreak. All the backups in the world won’t do you any good if they burn to a crisp. (We have a fireproof safe in the house, too, but it’s not really large enough to handle our backups.)
The guidelines I’ve listed above have been around practically since computers were invented. Today almost everyone has a computer, but they haven’t bothered to learn the first thing about security and safety. “Experience keeps a dear school, but fools will learn in no other.” Ben Franklin’s comment is just as meaningful today as it was a couple of centuries back.