Apple, Amazon plug security holes: now what?

August 8, 2012

Amazon and Apple have changed their policies regarding how customers can change account information over the phone following an identity theft attack on Wired journalist Mat Honan.

According to Wired, Apple froze the ability to reset passwords over the phone for at least 24 hours Tuesday, likely in response to Honan’s highly-publicized ordeal. The move followed a similar decision from Amazon to close a security loophole that allowed anyone to add a credit card number to an Amazon account by providing their name, e-mail address and mailing address.

Honan, who used to work for Gizmodo, found Friday that his Apple, Amazon and Google accounts had been broken into and that his iPhone, iPad and MacBook had all been remotely wiped out. He also found someone was tweeting messages to his Twitter account as well as to Gizmodo’s Twitter account.

The people behind the attack were able to do all of this because they got a temporary password for Honan’s iCloud account. As Honan reported, strangers were able to convince an AppleCare representative to send them a password reset link without answering security questions because they had Honan’s name, e-mail address, mailing address and the last four digits of his on-file credit card. And once they were into Honan’s iCloud account, they were able to access several of his other accounts.

After the attack, Apple told Wired that it is reviewing all of its processes for resetting passwords and that it appeared the company’s own internal policies weren’t followed to the letter in this instance.

According to the latest Wired piece, reporters who were able to replicate the methods used in Honan’s attack earlier were stymied by the new precautions.

The attack has highlighted concerns not only about security measures at consumer technology companies, but has also become a cautionary tale for those moving their data to the cloud.

Honan has said that he blames himself for the attack, in part, because he didn’t back up his data. But, as GigaOm’s Derrick Harris pointed out, the breach has further lessons for the average consumer contemplating a move to the cloud.

For one, Harris noted, moving data to the cloud — particularly one that’s tied to hardware — means that users are giving over a lot of trust to companies to safeguard their data.

This is a common complaint from cloud critics, who say that consumers are moving too quickly when it comes to relinquishing control of their own data to other companies. That’s exactly the sentiment that Apple co-founder Steve Wozniak expressed last week when he said that he expects there will be a lot of “horrible problems” with cloud computing in the future.

While society hammers out the thornier issues of cloud computing, there are some proactive steps you can take to make it more difficult to execute a wide breach of your digital accounts. (Hey, you might as well take control of what you can, right?)

Coming up with different passwords — either through a password manager or on your own — is one common suggestion.

Honan also identified a couple of other potentially instructive keys to his breach.

He said he used the same sort of username across services — in this case, his first initial and last name — which made it easy to guess his log-in credentials across the Web. Switching up the format of your usernames is a good idea, so that you’re not jsmith@gmail.com and jsmith@me.com.

Another problem? He backed up his Google account with his Apple account and hadn’t enabled Google’s two-factor authentication feature, which sends a second code to your smartphone or other device that you must enter in order to log in.

Thinking hard about whether you really want to link otherwise unassociated accounts should be a first step for anyone setting up a new account. Another solution is to set your back-up e-mail address to one that almost nobody knows: not your work e-mail, and not any personal e-mail that could show up in a PTA or neighborhood association contact list.

Another Wired writer, Kim Zetter at Threat Level, recommends obscuring the answers to security questions by inserting seemingly random numbers or symbols into answers such as your mother’s maiden name or the model of your first car.

Zetter also brings up an interesting option when it comes to protecting financial information: using single-use credit card numbers when shopping online. Many people generate one-time use credit card numbers from their bank or use gift cards from major credit card companies for online purchases.

You could also resign yourself to entering in your credit card number each time you buy something instead of storing it with a company, so that the last four digits of your account don’t show up if someone gets into your account.

Chances are, if you don’t have a high profile like Honan (he was targeted because he has a particularly cool Twitter handle, @mat), throwing a few of these obstacles up will deter would-be criminals from taking your information.

The truth is, there’s no way to completely protect yourself against breaches — particularly if people are intent on getting your information — but that doesn’t mean you can’t take steps to limit the damage.


Hayley Tsukayama covers consumer technology for The Washington Post.