Former Gizmodo writer Mat Honan lived every tech geek’s worst nightmare when he got hacked last weekend. All his accounts were compromised and his computers were wiped with no backup. The scary part is that no “real” hacking was involved — all it took was a few support calls to Apple and Amazon and nearly all his most important accounts were compromised. Here’s everything you need to do now to keep this from happening to you.
The person who hacked Mat’s accounts didn’t need to crack any passwords to get in. Instead, he used social engineering, manipulating both Apple tech support and Amazon into believing they were Mat (something that’s easier than you might imagine). Apple and Amazon only require limited, easily accessible information, including billing address, email and the last four digits of a credit card (which sounds more difficult to access than it was) before allowing anyone to change or reset user accounts. Once the hacker had access to Mat’s iCloud account, he was able to get into Mat’s Gmail and other accounts, not to mention wipe his iPhone, iPad and Mac, setting a PIN that kept Mat from recovering any of that data.
What happened to Mat was awful, but we should all take this as a cautionary tale to not only set up good security and backups, but to take heed of security flaws in services like iCloud. Here’s what you should do right now to protect yourself from a similar incident.
Audit Your Insecure Services (Like iCloud)
The biggest problem in Mat’s breach was that there were some serious security flaws in Apple’s and Amazon’s support processes that let the intruder right into his accounts. In his Wired piece on the hack, Mat details some of the things you can do to avoid a similar issue with iCloud. Namely, you should create a separate Apple ID for your iCloud account, turn off remote wipe for your computers, and avoid attaching your home address to anything public, like your personal domain name.
Takeaway lesson: Some services, like iCloud, don’t have the security features they should have. As such, make sure you don’t give them too much power, and don’t connect them with your secure accounts like Gmail — one weak link in the chain can bring everything crashing down.
Use Strong, Separate Passwords for Every Account
[Only the linked phrases of this section survived extraction:] how easy it is to hack a weak password; it’s more secure; Use a tool like LastPass; one of these alternatives; multi-word phrases are actually the best password you can have
Takeaway lesson: If you haven’t updated your passwords in a while, take some time to audit and update your passwords now to get it all done in one fell swoop.
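To put numbers behind the point that a multi-word phrase beats a short "complex" password, and to show why reusing one password across accounts turns a single breach into many, here is an added example (not code from the original article or from any password manager it mentions). It computes guessing entropy for two password styles, generates a phrase with a cryptographically secure RNG, and flags accounts that share a password. The word list and account records are constructed for the demo; a real generator would use a full list such as the 7,776-word diceware list, whose size is used below for the entropy figure.

```python
import hashlib
import math
import secrets
from collections import defaultdict

# Constructed mini word list for demonstration only; real generators use
# a list of thousands of words (the diceware list has 7776 entries).
DEMO_WORDS = ["copper", "lantern", "orbit", "velvet", "marsh", "pixel",
              "glacier", "thistle", "anvil", "saffron", "ember", "quartz"]
DICEWARE_SIZE = 7776

def entropy_bits(alphabet_size: int, length: int) -> float:
    """Bits of entropy for `length` uniformly random picks from `alphabet_size` options."""
    return length * math.log2(alphabet_size)

def generate_passphrase(wordlist, n_words: int) -> str:
    """Pick words with the `secrets` module (CSPRNG), never `random`."""
    return " ".join(secrets.choice(wordlist) for _ in range(n_words))

def years_to_exhaust(bits: float, guesses_per_second: float) -> float:
    """Worst-case time to try every possibility at a given guessing rate."""
    return (2 ** bits) / guesses_per_second / (365 * 24 * 3600)

def find_reused(credentials: dict) -> list:
    """Return groups of sites that share a password.

    Passwords are hashed before grouping so the comparison never keeps
    plaintext around longer than necessary; a password manager does
    this kind of audit for you.
    """
    groups = defaultdict(list)
    for site, password in credentials.items():
        digest = hashlib.sha256(password.encode()).hexdigest()
        groups[digest].append(site)
    return sorted(sites for sites in groups.values() if len(sites) > 1)

def compare_styles() -> dict:
    """8 random characters from a 72-symbol set vs. 5 random diceware words."""
    short_random = entropy_bits(72, 8)          # ~49.4 bits
    five_words = entropy_bits(DICEWARE_SIZE, 5) # ~64.6 bits
    rate = 1e10  # constructed offline guessing rate for comparison
    return {
        "8char_bits": round(short_random, 1),
        "5word_bits": round(five_words, 1),
        "8char_years": years_to_exhaust(short_random, rate),
        "5word_years": years_to_exhaust(five_words, rate),
    }

if __name__ == "__main__":
    print(compare_styles())
    print(generate_passphrase(DEMO_WORDS, 5))
    # Constructed accounts: two sites share a password, which is the
    # pattern that let one compromised login cascade into others.
    sample = {"mail": "Tr0ub4dor&3", "shop": "Tr0ub4dor&3", "bank": "glacier anvil saffron"}
    print(find_reused(sample))
```

The entropy figures assume each character or word is chosen uniformly at random; a phrase you make up from favourite song lyrics does not get the full 64 bits, which is why the generator uses `secrets.choice`.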
Enable Two-Factor Authentication to Ensure No One Gets In
Takeaway lesson: Set up two-factor authentication on every account you can, like Google, Facebook and other high-profile services. It’s one of the best ways to protect yourself against any kind of breach.
Strengthen Your Password Recovery Options
You should also make sure your security questions aren’t easy for someone to answer. Anyone can figure out your pet’s name or high school mascot, so those won’t keep you safe. Instead, strengthen your security questions by adding extra words, picking out key words in the question, or shifting your hand on the keyboard. That way, they’ll truly become questions only you know how to answer.
Takeaway lesson: One of your biggest security flaws is probably in your password recovery method. Make sure your security questions aren’t easily answerable, and that your password resets go to a separate account designed for resets only.
Back Up Your Data
[Only the linked phrases of this section survived extraction:] favorite backup app for Windows; Mac
If you don’t back up to the cloud (or you want a local backup as well), check out these recommendations from our friends at the Wirecutter. They have picks for external drives, cheap network drives and full NAS solutions for all your home backup needs.
Takeaway lesson: Seriously, guys, back up your data. It only takes a few minutes to set up, and it’ll make sure you never lose your most important files.