Strong Passwords Aren’t Enough: How To Ensure Exploits Never Happen To You



Former Gizmodo writer Mat Honan lived every tech geek’s worst nightmare when he got hacked last weekend. All his accounts were compromised and his computers were wiped with no backup. The scary part is that no “real” hacking was involved — all it took was a few support calls to Apple and Amazon and nearly all his most important accounts were compromised. Here’s everything you need to do now to keep this from happening to you.

What Happened

The person who hacked Mat’s accounts didn’t need to crack any passwords to get in. Instead, he used social engineering, manipulating both Apple tech support and Amazon into believing they were Mat (something that’s easier than you might imagine). Apple and Amazon only require limited, easily accessible information, including billing address, email and the last four digits of a credit card (which sounds more difficult to access than it was) before allowing anyone to change or reset user accounts. Once the hacker had access to Mat’s iCloud account, he was able to get into Mat’s Gmail and other accounts, not to mention wipe his iPhone, iPad and Mac, setting a PIN that kept Mat from recovering any of that data.

What happened to Mat was awful, but we should all take this as a cautionary tale to not only set up good security and backups, but to take heed of security flaws in services like iCloud. Here’s what you should do right now to protect yourself from a similar incident.

Audit Your Insecure Services (Like iCloud)


The biggest problem in Mat’s breach was that there were some serious security flaws in Apple and Amazon that let the intruder right into his accounts. In his Wired piece on the hack, Mat details some of the things you can do to avoid a similar issue with iCloud. Namely, you should create a separate Apple ID for your iCloud account, turn off remote wipe for your computers, and avoid attaching your home address to anything public, like your personal domain name.

Takeaway lesson: Some services, like iCloud, don’t have the security features they should have. As such, make sure you don’t give them too much power, and don’t connect them with your secure accounts like Gmail — one weak link in the chain can bring everything crashing down.

Use Strong, Separate Passwords for Every Account


(Only the link text from this paragraph survives: “how easy it is to hack a weak password”, “it’s more secure”, “Use a tool like LastPass”, “one of these alternatives”, “multi-word phrases are actually the best password you can have”.)

Takeaway lesson: If you haven’t updated your passwords in a while, take some time to audit and update your passwords now to get it all done in one fell swoop.

Enable Two-Factor Authentication to Ensure No One Gets In


Takeaway lesson: Set up two-factor authentication on every account you can, like Google, Facebook and other high-profile services. It’s one of the best ways to protect yourself against any kind of breach.

Strengthen Your Password Recovery Options

You should also make sure your security questions aren’t easy for someone to answer. Anyone can figure out your pet’s name or high school mascot, so those won’t keep you safe. Instead, strengthen your security questions by adding extra words, picking out key words in the question, or shifting your hand on the keyboard. That way, they’ll truly become questions only you know how to answer.

Takeaway lesson: One of your biggest security flaws is probably in your password recovery method. Make sure your security questions aren’t easily answerable, and that your password resets go to a separate account designed for resets only.
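To make the “weak link in the chain” argument concrete, here is an added example (not from the original article) that models the recovery links between accounts as a directed graph and measures how far a single compromise cascades. The account names and links are constructed to mirror the scenario above; `support_desk` stands for the phone-support reset path and `reset_only_mail` for the separate reset-only account the takeaway recommends.

```python
# Added example (not from the original article): model account-recovery links as a
# graph and measure how far one compromise cascades. Names below are constructed.
from collections import defaultdict


def build_graph(links):
    """graph[a] = accounts whose password can be reset (or device wiped) from a."""
    graph = defaultdict(set)
    for controller, controlled in links:
        graph[controller].add(controlled)
    return graph


def cascade(graph, start):
    """All accounts reachable once `start` is compromised (including itself)."""
    seen, stack = set(), [start]
    while stack:
        node = stack.pop()
        if node in seen:
            continue
        seen.add(node)
        stack.extend(graph.get(node, ()))
    return seen


def weakest_links(graph, accounts):
    """Rank accounts by how many others a compromise of each one exposes."""
    return sorted(((len(cascade(graph, a)) - 1, a) for a in accounts), reverse=True)


# Constructed "before" picture: the support desk resets iCloud, iCloud receives
# Gmail's reset mail and can wipe the devices, and Gmail resets everything else.
BEFORE = [
    ("support_desk", "icloud"),   # billing address + last 4 card digits
    ("icloud", "gmail"),          # iCloud address is Gmail's recovery address
    ("icloud", "devices"),        # remote wipe still enabled
    ("gmail", "twitter"),
    ("gmail", "bank"),
]

# Constructed "after" picture: an unpublished reset-only mailbox holds the
# recovery addresses, and remote wipe for the computers is switched off.
AFTER = [
    ("support_desk", "icloud"),
    ("reset_only_mail", "gmail"),
    ("reset_only_mail", "icloud"),
    ("gmail", "twitter"),
    ("gmail", "bank"),
]

ACCOUNTS = ["support_desk", "icloud", "gmail", "devices", "twitter", "bank", "reset_only_mail"]


def exposure(links, start="support_desk"):
    """Accounts lost if an attacker talks their way past the support desk."""
    return len(cascade(build_graph(links), start)) - 1
```

Running `weakest_links` on the “after” graph shows the reset-only mailbox is now the account whose compromise would hurt most, which is exactly why it must be the strongest and least discoverable one you own.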

Back Up Your Data


(Only the link text from this paragraph survives: “favorite backup app for Windows”, “Mac”.)

If you don’t back up to the cloud (or you want a local backup as well), check out these recommendations from our friends at the Wirecutter. They have picks for external drives, cheap network drives and full NAS solutions for all your home backup needs.

Takeaway lesson: Seriously, guys, back up your data. It only takes a few minutes to set up, and it’ll make sure you never lose your most important files.

Comments

  • This [almost] same story is constantly repeated, and it is always followed up with the same advice [see above]. How many people will heed this advice is very questionable – maybe 5%. It’s not until they fall victim to a breach that they will realise the error of their ways. Security is a process, not a product, but most people find that it is just too much trouble – separate [strong] passwords and backing up are just not in their vocabulary. If “I didn’t think it would happen to me” was a Facebook page it would have many sadder, but wiser followers.

    • The number of times I have had people come to me with busted laptops etc. pleading for their data back, only to have me tell them it’s too late… One really unfortunate time was a lady at work who got her laptop stolen and she thought she had it all saved onto an external HDD, but when I plugged it in the HDD was empty except for the bloatware that came with the HDD.

      • Let me guess: the external HDD had a ‘quick backup’ button, so she was just pressing that without realising she first needed to install software on the PC?

        Those buttons probably caused as much data loss as they prevented.

  • Don’t settle for anything less than two-factor authentication. I have two-step authentication on my email and I like the extra security it offers. You just telesign into your account and it’s good to go. I’m hoping that more companies start to offer this awesome functionality. In reality this should be a prerequisite for any system that wants to promote itself as being secure. I feel suspicious when I am not asked to telesign into my account by way of 2FA; it just feels as if they are not offering me enough protection.

  • When are we going to get biometric logins for the important stuff (banking etc.)? I am quite happy to surrender my fingerprint for the extra security. (Please don’t give me some BS telling me how easy it is to defeat, unless you personally have done it.)
