The Four Things You Need To Do Right Now To Avoid Getting Hacked

Innovation, the Internet, gadgets, and more.
Aug. 7 2012 4:56 PM

How Not To Get Hacked

The four things you need to do right now to avoid the fate of tech writer Mat Honan.

Mat Honan, writer at Gizmodo and Wired

Photograph by Jon Snyder.

Last Friday evening, a hacker got into Mat Honan’s Apple account, remotely erased the data on his iPhone, iPad, and MacBook, deleted his Google account, commandeered his Twitter account, and then posted a string of nasty stuff under Honan’s name. Until recently, Honan, who’s a writer at Wired and one of my favorite tech journalists, worked at Gizmodo, and his Twitter account was still linked to the tech blog’s main Twitter page—so for about 15 minutes, the hacker was able to post a bunch of foul-mouthed, racist stuff there, too.

I was on a cross-country flight when I read Honan’s first post about the hack. When the captain turned on the onboard Wi-Fi, I got down to doing what I always do when I hear about an attack that could have happened to me: I changed my passwords. This made me feel better, but it turns out it certainly wasn’t sufficient. Honan spent the weekend on the phone with Apple tech support and—curiously—in conversation with the hacker. By Monday morning, he’d found out exactly how his online identities had been compromised. The upshot: Creating better passwords wouldn’t have helped him.

In a lengthy Wired piece, Honan explains that the hacker got into his account not by guessing his passwords but by asking for them. On Friday, the hacker called Apple’s tech support line and, pretending to be Honan, claimed he’d been locked out of his Apple account. Apple’s support guy asked the hacker to answer the security questions on Honan’s account, but the hacker apparently said that he’d forgotten the answers.

No problem, because the hacker knew something most of us don’t: If you can’t answer your security questions, Apple will issue you a new password if you can prove that you’re who you say you are using another form of identification. What identification does Apple ask for to reset your password? A billing address and the last four digits of your credit card number.

Billing addresses are easy to find online, and credit card numbers are only slightly more difficult to come by. The hacker had both bits of data on Honan. He’d found the billing address by looking up the registration of Honan’s personal website, and he’d gotten the credit card number by calling the support line of another tech behemoth, Amazon. The hacker had asked Amazon to place his—the hacker’s—email address on Honan’s account, which Amazon happily did. Then the hacker issued a forgotten password request on Amazon’s website—this sent a link to the hacker’s email, allowing him to change Honan’s password and get full access to his Amazon account, including the ability to see the last four digits of his credit card.

Bingo! Now the hacker could get into Honan’s Apple account, which allowed him to delete everything connected to Honan’s iCloud profile (his iPad, iPhone, and Mac). Because Honan had set his Apple account as his Google account’s alternate address, the hacker only had to issue another forgotten-password request for Honan’s Gmail to fall, too. 

This is a sorry tale. There were lots of lapses here—relatively small ones by Honan (he hadn’t backed up his data), and huge, glaring, scary ones by Apple and Amazon. But if you examine this epic hack, you’ll find a few simple lessons.

Here are the four things users and companies could do immediately to reduce these kinds of attacks:

1) Everyone should turn on two-factor authentication now.

To get into most online accounts, you only need to dig up a single piece of data—a password. (The username on many services—including email accounts, Twitter, and Facebook—is your public handle, available to everyone.)

There was a time when passwords were enough (and you should follow my advice on how to create very strong, easy-to-remember passwords). But now we’ve all got so many online accounts protecting so much valuable information that we need something in addition to passwords.

Fortunately, that something exists. Unfortunately, very few people use it. It’s called “two-factor authentication”—a security system that requires two credentials to let you into an account. The first is something you know—your password. The second is something you have with you (or, for a biometric marker such as your fingerprint, something you are): an electronic key tag, or—easiest of all—a cellphone that can generate a unique code.
