SEPTEMBER 2012: There’s a very human aspect to cyber crime. It’s not just automated phishing scams and malware.
Check out how some old-school con artistry, aka social engineering, wiped out a savvy tech’s digital life by using some of the world’s most popular online entities: Apple, Amazon.com, Google and Twitter. Then hop on our five tips for preventing the same disaster from happening to you!
Hackers pretended to be Mat Honan, a senior writer for Wired.com, by using two pieces of information: Mat’s public email address and the last four digits of Mat’s credit card, which the hackers obtained from Amazon.com after an easy hack into Amazon’s system. With those two pieces of “identification,” they convinced Apple Support to issue a temporary password over the phone.
Then, all within the next 39 minutes, the hackers:
• Permanently reset Mat’s Apple password
• Had Google send a password recovery email to Mat’s hacked Apple account
• Changed Mat’s Google account password
• Reset Mat’s Twitter account password
• Accessed Mat’s Apple iCloud account
• Used iCloud’s “Find My” tool to remotely wipe Mat’s iPhone and iPad
• Remotely wiped Mat’s MacBook, including the photos, so he couldn’t use it to regain access to his accounts
• Deleted Mat’s Google account, including eight years of emails and his Google Voice number
• Claimed credit for his deeds on Mat’s Twitter account by posting “Clan Vv3 and Phobia hacked this twitter”
And to add insult to major-cyber injury, they broadcast racist and homophobic slurs from Mat’s Twitter account.
The blogosphere and Twitterverse were on fire with the events, of course. Mat ultimately blames himself for having taken security shortcuts and daisy-chaining information between accounts, but the hack would never had happened if it weren’t for lousy security at Apple and Amazon.
Since the hack, Mat has been able to get most of his data back with help from top-notch professionals. Apple has, at least temporarily, suspended its over-the-phone password reset (Apple users should go to appleid.apple.com or iforgot.apple.com instead). And Amazon has closed the security hole that allowed anyone with a name, email address and mailing address the ability to access and change account settings over the phone.
Google, Mat, and your friendly IT frogs strongly recommend setting up Google’s two-factor identification. And if you’re running a business that has sensitive information, you also need three-factor authentication.
And even super-smart techies need to remember to do these five things all the time:
- Log out of your accounts when you leave your computer.
- When you use a public computer, use the browser’s privacy options so you don’t create a history, then close out of the browser completely when you’re done.
- Take advantage of two or three-factor authentication whenever possible.
- Use great passwords and change them often.
- Update your operating system and web browser so you have the latest patches and improvements. In fact, hop on that right now!