You may never have heard of Mat Honan, but his digital disaster is an important lesson for anyone who connects to the Internet. Honan, a former writer for Gizmodo, encountered an “epic hack” when his Amazon, Apple, Google and Twitter accounts were sequentially hacked within a matter of minutes. As a tech journalist, Honan is no stranger to the online world, but various mistakes and security vulnerabilities enabled hackers to access his accounts and wipe out Honan’s computer, iPhone and iPad.
Within a matter of minutes Honan had lost everything on his iPhone, iPad and MacBook, including irreplaceable pictures of his 1 1/2-year-old daughter and of family members who are now deceased. Honan’s Twitter account, as well as Gizmodo’s Twitter account, which was linked to Honan’s, were used by the hackers to tweet out inflammatory messages.
Honan shared his experiences and lessons learned in a thorough article in Wired. I encourage you to read the article to learn both what happened to him and what he suggests doing to avoid this nightmare happening to you.
Honan discovered the attack soon after it had occurred when he tried to use his iPhone and realized it was wiped clean of all data and unusable. After he discovered the other hacks one by one, he had the presence of mind to create a new Twitter account to alert his followers that his original Twitter account had been hacked and to disregard the offensive tweets being sent from that account. He then saw that the hackers had posted a tweet from his original account claiming responsibility for the hack.
Amazingly, one of the hackers who took over his @mat account contacted Honan through his new Twitter account and provided enough information to verify that it was indeed the hacker who had infiltrated Honan’s accounts. The hacker, a 19-year-old code-named Phobia, offered to explain the hacks if Honan agreed not to prosecute them. He agreed, and Phobia walked him through what they did and how they did it.
One of the hackers called Amazon customer service pretending to be Honan and asked to add a new credit card number to Honan’s account. The hacker identified himself as Honan using Honan’s email address, which was listed on his website, and his physical address, discovered through an online search. Amazon added the new (fake) credit card number to Honan’s account.
The hacker then called Amazon back a few minutes later, again pretending to be Honan, and told a different customer service rep that he had forgotten his Amazon password and needed to reset it. The customer service rep asked him for his (Honan’s) email address, billing address and the last four digits of his credit card number. The hacker provided this information, using the new credit card number he had just added to Honan’s account a few minutes earlier, and the account password was changed. The hacker next logged into Honan’s Amazon account using the newly reset password and found the last four digits of Honan’s credit card number.
Next the hacker called Apple customer service pretending to be Honan and said he needed to reset the password for his Apple ID. Apple asked for his (Honan’s) email address, billing address and the last four digits of the credit card on his account. The hacker provided Apple with the information, including the four digits from Honan’s credit card from his Amazon account. The hackers guessed correctly that Honan used the same credit card for his Amazon account as he did for his Apple account.
Apple then asked for answers to the security questions that Honan had set up. Even though the hacker was unable to answer the questions correctly, Apple verified the identity and reset Honan’s password, providing the hackers with access to Honan’s:
- iCloud account
- .Me email account
- Find My Mac app
- Find My iPhone app
The hackers then wiped all of the data from Honan’s MacBook, iPhone and iPad. Using Honan’s .Me email account, they were then able to access Honan’s Gmail and Twitter accounts, as well as Gizmodo’s Twitter account, which was linked to Honan’s account, and continue with the hacks.
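To make the chain above concrete, here is an added example (my own, not code from Honan’s or Wired’s article) that records what each support desk or login accepted as proof of identity and propagates what an attacker learns from one takeover into the next; its two flags apply the separate-card and two-step verification recommendations from the advice further down. The account and fact names are this example’s own simplifications, and the starting facts are the ones the article says were public.

```python
from typing import Dict, FrozenSet, List, Set, Tuple

# An account is (alternative proofs the desk/login accepted, facts an attacker
# learns once they control it). All names here are this example's own.
Account = Tuple[List[FrozenSet[str]], Set[str]]

# What the article says was already public: email on his website, address from
# an online search, and a Gmail prefix guessable from his name.
PUBLIC_FACTS = {"email", "billing_address", "gmail_prefix_guess"}

def build_accounts(same_card: bool = True, gmail_two_step: bool = False) -> Dict[str, Account]:
    """Accounts as the article describes them; the flags apply two of its recommendations."""
    apple_card = "card_last4_amazon" if same_card else "card_last4_apple"
    gmail_proof = {"me_email", "gmail_prefix_guess"}
    if gmail_two_step:
        gmail_proof.add("phone")  # the code sent to Honan's phone; the attacker never has it
    return {
        # Step 1: a phone rep added a caller-supplied card given only email + address.
        "amazon_add_card": ([frozenset({"email", "billing_address"})],
                            {"attacker_card_last4"}),
        # Step 2: the reset asked for "last four of a card on file"; the new card counted.
        "amazon": ([frozenset({"email", "billing_address", "attacker_card_last4"})],
                   {"card_last4_amazon"}),
        # Apple's phone reset: email, billing address, last four of the card on file.
        "apple_id": ([frozenset({"email", "billing_address", apple_card})],
                     {"me_email", "find_my_mac", "find_my_iphone"}),
        # Gmail's recovery address was the .Me account and the prefix was guessable.
        "gmail": ([frozenset(gmail_proof)], {"gmail_email"}),
        # Twitter recovery went to Gmail.
        "twitter": ([frozenset({"gmail_email"})], set()),
    }

def compromised(accounts: Dict[str, Account], known: Set[str]) -> Set[str]:
    """Propagate to a fixed point: any account whose proof is covered by known facts falls."""
    known = set(known)
    owned: Set[str] = set()
    changed = True
    while changed:
        changed = False
        for name, (proofs, yields) in accounts.items():
            if name not in owned and any(proof <= known for proof in proofs):
                owned.add(name)
                known |= yields
                changed = True
    return owned

if __name__ == "__main__":
    for label, kwargs in [("as it happened", {}), ("separate cards", {"same_card": False}),
                          ("Gmail two-step", {"gmail_two_step": True})]:
        print(f"{label}: {sorted(compromised(build_accounts(**kwargs), PUBLIC_FACTS))}")
```

Either single change stops the chain before Gmail and Twitter, which is the point of the advice that follows: the attacker only ever held public facts plus whatever the previous takeover handed over.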
Could This Happen to You?
Members of Wired’s staff were able to replicate the hackers’ steps with Amazon and Apple on Monday using the same techniques as the hackers used, but by yesterday Amazon had changed its security policy. Attempts by Wired yesterday to add a new credit card over the phone to an Amazon account were unsuccessful due to changes that had reportedly been made by Amazon to “protect customers’ security.”
Wired was informed yesterday by an anonymous Apple representative that Apple has put a 24-hour hold on resetting passwords over the phone. Subsequent attempts by Wired to reset passwords over the phone after the moratorium was imposed were unsuccessful. Expect further measures to be taken by Apple and Amazon in the future.
What You Can Do to Protect Yourself
Back Up Your Photos
Honan admits that it was a very regrettable mistake not to have backed up the photos that were on his laptop.
Ideally, your photos should be accessible in three places:
- the original
- an external hard drive, SD card or CD
- the cloud
See, Back It Up!
Don’t Use Your Name as a Prefix for Your Email Accounts
The hackers were able to guess the prefix of Honan’s Gmail account because he used his name as a prefix and his Gmail prefix was very similar to the prefix of his .Me email account. Names and monograms are easily guessed by hackers. Use unique prefixes for your various email accounts that don’t include your name or initials.
Use Separate Credit Cards for Your Major Accounts
The hackers guessed correctly that Honan used the same credit card for his Amazon and Apple accounts. While it doesn’t make sense to sign up for a unique credit card for each site where you shop online, consider using different cards for popular sites. You can also use temporary credit card numbers for your online shopping.
Use Google’s Two-Step Verification for Your Gmail Account
Google offers two-step verification for your Gmail account, which links your account to your phone number. Google will send a verification code to your phone in a text message or voice call.
By using this service, you can greatly reduce the chances that a hacker will be able to access your Gmail from an unauthorized computer. This video explains how Google’s two-step verification works.
Honan regrets that he didn’t activate this verification process with Google to protect his Gmail account.
Honan used his Gmail account to verify his .Me email account. Although the prefix of his Gmail address was partially hidden in his .Me account settings, the hackers guessed what the prefix was because Honan used his name on both accounts.
Create a separate, dedicated email account for verifying other email accounts. Only use the account for verification purposes and don’t use a prefix that is related to any of your other email accounts.
Find My Mac
Find My Mac is an Apple app that allows you to locate and wipe your Mac computer should it be lost or stolen. Honan had signed up for this service and had the app installed on his computer when his Apple account was hacked, enabling the hackers to wipe his computer. After his experience, Honan recommends against using this service, reasoning that it is preferable to risk your laptop being lost or stolen than to have your data wiped by a hacker.
Although Honan’s iPad and iPhone were also wiped by the hackers using the Find My iPhone app, Honan thinks the value of retrieving a lost or stolen iPhone or iPad is worth the risk of a hacker wiping his mobile devices, since they are at a greater risk of falling into the hands of others.
Clean Up Your Permissions
Restrict access to your accounts by others by cleaning up your permissions. See, Clean Up Your Permissions! for an easy way to make sure only the apps and websites you are using have permission to access your accounts.
Nothing is 100% Safe
No matter what steps you take, your personal information is vulnerable to customer service representatives who may disclose it to hackers. As ethical hacker Kevin Mitnick explained in Ghost in the Wires, hackers use “social engineering” to convince workers to reveal private information over the phone, sometimes in violation of their companies’ policies.
What happened to Honan was tragic and traumatic, but by learning from Honan’s experience and taking these steps, we may be able to stay safer from hackers.
Had you heard about Honan’s nightmare hacking experience? Have you taken steps to protect yourself from hacks? Let us know in the Comments section below!
*Broken padlock image by Mark Kjerland (altered)
** MacBook Air photo by Robert S. Donovan