The experience of Wired journalist Matt Honan gives us a picture of how devastating it can be to have your online presence ruined. Read on after the story to see how you can prevent the same devastating hack from destroying your digital life.
What Happened to Matt Honan
Matt Honan described a sophisticated hack that destroyed his online presence in just one hour. Many users who have fallen victim to online scams can probably relate to the signs that Honan saw prior to the complete devastation of his digital life. This attack led to the hijacking and loss of his Google and Twitter accounts, the breach of his Apple ID account and total loss of all iPhone, iPad and MacBook data. His iPhone was killed as well.
Hackers were able to get Honan’s Amazon password, then from there they got into his Apple ID account. This in turn got them access to Honan’s Gmail account, which led them to Twitter. Hijacking the Twitter account was the hackers’ main goal. They simply liked his Twitter handle and wanted to steal it. So Matt Honan was probably not targeted because he was a writer at Wired.com or was linked to Gizmodo’s Twitter account. What happened to him can happen to anyone. Regular Internet users have been victims of account hijacking before. Some hackers just do this for fun, enjoying the havoc they create.
Most hack victims notice something is wrong, but just like Matt Honan, they rarely connect it with an attack. It started when his iPhone suddenly powered down and he went to plug it in. He thought it was a software glitch when it automatically rebooted to the startup screen. He had his iPhone set to back up every night, so he entered his iCloud logins to restore the phone. When the codes were not accepted, he again assumed it was a glitch. He connected the iPhone to his computer to restore from backup there. An iCal message appeared telling him that his Gmail account information was wrong. Then the screen went gray and another message requested a four-digit PIN, which Honan didn’t have. This is when he began to suspect foul play. He unplugged the router and cable modem, and turned off connected devices.
Honan called AppleCare on his wife’s phone and found out after 90 minutes that someone else had called in about his account two hours before. The caller complained of not being able to access his Me.com email, and was issued a temporary password even though he did not give correct answers to the security questions. But the first problem was really when AppleCare mistook Honan for another account holder. Then Honan learned that all he needed to provide was a billing address and the last four digits of his credit card to be granted access to his iCloud account. Both are easily obtainable online and over the phone. There was also another, earlier call that AppleCare did not disclose; Honan learned about it directly from the hacker who made it.
In the space of 22 minutes from receiving the temporary password, the hackers had reached their goal. They reset Honan’s Me.com account and used it to permanently reset his AppleID password. The Gmail password recovery and reset followed, and then the deletion of his Google account. Then his Twitter account was compromised and the hackers identified themselves as Clan Vv3 and Phobia. Finally, iCloud’s Find My feature was used to remotely wipe his iPhone, iPad, and MacBook.
The hackers had full control of all the accounts. The Google account deletion and MacBook remote wipe were only done to prevent Honan from regaining access. He lost more than a year’s worth of irreplaceable data, including documents, photos and messages. Apple assured Honan that customer data protection procedures were not followed in this one case and that this is why his account was compromised. But Wired duplicated the hackers’ technique three days later and succeeded.
How It Happened
Honan admitted that he was partly to blame for the invasive hack on his online accounts. He did not use the recommended Google two-step verification, which complicates account recovery. He also used the same ID for multiple email accounts, and did not have a separate, secret recovery email. The rest of the blame falls squarely on the lack of security protocols at Apple and Amazon. The hackers exploited serious security flaws in customer service systems.
It all started with Twitter, where the hackers got Honan’s Gmail from his website that was linked to from Twitter. From Google’s account recovery page, they guessed the Me.com recovery email from the characters displayed. Using the Apple Me.com email led the hackers to the vulnerable AppleID account. The hacker Honan later spoke to revealed that any email associated with Apple was vulnerable.
Next, the hacker obtained the last four digits of Honan’s credit card and his billing address. A billing address can be found after a simple WhoIS lookup, or a search on Spokeo, WhitePages, and PeopleSmart. Amazon readily gives out the last four credit card digits of account holders. One of the hackers called Amazon as the account holder to add a credit card number. Fake credit card numbers that conform to industry self-check algorithms can be easily generated by a certain website known to hackers. The account name, associated e-mail address, and billing address were provided to grant access. The hacker then called back to complain about loss of access to the account, providing the name, address and the fake credit card number that had just been added. A password reset from Amazon.com allowed them to see the last four digits of the credit cards on file. Amazon declined to comment on their security policies. But most everyone you do business with will use these last four digits as a security verification. Anyone could call someone’s favorite fast food delivery and ask them to verify the card they have on file. The guy reads back the last four digits and Bob’s your uncle.
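The chain above is easiest to reason about as a dependency graph: each account falls once the attacker holds everything its provider’s reset process accepts as proof of identity, and a single weak link (the Amazon support desk, the Me.com recovery address) pulls every downstream account with it. The following is an added example written for this page, not code from Wired, Apple, Amazon or Honan; the account names and prerequisites are a constructed model of the article’s narrative, and the function names are my own. It computes how far a foothold of publicly findable details reaches, and which single account most deserves a second factor that a caller cannot talk a support desk out of.

```python
"""Added example (not from the article): a small model of the account-recovery
chain described above, used to compute how far one foothold reaches and where an
extra factor cuts the chain.  Nothing here talks to a real service."""
from typing import Dict, FrozenSet, Iterable, List, Set

# Each account maps to the ways it can be taken over.  Any one way suffices
# (OR); within a way every prerequisite must already be held (AND).
TakeoverPaths = Dict[str, List[FrozenSet[str]]]

# Constructed from the article's narrative; the labels are this example's own.
HONAN_CHAIN: TakeoverPaths = {
    # Amazon support accepted name, e-mail and billing address as proof of identity.
    "amazon": [frozenset({"name", "email", "billing_address"})],
    # A password reset on Amazon exposed the last four digits of the card on file.
    "card_last4": [frozenset({"amazon"})],
    # AppleCare issued a temporary password for billing address + last four digits.
    "appleid": [frozenset({"billing_address", "card_last4"})],
    # The Me.com mailbox follows from the Apple ID ...
    "me.com": [frozenset({"appleid"})],
    # ... and was the recovery address for Gmail (knowing the password is a second way in).
    "gmail": [frozenset({"me.com"}), frozenset({"gmail_password"})],
    "twitter": [frozenset({"gmail"})],
    # Find My Mac / Find My iPhone is reachable from the Apple ID.
    "remote_wipe": [frozenset({"appleid"})],
}

# What the article says was findable in public: his name, the Gmail address
# linked from his website, and the billing address from a WhoIS lookup.
PUBLIC_INFO: FrozenSet[str] = frozenset({"name", "email", "billing_address"})


def reachable(paths: TakeoverPaths, start: Iterable[str]) -> Set[str]:
    """Fixed-point closure: keep adding accounts whose prerequisites are all held."""
    held: Set[str] = set(start)
    changed = True
    while changed:
        changed = False
        for account, ways in paths.items():
            if account not in held and any(way <= held for way in ways):
                held.add(account)
                changed = True
    return held


def blast_radius(paths: TakeoverPaths, start: Iterable[str]) -> List[str]:
    """Accounts an attacker gains beyond the starting foothold, sorted."""
    return sorted(reachable(paths, start) - set(start))


def harden(paths: TakeoverPaths, account: str, factor: str) -> TakeoverPaths:
    """Copy of `paths` in which every way into `account` also needs `factor`
    (for example a two-step-verification device the attacker does not hold)."""
    hardened = dict(paths)
    hardened[account] = [way | {factor} for way in paths[account]]
    return hardened


def best_single_fix(paths: TakeoverPaths, start: Iterable[str], factor: str) -> str:
    """Which single account, given the extra factor, shrinks the blast radius most."""
    baseline = len(blast_radius(paths, start))
    scores = {acct: baseline - len(blast_radius(harden(paths, acct, factor), start))
              for acct in paths}
    return max(scores, key=scores.get)


if __name__ == "__main__":
    print("from public info alone:", blast_radius(HONAN_CHAIN, PUBLIC_INFO))
    print("with a second factor on Gmail:",
          blast_radius(harden(HONAN_CHAIN, "gmail", "2fa_device"), PUBLIC_INFO))
    print("single fix with the biggest effect:",
          best_single_fix(HONAN_CHAIN, PUBLIC_INFO, "2fa_device"))
```

Run as-is, the model shows that name, e-mail and billing address alone reach all seven nodes, that a second factor on Gmail saves Gmail and Twitter but not the Apple ID or the remote wipe, and that the most effective single change is at the head of the chain, where the support desk accepted public details as identity. The same structure can be filled in for your own accounts: list each one’s recovery address and what its provider’s reset process asks for, then see how far a single leaked detail travels.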
Honan’s hacker told him that he also likes to hack and publicize his work so that services will become aware of the security issues and fix them. He was unaware that his partner wiped Honan’s MacBook and was sorry. His goal, he said, was for everyone to eventually gain the ability to beat hackers.
How to Stop It with a Secure VPN
Hacking is not always about guessing passwords or using brute force attacks to crack them. Matt Honan’s experience is a testament to bad security practices, both his own and of the services he used. But there are additional security measures that can help you protect your online presence from being damaged the same way that Matt Honan’s was.
The first step you need to take is to use a secure VPN for all your online activities. This secures your website activity so that pieces of personal information cannot be connected to you or to each other. But this only works if you are careful not to share those details indiscriminately on the Internet. Honan named three other faults of his own that you should avoid.
Honan had all his accounts connected, he did not back up the data on his MacBook, and he had enabled Find My Mac. But if not for the security flaws in Apple’s and Amazon’s systems, avoiding these would not have been necessary. First, we are firmly in the era of cloud computing and connected devices and accounts. Second, you have to perform a remote wipe on your Mac before you are asked to enter the four-digit PIN required to restore your data. Third, you cannot secure the last four digits of your credit card number when services give them out so easily. The services we use are simply not securing user data.
Honan’s hackers only wanted his Twitter account ID. But they could have accessed his online banking and financial services accounts as well. They could have launched sophisticated email and social media attacks on his contacts to compromise their security and get more money. In Honan’s case, the contacts available on his online accounts are very influential people who could have been victimized at great cost. Having a VPN can prevent hackers from snooping valuable details that can give them access to financial accounts.
Graham Cluley shared more tips two years ago on preventing Gmail account hacking. They still hold true. High-profile Gmail users are still having their email hacked through phishing scams that involve password sniffing. He gave the following steps in that 2011 article:
- Set up two-step verification
- Check if your Gmail messages are being forwarded without your permission
- Where is your Gmail account being accessed from?
- Choose a unique, hard-to-crack password
- Secure your computer
- Why are you using Gmail anyway?
Read the full article on additional tips to secure your online presence.