Wired reporter hack reveals perils of digital age
Password reset security flaws show the ease at which hackers can steal a person's identity in the digital age.
Sun, Aug 12, 2012 at 07:05 PM
Photo: Frederic J. Brown/AFP
SAN FRANCISCO — The perils of modern dependence on Internet-linked gadgets and digitally-stored memories remained a hot topic on Aug. 10 in the wake of a hack that wiped clean a Wired reporter's devices.
Mat Honan laid out at wired.com in gripping detail how his "digital life was destroyed" right down to irreplaceable photos of his baby daughter. Honan next week is to share his quest to repair the damage.
"The take-away from his bad experience is that people need to be careful with using an online service, especially a backup service," Lookout Mobile Security engineer Tim Strazzere told AFP on Aug. 10.
"The main part is to mitigate risk; he lost a lot of personal information."
Basic hacker skills were combined with "social engineering," the art of sweet-talking someone like a customer service rep into bending rules during a phone call, to compromise Honan's Google, Twitter, and AppleID accounts.
Honan told of his @mat Twitter handle apparently being the coveted prize for hackers who deleted his Gmail account and erased the data from his iPhone, iPad and MacBook laptop computer to hide their trail.
The data-wiping feature was created by Apple to let people protect digital information if devices are lost or stolen.
He said his Twitter account was used to fire off offensive messages.
"In many ways, this was all my fault," Honan wrote. "My accounts were daisy-chained together."
"But what happened to me exposes vital security flaws in several customer service systems, most notably Apple's and Amazon's."
Hackers were able to get bits of information from Apple and Amazon tech support that helped them achieve their mission, according to Honan.
Apple did not respond to an AFP request for comment, but reportedly gave Honan a statement saying his data was "compromised by a person who had acquired personal information about the customer."
"In addition, we found that our own internal policies were not followed completely. We are reviewing all of our processes for resetting account passwords to ensure our customers' data is protected."
The "daisy chain" mistake Honan described is especially perilous when it involves making links between work and personal accounts, according to Strazzere.
An example would be using one's personal email address as the place to send password reset messages automatically generated by online services that require login information.
Getting access to a personal email account could then give hackers keys to any password protected services someone uses — such as Twitter, Facebook or office email.
"It is an interesting twist to the new age," Strazzere said. "These new capabilities are great tools, but it is a scary thing that if one gets compromised it can hurt you so much more."
His recommendations included keeping work and personal online accounts separate, even going so far as to have "throw-away" Web-based email accounts for matters such as password resets.
Pictures, documents or other data stored in the Internet "cloud" or on personal devices should be backed up as well as being encrypted.
Some online services provide the option of "two-factor authentication" that tightens security on password resets.
Copyright 2012 AFP Global Edition