We all know the drill: Choose a great password. (Get a new pet every six months as a prompt.) Kevin Roose thought he knew the drill; he is news director of Fusion, and he knows his way around a computer. He also thought he knew what he was doing when it came to his personal Internet security — using strong passwords, a password manager (1Password, I use it too) and two-factor authentication, where you have to enter a number that's sent to your phone. He writes, “If I had to give myself an overall digital security grade, I’d give myself an A-.”
As a test of how good his security was, Kevin challenged some hackers to get into his computer and do their worst. He had no idea what he was in for.
Like most of us who write on the Web, Kevin has public profiles on Facebook, Twitter and Instagram. This was a great place to start. Hacker Chris got Roose’s address off a dog tag. His partner Jessica “vished” (voice phished) his cellphone company and changed his password.
But this was nothing compared to what Dan Tentler did. He “phished” Roose into clicking on a fake Web page and essentially took over his computer. He could then do whatever he wanted — and did. He stole the login for the password manager, giving him access to every account. He tapped into Dropcam and could spy on Roose’s house. He started snapping photos through the laptop camera and taking screenshots. When Roose and Tentler met in Las Vegas, Tentler told him how far he could have gone.
“I have control of your digital life in its entirety. I have all your credentials. I have all your access to all your financial information, all your work information, all your personal information. I can pay people with your bank account or your Amex account. For all intents and purposes,” he said, “I am you.”
Essentially, Tentler could have left Roose broke, homeless and on the street.
However, it's not really as bad as it seems. Roose spoke to Morgan Marquis-Boire, a security expert, who wonders why a top-notch hacker would bother with Kevin Roose.
This principle is called “privacy through obscurity.” Basically, the idea is that although anyone can theoretically be hacked by anyone with enough skill and time on their hands, the vast majority of us simply aren’t interesting enough for hackers to care about.
Basically he's saying that if you're not a CEO or a celebrity, why would they bother? Take the basic steps (good passwords, don’t click on suspicious links, turn on two-factor authentication) and don’t panic. He notes:
The goal of these tools isn’t to make yourself hack-proof; no app or service can do that. But using good security practices can deter hackers, or at least convince them to move on to an easier target.
However, I wonder now if that's enough. Everyone does online banking now, and I wonder if the most important passwords, like those for my bank, iCloud and my Google accounts, should be in my password manager anymore; perhaps the biggies should be written down on a piece of paper and memorized. And if I should then eat that piece of paper.