Posts Tagged ‘Mat Honan’

If you’ve been traveling to Pluto or somewhere recently, and are unaware of the spectacular hack carried out against Mat Honan of Wired Online, see my previous post, which also links to his own description of the whole dismal proceeding.  Read it first, so you have an appreciation for the magnitude of the damage he suffered.  Herein is my analysis and a prescription for how to reduce your chances of being subjected to the same kind of abuse.

First of all, I note that there were no bits involved in this hack — this was not a technical attack, they did not guess any passwords or execute some esoteric  bombardment of his digital assets.  No, this was purely “social engineering,” the hackers put together data they fraudulently obtained from Amazon’s and Apple’s customer service desks to take control of Honan’s Apple customer account and then leverage that to other services.  In short order they controlled every digital asset he had.  But the penetration was not “techie” and so no amount of hard-to-guess passwords or whatever would have helped him avoid it.

A great part of his problem was that the two customer-service desks the hackers contacted had procedures in place that allowed them to ignore the fact that the hackers couldn’t answer the security questions Mat had entered.  They therefore got in with relatively simple, relatively public data  they had figured out or augured out of somebody else.  You can’t fix this, Apple and Amazon (and others) have to, and to an extent they may already have. But still, there are steps you can take to help insulate yourself from their stupid procedures.

And remember, there is always a balance between security and convenience in everything you do, online as well as offline.  The problem is, most people are pretty good at evaluating and deciding how to find this balance offline, but not at all experienced at doing so online.  So, my objective is to help you find that online balance.


First, back up your data! If it doesn’t exist in three places, you really don’t want it all that badly.  So, it’s on your machine, second, buy a terabyte external drive and copy it there once in a while, and finally subscribe to a secure online backup.  I use Carbonite, $55 per machine per year to do it automatically, but there are others.

Second, use a password-vault system  and let it generate your passwords (at least some of them), I use LastPass but there are others.   In my opinion, LastPass is the best.   If you don’t bother to do these two things, stop reading here, you have a prodigious appetite for risk.

Now I’m going to make some suggestions to help you deal with the two biggest exposures Mat had, how his accounts were linked, and how his email accounts were guessable.


This is the biggest convenience – security tradeoff area.  You log onto your gmail account, and lo and behold you can be logged into your calendar.  Or, you log into Facebook, and you are seemingly logged into Instagram, or any number of other services that authenticate (because you told them to “log me in using Facebook, or whatever”) through another application.  Yahoo, Facebook, Twitter, and Google are the largest authentication providers.  Well, when you do this you are linking your logon credentials among those services., so if they have a failure, or if somebody gets your credentials to the host service, they are into all of the ones that are linked.

So then, the obvious solution to this is to not do so much cross-app linking.  Unlikely to happen, linking is waaaay to convenient.  For example, I myself link Foursquare and Instagram to Facebook, so I can cross-post checkins and quickie pictures to my Facebook timeline.  And my Google services are linked, but linked through Google, not Facebook’s ID and password.

So where you link services, be aware of it.  I usually link only within the same “company,” but not always.  Figure out where you’re linked and consider unwinding some of them.  One of the reasons I use LastPass (see above) is that I can offload some of the “I’m here, log me in over there” work to LastPass instead of letting Google et.al. do it — I control LastPass myself, I don’t control Google.


All this is fine, except that even the most sophisticated passworded and unlinked-services approach is useless if their customer service desk hands out your credentials even if whoever is trying to get in can’t answer the security questions.  Their password-reset approach almost universally relies on email to send you a temporary password, so if the attackers have hacked / accessed that account, they now own you because they’ll get to set the new password on your account, and you won’t know it.  This is what happened to Mat.

So then, two suggestions.  First, set up an email address that you use for essentially nothing else, to receive any password resets you ever have.  This is the address that you usually give them when you register with the service.   Sign up with somebody’s email service and give your username as “duckspit491” or the like, not “yourname”.   And put a different password on it than any other of your email accounts.

Second, do not use the same ID or address prefix across all the email accounts you happen to have.  Don’t make it yourname@gmail.com andyourname@yahoo.com and yourname@facebook.com.  If you do this, if all the accounts have one prefix, the attackers just try all the other services to see if you’re using that name there too. And of course, don’t use the same password for the lot of them!  I have always done this, and I’m surprised that it’s not obvious to others that this is a good idea, but it’s not.  But now, for you, it IS a good idea, right?   Again, LastPass will manage these passwords for you so logging in won’t be a chore.


Just a few additional thoughts; if you do the above you will have already reduced your exposure by quite a bit, but here’s some more good practices:

  • Password your phone – the most likely device to be lost. Most people have their phone apps set for auto-login, so if you lose your phone you have lost 90% of your control right there.
  • Consider Gmail’s 2-factor authentication, which can tie logons to Gmail from only the devices that you personally have or use.
  • Don’t log into things you don’t have to. Google wants you to log into your browser, some other services offer that too.  Don’t.  You don’t get much benefit and they get your data. And of course a hacker will get just that little bit more leverage.

Mat Honan was in one sense extremely lucky — the hackers were out to sow chaos and destruction, not out to rob or swindle him, and indeed they didn’t.  But if that had been their intention, they could really have caused him some losses, and he wouldn’t have known where to even start looking for them.

Read Full Post »