Mat Honan is supposed to know better. He's a technology writer at Wired. Before that he was a technology writer at Gizmodo.
It's not quite what you think, though. Honan explains that hackers didn't use "brute force" to obtain his passwords, they simply convinced Amazon to give up some innocuous information (the last four digits of a credit card) through clever trickery and then used that information to convince Apple to reset his iCloud password.
Because he had connected many of his online accounts, once the hacker was in at Apple, he was in everywhere else, as well. In to the tune of remote wiping his mobile devices as well as his MacBook.
To add insult to injury, Honan hadn't backed up with any regularity, and he lost every piece of personal data stored across those devices.
Honan self-deprecates, here:
In many ways, this was all my fault. My accounts were daisy-chained together. Getting into Amazon let my hackers get into my Apple ID account, which helped them get into Gmail, which gave them access to Twitter. Had I used two-factor authentication for my Google account, it’s possible that none of this would have happened, because their ultimate goal was always to take over my Twitter account and wreak havoc. Lulz.
Serial fabulist Jesus Diaz -- an editor at Honan's former employer Gizmodo -- isn't quite as reserved:
My question is: who was assclown that designed this security protocol? He or she should be fired, along with all their supervisors. If I were Mat, I would sue the hell out of Apple.
This is an interesting change of pace for Gizmodo, a site which tends to ridicule those who make bad security choices (much like those Honan takes immediate credit for) but then, this victim is an alumnus. It's worth nothing that Gizmodo's Twitter account was also impacted -- and infiltrated -- as it was part of the daisy chain of accounts tied to Mat's hacked iCloud account. Diaz should probably think about that, but he won't.
So, a couple issues:
Apple is apparently willing to do a password reset so long as the person on the other end of the phone is able to provide a billing address and the last four digits of an on-file credit card. The argument is that this data is far too easy for a malicious third party to obtain.
I'm just not sure that information is any easier to obtain than the answers most people give to security questions. I know I tend to go through the list and pick the questions that I'll immediately know the answer to:
My favorite subject in High School? I'm not so sure that what I think that was today is what I'll think it was a year from now. What else?
City I was born in? The answer is unambiguous, so I'll go with that.
Mother's maiden name? There's only one possible answer to that as well. Good enough.
I am not kidding: I have one (non-essential) account which includes the security question: "Am I awesome?"
I have no doubt that someone with an interest in getting into my accounts could crack the code with a fairly minimal amount of research.
How many of us are connected to our mother on Facebook? Does your mother include her maiden name on her Facebook account?
We may as well be storing the key to our front door under the doormat.
I've been through the process of not being able to answer my own questions (I have a lot of favorite childhood pets!) and being forced to call customer support to request a password reset. Answer some questions and it's done.
I'd sure hate it if I were in Mat Honan's shoes right now, but when I need to reset my password for legitimate reasons, I grumble and piss and moan like everyone else when I'm forced to jump through even the simplest of hoops.
Therein lies the problem: Everyone wants security but no one wants the hassle that comes along with it. We choose the easiest passwords, we reuse those passwords over and over, and we skimp on the steps that would provide extra security.
Then, when we're hacked, hacks like Jesus Diaz immediately spout off about suing a company that doesn't include pentagon-level security on our accounts -- even though most of us barely bother with security at all.
Perhaps it was easier than it should have been for someone to hack Honan's accounts, but his description of the hacker involves someone who sure seemed bound and determined to accomplish that goal, and who was willing to do some digging to get there.
The good news is that there are steps we can all take to avoid some of the fallout, even if we can never hope to be 100% secure. The bad news is that security involves compromising convenience.
My advice, which I'm only just now following myself, is to use a program like 1Password which can securely manage multiple accounts and passwords. The compromise? I have dozens of online accounts, each of which now has a unique password, all of which are random, over 10 characters long, and impossible to memorize.
It took me half a day to accomplish this and I don't doubt that it'll take me a week or so before I'm sure I've changed everything that needs to change.
No sarcasm here: What a fucking hassle!
On the other hand, I suspect Honan wishes he had made that compromise now that he's lost a great deal of personal data, based on the whim of a hacker. Hindsight. 20 blah blah.
Next: Back up.
Apple makes it particularly easy to back up -- a full restore from a time machine backup only takes a few hours from start to finish -- and external hard drives are practically impulse priced these days.
Neither of these actions will stop someone from getting into one of your accounts, especially if they are determined to do so, but the stronger, unique passwords will limit the damage and the backups will limit the heartache.
Last: We've got to stop expecting corporations to care more about our security than we do.
If we can't be bothered to take our own password and security options seriously, why would Apple, or Amazon, or Google?
Taking steps to be secure is a hassle, yes, but if we get angry or lax about having to deal with the things that are actually in our control we can't get angry (or litigious) when companies provide a way in through the back door after our negligence causes the shit to hit the fan.
If we demand an easy solution for ourselves, we also demand an easy solution for hackers.
Your data, your move.