The news is full of reports of large companies and internet services being compromised by attacks from perpetrators of internet fraud. From Sony to Yahoo to LinkedIn and beyond, the chances that your credit card information or passwords have been compromised is increasing every day.
A recent disturbing story is that of Mat Honan, a writer for Wired and Gawker blogs, who had his entire online life hijacked and his Laptop, phone, and iPad remotely deleted. By agreeing to not press charges on the hacker, known as Phobia, Honan was given the details of how the exploit was achieved. Phobia contacted Amazon and Apple Computer customer support and managed to gain access to both accounts by just doing a a little homework, no delicate intrusion required. Correct answers to security questions allowed Phobia to reset his password and access Honan’s Amazon account, which allowed him to view partial credit card numbers. He then contacted Apple, and with those four numbers and Honan’s home address was allowed into the iCloud account, which is Apple’s online service that backs up users’ calendars, photos, and email from Apple devices. All of those devices were wiped clean, destroying Honan’s photos of his newborn daughter, along with everything else. Everything was pretty straightforward then, allowing access to Honan’s Google account, which was deleted, and Gawker and Honan’s Twitter accounts, which ran haywire for the course of an evening. Honan worked diligently to reconcile the situation, but the jury is still out on his hard drive’s contents. The miscreant maintains that he was not out to hurt anyone, but to expose publicly security flaws in the networks of our most relied-upon online retailers that hold access to all of our financial and personal information. The attack could have continued to access Honan’s financial accounts, but stopped short. Regardless of his intentions, the hacker has definitely proved his point. Amazon has since made changes to keep accounts from being accessed, and Apple is, “reviewing all of our processes for resetting account passwords to ensure our customers’ data is protected.”
What does this mean to you?
Computer users feel safe logging into online services, and for the most part they are. Banks often have two-part login procedures that make it very tricky to break in, and many users protect their gmail with the same type of security. too many, however, have one password for all of their accounts, and it is not even a very secure one. Simply complying with minimum requirements for password creation is not near enough to protect you. Passwords need to be a scrambled string of letters, numbers, and special characters. The easiest way to do this is to make an acronym of a sentence that can be remembered, such as “One day at the zoo I saw a grizzly bear!” = “1d@tzIsagb!” As you can see, the days of using your cat’s name are over. You will need to remember some passwords, but you can use online services like LastPass to help keep track. You can use LastPass to automatically enter your passwords on your own computer, or you can login to their site from anywhere to see your passwords. Obviously, the password you use for that needs to be as unique and secure as you can remember! It may seem like a chore, but it can save you a ton of trouble. You definitely need different passwords for email, Facebook, and any account that stores financial information (banks, PayPal, Amazon, etc). If you want to use a simple shared password for insecure registrations and the like, do so with caution. Keep an eye on account by logging into the bank site regularly, or set up alerts to inform you of suspicious activity. Make certain you have a backup of irreplaceable photos and documents on a flash drive or portable hard drive, not just on the cloud. While the attack described here did not take advantage of brute force, many do, so keeping yourself safe should be easier if you follow just these few steps.