Mat Hanon experienced the worst nightmare of his digital life when he got hacked and irrevocable damages were made to his personal data.
This story reminds me of my own story of how I became more aware of security and privacy, because not long ago I was also hacked. I never fully understood how the perpetrators gained access to my e-wallet account, whether it was an inside job or a if I somehow leaked the user logins on an insecure network, but I figured out multiple weaknesses in my security routines. In that respect this was a good thing for me, believe it or not; it was a wake up-call. It all becomes real when it happens to you, and when it does it sucks.
What we can learn from this incident is a plenty, but judging from the article there also seems to have been a flaw in the identifyment procedures over at Apple and Amazon. The worst part is that Apple customer support issued a temporary password to the hacker despite him not being able to answer the security answers. This is worse because that’s something out of our control. Hopefully Apple (and maybe other companies) gets that sorted.
Still, besides security 101 here’s some pointers in how to avoid suffering the same fate as Mat Hanon:
- Actively try not to reveal too much personal information
Your name, address, phonenumber and so on can be used in identity theft, but it also exposes you to more direct threats of which I’m sure you can imagine. According to the hacker in Hanon’s case he retrieved the address by WHOISing the domain name. Some domain registrants offers you a proxy solution which means they register the domain in their name and address instead of yours. Many people also broadcast (intentionally or unintentionally) their address and contact information publicly on online “phone catalogues” or on social media sites like Facebook. For “phone catalogues” I suggest checking your communications service provider, wheras for social media sites you could revise the privacy settings or delete the information all together from public view. - Be aware when chaining services together like iCloud and GoogleMail
The hacker got access to Hanon’s Google Mail account using the iCloud (me.com) e-mail. As services gets more and more intertwined, we get more and more dependant on one or more key services. If that is the case then consider two-way authentication for the most dependant services. Imagine losing control over your Google account, how many services are affected? Maybe you have many apps linked to the Google account on various sites, e-mail, Google Drive etc. - Don’t store cards on e-commerce sites
A key component used in the hack was the last numbers of a credit card retrieved after breaching his Amazon account. If the credit card was not stored in his Amazon account then the hacker could not have used the last four digits to breach his iCloud account through Apple’s customer service (at least I hope so). - Other than that I suggest everyone to use unique passwords for each different service
Imagine if the hacker has somehow obtained Mat’s password. By using the e-mail address as login he could have breached a lot more services with a lot less effort.
Finally, his article also touches upon the backup subject which indeed is very important in this digital age. I’ll probably cover that in a later blog post.