This is a both a fascinating and sad story and a wakeup call for those of us who have built up a complex life online. It’s also a wakeup call for those of us who do not back up our computers, iPhones, iPads, and other devices connected to a single or even multiple connected digital ecosystems.
This story scares the shit out of me. I’m paranoid enough right now so that I have serious mixed feelings about posting this (it might be looked at as a potential challenge to a hacker).
I urge anyone reading this post to read Mat’s story slowly and carefully and make note of every detail described and put yourself in Mat’s shoes. He may have made some mistakes that you haven’t made but no doubt we all have vulnerabilities, I know I do.
In short, the very four digits that Amazon considers unimportant enough to display in the clear on the web are precisely the same ones that Apple considers secure enough to perform identity verification. The disconnect exposes flaws in data management policies endemic to the entire technology industry, and points to a looming nightmare as we enter the era of cloud computing and connected devices.
It isn’t just having an Amazon account, an Apple ID and an iCloud account, or having “Find my Mac” turned on in iCloud that brought Mat’s digital life down, it’s also a seemingly insignificant fact that he had a short, desirable three character Twitter handle and enough followers to make that account useful to hackers who wanted a high profile account so they could send a message: “we got into this account via a complex ID hack.”
But, even if you’re nobody of import on the internet, reading this article is a useful wakeup call if for no other reason than to hear that a person like Mat who’s a relatively sophisticated tech journalist stupidly did not back up his home computer and so it was vulnerable when hackers took over his iCloud account and found “Find My Mac” turned on. They did a remote wipe on his Mac for no good reason given the reason he was hacked and he lost the complete early photographic history of his daughter because he had no backup.
Here’s how I map myself into this
I’m a much less desirable target but who knows what makes a person a desirable target?
I use an Apple AirPort Extreme router between my local network of computers and iOS devices and our cable modem and the internet. It has a built-in firewall. We do not use local file sharing although I trust the AirPort firewall to protect us. If you have a computer directly connected to a cable or DSL modem you are extremely vulnerable and you need to do something about that.
I back up my iPhone and iPad to my computer daily (sync – backup). If they are mistakenly or maliciously remote wiped I can get the data back easily.
I use iCoud’s Find My iPhone and Find My iPad features (like David Pogue) so I can find and if necessary, remote wipe my iPhone and iPad if they fall into the wrong hands. I do not use Find My Mac which means my Macintosh isn’t visible and vulnerable to a complete wipe from my iCloud account (I hope).
I back up my computer daily in two different ways (SuperDuper and Time Machine) which means I have a complete back up of my computer and my iOS devices in case of accidental or malicious remote wipe. I actually have multiple complete backups: I have two external drives that I swap daily one being kept in the basement in a fire proof box.
I’ve only lost everything once in my life, in the very early days of personal computing before there were easy ways to back things up. It felt bad enough so that I swore I’d never let that happen to me again and hopefully it won’t. But, all it takes is once and that ought to be enough of a wake up call to get your attention and get you doing something about it. Since the early ’80s (pre-Mac) I’ve had a backup scheme in place that I’ve used religiously. Some people who hear about this think I’m nuts but their time will come and when it does they’ll get it.
I may be vulnerable via the online methods that got Mat in trouble and rather than blaming Apple and/or Amazon I need a plan to do something about this. I’m working on it and for obvious reasons I’m not posting that plan here. Your ideas are always welcome in comments, email, chat, phone.
I’m quite sure that some reading this are even more vulnerable than I am and I urge you to read Mat’s story and make note of both his mistakes and how your digital life maps onto his. Even if you feel you’re not a target because you have no status online there may be other aspects of your life that make you a desirable target for a hack or an ID theft.
Hacking and ID theft like this should bring on the most severe legal punishment no matter what age the hacker (Mat’s hacker is 19). Life in prison sounds about right. Of course, the stiffer the penalty the greater the challenge for a motivated hacker.
[via Dale Allyn]