This week I read something very scary. A lengthy and well-researched article, (read it here if you want the detail) about a guy who got hacked – and what the experience taught him.
The guy is Mat Honen, an editor at Wired UK, – someone who already knew a fair bit about online security. But he managed to come to the attention of malicious hackers for the crime of having the prestigious 3-letter twitter handle @mat. He would not give it up so he got hacked – but since like for nearly all of us Mat’s Twitter account was linked to his Gmail and Apple accounts (each protected by unique robust complex and lengthy passwords), they decided to delay him recovering it by wiping every one of his device, including email, documents, and every picture he had ever taken of his 18 month old daughter)
Following that horrendous experience, Honen started to investigate how they did it and the results were devastating. It was just so easy. Starting with email: “Let’s say you’re on AOL. All I need to do is go to the website and supply your name plus maybe the city you were born in, info that’s easy to find in the age of Google. With that, AOL gives me a password reset, and I can log in as you.”
From email, you have access to everything email controls. Online banking? Simply use the ´Forgot Password?’ link, and a new one is sent to the compromised email account. So many online accounts work in this way – how long before they are into your Paypal, Amazon, app store and every other account you own?
Online application control walks a line of continuous tension between security and usability. Some online banking applications are utterly maddening, demanding PINs, passwords and security questions that they force you to change too often anyway and then still randomly dump you out of on an arbitrary basis requiring helpdesk calls and resets… And complaints. So for that reason, all over the web, our email address has evolved into a kind of universal username. And now that we bank, store data and live our lives increasingly in the cloud, that single point of failure is terrifyingly vulnerable.
Remember, this is stuff that can hurt us even when we do passwords properly, using unique complex passwords for every log-in (even though every year surveys of password popularity for major sites indicate that consistently the number one is ‘password’ and in second place ‘123456’. Seriously, if you are one of these people, don’t even both reading on).
Even when you do use a good password hackers can get at them by a variety of means, if they want to. Phishing we have discussed at length in this column – much easier than cracking a password is to persuade the owner to freely hand it over to you by pretending to be someone they trust. Honan describes an example where a board member of an energy company in Pennsylvania had her email broken by a phishing page where she was persuaded to enter her AOL password, so he had access to all her financial information and passwords. The hacker took time analysing her email mannerisms and patterns of communications, before instructing her accountant on her behalf to wire hundreds of thousands of dollars from her account.
Malware is another way passwords are obtained, often by installing keyloggers that watch what you type in password boxes and sending that back to the hackers – banks working around this now by getting you to click on images of numbers to enter a code.
But whilst we can fight technology using technology, and billions of dollars are invested in this arms race, the most alarming vulnerability is ‘socialing’, the compiling of bits of information available publicly along with persuasiveness and human interaction. Honan’s Apple password was reset over the phone, once the hackers had obtained the last 4 digits of the credit card associated with the account. And how many ‘security questions’ are that secure? Lots could be googled, guessed or otherwise found out. My bank thinks knowing the name of my school is vital security data, but LinkedIn and Facebook want me to put this on my public profile!
Honan´s depressing conclusions are that the whole system needs to change, to a range of complex biometric indicators that we are who we say we are, that actually works for the digital age. But for now we have to work with what we’ve got, and his recommendations for maximum security are as follows:
Use a unique, non-dictionary, strong and long complex password, for every online service you use. They can still be hacked but it’s harder.
Enable two-factor authentication whenever you are offered it, even if it’s more hassle. For example, google sending you a text code to verify your identity when you log in from a new location
Give bogus answers to security questions I like this recommendation, think of security questions as another password, something unique and memorable that no-one could guess. So, as far as Paypal knows or cares, your first pet was a pink albatross.
Scrub your online presence. Check what information is available about you online, can YOU find your home address via Google, because if you can then anyone can.
Finally, and this is a new idea on me and a good one, Honan suggests creating a unique email address that you never publicise and that you ONLY use for password recovery. Because if the hackers don’t know the account exists they are unlikely to get into it. You can use any online email service, but choose a username completely unrelated to your own name, and never use it for anything else or mention to anyone. I like this idea a lot.
Stay safe!
Published in Costa Blanca News, 30th November 2012