Mark Honan writes about what happened when his iCloud account was hacked, and in a matter of five minutes the hackers remote wiped his iPhone, iPad and MacBook Air, along with more than a year's worth of data. In his own words:
At 4:50 PM, someone got into my iCloud account, reset the password and sent the confirmation message about the reset to the trash. My password was a 7 digit alphanumeric that I didn't use elsewhere. When I set it up, years and years ago, that seemed pretty secure at the time. But it's not. Especially given that I've been using it for, well, years and years. My guess is they used brute force to get the password (see update) and then reset it to do the damage to my devices.

The backup email address on my Gmail account is that same .mac email address. At 4:52 PM, they sent a Gmail password recovery email to the .mac account. Two minutes later, an email arrived notifying me that my Google Account password had changed.

At 5:00 PM, they remote wiped my iPhone.

At 5:01 PM, they remote wiped my iPad.

At 5:05, they remote wiped my MacBook Air.

A few minutes after that, they took over my Twitter. Because, a long time ago, I had linked my Twitter to Gizmodo's, they were then able to gain entry to that as well.
In Mark Honan's case, the problem was that once his iCloud account was compromised, all his devices were too. I do not use iCloud, but the same thing could happen to me, or to any of us. For most of us, the key to the online world we live in is our primary email address.
If a hacker gains access to our primary email address, the hacker can use that address to reset our passwords on Facebook, Twitter, Google+, Dropbox, Box or any other online service we use, because that is where the password-reset links are sent. I doubt that any system can hold off a skilled and determined hacker forever, but there are a few things we can do to make our online persona and data more secure.
Use Gmail and enable 2-Step Verification. Most email services rely on nothing more than a user-chosen password. Gmail offers a second factor: besides your password, the device you sign in from has to have been verified. When you log on to Google services you are asked for your password, and the first time you log on from a particular device you are also asked for a verification code. The code is generated by an app on your smartphone, or you can have it delivered by voice call or SMS. You can choose to keep a device trusted for 30 days, after which you have to verify it again.
So to get into your Gmail account, a hacker would have to learn your password and also obtain the matching verification code, which the app regenerates every 30 seconds and which is only accepted for a short window around that time. I would not say hack proof, nothing is, but much safer.
But I do not want to change email addresses. You do not have to. You can continue to use your Hotmail, Outlook, Yahoo or other address, but you should consider setting up a second address, a Gmail address with 2-Step Verification enabled, as the place where password-recovery emails are sent. Make sure that recovery address does not in turn list the weaker account as its own backup; that loop, where Honan's Gmail recovery address was the very .mac account that had just been taken over, is exactly what let the attackers pivot from iCloud into Gmail.