Earlier in August, a cyber-attack on Wired writer Mat Honan’s digital life attracted a good deal of media attention, much of it driven by his lengthy article on how the attackers gained access to his Google, Apple, Amazon, and Twitter accounts.
Those attackers obtained the last four digits of Honan’s credit card number by engaging in a little social engineering with Amazon tech support. Armed with that bit of information, as well as the credit card’s billing address, they convinced AppleCare to issue a temporary password to Honan’s Apple ID. From there, they wiped his MacBook, seized control of his Gmail and other identities, and humiliated him on Twitter.
In the wake of that assault, Apple reviewed its process for resetting passwords. “We’ve temporarily suspended the ability to reset Apple ID passwords over the phone,” Apple spokesperson Natalie Kerris told Wired and other news outlets in an email. “We’re asking customers who need to reset their password to continue to use our online iForgot system (iforgot.apple.com).”
Amazon also reportedly plugged its security hole, removing customers’ ability to change account settings such as email addresses over the phone.
Even as those companies’ teams moved to patch the holes, others moved to offer security tips. Matt Cutts, head of Google’s Webspam team, used his personal Website to urge Gmail users to embrace two-factor authentication.
“Much of the story is about Amazon or Apple’s security practices, but I would still advise everyone to turn on Google’s two-factor authentication to make your Gmail account safer and less likely to get hacked,” he wrote in the August 6 posting.
Two-factor authentication involves entering a numerical code that Google sends to the Gmail user’s phone, preventing a hacker from accessing the account unless they possess both that code and the user’s password.
A standalone app, Google Authenticator, lets users obtain a code from their phone even without a signal (such as during travel to a foreign country). For those users who don’t want to enter an extra code every time they sign into Gmail, Google also offers the option to “trust this computer” for 30 days or longer.
“One last tip,” he added. “Use a different password on Gmail/Google than on other services. If you reuse a password and a hacker cracks into one company, they can use the same password to crack into your Google account.”
Not to be outdone by other tech companies’ renewed enthusiasm for all things security-related, Facebook announced a new effort targeting phishers and other devious characters.
“Today, Facebook is proud to announce the launch of firstname.lastname@example.org, an email address available to the public to report phishing attempts against Facebook,” read a note posted Aug. 9 on Facebook’s Security page. “Phishing is any attempt to acquire personal information, such as username, password, or financial information via impersonation or spoofing.”
Reports to that email address could help Facebook investigate and request Website takedowns and browser blacklisting. “We will then work with our eCrime team to ensure we hold bad actors accountable,” the posting continued. “Additionally, in some cases, we’ll be able to identify victims, and secure their accounts.”
Although users can bolster their online security with two-factor authentication, strong passwords, and not tying all of their accounts to the same email address, those methods also make online life less convenient. But that inconvenience may pale compared to the costs associated with a cyber-attack.