Ronny Lam

about://tech

Apple and Amazon Security Flaws

Mat Honan

What happened to Mat Honan can happen to everyone. After Mat Honan was hacked he got in contact with his hacker, who explained how and why he did it in return for Mat's promise not to press charges. Everything can be found in his very interesting article in Wired. The good thing was: it was not personal. The hacker was only after his three-letter Twitter account @mat. To get it, the hacker did some background research and had to compromise Mat's Amazon account, his iCloud account, his Gmail and finally his Twitter. The wiping of his iDevices and the compromising of the @gizmodo account were collateral damage, and also served as publicity to make clear to the companies that these security flaws have to be solved. The hacker himself did not wipe the MacBook with all of Mat's personal information; his partner did. This hacker felt sorry for that loss.

I don’t want to go into detail about what happened. Read it for yourself; it is a good read. But also be warned, because what happened to Mat can happen to everyone. Security can be as good as it gets, but if I can grab a phone and (re)gain access to an account by answering some simple-to-research questions, then no account is safe anymore. In my opinion the biggest flaw was with the Amazon account, but the second biggest flaw was Apple's account. After that everything was possible.

How can we protect ourselves against these risks? In the article Mat claims that if he had been using Gmail’s two-factor authentication he would have been safe. But I’m not sure about that. True, because he was not using it, the hacker could partly see his me.com address. I tested for myself that if you have access to the backup address associated with Gmail, you can (re)gain access to a Gmail account even with two-factor authentication enabled. You “only” have to fill in a form with a lot of personal questions, like your security questions, but also some account details like what labels you use most and who you email most, including some difficult to find or remember dates. I must admit that Google only disabled my two-factor authentication and didn’t also have to reset my password. But I suspect that they would have also reset that if I asked them.

So again: how can we protect ourselves? I don’t have the answer yet. Until this hack I always considered the companies that deliver these services trustworthy. But I didn’t take such simple social engineering techniques into account. I have to rethink and reconsider what it means to store all our data in the cloud when the security guard swings the door open for everyone pretending to be me. If companies like Amazon, Apple and Google don’t have good procedures in place to be sure of the authenticity of the owner, then I can assure you that this is not the last hack we will see in this simple manner.