Part 1: How Apple and Amazon Security Flaws Led to My Epic Hacking
Mat Honan
In the space of one hour, my entire digital life was destroyed. First my Google account was taken over, then deleted. Next my Twitter account was compromised, and used as a platform to broadcast racist and homophobic messages. And worst of all, my AppleID account was broken into, and my hackers used it to remotely erase all of the data on my iPhone, iPad, and MacBook.
In many ways, this was all my fault. My accounts were daisy-chained together. Getting into Amazon let my hackers get into my Apple ID account, which helped them get into Gmail, which gave them access to Twitter. Had I used two-factor authentication for my Google account, it’s possible that none of this would have happened, because their ultimate goal was always to take over my Twitter account and wreak havoc. Lulz.
Had I been regularly backing up the data on my MacBook, I wouldn’t have had to worry about losing more than a year’s worth of photos, covering the entire lifespan of my daughter, or documents and e-mails that I had stored in no other location.
Those security lapses are my fault, and I deeply, deeply regret them.
But what happened to me exposes vital security flaws in several customer service systems, most notably Apple’s and Amazon’s. Apple tech support gave the hackers access to my iCloud account. Amazon tech support gave them the ability to see a piece of information — a partial credit card number — that Apple used to release information. In short, the very four digits that Amazon considers unimportant enough to display in the clear on the web are precisely the same ones that Apple considers secure enough to perform identity verification. The disconnect exposes flaws in data management policies endemic to the entire technology industry, and points to a looming nightmare as we enter the era of cloud computing and connected devices.
This isn’t just my problem. Since Friday, Aug. 3, when hackers broke into my accounts, I’ve heard from other users who were compromised in the same way, at least one of whom was targeted by the same group.
Moreover, if your computers aren’t already cloud-connected devices, they will be soon. Apple is working hard to get all of its customers to use iCloud. Google’s entire operating system is cloud-based. And Windows 8, the most cloud-centric operating system yet, will hit desktops by the tens of millions in the coming year. My experience leads me to believe that cloud-based systems need fundamentally different security measures. Password-based security mechanisms — which can be cracked, reset, and socially engineered — no longer suffice in the era of cloud computing.
I realized something was wrong at about 5 p.m. on Friday. I was playing with my daughter when my iPhone suddenly powered down. I was expecting a call, so I went to plug it back in.
It then rebooted to the setup screen. This was irritating, but I wasn’t concerned. I assumed it was a software glitch. And, my phone automatically backs up every night. I just assumed it would be a pain in the ass, and nothing more. I entered my iCloud login to restore, and it wasn’t accepted. Again, I was irritated, but not alarmed.
I went to connect the iPhone to my computer and restore from that backup — which I had just happened to do the other day. When I opened my laptop, an iCal message popped up telling me that my Gmail account information was wrong. Then the screen went gray, and asked for a four-digit PIN.
I didn’t have a four-digit PIN.
By now, I knew something was very, very wrong. For the first time it occurred to me that I was being hacked. Unsure of exactly what was happening, I unplugged my router and cable modem, turned off the Mac Mini we use as an entertainment center, grabbed my wife’s phone, and called AppleCare, the company’s tech support service, and spoke with a rep for the next hour and a half.
It wasn’t the first call they had had that day about my account. In fact, I later found out that a call had been placed just a little more than a half an hour before my own. But the Apple rep didn’t bother to tell me about the first call concerning my account, despite the 90 minutes I spent on the phone with tech support. Nor would Apple tech support ever tell me about the first call voluntarily — it only shared this information after I asked about it. And I only knew about the first call because a hacker told me he had made the call himself.
At 4:33 p.m., according to Apple’s tech support records, someone called AppleCare claiming to be me. Apple says the caller reported that he couldn’t get into his Me.com e-mail — which, of course was my Me.com e-mail.
In response, Apple issued a temporary password. It did this despite the caller’s inability to answer security questions I had set up. And it did this after the hacker supplied only two pieces of information that anyone with an internet connection and a phone can discover.
At 4:50 p.m., a password reset confirmation arrived in my inbox. I don’t really use my me.com e-mail, and rarely check it. But even if I did, I might not have noticed the message because the hackers immediately sent it to the trash. They then were able to follow the link in that e-mail to permanently reset my AppleID password.
At 4:52 p.m., a Gmail password recovery e-mail arrived in my me.com mailbox. Two minutes later, another e-mail arrived notifying me that my Google account password had changed.
At 5:02 p.m., they reset my Twitter password. At 5:00 they used iCloud’s “Find My” tool to remotely wipe my iPhone. At 5:01 they remotely wiped my iPad. At 5:05 they remotely wiped my MacBook. Around this same time, they deleted my Google account. At 5:10, I placed the call to AppleCare. At 5:12 the attackers posted a message to my account on Twitter taking credit for the hack.
By wiping my MacBook and deleting my Google account, they now not only had the ability to control my account, but were able to prevent me from regaining access. And crazily, in ways that I don’t and never will understand, those deletions were just collateral damage. My MacBook data — including those irreplaceable pictures of my family, of my child’s first year and relatives who have now passed from this life — weren’t the target. Nor were the eight years of messages in my Gmail account. The target was always Twitter. My MacBook data was torched simply to prevent me from getting back in.
Lulz.
I spent an hour and a half talking to AppleCare. One of the reasons it took me so long to get anything resolved with Apple during my initial phone call was because I couldn’t answer the security questions it had on file for me. It turned out there’s a good reason for that. Perhaps an hour or so into the call, the Apple representative on the line said “Mr. Herman, I….”
“Wait. What did you call me?”
“Mr. Herman?”
“My name is Honan.”
Apple had been looking at the wrong account all along. Because of that, I couldn’t answer my security questions. And because of that, it asked me an alternate set of questions that it said would let tech support let me into my me.com account: a billing address and the last four digits of my credit card. (Of course, when I gave them those, it was no use, because tech support had misheard my last name.)
It turns out, a billing address and the last four digits of a credit card number are the only two pieces of information anyone needs to get into your iCloud account. Once supplied, Apple will issue a temporary password, and that password grants access to iCloud.
Apple tech support confirmed to me twice over the weekend that all you need to access someone’s AppleID is the associated e-mail address, a credit card number, the billing address, and the last four digits of a credit card on file. I was very clear about this. During my second tech support call to AppleCare, the representative confirmed this to me. “That’s really all you have to have to verify something with us,” he said.
We talked to Apple directly about its security policy, and company spokesperson Natalie Kerris told Wired, “Apple takes customer privacy seriously and requires multiple forms of verification before resetting an Apple ID password. In this particular case, the customer’s data was compromised by a person who had acquired personal information about the customer. In addition, we found that our own internal policies were not followed completely. We are reviewing all of our processes for resetting account passwords to ensure our customers’ data is protected.”
On Monday, Wired tried to verify the hackers’ access technique by performing it on a different account. We were successful. This means, ultimately, all you need in addition to someone’s e-mail address are those two easily acquired pieces of information: a billing address and the last four digits of a credit card on file. Here’s the story of how the hackers got them.
On the night of the hack, I tried to make sense of the ruin that was my digital life. My Google account was nuked, my Twitter account was suspended, my phone was in a useless state of restore, and (for obvious reasons) I was highly paranoid about using my Apple email account for communication.
I decided to set up a new Twitter account until my old one could be restored, just to let people know what was happening. I logged into Tumblr and posted an account of how I thought the takedown occurred. At this point, I was assuming that my seven-digit alphanumeric AppleID password had been hacked by brute force. In the comments (and, oh, the comments) others guessed that hackers had used some sort of keystroke logger. At the end of the post, I linked to my new Twitter account.
And then, one of my hackers @ messaged me. He would later identify himself as Phobia. I followed him. He followed me back.
We started a dialogue via Twitter direct messaging that later continued via e-mail and AIM. Phobia was able to reveal enough detail about the hack and my compromised accounts that it became clear he was, at the very least, a party to how it went down. I agreed not to press charges, and in return he laid out exactly how the hack worked. But first, he wanted to clear something up:
“didnt guess ur password or use bruteforce. i have my own guide on how to secure emails.”
I asked him why. Was I targeted specifically? Was this just to get to Gizmodo’s Twitter account? No, Phobia said they hadn’t even been aware that my account was linked to Gizmodo’s, that the Gizmodo linkage was just gravy. He said the hack was simply a grab for my three-character Twitter handle. That’s all they wanted. They just wanted to take it, and fuck shit up, and watch it burn. It wasn’t personal.
“I honestly didn’t have any heat towards you before this. i just liked your username like I said before” he told me via Twitter Direct Message.
After coming across my account, the hackers did some background research. My Twitter account linked to my personal website, where they found my Gmail address. Guessing that this was also the e-mail address I used for Twitter, Phobia went to Google’s account recovery page. He didn’t even have to actually attempt a recovery. This was just a recon mission.
Because I didn’t have Google’s two-factor authentication turned on, when Phobia entered my Gmail address, he could view the alternate e-mail I had set up for account recovery. Google partially obscures that information, starring out many characters, but there were enough characters available, m••••n@me.com. Jackpot.
This was how the hack progressed. If I had some other account aside from an Apple e-mail address, or had used two-factor authentication for Gmail, everything would have stopped here. But using that Apple-run me.com e-mail account as a backup meant told the hacker I had an AppleID account, which meant I was vulnerable to being hacked.
“You honestly can get into any email associated with apple,” Phobia claimed in an e-mail. And while it’s work, that seems to be largely true.
Since he already had the e-mail, all he needed was my billing address and the last four digits of my credit card number to have Apple’s tech support issue him the keys to my account.
So how did he get this vital information? He began with the easy one. He got the billing address by doing a whois search on my personal web domain. If someone doesn’t have a domain, you can also look up his or her information on Spokeo, WhitePages, and PeopleSmart.
Getting a credit card number is tricker, but it also relies on taking advantage of a company’s back-end systems. Phobia says that a partner performed this part of the hack, but described the technique to us, which we were able to verify via our own tech support phone calls. It’s remarkably easy — so easy that Wired was able to duplicate the exploit twice in minutes.
First you call Amazon and tell them you are the account holder, and want to add a credit card number to the account. All you need is the name on the account, an associated e-mail address, and the billing address. Amazon then allows you to input a new credit card. (Wired used a bogus credit card number from a website that generates fake card numbers that conform with the industry’s published self-check algorithm.) Then you hang up.
Next you call back, and tell Amazon that you’ve lost access to your account. Upon providing a name, billing address, and the new credit card number you gave the company on the prior call, Amazon will allow you to add a new e-mail address to the account. From here, you go to the Amazon website, and send a password reset to the new e-mail account. This allows you to see all the credit cards on file for the account — not the complete numbers, just the last four digits. But, as we know, Apple only needs those last four digits. We asked Amazon to comment on its security policy, but didn’t have anything to share by press time.
And it’s also worth noting that one wouldn’t have to call Amazon to pull this off. Your pizza guy could do the same thing, for example. If you have an AppleID, every time you call Pizza Hut, you’ve giving the 16-year-old on the other end of the line all he needs to take over your entire digital life.
And so, with my name, address, and the last four digits of my credit card number in hand, Phobia called AppleCare, and my digital life was laid waste. Yet still I was actually quite fortunate.
They could have used my e-mail accounts to gain access to my online banking, or financial services. They could have used them to contact other people, and socially engineer them as well. As Ed Bott pointed out on TWiT.tv, my years as a technology journalist have put some very influential people in my address book. They could have been victimized too.
Instead, the hackers just wanted to embarrass me, have some fun at my expense, and enrage my followers on Twitter by trolling.
I had done some pretty stupid things. Things you shouldn’t do.
I should have been regularly backing up my MacBook. Because I wasn’t doing that, if all the photos from the first year and a half of my daughter’s life are ultimately lost, I will have only myself to blame. I shouldn’t have daisy-chained two such vital accounts — my Google and my iCloud account — together. I shouldn’t have used the same e-mail prefix across multiple accounts — mhonan@gmail.com, mhonan@me.com, and mhonan@wired.com. And I should have had a recovery address that’s only used for recovery without being tied to core services.
But, mostly, I shouldn’t have used Find My Mac. Find My iPhone has been a brilliant Apple service. If you lose your iPhone, or have it stolen, the service lets you see where it is on a map. The New York Times’ David Pogue recovered his lost iPhone just last week thanks to the service. And so, when Apple introduced Find My Mac in the update to its Lion operating system last year, I added that to my iCloud options too.
After all, as a reporter, often on the go, my laptop is my most important tool.
But as a friend pointed out to me, while that service makes sense for phones (which are quite likely to be lost) it makes less sense for computers. You are almost certainly more likely to have your computer accessed remotely than physically. And even worse is the way Find My Mac is implemented.
When you perform a remote hard drive wipe on Find my Mac, the system asks you to create a four-digit PIN so that the process can be reversed. But here’s the thing: If someone else performs that wipe — someone who gained access to your iCloud account through malicious means — there’s no way for you to enter that PIN.
A better way to have this set up would be to require a second method of authentication when Find My Mac is initially set up. If this were the case, someone who was able to get into an iCloud account wouldn’t be able to remotely wipe devices with malicious intent. It would also mean that you could potentially have a way to stop a remote wipe in progress.
But that’s not how it works. And Apple would not comment as to whether stronger authentification is being considered.
As of Monday, both of these exploits used by the hackers were still functioning. Wired was able to duplicate them. Apple says its internal tech support processes weren’t followed, and this is how my account was compromised. However, this contradicts what AppleCare told me twice that weekend. If that is, in fact, the case — that I was the victim of Apple not following its own internal processes — then the problem is widespread.
I asked Phobia why he did this to me. His answer wasn’t satisfying. He says he likes to publicize security exploits, so companies will fix them. He says it’s the same reason he told me how it was done. He claims his partner in the attack was the person who wiped my MacBook. Phobia expressed remorse for this, and says he would have stopped it had he known.
“yea i really am a nice guy idk why i do some of the things i do,” he told me via AIM. “idk my goal is to get it out there to other people so eventually every1 can over come hackers”
I asked specifically about the photos of my little girl, which are, to me, the greatest tragedy in all this. Unless I can recover those photos via data recovery services, they are gone forever. On AIM, I asked him if he was sorry for doing that. Phobia replied, “even though i wasnt the one that did it i feel sorry about that. Thats alot of memories im only 19 but if my parents lost and the footage of me and pics i would be beyond sad and im sure they would be too.”
But let’s say he did know, and failed to stop it. Hell, for the sake of argument, let’s say he did it. Let’s say he pulled the trigger. The weird thing is, I’m not even especially angry at Phobia, or his partner in the attack. I’m mostly mad at myself. I’m mad as hell for not backing up my data. I’m sad, and shocked, and feel that I am ultimately to blame for that loss.
But I’m also upset that this ecosystem that I’ve placed so much of my trust in has let me down so thoroughly. I’m angry that Amazon makes it so remarkably easy to allow someone into your account, which has obvious financial consequences. And then there’s Apple. I bought into the Apple account system originally to buy songs at 99 cents a pop, and over the years that same ID has evolved into a single point of entry that controls my phones, tablets, computers and data-driven life. With this AppleID, someone can make thousands of dollars of purchases in an instant, or do damage at a cost that you can’t put a price on.
Part 2: How I Resurrected My Digital Life After an Epic Hacking
When my data died, it was the cloud that killed it. The triggers hackers used to break into my accounts and delete my files were all cloud-based services — iCloud, Google, and Amazon. Some pundits have latched onto this detail to indict our era of cloud computing. Yet just as the cloud enabled my disaster, so too was it my salvation.
Yes, you can die by the cloud. But you can live by it too. Here’s how I regained my digital life after it was taken away from me.
When hackers broke into my iCloud account and wiped my devices, my first assumption was that someone had broken into my local network. So the first thing I did was shut down the internet and turn off all of my other machines. I wanted those assholes out of my house. But that also meant I had no way to send or receive data.
AppleCare’s phone support was useless. The 90 fruitless minutes I spent on the phone accomplished nothing at all to regain control of my AppleID. Nor did a follow-up help to stop the remote wipe taking over my MacBook Air. I had to get online. So to reconstruct my life, I started off by going next door, where I borrowed my neighbor’s computer to use their internet.
Ultimately, I was able to get back into my iCloud account by resetting the password online. Once I did, I began restoring my iPhone and iPad from iCloud backups. The phone took seven hours to restore. The iPad took even longer. I could use neither during this time.
From my wife’s phone, I called my bank and completely changed my logins. Then I set about checking online to see which other accounts might have been compromised. By now I felt safe turning on our own home internet and using one of my other computers to check these accounts. But I hit an immediate problem: I didn’t know any of my passwords.
I’m a heavy 1Password user. I use it for everything. That means most of my passwords are long, alphanumeric strings of gibberish with random symbols. It’s on my iPhone, iPad and Macbook. It syncs up across all those devices because I store the keychain in the cloud on Dropbox. Update a password on my phone, and the file is saved on Dropbox, where my computer will pull it down later, and vice versa.
But I didn’t have it on any of our other systems. So now I couldn’t get to my keychain. And so I was stuck in a catch-22. My Dropbox password was itself a 1password-generated litany of nonsense. Without access to Dropbox, I couldn’t get my keychain. Without my keychain, I couldn’t get into Dropbox.
And then I remembered that I had also used Dropbox previously on my wife’s machine. Had I stored the password there?
Five hours after the hack started, still locked out of everything, I flipped open the lid of her computer, and nervously powered it up. And there it was: my Dropbox. And in it, my 1Password keychain, the gateway to my digital life.
It was time to get cranking. I set up a new Twitter account. And then, with my now-found password manager, I logged into Tumblr.
Here’s the thing: I probably got my stuff back faster than you would have. I’ve been a technology journalist for more than a dozen years, and in that time I’ve made lots and lots of contacts. Meanwhile, my Tumblr post spread like warm butter across the piping hot English muffin of the internet.
A lot of people saw the post, some of whom were executives or engineers at Google and Twitter. I still had to go through official channels, but they pointed me to the right place to start the recovery process on both of those services. On Friday night, I filled out forms on both sites (Google’s is here, Twitter’s is here) to try to reclaim my accounts.
Someone else saw my posts on that night too: my hacker.
I had posited that the hackers had gotten in via brute forcing my 7-digit password. This caused my hacker, Phobia, to respond to me. No, he bragged, brute force wasn’t involved. They got it right from AppleCare, he said via a Twitter DM. I still didn’t know how that worked, exactly, but this piece of information led me to start digging.
As it turned out, breaking into Apple accounts was ridiculously easy. On Saturday, when I fully understood just how Phobia and his partner had gotten in (and how easily it could happen again), I made a distressed phone call to Apple to ask that the company lock everything down, and issue no more password resets.
It was on this call that I confirmed someone else had called in about my account at 4:33 p.m. the previous day — someone who I now knew to be Phobia. Chandler McDonald, the tech who helped me on that call, was the first person at Apple to take what was happening really seriously, and was one of only two positive experiences I had with Apple that weekend (or since). McDonald reassured me that he was going to get my account locked down, and promised to call me the next day. And he did. I’m still grateful.
Also on Friday night, I began the process of restoring my Google account. Because I couldn’t send a backup to my now non-functioning phone, I had to fill out some forms online that asked me questions about my account usage that, presumably, only I would know. For example, I was asked to name the five people I e-mailed the most.
On Saturday morning, I received an automated e-mail from Google asking me to go online and define even more personal information. This time, I was asked for things like the names of folders in my Gmail account, and the dates on which I had set up various other Google accounts, like Google Docs. It was a little flummoxing, and I wasn’t sure I knew the answers to these questions. But I tried, and I guess I got the answers right.
That same day, while still waiting for access to my Google account, I was having another Google-related problem that was keeping me from being able to use my phone. Although the restore from backup was complete, and I could use over-the-air data to access internet services, it would not send or receive calls. At first I couldn’t understand why, and then realized it was because I had linked my number to Google Voice.
Since Google has integrated sign-ons across all accounts, not only was my Gmail nuked, but so was every other associated Google service as well. That meant my Google Voice number was dead. And because I (obviously) couldn’t log into Google Voice, I couldn’t opt to disconnect it from my phone. I called Sprint and asked the tech support rep there to do it for me. Done.
Almost immediately, my phone lit up with text messages from concerned friends, wanting to let me know I’d been hacked.
Thanks guys, I know. I know.
Just before noon on Saturday, my Google account was restored. Given what I’ve subsequently learned about how long it has taken others to do the same, I think that had my case not been escalated, this process could have taken 48 hours or more. Yes, I went through the normal steps, and had to prove I was who I claimed to be, but the process was likely faster for me than it would be for most.
Once in my inbox, I saw how remarkably little the intruders had done. They had torched the joint just after getting a password reset on Twitter. I went through and checked all my mail filters and settings to make sure new messages wouldn’t be also copied to someone else without my knowledge, and systematically revoked every single app and website I’d authorized to connect to my Google account.
Saturday night, after verifying my Wired e-mail address and exchanging several e-mails with tech support, I got back into my Twitter account too. It was in ruins. There were racist and anti-gay tweets all over the place, as well as taunting remarks aimed at other hackers, and other users. At first I left these up, just as documentation, but then went in and deleted the worst of them.
That night, I stayed up late, direct-messaging Phobia on Twitter.
Sunday afternoon, I found myself at the Apple Store in San Francisco’s worst mall. I was, to say the least, cranky. Although I’d called on a Friday night, the first appointment I could get was at 1 p.m. on Sunday. By 1:20 p.m., I was talking to an Apple genius named Max. He was awesome. He’d heard of my case.
He told me that while Apple couldn’t recover my data, it could probably stop the wipe from progressing further. There was the 4-digit PIN that needed to be entered, as well as a firmware-level password, and I had neither. I told him all I cared about was preserving my data. He scurried away with my machine.
And indeed, Monday afternoon, Max called to let me know that they had been able to reset the firmware password. They couldn’t crack the PIN, but he said I should be able to pull whatever data existed on there off. Good news. I began researching data-recovery firms.
Getting data back from a SSD drive, like the one in my MacBook Air, is considerably trickier than recovering it from a standard HDD for all kinds of reasons — from the way SSDs reallocate data, to the lack of a physical platter, to hardware-level encryption keys. I wasn’t about to attempt to recover it myself. Max, my guy at the Apple Store, had suggested that I call DriveSavers. Several other people I know and respect, like TWiT’s Leo Laporte, whose show I appeared on that weekend, told me the same thing.
And so, on Friday, exactly one week after my system was wiped, I sent my Mac away to Novato to see what could be recovered from the drive hackers had wiped.
In a nutshell, here’s what happens when you take your machine to DriveSavers (and we’ll have a full rundown on this later). First, they remove your drive from the machine and put it in a custom adapter. From there they use a proprietary method to image your system and copy that data to a secure “slicked” disk so there’s no chance of data contamination. This is done extremely rapidly so that the original drive doesn’t have to be powered up for very long.
Next they put the original drive aside to preserve it, and then begin working off the copy to see what’s on there. In some cases, like mine, there are no more files or directory structures to pore over. So they scour the drives looking at raw hex data. When you see this in action, it looks a lot like The Matrix, with rows and rows of random numbers and characters scrolling up a screen, faster than your eyes can focus on.
Except, that’s not what they saw on mine.
When Drivesavers began looking at my machine, the first 6GB of data held a clean install of Mac OS X. And after that, all they saw was row after row after row of zeroes. That data had been zeroed out. Overwritten. No recovery.
And then numbers. That beautiful hex data started rolling across the screen. Yes, 25 percent of my drive was gone and beyond repair. But the remaining 75 percent? Hope for life. DriveSavers called me to come look at what they had found, and my wife and I drove up there on Wednesday morning.
My data came back to me on an external hard drive, organized by file types. The thing I cared most about, above all else, was my photo library. And there, in a folder full of JPGs, was photo after photo after photo that I had feared were gone forever. Subfolders were organized by the year, month and day files were created. I went immediately to the folder that bore the date my daughter was born. They were there. Everything was there. We were floored. I nearly cried.
I am an over-sharer. But the things most intimate in life, I tend to keep private. And so although I have posted picture after picture to Flickr, Facebook and Instagram, the stuff that was really important — the stuff that maybe even was most important — has always been mine alone. It lived nowhere but on my hard drive.
Some of the photos were ancient artifacts that traveled with me from machine to machine with each upgrade cycle. In fact, much of the data was far older than the last device it was stored on. Most of those older images had been backed up to an external hard drive. And some of the newer ones were safe on PhotoStream, one of Apple’s iCloud services. But most of the shots that I had taken with my camera over the past 20 months since I last backed up were lost forever. And here they were again, recovered. Reborn. It was gorgeous.
I didn’t get everything back. DriveSavers was only looking for the things I specifically requested. I’ve lost all my applications, for example, as well as long-established preferences and settings that have been moving from machine to machine with me. But that’s OK. I can live without them. I can buy them again. Whatever. Besides, sometimes it’s nice to start with a clean slate, and I spent yesterday installing a new, clean operating system on my MacBook Air.
The bottom line is that I have all my photos and all the home movies I’ve shot. Every one of them. And seemingly all of my most important documents as well. That felt like a miracle.
The bill for all this? $1,690. Data doesn’t come cheap.
I’ve been asked again and again what I’ve learned, and what I now do differently. I’m still figuring some of that out.
I’m certainly a backup believer now. When you control your data locally, and have it stored redundantly, no one can take it from you. Not permanently, at least. I’ve now got a local and online backup solution, and I’m about to add a second off-site backup into that mix. That means I’ll have four copies of everything important to me. Overkill? Probably. But I’m once bitten.
And then there’s the cloud. I’m a bigger believer in cloud services than ever before. Because I use Rdio, not iTunes, I had all my music right away. Because I use Evernote to take reporting notes, everything that I was currently working on still existed. Dropbox and 1Password re-opened every door for me in a way that would have been impossible if I were just storing passwords locally via my browser.
But I’m also a security convert.
It’s shameful that Apple has asked its users to put so much trust in its cloud services, and not put better security mechanisms in place to protect them. AppleIDs are too easily reset, which effectively makes iCloud a data security nightmare. I’ve had person after person after person report similar instances to me, some providing documentation showing how easily their Apple accounts were compromised.
And due to Apple’s opacity, I have no way of knowing if things have improved. Apple has refused to tell me in what ways its policies weren’t followed “completely” in my case. Despite being an Apple user for nearly 20 years and having generally positive feelings toward the company, I no longer trust it to do the right thing in terms of protecting my data. I’ve turned off its Find My services and won’t turn them back on.
Amazon also had a glaring security flaw, and although it has fixed that exploit, the flaw’s mere existence should serve as a warning to all of us about all of our other accounts. We don’t often know what’s required to issue a password reset, or have someone get into our account through a company’s tech support system.
But hackers do.
I’m working on another story looking at how widespread these practices are, and while there’s much reporting left to be done, it’s already very clear that the vulnerabilities at Amazon aren’t unique. It’s also clear that many of these gaping security holes are common knowledge within certain communities online. Bored teenagers up late on hot summer nights know more about social engineering exploits than I would wager most of the executives at affected companies do. That needs to change.
Previously, when I had the option for ease-of-use versus security, I always went the easy route. I stored my credit cards with the merchants I used for faster transactions. I didn’t enable two-factor authentication on Google or Facebook. I never set up dedicated (and secret) e-mail accounts for password management. I take those steps now. But I also know that no matter what security measures I take, they can all be undone by factors beyond my control.
We don’t own our account security. And as more information about us lives online in ever more locations, we have to make sure that those we entrust it with have taken the necessary steps to keep us safe. That’s not happening now. And until it does, what happened to me could happen to you.
