Hackers can do a lot worse than steal your data and identity. They can wipe your digital life almost entirely so you'll never get it back.
Just ask Mat Honan, a writer for Wired who suffered this attack. Friday evening, the San Francisco-based journalist had his iPhone reboot to a setup screen, its storage erased. By the time he realized his MacBook Air had locked him out as part of a remote wipe, he saw that his iPad had also been nuked. And like too many people, he hadn't backed up the laptop.
Honan then noticed that somebody had hijacked his iCloud and Twitter accounts and deleted his Gmail identity, as he wrote in a Tumblr post. Racist, homophobic tweets streamed from his widely followed @mat username – and the @gizmodo account he'd linked when he wrote for that tech blog.
I know the victim, so the crime seems especially vile. A cheerful early adopter of the Internet and one of the most pleasant users online, Honan creates amusing "single-serving sites" in his spare time. And, for one Wired piece, he spent a month broadcasting his location in real time on various iPhone apps.
Last week, the Net betrayed his trust.
After conversations with one of the hackers and sources at Amazon, Apple, Google and Twitter, Honan explained what happened in a lengthy Wired.com article.
The fault wasn't malware or weak passwords. The bad guys only needed "social engineering" to talk Apple into surrendering access to the iCloud e-mail that Honan had set as a recovery address for his Gmail, which in turn governed his Twitter handle.
First, an attempted Gmail password reset listed an obscured but easily guessed iCloud address as a backup.
Then the hackers tackled Amazon, adding a credit-card number to Honan's account over the phone by producing his street address (listed in his domain-name registration) and e-mail. They called back to say they'd lost access, authenticating themselves with his name, address and the new card; Amazon's password-reset screen showed the last four digits of other saved cards.
Amazon publicist Ty Rogers wrote Tuesday that the company had closed that exploit.
Next, they phoned Apple to request a temporary password and got one after providing only a street address and the last four digits of the saved card (which, remember, could have also come from a stray receipt). Wired was able to duplicate this exploit. Boom.
As of Wednesday morning, Apple PR hadn't answered a query sent Tuesday morning, but Wired reported that the company had stopped resetting passwords over the phone.
Why Honan in particular? The hackers, he wrote, only wanted to play with a three-letter Twitter handle. Everything else, including possibly zapping a year and a half of photos of Honan's baby, was collateral damage.
Most of us aren't such an attractive target, but our risk is not zero either. Five defensive measures come to mind, which Honan endorsed when I talked with him by phone on Tuesday:
Be careful out there, everyone.
Credit: Rob Pegoraro / Discovery