If you haven't already, read the story about the epic hack of Mat Honan that he wrote for Wired. It's a cuationary tale that every iCloud user needs to read.
The hacker's presumed motive was Honan's @mat Twitter account which they wanted to broadcast spam vitriol to his 15,000 followers -- but what they got was much more.
They started with his iCloud account and once in control of it they were able to recover the passwords for his Google and Twitter accounts.
During the Mayhem the hackers also discovered that Honan had linked the Gizmodo Twitter account to his own, so in addition to Honan's 15,000 followers, the hackers were able to tweet to @gizmodo's 400,000+ followers.
But what's most stunning is how they hacked him in the first place. According to Honan's account on Wired, Hackers simply called Apple and -- get this -- gave his name, address and the last four digits of the credit card he had on file. That's it.
Most people's physical address is pretty easily obtained via creative Googling and Honan's hackers were able to obtain the last four digits of his credit card number from Amazon. According to MacRumors:
Honan's hacker used a loophole in Amazon's security systems which don't protect the last-four digits of their user's credit card information. The hack requires a two-step phone call to Amazon. In the first call, Amazon allows you to add a second credit card to the account by simply offering the account's billing address, name and email address. Then, a second call allows you to add a second email address by verifying the previously added credit card. This second email address then has access to the account information including the last four digits of the original credit card.
With this information Apple technical support reset Honan's iCloud account and issued the hackers a "temporary password." Sounds innocuous enough, but it was the equivalent of them giving hackers the keys to his digital life.
It's not all Apple and Amazon's fault though.
Honan did a couple of foolish things along the way, like using his iCloud address as the recovery address for his Gmail and Twitter accounts and not backing up the baby photos on his MacBook Air. But none of this would have happened if an Apple representative had not given hackers access to his Apple ID with simple social engineering.
Until Apple fixes its porous iCloud security, here are some things you can do to protect yourself:
- Make sure that you have a strong iCloud/Apple ID password. (Here's how to change it).
- Use unique passwords to protect different accounts (I recommend 1Password for this). If you're using the same password for your online banking as your webmail account you're asking to be hacked. At a minimum, use tiered passwords: a superstrong one for anything financial, another one for your email and a third for everything else.
- Use a throwaway email address (that's not linked to anything) for forms and retail-related spam. The less personal information that's in it, the better.
- Enable two-step verification on your Google account and protect it. Don't use your primary email address for every retailer and web form that asks for it. (See #3 above.)
- Buy a domain name, host it with an ISP you trust and set up email accounts on that domain for your high security/financial accounts. Use email accounts you control (not webmail) for high security applications and for password recovery.
- Use different credit cards for Amazon and your Apple ID.
- Back up your most important data to physical media that you control. Ideally two copies on-site and one off-site (at work, your parent's or a friend's house).
Apple needs to address this breach swiftly and definitively or it risk losing the goodwill and trust that it's built up in iCloud.
Update: Apple spokesperson Natalie Kerris gave this statement on the issue (via CNET):
Apple takes customer privacy seriously and requires multiple forms of verification before resetting an Apple ID password. In this particular case, the customer's data was compromised by a person who had acquired personal information about the customer. In addition, we found that our own internal policies were not followed completely. We are reviewing all of our processes for resetting account passwords to ensure our customers' data is protected.