Whenever I hear of a high-profile subject being hacked, I start looking for which common security recommendation was overlooked or ignored. Was it a poor password that was shared among several sites? Or was it something a little more exciting, like Bluetooth being left on and data stolen that way?
Everyone, myself included, stresses the importance of strong passwords, putting PINs on devices, never letting your smartphone out of sight and turning off unnecessary sharing services, so usually when someone is breached, it's because they failed to implement one or more of those measures. However, none of them would have helped former Gizmodo journalist Mat Honan, who had his digital life wiped.
If you haven't read my colleague Emil Protalinski's write-up on how the hack went down, I urge you to go read it.
In a nutshell, Honan lived through a geek's worst nightmare: his MacBook Air, iPhone and iPad were all wiped; his Gmail, .mac email, iCloud and Twitter accounts completely compromised. The hack even had consequences for his former employer, which had still not revoked Honan's access to the Gizmodo Twitter account.
But this isn't a dig at Honan, as his case demonstrates that even if he had followed all of the traditional advice that security gurus usually dole out, it wouldn't have made much difference in preventing the wipe of his data.
Sure, he had a seven-character alphanumeric password on his iCloud account, weak by today's standards, and no PIN on his iPhone, but that didn't really matter.
What did matter was that an Apple employee was socially engineered into giving a stranger access to Honan's account. It effectively meant that even if Honan had been a paranoid security geek with an extremely long password and a PIN that changed every few hours, he still would have fallen victim to the attack. Honan could have implemented all the security measures he wanted on his devices and physically locked down his MacBook Air, but at the end of the day, he still would have been compromised by the duped customer support employee, sitting in a call centre on the other side of the world.
What's most worrying about the situation is that Honan wrote on his blog that Apple's staff chose to bypass his security questions. Honan could have been blamed if he had chosen his security questions and answers poorly, such that they could have been pulled from social networks or obtained by social engineering Honan himself, but these never came into the equation.
Two-factor authentication may have prevented this, yes — but, again, that has been shown to (at least temporarily) have flaws on the provider's side, and when it comes to high-profile targets, even the token providers themselves may be vulnerable. And the onus is still on Apple to provide this service, which it currently doesn't.
The fact is, Honan's case demonstrates a gaping loophole in the effectiveness of one's own security. You can't just trust yourself to implement great security; you also have to trust that your provider cares about it as much as, or more than, you do. And when it comes to determining how much we can trust a provider, it's a bit of a stab in the dark.
You might trust Apple, given that it may be more vigilant following this episode, but more realistically, you're probably stuck using it, as only Apple can provide iCloud services. Even when it comes to other services that may have multiple providers, it's almost impossible to tell how good their security is. Who is manning their call centres — who ultimately holds the keys to your accounts? Is it an easily bribed kid, looking for some money over the summer break? Or someone who can be easily manipulated through threats to their family? Is the call centre even internal to the company, or is it outsourced? The sad fact is, we'll likely never know, but we still have to trust them.
At this level of scrutiny, you could accuse me of being too pedantic about security — and in the past, I might have agreed with you — but security is risk-based, and the risks are, again, beginning to shift. There was minimal risk in the past that someone would actually call up and try to dupe call centre staff, so we lived with it. There was also less information online that fraudsters could use as ammunition. Honan's case, however, shows that you only need to be a journalist, one who may not have even deeply offended anyone, to have your digital life erased for someone else's entertainment.