Online Identity Protection – A Wired Writer’s Cautionary Tale
August 10, 2012
Last week, Mat Honan had a very bad day online. So bad, in fact, that you may have seen him on the news or heard his story on the radio. His online identity was stolen, all of his important online accounts were hacked, and the hackers wiped the data from his devices to cover their tracks.
“Data” like all of the photos of his daughter.
Mat is a smart guy. He works for Wired magazine and he had pretty good procedures for his online identity protection—but he still got hacked. You can read his whole story at Wired.
Protecting your online identity is a critical component of data security, so we thought we’d share how the hackers gained access to his information—and how you can prevent it from happening to you.
Online identity theft—A hacking how-to
Mat’s hackers used two main tactics.
- They tricked the website/tech support of one organization into revealing a tiny piece of innocuous information, and then used that information to gain even more information from another organization. Rinse, lather and repeat.
- They continued until they had enough information to convince someone that they were Mat, and gained access to his account.
The hackers were able to guess the email addresses he used for each account. In some cases they only had parts of the email address, but because Mat used a reasonable address based on his real name, and because he used that same name on multiple sites, they were able to put two and two together.
Now remember, Mat didn’t really do anything wrong. He used strong passwords, and used a different password at each site. (If you’re not already doing that, check out our article on managing your passwords with LastPass.)
In Mat’s case, the hackers got their information from Amazon and Apple. While both companies have since revised their policies to prevent this sort of attack, there are still some measures we recommend you take to prevent this sort of data escalation.
Always, always, always use different email addresses for different accounts
This is certainly more of a pain than simply having multiple passwords, as you need to create multiple email accounts, but it’s well worth your time. Just ask Mat.
For accounts you care about, you can create email addresses at Hotmail, Gmail, or Yahoo. For quick confirmation emails, you can use “disposable” addresses from 10 Minute Email, Mailinator, or similar sites. Temporary addresses are great because they cannot be used against you, but remember—if you forget your password, no one can send you a password recovery email. Alternatively, Gmail allows you to create your own addresses by tacking any arbitrary string onto your username after a plus sign.
When creating custom addresses, keep these thoughts in mind:
- Some systems reveal the first and last few characters of the email address name, so an attacker sees that snippet too. Make sure your combined name isn’t guessable from it. Use a long string.
- Some systems reject the plus sign in an email address. The plus is allowed by the email standards, but some older systems don’t accept it.
Another nice Gmail feature is that it ignores periods in the username. So the same name written with and without periods (first.last and firstlast, for example) reaches the same mailbox.
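To make the alias advice above concrete, here is an added Python example (not code from the original post): it collapses a Gmail address to the mailbox it actually reaches, derives a per-site plus-address whose tag is a long keyed hash rather than a guessable word, and measures how much of an address stays hidden behind the partially masked hint some systems show. The per-user secret key, the hint format (first and last two characters shown) and the threshold of eight hidden characters are assumptions for this example.

```python
import hashlib
import hmac

GMAIL_DOMAINS = ("gmail.com", "googlemail.com")


def canonical_gmail(address: str) -> str:
    """Return the mailbox a Gmail alias actually delivers to.

    Gmail ignores dots in the local part and everything after a '+',
    so first.last+shop@gmail.com and firstlast@gmail.com are one inbox.
    Other domains are left untouched (dots are significant there).
    """
    local, _, domain = address.strip().lower().rpartition("@")
    if domain in GMAIL_DOMAINS:
        local = local.split("+", 1)[0].replace(".", "")
    return f"{local}@{domain}"


def site_alias(base: str, site: str, secret: bytes, tag_len: int = 12) -> str:
    """Derive a per-site plus-address with an unguessable tag.

    The tag is a keyed hash of the site name, so an alias leaked by one
    site says nothing about the alias used at another. `secret` is a
    hypothetical per-user key the owner keeps in a password manager.
    """
    local, _, domain = base.rpartition("@")
    tag = hmac.new(secret, site.lower().encode(), hashlib.sha256).hexdigest()[:tag_len]
    return f"{local}+{tag}@{domain}"


def recovery_hint(address: str, show: int = 2) -> str:
    """Imitate a partially masked address as some recovery pages display it.

    Shows the first and last `show` characters of the local part; the
    exact format is an assumption for this example.
    """
    local, _, domain = address.rpartition("@")
    if len(local) <= 2 * show:
        return address  # too short to mask anything
    masked = local[:show] + "*" * (len(local) - 2 * show) + local[-show:]
    return f"{masked}@{domain}"


def hidden_chars(address: str, show: int = 2) -> int:
    """Number of local-part characters such a hint keeps hidden."""
    local = address.rpartition("@")[0]
    return max(0, len(local) - 2 * show)


def alias_is_long_enough(address: str, min_hidden: int = 8, show: int = 2) -> bool:
    """The article's 'use a long string' advice with a concrete bar.

    `min_hidden` = 8 is an assumed threshold, not a standard.
    """
    return hidden_chars(address, show) >= min_hidden


if __name__ == "__main__":
    key = b"example-only-secret"  # constructed for this demo
    alias = site_alias("first.last@gmail.com", "Shop-Example", key)
    print(alias, "->", canonical_gmail(alias))
    for addr in ("matt@gmail.com", alias):
        print(recovery_hint(addr), hidden_chars(addr), alias_is_long_enough(addr))
```

Because the tag is keyed, the owner can regenerate any site's alias from the base address and the key, while someone holding one alias cannot work backwards to the others.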
Security questions? Lie like a rug
“Security questions” are exactly the opposite of secure. As you know, they’re a way to access your account when you cannot provide the correct security information. Most of the famous celebrity photo hacks were executed by answering security questions with publicly available information.
So, your mother’s maiden name? Pass on “Franklin” and go with “telephone507.” Your first pet? You’ll not be dishonoring “Bandit’s” memory when you answer, “3.14.”
Sure, it’s another form of password that you’ll need to record, but this is one of the biggest security holes out there.
Use “Second Factor Authentication” to protect your online identity
“Second Factor Authentication” (a.k.a. “multifactor authentication”) means you have to use two methods to authenticate your identity: something you know (your password) and something you have (your phone, a digital authenticator, a fingerprint, etc.).
If you turn on “Second Factor Authentication,” on Gmail for instance, every time you attempt to log in, Google will send you a text message with an authentication code. If you don’t have your phone, you can’t log in.
This is extremely secure. However, it can be a huge bother if you use multiple computers, multiple accounts, or any of the Google services that don’t directly support multifactor authentication. Where the data is critical, though, you might consider this option.
Second Factor Authentication is available for a number of services that deal with money: PayPal/eBay, Google, Facebook, various banks, and Blizzard games (e.g. “World of Warcraft”).
You can take your online security a step further by increasing the security of your LastPass account. For example, you could use a YubiKey, a USB device that uses a dynamically generated key to confirm your identity. LastPass also supports fingerprint readers and “smart” cards on some devices.
These security and authentication systems aren’t just for online accounts, mind you. Just this week, Starbucks announced a partnership with Square. Soon some Starbucks will be using the Square geo-fencing system and accepting payments via Square. The two factors in that authentication system are the phone in your pocket and your face.
Now, Mat’s story should have a happy ending: his laptop drive is being recovered and his accounts are being restored. But you may not be so lucky. If you haven’t put much thought into protecting your online identity, now’s the time.