When Wired journalist Mat Honan's online accounts were hacked last week, the domino effect that followed stirred up an industry debate on identity verification – and how easily these systems can be compromised.
After a hacker gained access to Honan's Amazon account, they were then able to break into his AppleID account, thus wiping clean his iPhone, iPad and MacBook and gaining access to his Twitter account.
It wasn't the fact that Honan was hacked that raised eyebrows, but rather the way it happened. Armed with a few bits of Honan's personal information, the hacker called Apple and Amazon support and was able to retrieve enough data to access his accounts.
In response to the incident and the subsequent media attention, Amazon changed its policy earlier this week. Customers can no longer call in to change account settings, such as linked credit cards or email addresses.
Apple also beefed up its security policy, temporarily suspending the option for users to reset AppleID passwords via their call centers. The measure is in place as Apple implements a more secure way to verify the identity of customers wishing to reset passwords.
In a blog post, Honan wrote about the vulnerability of Apple and Amazon's identity verification methods, and how they expose an underlying problem in the tech world.
“The disconnect exposes flaws in data management policies endemic to the entire technology industry, and points to a looming nightmare as we enter the era of cloud computing and connected devices,” Honan wrote.
Eduard Goodman, chief privacy officer at identity and data risk management firm Identity Theft 911, told SCMagazine.com that the hacking saga highlights the thin line between convenience and security along which companies often teeter.
Today's breed of hackers has learned to exploit these weaknesses.
“Rather than having to know how a network or system actually operates, what they are exploiting are the administration and policy aspects,” Goodman said. “It's a whole different level of brilliance, because it's one that looks at social interactions rather than the IP protocols, codes and databases.”
Graham Cluley, senior technology consultant at Sophos, told SCMagazine.com in an email that setting up additional authentication steps at various accounts is necessary.
“Turning on additional security, when available, like Google two-factor authentication, is a must,” he said. “Sites like Facebook, for instance, allow you to assign roles to those staff who can edit a business' fan page rather than give them all 'god' rights that could widen the opportunities for abuse by a malicious attacker.”
Goodman advised companies and end-users to move away from having all of their devices and accounts connected.
“For one, if you are using Google Docs and Google Apps, maybe you shouldn't be using Gmail,” Goodman said. “Don't put all your eggs in one basket.”
Taking a few extra steps now could save users a major headache in the future, he said.
“Have an email address that's used for no other reason than for password retrievals and resets,” he said. “It also pays to go through and get rid of old emails. Distribute your services, which isn't convenient, but is a bit more secure.”