Every CIO knows that tools like Google two-factor authentication are an easy, automated way to stop hackers, but not everyone follows security best practices -- particularly on our personal accounts. Unfortunately, the line between work and personal life has blurred, meaning that your business' data privacy is only as good as your users' best security practices. Last Friday -- ironically, the very day we urged everyone to change their Dropbox and Yahoo passwords -- journalist Mat Honan was iHacked. Hackers were able to wipe his iPhone, iPad and MacBook remotely, while taking command of two Twitter accounts and wiping his hacked Gmail account and personal iCloud.
It was the iHack heard around the world. When Honan's iPhone powered down late Friday afternoon, he learned that someone claiming to be him had called Apple to get a password reset on his .Me email. Apple had complied because the caller provided Honan's billing address and the last four digits of his credit card -- two pieces of information that everyone from your online shopping merchants to your pizza delivery boy have at their disposal. (In this case, they got it easily from Amazon, which reveals the last four digits of Honan's credit card -- and yours -- to anyone with an Internet connection.)
But wait, how did the hackers know that Honan had an Apple account? Because they looked at his personal website, which showed his Gmail account. The hackers tried to log into his Gmail account -- knowing they wouldn't get in -- and Gmail helpfully revealed his alternate recovery email -- a .Me account. One call to Apple, and the iHack was on.
The hackers weren't using brute force, cracking algorithms, keystroke logging or stolen passwords. They used good old-fashioned social engineering.
They wiped Honan's iPhone, iPad and MacBook Pro (thanks to the Find My Mac feature in Apple's Lion OS). Because Honan hadn't enabled Google two-factor authentication, they hacked his Gmail account. Once they had what they needed, they deleted his entire Google account and wiped his iCloud. Then they posted offensive tweets on his Twitter account to troll his 17K-plus followers. Honan also was a contributor to the Gizmodo Twitter account, so they nailed that one too. They could have used his email accounts to access his financial services and medical records, as well as his online banking system. Luckily for him, they were only after the Twitter accounts.
Strong passwords useless in iHack
The important takeaway from the iHack hijinx is this: The hackers weren't using brute force, cracking algorithms, keystroke logging or stolen passwords from Dropbox and Yahoo. Honan was using strong passwords, but that didn't stop the hackers. They used good old-fashioned social engineering, and exploited Apple and Amazon's own security weaknesses.
Using one or two emails for most of our cloud services is extremely convenient, but it also provides hackers an easy access point to do a lot of damage in a short amount of time. In this situation, if Honan had activated Google two-factor authentication to stop hackers from accessing some of his cloud-based social life and accounts, he would have saved some of his data and accounts. His Apple devices and iCloud still would have been wiped, however.
More from CIO Matters
Are your users' passwords safe from hackers?
Marissa Mayer sets example for women in technology
Water depletion managed with BI strategy
Correlation, not causation: Business hypothesis fails
Apple asserts that its password-change identity loophole has been closed and that it now follows best security practices for authenticating its users. Amazon has quietly responded as well, making sure it no longer shows the last four digits of a customer's credit card. Of course, that doesn't mean that hackers can't get that information -- they just won't be getting it from Amazon. As Honan said, "every time you call Pizza Hut, you've giving the 16-year-old on the other end of the line all he needs to take over your entire digital life."
Honan's iHack should serve as a solid reminder to CIOs that the best security practices against technological attacks can still falter in the face of socially engineered hacks. Tools like Google two-factor authentication can prevent the total annihilation of cloud computing services, but it's not going to stop anyone from calling a help desk agent and getting a password reset if the company has lax processes. When it comes to best security practices, we're all susceptible to a well-executed social engineering exploit. It's people, rather than processes, that CIOs really need to worry about.