More than one party at fault

Honan admits that he’s partly to blame, for daisy-chaining three online accounts so that the failure of one would lead to the failure of the next; for putting his street address on his personal website’s domain registration (when a P.O. box would have worked); for not backing up his laptop to a physical disk; for not using two-factor authentication on his Gmail account; and, worst of all, for enabling his iCloud account to wipe his laptop’s hard drive.

“While that service makes sense for phones (which are quite likely to be lost) it makes less sense for computers,” Honan wrote. “You are almost certainly more likely to have your computer accessed remotely than physically.”

An Apple spokeswoman told Honan that “in this particular case,” the company had “found that our own internal policies were not followed completely.”

Honan and his Wired colleagues wanted to make sure. They tried the same method on a different Apple account — and got in.

“You honestly can get into any email associated with Apple,” a Twitter user who claimed to be part of the crew that hacked Honan told him.

Who didn’t mess up

Ironically, the hacker who spoke to Honan said he and his friends were only after his Twitter account, which was linked to Honan’s Gmail address. Honan’s erased iPhone, iPad, iCloud account and all the lost data on his MacBook, including every photo he had of his year-old daughter, were collateral damage.

“If I had some other account aside from an Apple e-mail address, or had used two-factor authentication for Gmail, everything would have stopped here,” Honan wrote. “But using the .Me [iCloud] email account as a backup meant telling the hacker I had an AppleID account, which meant I was vulnerable to being hacked.”

Avoid the dark clouds behind the silver lining

In a way, it’s better for everyone that such a disaster happened to such a high-profile person at this stage in the growth of cloud computing.

Honan, to put it bluntly, believed too strongly in the virtues of always-connected, available-from-everywhere services. He no longer does.

“My experience leads me to believe that cloud-based systems need fundamentally different security measures,” he wrote. “Password-based security mechanisms — which can be cracked, reset and socially engineered — no longer suffice in the era of cloud computing.”

Until those new security methods arrive, here’s how to avoid becoming the next Mat Honan:

— Do not use a credit card at all to pay for iTunes purchases. Instead, use gift cards that you buy at physical stores.

— Turn on two-factor authentication in Gmail. It can be a hassle to set up, especially for mobile access, but once it’s done, it’ll be much harder for someone to hijack your Google account. (Facebook also offers two-factor authentication.)

— Split your Apple accounts: Create one account for iTunes, another for iCloud. Again, that’s inconvenient, but it’ll protect your Apple devices in case your iTunes account gets hijacked, which happens more frequently than you’d think.

— Do not “daisy chain” your accounts so that one password-reset attempt leads to another. Instead, create a new email account to be used only for such notifications, perhaps even a new one for each account. If you’re the kind of person who runs his or her own Web server, make it an email address based on a server you control.
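As an added illustration (not from the article or from Honan), the Python script below models the daisy chain the article describes as a graph of password-reset links and computes how far a single account takeover spreads, before and after the advice above is applied. The account names and both configurations are constructed for the example.

```python
from collections import deque

# Constructed account graph mirroring the chain the article describes.
# links[X] lists accounts whose password can be reset once X is controlled
# (X is their recovery e-mail or a linked service); think of it as edge X -> Y.
CHAINED = {
    "apple-id": ["gmail", "icloud-devices"],  # .Me mail is Gmail's backup; iCloud can wipe devices
    "gmail": ["twitter"],                     # Twitter resets through the Gmail address
    "twitter": [],
    "icloud-devices": [],
}

# Same accounts after the article's advice: one dedicated recovery address
# (on a server you control) per account, and the Apple accounts split.
SPLIT = {
    "recovery-apple@own": ["apple-id"],
    "recovery-gmail@own": ["gmail"],
    "recovery-twitter@own": ["twitter"],
    "recovery-icloud@own": ["icloud-devices"],
    "apple-id": [], "gmail": [], "twitter": [], "icloud-devices": [],
}

def blast_radius(links, start):
    """Every account an attacker controls, transitively, after taking over `start`."""
    seen, queue = {start}, deque([start])
    while queue:
        for nxt in links.get(queue.popleft(), ()):
            if nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    return seen

def longest_chain(links):
    """Longest reset chain as a list of accounts; cycles are cut by `not in path`."""
    best = []
    def walk(acct, path):
        nonlocal best
        if len(path) > len(best):
            best = list(path)
        for nxt in links.get(acct, ()):
            if nxt not in path:
                walk(nxt, path + [nxt])
    for acct in links:
        walk(acct, [acct])
    return best

def risky_accounts(links, limit=1):
    """Accounts whose takeover cascades to more than `limit` others
    (a dedicated recovery address legitimately reaches exactly one)."""
    return sorted(a for a in links if len(blast_radius(links, a)) - 1 > limit)

if __name__ == "__main__":
    for name, graph in (("chained", CHAINED), ("split", SPLIT)):
        print(name, "longest chain:", " -> ".join(longest_chain(graph)),
              "| risky:", risky_accounts(graph))
```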


Copyright 2012 SecurityNewsDaily, a TechMediaNetwork company. All rights reserved. This material may not be published, broadcast, rewritten or redistributed.