This past week, writer Mat Honan had the unthinkable happen. Someone got into his iCloud account, and they were able to remotely wipe his iPhone, iPad and MacBook Air and delete his Google account that was attached to his iCloud account. The initial assumption was that this happened because the hacker brute-forced his way into Honan’s account. After some further digging, it came to light that the hacker was simply able to use social engineering to trick Apple Support into resetting Honan’s password.
As much as we like to trumpet the use of good passwords, this is one instance in which a good password would not have made a difference. You can use the best password in the world, but if someone can socially engineer you, or someone at the site or service itself, into revealing or resetting your password, it will make no difference. That isn’t to say that strong passwords are not important; having a strong password will protect you against the majority of common attacks. But you should definitely not bet the farm on a password.
There are a number of questions that this brings up, of course:
Honan learned the answer to this first question the hard way: Make regular backups in multiple locations. Do not just rely on the Cloud to store your backups: websites are not bulletproof, companies go out of business, disasters happen. Honan may recover the accounts that were compromised during this hack, but that is in no way certain in every case. He may not be able to recover the year’s worth of data he hadn’t backed up in another location. (Though he was fortunate that the remote wipe did not complete, so it may not all be lost.)
For the second question, we’ll define the attack as a compromise of any online account that contains a whole lot of your important data, whether that be your contacts, your calendar, entire backups, selected files, or just links to a lot of your other accounts (social networking, banking, online shopping, etc.). This could be iCloud, it could be Google, it could be any number of different services.
We have to assume that you can’t trust the protection of your password alone, as that could be stolen by social engineering or hacking of some other sort. But this is another place where a layered defense strategy comes in handy. We already covered the need to back up your data in multiple places. But what else can you do?
And lastly, how likely is this to happen to you? The exact situation that Honan describes is fairly unlikely. Most of us are in more danger of our devices being stolen than of having someone go to the trouble of gaining access to our important passwords and then destroying the data. This was a very clear case of a targeted attack. And hopefully this is something that Apple will address by strengthening the requirements for remote wipes. You should not be able to destroy your data by an accidental mis-click or two.
As this story is still unfolding, it will be interesting to hear what changes this may bring and how Apple responds to this incident, and whether any more information comes to light about how exactly the hacker conned the support rep into resetting Honan’s password.
What questions do you hope are answered after this incident? Have you gone to Apple’s support for a password reset request? If so, what was your experience?