Wired writer Mat Honan had a very bad digital day recently.
First hackers used the "whois" function on Mr. Honan's website to get his mailing address.
As Mr. Honan explained in a posting at wired.com, Amazon allowed users to add a credit card number to an account simply by calling and providing a name, email address and billing address. After hackers used this method of adding a credit card number to Mr. Honan's account, they called back to claim they'd lost access to the account.
At this point, they provided the fake credit card number, convincing Amazon to let them add a new email address to the account. The next step was going to the Amazon website and requesting that a password reset email be sent to that email address. From there, the hackers could view the last four digits of Mr. Honan's credit cards on Amazon's website.
With those four digits (and Mr. Honan's user name and billing address), hackers convinced Apple to send a temporary password that let them take over his iCloud account.
"The very four digits that Amazon considers unimportant enough to display in the clear on the Web are precisely the same ones that Apple considers secure enough to perform identity verification," Mr. Honan wrote.
Once the hackers had control of the iCloud account, they used Apple's "Find My" feature that allowed them remotely to wipe everything on his iPhone, iPad and MacBook Air.
And then they took over his Twitter account and used it to send unsavory messages.
To his credit, Mr. Honan admits his actions in some ways made the hack possible.
It is a cautionary tale for all of us.
With so much material stored online and so many ways to get to it, it is time for people to start using two-factor authentication instead of just relying on a single password.
Two-factor authentication requires two credentials to let you into an account. The first is your password. The second is something you have with you: a biometric marker like a fingerprint, an electronic key tag, or a cell phone that can generate a unique code.
Last year, Google turned on two-factor authentication for its accounts. After you activate it, you install the "authenticator" app on your smartphone. Now when you log in, you type in your password and the code generated by your phone (it works even if your phone is offline).
If you don't have a smartphone, you can have the code texted to you. Facebook also added two-factor authentication last year. Other sites also should enable it.
Secondly, don't have your accounts daisy-chained together. If they're all pointing to one another, a single hack could let an attacker get into everything else.
For instance, if Gmail is set to send password resets to your Apple account, and your bank is sending requests to Gmail, then all the hacker needs to do to wreak havoc on your finances is steal your iTunes password.
Slate.com recommends you create a single, secret, ultrasecure email address that you designate as the one place to send all password resets. Create a new Gmail account with a very strong password and two-factor authentication turned on. Now go to all your other accounts and have them send password requests to this secret address.
For accounts where two-factor authentication is not available, don't use the same logon and password for multiple accounts.
Also sign up for an online backup service or back up your data to a hard drive that is unplugged from your computer and turned off when it is not being used.
If you do these things, you will have gone a long way toward not having a very bad digital day.interact
Read TechMan's blog at post-gazette.com/techman. View or listen to TechTalk at multimedia.post-gazette.com.