The web was buzzing this weekend with Mat Honan's tale of woe. Mat, a former writer for Gizmodo, had his iCloud account compromised by a known hacker group who was apparently intent on gaining access to GIzmodo's twitter account and ufnortuantly used Mat as the conduit. Mat has revised his original post with several updates throughout the weekend and plans to discuss the event in more detail in an upcoming Wired piece.
What struck me was the amount of damage that can be done when an iCloud account is hacked. For example, as Mat experienced:
- If "Find my iPhone" is enabled an iPhone, iPad, iPod Touch or even a Mac can be remotely wiped
- The hacker will have access to your synced contacts, calendar, notes and reminder data
- Full access to your iCloud email which in many cases can be used to access other accounts by requesting a "password reset" (in Mat's case, his Gmail account was then compromised by requesting a password reset that was sent to his iCloud account)
- Conceivably the hacker could access your iCloud data if they restored your account to one of their devices.
- If you store your credit card information with Apple (which I believe is done automatically if you use a credit card for iTunes or Apple Store purchases) they can run up charges
To make matters worse for Mat, he did not have a recent backup so when the hacker wiped his computer and iOS devices he lost data, possibly forever.
While initial reports seem to indicate that Mat's iCloud account password (which hadn't been updated in several years and was only seven characters long) was brute force hacked, new evidence seems to suggest that the hackers got in through Apple's own tech support via some "clever social engineering" that allowed them to bypass security questions. As it turns out, this may not be the first time a user's data was compromised by Apple. Marko Karppien relayed a similar event from 2008 where an attacker was able to get an Apple ID password reset with a pathetic email to Apple Support. If this is true, it makes the whole situation all the more terrifying as there's only so much an individual user can do to protect themselves. My hope is the publicity surrounding this most recent event will cause Apple to take a closer look at their internal security policies.
For now, what can we do to protect oursleves? Here's what I've come up with and the security procedures I've implemented, some of them new since this news broke:
- Use a strong, unique password for your Apple ID and/or iCloud Account - This is tough because your Apple ID is entered frequently on an iPhone where entering long complicated passwords can be a pain. I use 1Password (disclaimer: 1Password is a long time sponsor of Mac Power Users) to generate a random password that I then copy and paste into iTunes and on my iPhone when necessary. I'll admit, it's a pain but given the potential consequences, I deal with it.
- Change your Apple ID/iCloud Password Regularly - In a tip I picked up from David Sparks, I change this password along with other "critical" passwords at least twice a year when the time changes. More often if I feel then need. Again, this is a bit of a pain because every time I change my Apple ID password, for days I'm finding random places where I forgot to update the password because it's used for so many things. (Like on my Airport routers!)
- Use your security questions - Recently, Apple implemented security questions for resetting or changing the password on your Apple ID. Use them. Some people suggest the answers to your security questions should be nonsensical or gibberish so they're not prone to social engineering attacks. Obviously if you choose to do that make sure you keep track of your answers. (Again, you could use 1Password for this.)
- Enable 2-step Verification - Unfortunately iCloud email doesn't offer 2-step authentication, but Google does. I have a Gmail account that is my backup account and I'm considering sending more of my mail to that account, especially using that as my default account for password resets and critical information since it does support this feature. Google has a nice video explaining out hit works. While I've had some complaints about Google services in the past, I have to admit, Gmail is pretty awesome and for the fist time I actually find myself considering switching over to Gmail as my primary email with 2-step Verification being a big reason.
- Use a virtual credit card number - I learned this one the hard way a couple years ago and blogged about how I use a feature from my credit card company called "ShopSafe" to create a virtual credit card number that I use exclusively in the iTunes and App store. Using this virtual card I'm able to set specifics stores and spending limits so that if my account was compromised any transactions outside my set limits or approved merchants would be declined. The one drawback is that when I do make a large purchase from the Apple Online Store I have to enter an alternate card number, but the default that is stored on Apple's servers is the virtual card.
- Have good backups - When bad things do happen, at least you can recover. In my book you have to have three things to have a good backup strategy: 1) It must be automatic 2) It must have built-in redundancy and 3) it must have some off-site component.
- Develop a contingency plan - I'm still working not the details of this one on myself, but the realty is if you find yourself in the situation of having been hacked you're going to need to act quickly and probably won't have the clearest head. Probably a good idea to take some time now to figure out what services you need to disable, who you need to contact and steps you need to take to minimize damage as quickly as possible.
I'm sure this isn't the last we've heard of this story. I'm waiting for Apple's response in the coming days.