Until yesterday, the only information necessary to take over an iCloud account was (1) a me.com email address, (2) your billing address, and (3) the last four digits of your credit card number, none of which are particularly difficult to find. Depending on how your accounts are set up, that could lead to a breach of lots of other accounts.
Apple has stopped this practice while it works out a change to its procedures (so has Amazon, which was not compromised but played a key role in the hack). Still, I think it’s fair to put iCloud in the yellow alert category for security, for now.
Here is how to avoid a huge security breach and data loss like Mat Honan suffered.
Perhaps the worst effect of Honan’s hack was the loss of data, like pictures of his daughter. He may be able to get some of his stuff back, but that depends on whether Apple can recover the data on his drive, which is not at all guaranteed. And while I sympathize with Honan over the loss, I can’t understand why that stuff wasn’t backed up. External hard drives are dirt cheap. So is a secure backup service like CrashPlan that encrypts your files before they leave your computer.
How would you like to be sitting around waiting to see if a disc recovery service can recover enough of your client files in time for a trial the next day?
It is equally important, by the way, to back up the information you have in the cloud. For example, I sync up my Gmail account with Outlook so I have the files locally even if Gmail goes down or someone gets into my account.
Use two-factor authentication for key services
Many services that take security seriously offer two-factor authentication. When you turn it on, you must use something you know (your password) and something you have (your phone) to log in to your account. I have been using two-factor authentication with my Google accounts for a while, and it is easy to use, very well implemented, and reduces the risk of my account being compromised considerably. If Honan had been using two-factor authentication, it would have substantially reduced the damage.
Two-factor authentication is spreading. Dropbox promises to offer it soon, and LastPass already does. You don’t need to turn it on for everything, but you should use it for the big stuff like your email, passwords, and files.
Don’t use insecure email accounts (like me.com) for password resets
Most cloud services ask for a primary email address and an alternate address to use for password resets. If you use an email address from a service that is not secure, a hacker can compromise the easy account, then use the password reset feature on your secure accounts to send password resets to your insecure email address. That’s exactly what happened to Honan, who used his me.com address as an alternate address for his Google account.
Instead, create a secure email address that you will only use for things like password resets. A free Gmail account would be a great idea for this.
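The chain described above is transitive: whatever can be reset from the weak mailbox can in turn reset everything that trusts it. As an added example (not from the original post), the script below models your own accounts as a graph of “resets go to” links and reports which accounts a single weak recovery address exposes, plus which accounts should be repointed at a dedicated reset-only address. The account names and links are constructed for illustration; only the me.com-to-Google link mirrors what the post describes.

```python
from collections import deque

# Constructed sample: account -> addresses that receive its password resets.
RESET_TARGETS = {
    "me.com": [],
    "google": ["me.com"],              # the alternate address, as in the Honan case
    "bank": ["google"],
    "online_store": ["google"],
    "reset_only_gmail": [],            # dedicated address used for nothing else
    "work_vpn": ["reset_only_gmail"],
}

# Addresses you consider weakly protected (no two-factor, easy reset questions, etc.).
WEAK_ADDRESSES = {"me.com"}


def exposed_by(weak_account: str, reset_targets: dict) -> list:
    """Every account whose password can be reset, directly or transitively,
    by someone who controls `weak_account`. Breadth-first search over the
    reversed graph (address -> accounts that send resets to it)."""
    resets_from = {}
    for account, targets in reset_targets.items():
        for target in targets:
            resets_from.setdefault(target, []).append(account)
    seen = set()
    queue = deque([weak_account])
    while queue:
        current = queue.popleft()
        for account in resets_from.get(current, []):
            if account not in seen:
                seen.add(account)
                queue.append(account)
    return sorted(seen)


def needs_repointing(reset_targets: dict, weak_addresses: set) -> list:
    """Accounts that send resets straight to a weak address; these are the
    links to cut by switching them to a reset-only mailbox."""
    return sorted(a for a, targets in reset_targets.items()
                  if any(t in weak_addresses for t in targets))


if __name__ == "__main__":
    for weak in WEAK_ADDRESSES:
        print(f"compromise of {weak} exposes: {exposed_by(weak, RESET_TARGETS)}")
    print("repoint these accounts:", needs_repointing(RESET_TARGETS, WEAK_ADDRESSES))
```

Run it against your real account list and the output is the priority order for fixing recovery addresses: anything reachable from a weak mailbox inherits that mailbox’s security, no matter how strong its own password is.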
Use good passwords
Still using the same password for multiple websites? You are a hacker’s dream victim, because all a hacker has to do is get into your least-secure account. Getting into everything else is cake.
Use LastPass (with two-factor authentication turned on) and start using better passwords. This would not have stopped a hack like the one Honan experienced, but it’s a no-brainer.