Over the weekend, Wired posted a digital horror story outlining how Mat Honan’s digital life was completely erased by malicious hackers. In about an hour, hackers compromised Mat’s Amazon, Twitter, Google, and Apple accounts and then proceeded to delete data, post tweets, and wreak havoc on Mat’s life both on and offline.
One of the most frightening parts of the story is that Mat’s accounts weren’t compromised by a team of elite hackers using unknown attack vectors. Instead, they were breached by a combination of social engineering, bad luck, and a lapse in security protocols. Looking at what happened to Mat, the linchpin of the attack was the compromise of his various email accounts.
Unfortunately, access to a user’s email accounts has become the ultimate gatekeeper to their digital lives. Need to reset a Twitter password? Just check your email. Need to confirm adding a new authorized credit card user? Confirm via email. Need to contact support? Only via email. Mat’s story highlights just how critical protecting your email account is: the most important link in the chain should never also be the weakest.
So how can you take steps to improve the security of your email account? If you use Gmail, you absolutely MUST enable “two-factor authentication” right now. The basic premise behind two-factor authentication is that in order to access your account you need to “know something” (your password) and “have something” (your phone). This effectively protects you against an attacker who has simply compromised your password, because without your phone they’ll be unable to access your account. Google’s Matt Cutts posted a good write-up this morning detailing the benefits and myths associated with Google’s two-factor authentication.
Unfortunately, not every email provider supports two-factor authentication, and it’s surprisingly rare to find it available on other “cloud” applications. Even most financial service companies don’t support it. If you’re a developer looking to support two-factor authentication, check out Google’s open source “Google Authenticator” on Google Code.
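To make the “know something / have something” idea concrete, here is an added example (written for this post, not code from Google Authenticator or from the original article) of the time-based one-time password scheme (TOTP, RFC 6238) that Google Authenticator implements. The server and the phone share a secret; the phone derives a short code from the current 30-second time step, so a stolen password alone is not enough. The secret and timestamps below are the published RFC 4226/6238 test values, not a real account.

```python
import base64
import hashlib
import hmac
import struct

# RFC 4226/6238 test secret ("12345678901234567890"), in the base32 form
# that authenticator apps accept when you enrol a new account.
SHARED_SECRET_B32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"
TIME_STEP_SECONDS = 30


def decode_secret(secret_b32: str) -> bytes:
    """Authenticator apps show the secret as base32 (case-insensitive)."""
    return base64.b32decode(secret_b32, casefold=True)


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                       # low nibble of last byte picks a window
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, unix_time: int, digits: int = 6) -> str:
    """RFC 6238: the phone's code is HOTP with counter = floor(time / 30s)."""
    return hotp(secret, unix_time // TIME_STEP_SECONDS, digits)


def verify_totp(secret: bytes, submitted: str, unix_time: int, window: int = 1) -> bool:
    """Server-side check. Tolerates clock skew of +/- `window` steps and
    compares in constant time so timing does not leak which digits matched."""
    current = unix_time // TIME_STEP_SECONDS
    for counter in range(current - window, current + window + 1):
        if hmac.compare_digest(hotp(secret, counter), submitted):
            return True
    return False


def login(password_ok: bool, submitted_code: str, unix_time: int) -> bool:
    """Both factors must pass: the password check (done elsewhere) and the code."""
    secret = decode_secret(SHARED_SECRET_B32)
    return password_ok and verify_totp(secret, submitted_code, unix_time)


if __name__ == "__main__":
    key = decode_secret(SHARED_SECRET_B32)
    print("code at T=59:", totp(key, 59))          # 287082 per RFC 6238
    print("login with password only:", login(True, "000000", 59))
    print("login with password + code:", login(True, totp(key, 59), 59))
```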