Everyone should by now be aware of what happened to Wired senior writer Mat Honan. A hacker clan wanted to take control of his @mat Twitter account simply because it only has three letters, and in the process managed to break into his Apple, Amazon, Twitter, and Google accounts, as well as Gizmodo’s Twitter account, by chaining together the different ways the services handle password recovery. The details are spelled out in Honan’s account of the events as well as here. Honan is a former writer for Gizmodo.
Although Honan lost a lot of personal data when the hackers cleaned out the contents of his iPhone, iPad and MacBook, he’s managed to regain control of all his accounts and is in the process of trying to retrieve the lost data.
The shocking breach has prompted Apple and Amazon to rethink the way they deal with password recovery, and as of now both companies have suspended such requests over the phone. Amazon has instructed its customer service department that customers can no longer change key details of their accounts over the phone, while Apple’s measure is temporary until the company finds a more permanent solution.
Google already has a security measure in place. Two-step verification, introduced in February last year, adds a second layer to the login that requires a code from Google’s Authenticator app (available for iPhone, Android, and BlackBerry devices) or a code delivered by SMS, which would have stopped this kind of account hijacking. Unfortunately Honan did not have it enabled.
Several blogs and other publications, as well as Google’s own Matt Cutts, immediately brought up this security measure once they discovered that a Google account was in the middle of this epic hack.
While two-step verification may be slightly more inconvenient, it is a necessary option for those who value their online data. It’s surprising that when Google announced this last year, it wasn’t followed immediately by companies like Microsoft, Apple, and Amazon.
Many banks and government institutions have already implemented this feature for things such as Internet and mobile banking purposes or access to email and other more sensitive data, but in many cases it requires a separate device to generate the random security codes.
For certain security levels a separate device may be preferred or even required, but a mobile app should be enough to give the general public secure access to their data online. The trade-off is that if their phone goes missing, they will have to quickly revoke the app from a computer they are already signed in on, since without the phone they cannot sign in to the account from any other computer.
Google’s method offers a failsafe, though: a computer-generated key that you print or write down and store elsewhere, which allows account access without the Authenticator app. Just don’t keep this key in your wallet. A lost wallet would hand your personal details and your Google key to whoever finds it.
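Google Authenticator implements the TOTP algorithm of RFC 6238 (HOTP from RFC 4226, keyed by the current 30-second time step), and the printable key described above is a set of one-time backup codes. The following Python is an added example, not Google's code or anything from the article, showing how a service would verify both factors: a TOTP check with a small clock-skew window and a constant-time comparison, and backup codes that are stored only as salted hashes and consumed on first use. The RFC test vectors used for the sample secret are from RFC 4226/6238; the storage layout (a dict of salt and hashes) is an assumption for illustration.

```python
import base64
import hashlib
import hmac
import secrets
import struct
import time
from typing import Dict, List, Optional, Tuple

# Sample secret from the RFC 4226/6238 test vectors, as an authenticator app
# would receive it: base32-encoded in the enrollment QR code or setup key.
RFC_SECRET_B32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"  # == b"12345678901234567890"


def secret_from_base32(b32: str) -> bytes:
    """Decode an authenticator setup key (base32, case-insensitive, padding optional)."""
    s = b32.strip().replace(" ", "").upper()
    s += "=" * (-len(s) % 8)
    return base64.b32decode(s)


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at: Optional[int] = None, step: int = 30, digits: int = 6) -> str:
    """RFC 6238: the HOTP counter is the number of `step`-second intervals since the epoch."""
    t = int(time.time()) if at is None else at
    return hotp(secret, t // step, digits)


def verify_totp(secret: bytes, code: str, at: Optional[int] = None,
                step: int = 30, digits: int = 6, window: int = 1) -> bool:
    """Accept the code for the current step and `window` steps either side (clock skew).

    Comparison is constant-time; a real service would additionally record the
    accepted step so the same code cannot be replayed within the window.
    """
    t = int(time.time()) if at is None else at
    current = t // step
    ok = False
    for k in range(-window, window + 1):
        # Check every candidate rather than returning early, to keep timing uniform.
        ok |= hmac.compare_digest(hotp(secret, current + k, digits), code)
    return ok


def _hash_backup_code(code: str, salt: bytes) -> bytes:
    # Backup codes are low-entropy and printed on paper, so they are hashed with a
    # slow KDF at rest, exactly like passwords, not stored in clear.
    return hashlib.pbkdf2_hmac("sha256", code.encode(), salt, 100_000)


def generate_backup_codes(count: int = 10) -> Tuple[List[str], Dict[str, object]]:
    """Return the plaintext codes to show the user once, plus the server-side record.

    The record (assumed layout: a per-user salt and a set of hashes) never
    contains the codes themselves.
    """
    salt = secrets.token_bytes(16)
    plain = [secrets.token_hex(4) for _ in range(count)]  # 8 hex digits each
    store: Dict[str, object] = {"salt": salt, "hashes": {_hash_backup_code(c, salt) for c in plain}}
    return plain, store


def redeem_backup_code(store: Dict[str, object], code: str) -> bool:
    """Consume a backup code: valid exactly once, then removed from the record."""
    digest = _hash_backup_code(code.strip().lower(), store["salt"])  # type: ignore[arg-type]
    hashes: set = store["hashes"]  # type: ignore[assignment]
    for h in list(hashes):
        if hmac.compare_digest(h, digest):
            hashes.remove(h)
            return True
    return False


if __name__ == "__main__":
    secret = secret_from_base32(RFC_SECRET_B32)
    print("TOTP at T=59 (RFC vector):", totp(secret, at=59, digits=8))  # 94287082
    codes, record = generate_backup_codes(5)
    print("backup codes (show once):", codes)
    print("first use:", redeem_backup_code(record, codes[0]), "second use:", redeem_backup_code(record, codes[0]))
```

The window of one step on either side is what lets a phone whose clock drifts by up to 30 seconds still log in; widening it trades skew tolerance for a larger set of codes an attacker could guess, which is why a service also rate-limits attempts and remembers the last accepted step.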
There is a long discussion on Y Combinator regarding Google’s two-step security measure, including what is widely considered its weak point, application-specific passwords.