Mat Honan’s story (as covered by Todd in the latest podcast) showed me that the strongest password in the world is worth nothing if it can be reset by a straightforward social engineering-based attack. I’m sure Apple and Amazon will be looking hard at their policies and procedures but for the individual, there’s also much to learn from the episode.
i) Two-factor authentication. There’s no doubt that this is a good thing and I enabled it on my Gmail account last night. Turning it on is easy, but it’s a pain in the ass for the first few hours as you re-login to all your Google-based services. With several regularly used PCs, email clients and umpteen mobile devices, it takes a bit of time to get them all set up correctly. Touch wood, now that I’ve been through the re-login process, things are largely back to normal.
ii) Backup, backup, backup. For at least part of the story, Mat is entirely to blame. If there’s only one copy of any piece of data, it might as well not exist. Never mind hackers; theft, damage and accidental deletion make it all too easy to lose data, especially with mobile devices. Disk space is cheap, so even if you have just one PC, keep a working set of folders and a separate backup set of folders, and on a regular basis also copy everything to a USB drive. Disconnect that drive when it isn’t in use (a drive that is plugged in is just as exposed as the PC itself to malware, a remote wipe or a slip of the delete key) and preferably store it somewhere else. Prefer dated copies over a straight mirror, too: a mirror that syncs deletions will faithfully delete your only backup of the file you just removed by mistake. And a backup you have never checked is only a hope, so every so often confirm that the copies are complete and readable.
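The routine above in code, as an added example rather than anything from the original post: each run copies the working set into a fresh dated generation under the backup location, writes a SHA-256 manifest beside it, and a verify pass re-hashes the copy against that manifest. The files, dates and the second directory (standing in for the USB drive) are constructed for the demo; everything else is the Python standard library.

```python
import hashlib
import os
import shutil
import tempfile


def sha256_of(path):
    """SHA-256 of a file, read in chunks so large photos and videos stay out of memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            digest.update(chunk)
    return digest.hexdigest()


def hash_tree(root):
    """Map each file under root (path relative to root, '/'-separated) to its SHA-256."""
    digests = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            digests[rel] = sha256_of(full)
    return digests


def make_backup(working, backup_root, label):
    """Copy the working set into backup_root/<label> and write a hash manifest beside it.

    Every run creates a new generation and never touches earlier ones, so a file
    deleted from the working set by accident is still in yesterday's copy.
    """
    dest = os.path.join(backup_root, label)
    if os.path.exists(dest):
        raise FileExistsError("generation %s already exists; refusing to overwrite it" % label)
    shutil.copytree(working, dest)
    manifest = hash_tree(dest)
    with open(dest + ".sha256", "w") as f:
        for rel in sorted(manifest):
            f.write("%s  %s\n" % (manifest[rel], rel))
    return manifest


def verify_backup(generation):
    """Re-hash a backup generation against its manifest; return {path: 'missing' | 'altered'}."""
    expected = {}
    with open(generation + ".sha256") as f:
        for line in f:
            digest, _, rel = line.rstrip("\n").partition("  ")
            expected[rel] = digest
    actual = hash_tree(generation)
    problems = {}
    for rel, digest in expected.items():
        if rel not in actual:
            problems[rel] = "missing"
        elif actual[rel] != digest:
            problems[rel] = "altered"
    return problems


def run_demo():
    """Constructed scenario in a temp dir: back up, lose a file, back up again, corrupt a copy."""
    root = tempfile.mkdtemp()
    working = os.path.join(root, "working")
    backups = os.path.join(root, "backup")          # stands in for the USB drive
    os.makedirs(os.path.join(working, "photos"))
    with open(os.path.join(working, "notes.txt"), "w") as f:
        f.write("first draft\n")
    with open(os.path.join(working, "photos", "cat.jpg"), "wb") as f:
        f.write(b"\xff\xd8 not really a jpeg \xff\xd9")   # constructed sample data

    gen1 = make_backup(working, backups, "2012-08-07")
    os.remove(os.path.join(working, "photos", "cat.jpg"))   # the accidental deletion
    gen2 = make_backup(working, backups, "2012-08-08")

    # Silent corruption of the older copy: only a verification pass will notice this.
    with open(os.path.join(backups, "2012-08-07", "notes.txt"), "w") as f:
        f.write("garbage\n")

    return {
        "gen1_files": sorted(gen1),
        "gen2_files": sorted(gen2),
        "gen1_problems": verify_backup(os.path.join(backups, "2012-08-07")),
        "gen2_problems": verify_backup(os.path.join(backups, "2012-08-08")),
        "deleted_file_survives_in_gen1": os.path.exists(
            os.path.join(backups, "2012-08-07", "photos", "cat.jpg")),
    }


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(key, value)
```

The point of the generations is the deleted photo: it is gone from the working set and from the second backup, but the first generation still has it. The point of the manifest is the corrupted notes file: the copy on disk looks fine until something re-hashes it.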
iii) It’s your data. Convenient as “the cloud” is, remember it’s your data and your responsibility to keep it safe. If you push information directly to the cloud, don’t forget to include this information in your backup routine. Google has tools to download data from its services. Or don’t bother with someone else’s cloud and build your own, using a PogoPlug or similar.
iv) Download email using POP3. I use web-based Gmail and IMAP-enabled apps to manage my email and if email is deleted from Gmail…poof, it’s all gone. That is how IMAP works: the client stays in sync with the server, so a deletion on Google’s side is faithfully mirrored into every client. POP3 is different. By using a POP3 email client like Thunderbird, you download a copy of each message onto your PC, and that copy survives whatever happens to the mailbox in the cloud. Set the client to leave messages on the server, though; otherwise you have moved the only copy rather than made a second one.
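The POP3 approach in code, as an added example that is not from the original post or from any mail client: a small client that fetches every message and appends it to a local mbox file, never sending DELE so the server copy stays put. So that it runs offline, the block also contains a tiny constructed POP3 server with two made-up messages; against Gmail you would instead call `download_to_mbox` with `pop.gmail.com`, port 995 and `use_ssl=True`, after enabling POP access in Gmail’s settings (and, with two-factor on, using an application-specific password rather than your normal one). Plain POP3 without SSL sends the password in the clear, so `use_ssl=False` is only for the local demo.

```python
import mailbox
import os
import poplib
import socketserver
import tempfile
import threading

# Constructed sample messages standing in for a Gmail mailbox; not real mail.
SAMPLE_MESSAGES = [
    "From: alice@example.com\nTo: me@example.com\nSubject: one\n\nHello\n.a line that starts with a dot\n",
    "From: bob@example.com\nTo: me@example.com\nSubject: two\n\nSecond message\n",
]


class FakePop3Handler(socketserver.StreamRequestHandler):
    """Just enough of RFC 1939 (USER/PASS/STAT/LIST/RETR/QUIT) to run the example offline."""

    def reply(self, text):
        self.wfile.write((text + "\r\n").encode())

    def handle(self):
        msgs = self.server.messages
        self.reply("+OK fake POP3 ready")
        while True:
            line = self.rfile.readline()
            if not line:
                return
            cmd, _, arg = line.decode().strip().partition(" ")
            cmd = cmd.upper()
            if cmd in ("USER", "PASS", "NOOP"):
                self.reply("+OK")
            elif cmd == "STAT":
                self.reply("+OK %d %d" % (len(msgs), sum(len(m) for m in msgs)))
            elif cmd == "LIST":
                self.reply("+OK")
                for i, m in enumerate(msgs, 1):
                    self.reply("%d %d" % (i, len(m)))
                self.reply(".")
            elif cmd == "RETR":
                m = msgs[int(arg) - 1]
                self.reply("+OK %d octets" % len(m))
                for body_line in m.splitlines():
                    # Byte-stuffing: a line starting with '.' gets a second '.' so it
                    # is not mistaken for the end-of-message marker.
                    self.reply("." + body_line if body_line.startswith(".") else body_line)
                self.reply(".")
            elif cmd == "QUIT":
                self.reply("+OK bye")
                return
            else:
                self.reply("-ERR unsupported")


def download_to_mbox(host, port, user, password, mbox_path, use_ssl=False):
    """Copy every message on the POP3 server into a local mbox file.

    No DELE is ever sent, so this makes a second copy rather than moving the only
    one; the equivalent client setting is 'leave messages on server'.
    """
    conn = poplib.POP3_SSL(host, port) if use_ssl else poplib.POP3(host, port)
    try:
        conn.user(user)
        conn.pass_(password)
        count, _ = conn.stat()
        box = mailbox.mbox(mbox_path)
        try:
            for i in range(1, count + 1):
                _, lines, _ = conn.retr(i)        # poplib un-stuffs leading dots for us
                box.add(b"\n".join(lines) + b"\n")
            box.flush()
        finally:
            box.close()
    finally:
        conn.quit()
    return count


def run_offline_demo():
    """Start the fake server on a free local port, download into a temp mbox, report what's there."""
    server = socketserver.TCPServer(("127.0.0.1", 0), FakePop3Handler)
    server.messages = SAMPLE_MESSAGES
    threading.Thread(target=server.serve_forever, daemon=True).start()
    mbox_path = os.path.join(tempfile.mkdtemp(), "gmail-copy.mbox")
    try:
        count = download_to_mbox("127.0.0.1", server.server_address[1],
                                 "me", "not-a-real-password", mbox_path)
    finally:
        server.shutdown()
        server.server_close()
    subjects = sorted(msg["Subject"] for msg in mailbox.mbox(mbox_path))
    return count, subjects


if __name__ == "__main__":
    print(run_offline_demo())
    # Real use, assuming POP is enabled on the account:
    # download_to_mbox("pop.gmail.com", 995, "you@gmail.com", app_password,
    #                  "gmail-copy.mbox", use_ssl=True)
```

The resulting mbox is an ordinary file, so it belongs in the same backup routine as everything else: a local copy of your mail on a single disk is still a single copy.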
v) Spread the load. Convenient as it might be to have all your eggs in one basket, either with Apple or Google, consider spreading your digital assets across different services, e.g. email on Gmail, work files on Dropbox, personal files on Box, photos on Flickr. If someone does compromise one of your accounts, all is not lost in one go. But don’t use the same password across all the systems, and bear in mind that the password-reset address of one account is a way into it from another: if every service can be reset from the same mailbox, you still have one basket.
vi) Remote kill-switch. The ability to wipe a mobile device remotely is very handy if it is stolen, but there’s a risk that the kill-switch gets into the wrong hands, as it did in this case. The benefits probably still outweigh the risks, since you are far more likely to lose your device than be hacked, so it’s perhaps better to focus on minimising the fall-out from both physical loss and a remote wipe: either way, a device that disappears should cost you the hardware, not the data.
There’s certainly plenty of food for thought there and even if you only take on one or two of the suggestions above, you’ll make yourself much harder to attack while lessening the impact.
Picture courtesy of Brian Ronald.