The Vulnerabilities of Convenience: How To Protect Your Life In The Cloud
Over the past few days, a massive intrusion into the private accounts of celebrities was made public. As a result, many nude pictures and videos they never meant to share are now public.
The truth, however, is that nearly everyone who uses the Internet is at risk in ways that are as destructive as, if not more so than, having private photos published. Identity theft, financial theft, and even being framed for crimes like cyber-stalking and child pornography can be far more damaging in the long term.
The Risks Apply to Everyone
I’ve heard a number of people explain why they think they personally aren’t at risk. None of the following, on its own, will keep you safe:
- I never take embarrassing pictures or video
- I store all my files on my local hard drives and don’t use cloud services
- I only use services from Apple/Microsoft/Google/Whoever because they are the most secure company out there
None of these protects you, because each rests on a misconception about what “hacking” really is. Usually when we think of hackers, we picture people in movies with monstrous displays cracking through layers of security and stealing brightly labeled files from their enemies.
In truth, it takes only a few bits of information for someone to seize access to your accounts and do whatever they want with your data. Hackers don’t have to outsmart flaws in computer code; they need only know which tricks currently work and then talk a support representative at one of your account providers into handing over the missing piece over the phone.
While there are many ways to gain access to someone’s account, the main component that must be overcome is the password. If a hacker can get your Facebook password, for example, she can mine all the information your friends make available to you. In some cases this means birthdays, addresses and cell phone numbers. Facebook continues to be a common target because it is used by so many people. In some cases, it is the only thing some people use the Internet for.
How Hackers Get Your Password
There are numerous ways to get a user’s password, but I want to focus on the two most successful methods I know about.
1. Popular Service Password Reset
The method that is currently being exploited in the celebrity photo leak is a rather smart loophole: different sites verify your identity with different pieces of information, and each site will hand over a piece that another site accepts as proof. Here is how one such procedure works:
- Hacker finds out your name, email address and billing address. These are usually very easy to find with a couple of web searches
- They generate what’s called a “test” credit card number: a bogus number that passes the card companies’ checksum (so it looks like a valid card) but cannot actually be used for purchases
- The hacker then calls Amazon pretending to be you and says that they want to add a credit card to your account. They verify themselves using your name, address and email address and give Amazon the phony number.
- They hang up and call Amazon a second time, this time telling them they have lost access to your email account. By providing the name, billing address and bogus credit card number, Amazon will allow them to change your email address on file to an address owned by the hacker
- Now they can log into your Amazon account and look at your valid saved credit cards. Amazon doesn’t show you the entire card number, just the last four digits
- Next they contact Apple and tell them they lost the password to that account. Apple requires the name, address and the last four digits of your valid credit card and will then reset your password
By following that process, anyone who has both an Amazon and Apple account can be hacked in three phone calls. With the AppleID, the hacker can download any of your iCloud files (including photos and videos) and, if you are using Apple’s Find My iPhone or Find My Mac they can send a command that will wipe all data from your device.
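As an added illustration (not code from the original post), here is the checksum behind that “test” number. The algorithm the text refers to is the Luhn check that card numbers actually use; it is a public formula designed to catch typos, so a number that passes it proves nothing about whether a card, or its owner, exists. That is exactly why “a card number on file” should never count as identity verification. The numbers used below are the standard, publicly documented test numbers, not real accounts.

```python
def luhn_checksum(number: str) -> int:
    """Luhn sum modulo 10 over the digits of `number` (spaces and dashes ignored).

    Walking from the rightmost digit, every second digit is doubled; a doubled
    value above 9 has its digits summed (equivalent to subtracting 9).
    """
    digits = [int(ch) for ch in number if ch.isdigit()]
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10


def luhn_valid(number: str) -> bool:
    """True when the number passes the Luhn check, i.e. it merely *looks* like a card number."""
    digits = [ch for ch in number if ch.isdigit()]
    return len(digits) >= 2 and luhn_checksum(number) == 0


def luhn_check_digit(payload: str) -> int:
    """The single digit that, appended to `payload`, makes the whole string Luhn-valid."""
    # Append a placeholder 0, then pick the digit that brings the sum to a multiple of 10.
    return (10 - luhn_checksum(payload + "0")) % 10


if __name__ == "__main__":
    # Publicly documented test numbers (constructed input, not real cards).
    for candidate in ("4111 1111 1111 1111", "4242424242424242", "4111111111111112"):
        print(candidate, "passes" if luhn_valid(candidate) else "fails")
    # Any 15-digit prefix can be completed into a "valid-looking" number in one line:
    print("411111111111111" + str(luhn_check_digit("411111111111111")))
```

The point of the last line is that the check digit is a function of the other digits and nothing else: a support desk that accepts “the card number you gave us on the previous call” as proof of identity has accepted a value anyone can compute.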
2. Phishing / “Man In The Middle”
Phishing requires a little more effort from the hacker, but it is one of the most prevalent ways of getting passwords. The idea is to get you to type your password into a login page the hacker controls, either by luring you to a lookalike address or, on a tampered computer or network, by redirecting the real address to the hacker’s server.
For example, the hacker could set up a public computer so that anyone who types facebook.com is sent to a server that is not Facebook but looks exactly like it, with “facebook.com” still showing in the address bar.
In this case, you go to log into Facebook and unknowingly fill out the hacker’s copy of the login form, which hands over your username and password. The fake page then forwards you to the real Facebook with a message that your login failed; you assume you made a typo and try again. Sure enough, the second attempt works, and you carry on using Facebook none the wiser that you just gave away your credentials.
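Most phishing pages cannot actually make the address bar read exactly “https://www.facebook.com/”; they rely on an address that merely *contains* the brand name. The following is an added example (not from the original post) of the checks a browser extension or a mail gateway applies to a login link before trusting it. The URLs are constructed samples, and the `expected_domain` allowlist is an assumption for the example.

```python
import ipaddress
from typing import List
from urllib.parse import urlsplit


def phishing_indicators(url: str, expected_domain: str = "facebook.com") -> List[str]:
    """Return the reasons `url` should not be trusted as a login page for `expected_domain`.

    An empty list means the host really is that domain (or one of its subdomains)
    and the page is served over HTTPS.
    """
    parts = urlsplit(url.strip())
    # .hostname is already lower-cased and has the port and any user@ prefix removed.
    host = (parts.hostname or "").rstrip(".")
    expected = expected_domain.lower()
    flags: List[str] = []

    if parts.scheme != "https":
        flags.append("not-https")          # plain HTTP can be rewritten by anyone on the path
    if parts.username is not None:
        flags.append("userinfo-trick")     # https://facebook.com@evil.net: text before '@' is not the host
    try:
        ipaddress.ip_address(host)
        flags.append("ip-address-host")    # a brand's login page is never served from a bare IP
    except ValueError:
        pass
    if host.startswith("xn--") or ".xn--" in host:
        flags.append("punycode-host")      # internationalised lookalike letters (homograph attack)
    if host != expected and not host.endswith("." + expected):
        if expected in url.lower():
            flags.append("brand-name-in-wrong-place")   # facebook.com.evil.net, evil.net/facebook.com ...
        else:
            flags.append("host-mismatch")
    return flags


if __name__ == "__main__":
    # Constructed sample links of the kind a phishing mail or a tampered kiosk would present.
    samples = [
        "https://www.facebook.com/login",
        "http://www.facebook.com/login",
        "https://www.facebook.com.login-verify.net/",
        "https://facebook.com@evil.net/login",
        "https://192.0.2.10/facebook/login",
        "https://xn--facebok-v3a.com/",
    ]
    for link in samples:
        print(f"{link:50} {phishing_indicators(link) or 'looks genuine'}")
```

One caveat a practitioner should keep in mind: none of these flags fire when the attacker controls the computer or the network and the address really does read `https://www.facebook.com/`. In that case the only remaining signal is the browser’s certificate warning, because the attacker cannot obtain a certificate for Facebook’s name, which is why you should never click through such a warning on a machine you don’t own.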
How To Protect Yourself – VPN and Two-Factor Authentication
Virtual Private Networks (VPNs) are great for protecting your data on unknown networks. They can keep you from being snooped on at public WiFi locations and keep your Internet Service Provider from seeing what you’re doing: all the local network sees is that you’re talking to the VPN provider. (The VPN provider itself can see that traffic, so choose one you trust, and note that a VPN does nothing against the password-reset trick above or a phishing page you log into yourself.) Fortunately, this is a very simple and cost-effective measure. You can protect up to 5 devices at once for just $40/year using Private Internet Access.
You may have heard the old adage that Macs get fewer viruses and malware than Windows PCs because more computers run Windows. The thinking is: why bother attacking a small percentage of users when you can focus on a much larger number?
With the iPhone, that same rule applies. If a hacker is going to come up with ways to hack cell phones, you’d better believe they’re going to focus on iPhones, especially now that iCloud is in play.
Two-Factor Authentication is one of the simplest ways to protect online accounts like Facebook, iCloud and Gmail. This works on all of the major online services with a few important caveats on iCloud.
Two-factor authentication requires you to know your password AND a one-time code that is either generated by an app on your phone (a new code every 30 seconds or so) or sent to you on request. The code is only required the first time you log in from a new device (if you choose to trust that device) or every time you log in from a device you don’t trust (for example, the computer in a hotel lobby).
The code can be sent to you as a text message or generated by a mobile app. Further, you can authorize a secondary phone in case your primary phone is stolen and your account is at risk. For example, you could request a one-time SMS (text message) code to be sent to your spouse’s phone instead of your own.
Major caveat for AppleID users (iCloud, iTunes, iPhone, iPad, Mac): Apple’s Two-Factor Authentication does not protect your Backups or Photo Streams. Specifically, it protects:
- Signing in to My AppleID to manage your Apple account
- Making iTunes, App Store or iBookstore purchases from a new device
- Receiving Apple ID-related support from Apple
It is still well worth doing, and I’ve included steps to protect the other services as well by disabling them in iCloud. Hopefully Apple addresses this in the future so that your photos and backups are safe.
If you do not use Apple products, you can skip down to “Setting Up Two-Factor Authentication” below.
Protect iCloud Backups and Photo Stream
As noted above, Apple’s Two-Factor Authentication is incomplete: it does not protect your Backups or Photo Streams. This is thought to be how the celebrity photo leak was perpetrated, and it makes a strong case for disabling those iCloud services until Apple better secures them. A hacker who has your Apple ID password can “restore” your iCloud backup to their own iOS device without ever being asked for the verification code.
BEFORE YOU BEGIN
Copy ALL of your photos from your iOS devices or iPhoto to an external hard drive or network storage before you delete anything from iCloud. Be safe, don’t lose data!
To delete iCloud backups from iOS 5 or later (recommended):
- Go to Settings > iCloud > Storage & Backup, then tap Manage Storage.
- Tap the name of your iOS device.
- Tap Delete Backup. You’ll be asked to confirm this change. Deleting the backup also turns off backup of your iOS device. Choose Turn Off & Delete if you want to turn off Backup and remove all backups for this iOS device from iCloud.
To protect your iPhone/iPad/iPod Touch photos on iOS 5 or later (recommended):
- Delete your “My Photo Stream” to remove photos currently on iCloud using an iOS device, iPhoto, Apple TV or Windows using the corresponding instructions from Apple.
- Make sure the delete propagates to the cloud. If you skip the previous step or don’t let it complete, you will only be protected from FUTURE photos going to the cloud; everything already uploaded will still be exposed
- Go to Settings > iCloud > Photos
- Switch “My Photo Stream” off (to the left)
- Switch “Photo Sharing” off (to the left)
- Repeat steps 1-5 for all of your iOS devices
To protect your iPhoto or Aperture photos on a Mac (iPhoto 9.2.2 or Aperture 3.2.3 or later; recommended):
- Select a photo or group of photos from the My Photo Stream view in iPhoto or Aperture.
- Press the Delete key.
- Click Delete.
- In iPhoto choose iPhoto > Preferences and then click Photo Stream
- Deselect My Photo Stream, and then click Turn Off
Setting Up Two-Factor Authentication
- AppleID (iCloud, iTunes, iPhone, iPad, Mac)
- Go to My Apple ID
- Select Manage your Apple ID and sign in
- Select Password and Security
- Under Two-Step Verification select Get Started and follow the onscreen instructions
- Register one or more SMS (text message) capable numbers to receive your verification codes. The phone receiving the codes does not need to be an Apple product; any cell phone that can receive text messages can be registered
- You will also get a 14-character Recovery Key for you to print and keep in a safe place. Use your Recovery Key to regain access to your account if you ever lose access to your trusted devices or forget your password.
- Google (GMail, YouTube, Google+, Google Drive, Docs, etc.)
- Go to the Google 2-Step Verification page and click Get Started
- Follow the instructions provided.
- I recommend using the Android, iOS or Blackberry app as your primary way to receive codes.
- You should also add your cell phone number to use SMS as a backup
- Add another trusted person (spouse, etc.) in case you lose your phone entirely
- Print or download the “backup codes” from the bottom of the screen for one-time use codes if you get locked out of the process.
- Facebook
- Log onto Facebook in a web browser and select the down arrow in the top right corner and click Settings
- Near the top left click “Security”
- Next to Login Approvals click Edit
- Check the box to require a security code when you log in from a new browser and follow the instructions to verify your phone
- Microsoft (OneDrive, Outlook.com, etc.)
- Login to your Microsoft Account
- Go to “Security & Password.”
- Under “Password and security info,” tap or click “Edit security info.”
- Under “Two-step verification,” tap or click “Set up two-step verification.”
- Click “Next,” and then follow the instructions. Microsoft may require you to enter a security code that the company will send to your phone or email before you can turn on two-step verification.
- Twitter
- Log into Twitter
- Click the Gear icon by the top right and click Settings
- From the left menu select “Security and Privacy”
- Click “Add a Phone” under the second option and add your cell number (if the second option already shows your phone number, skip this step)
- Select “Send login verifications to yourPhoneNumber” and follow the instructions to verify
- Note: if you choose to use the Twitter app, you will only be able to use two-factor authentication for a single Twitter account. SMS is unlimited and recommended at this time.
- Dropbox
- Sign in to Dropbox
- Click on your name from the upper-right of any page to open your account menu
- Click “Settings” from the account menu and select the “Security” tab
- Under “Two-step verification” section, click “Enable”
- Click “Get started” and follow the instructions. You will need to re-enter your password to enable two-factor verification. Once you do, you’ll be given the choice to receive your security code by text or to use a mobile app.
I hope you found this information helpful and enlightening. By getting ahead of some of these vulnerabilities you can stay safe online. This isn’t meant to be a complete guide to online security, as we didn’t really touch on backups, updates and so forth. I sincerely do hope that Apple gets a better handle on iCloud, as the iPhone 6 is only going to be more reliant upon it. Feel free to comment or ask questions and I’ll do my best to answer.