Last Friday evening, hackers got into the Apple account of Mat Honan and used it to remotely wipe the data on his iPhone, iPad, and MacBook, then deleted his Google account and posted a series of obnoxious messages on his Twitter feed. Honan is a writer at Wired. He used to work at Gizmodo, and his Twitter account is still linked to that tech blog's account, so within about 15 minutes the hackers had posted there too.
How could the hackers do this? Because they knew something most people don't. If you can't answer your security questions, Apple will still issue you a new password as long as you can prove who you are with another form of identification. What credentials does that take? A billing address and the last four digits of your credit card number.
Billing addresses are easy to find online, and credit card numbers are only a little harder. The hacker's target was Honan, and he found the billing address by looking up Honan's personal website.
To get the credit card number, he called another tech giant, Amazon, on its support line. The hacker asked Amazon to add his own email address to Honan's account, and Amazon did as asked. The hacker then submitted a forgotten-password request on Amazon's website, which sent a reset link to the hacker's email; he changed Honan's password and had full access to his Amazon account, including the last four digits of Honan's credit card.
Now the hacker could get into Honan's Apple account, which let him wipe every device connected to Honan's iCloud profile (his iPad, iPhone, and Mac). And because Honan had set his Apple account as the recovery address for his Google account, the hacker only had to send one more forgotten-password request, this time to Gmail.
It's a sad story, and Apple and Amazon made many mistakes. But if you study the hack carefully, there are lessons to learn from it.
Here are four things that users and companies can do right now to reduce these kinds of attacks:
1. Everyone should turn on two-factor authentication now
To get into most online accounts, you only need to supply one secret piece of data: the usual password (your username, for many services including email accounts, Twitter, and Facebook, is chosen when you register and is effectively public, available to everyone).
For a while, passwords were enough. But now we all have so many online accounts protecting so much valuable information that we need something more than a password.
Fortunately, such a thing exists. Unfortunately, few people use it. It is called "two-factor authentication". When you sign in to a protected account, two credentials are required. The first is your password; the second is something tied to you: a biometric (such as your fingerprint), an electronic key fob, or, simplest of all, your mobile phone, which can generate a unique code.
Last year Google introduced two-factor authentication, and the system works well: when you turn it on, you install an authenticator app on your smartphone. From then on, when you log in, you enter your password plus a code generated on your phone (the app can generate the code even when the phone is offline). If you don't have a smartphone, Google sends the code to you by text message. Facebook also added two-factor authentication last year.
2. Sign up for a backup service, and do it now. What are you waiting for?
There is no better time than now, though you have surely heard before that backup is easy and cheap. A few years ago, while testing cloud backup services, I started using Mozy. Since then I have switched to a service called CrashPlan, which is the cheapest and easiest way I know to back up your data.
CrashPlan (which has a 30-day free trial) is really great. It costs only $1.50 a month to store 10 GB of data from one computer, $3 a month to store unlimited data from one computer, and $6 a month to store unlimited data from up to 10 computers.
3. Skip remote wipe: encrypt your data and turn off "Find My Mac"
Being able to find a lost device sounds great. You paid a lot for your tablet, phone, and laptop; if something happens to one of them, don't you want to locate it? And if someone else has it, don't you want to be able to wipe your data remotely?
Until Apple comes up with a better way to stop others from wiping your data (perhaps by requiring a second form of verification before a remote wipe), you should turn off Find My Mac.
It turns out there is a better protection than remote wipe, and it is called full disk encryption. It is built into the Mac and into some versions of Windows. Full disk encryption scrambles everything on your hard disk, and the data can only be read after entering a password (two forms of authentication are better still). Encryption slows the computer down so little that you will not notice it. If your computer goes missing, you can be confident your data is safe: unless the thief knows your password, your data is hidden from him.
4. Password recovery is the threat: make sure your accounts are not chained together
What should you do? Create a single, secret, ultra-secure email address whose only job is to receive password resets. What do I mean? I mean a new Gmail account, something like betyoucantguessthis@gmail.com, with a very strong password and two-factor authentication turned on. Now go to all your other accounts and have them send password-reset requests to this secret address. It is essential that you never send email from this address, never use it to sign up for newsletters, and never let anyone know it exists. As long as it stays secret, the chain cannot be pulled on you.