Learning from Mat Honan’s Epic Breach
This week's news reads more like an urban legend... "This really happened: my co-worker has a cousin, and last week his best friend had one of his accounts hacked. And the hackers were able to use that to get into all of his other accounts, and take over his Twitter identity, and delete all of his email, and wipe his phone and his computer. And he woke up in a bathtub full of ice!"
But it really did happen (except for the bathtub full of ice part). By now, you’ve probably heard about Wired’s Gadget Lab senior writer Mat Honan’s epic hack attack on August 3. (If you haven’t yet, read his full account of the saga on Wired.com.) The compromise of Honan’s digital identity and accounts was purely malicious and resulted in what he called "the ruin of my digital life." But it could have been even worse: had the hackers targeted his bank accounts, credit cards, or industry contacts, it could have been the ruin of his financial or professional life as well.
For anyone concerned about online security and identity authentication, the story reads like your worst nightmare. Passwords alone are like weak locks that keep honest people honest, but only create the illusion of security. Even when coupled with "security questions," it’s still a single factor (something you know) checked several times over, and as Honan’s experience shows, anything that rests only on knowledge can be breached remotely by whoever learns or resets that knowledge.
All security measures are a balancing act between keeping the bad guys out while still letting the good guys in. True multi-factor authentication, something you know combined with something you have or something you are, is an effective compromise that enhances security and, when well implemented, doesn’t place an undue burden on the true account holder.
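As an added illustration (example code, not part of the original post), the Python below models that distinction: a password and a security question both land in the same "something you know" class, while a one-time code derived from a secret held on the user's phone (RFC 6238 TOTP, computed here with the RFC's published test secret) adds a separate "something you have" class. The password, answers and secret are constructed for the example.

```python
import hashlib
import hmac
import struct

# Constructed enrollment data for one user (not real credentials).
PASSWORD_HASH = hashlib.sha256(b"hunter2").hexdigest()   # demo only; use a salted KDF in practice
SECURITY_ANSWERS = {"first pet": "fluffy", "mother's maiden name": "smith"}
DEVICE_SECRET = b"12345678901234567890"   # RFC 4226/6238 test secret, shared with the phone at enrollment

KNOWLEDGE = "something you know"
POSSESSION = "something you have"


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 time-based one-time password (HMAC-SHA1, 30-second step)."""
    counter = struct.pack(">Q", unix_time // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                      # dynamic truncation (RFC 4226)
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def check_password(password: str) -> bool:
    digest = hashlib.sha256(password.encode()).hexdigest()
    return hmac.compare_digest(digest, PASSWORD_HASH)


def check_answers(answers: dict) -> bool:
    return all(answers.get(q, "").strip().lower() == a for q, a in SECURITY_ANSWERS.items())


def check_totp(code: str, unix_time: int, window: int = 1) -> bool:
    """Accept the current step plus `window` steps either side to absorb clock drift."""
    return any(hmac.compare_digest(code, totp(DEVICE_SECRET, unix_time + 30 * d))
               for d in range(-window, window + 1))


def factors_satisfied(password: str, answers: dict, code, unix_time: int) -> set:
    """Return the set of distinct factor classes the presented credentials prove."""
    classes = set()
    if check_password(password):
        classes.add(KNOWLEDGE)
    if check_answers(answers):
        classes.add(KNOWLEDGE)          # a second knowledge check is still the same class
    if code is not None and check_totp(code, unix_time):
        classes.add(POSSESSION)
    return classes


def login_allowed(password: str, answers: dict, code, unix_time: int, required: int = 2) -> bool:
    return len(factors_satisfied(password, answers, code, unix_time)) >= required
```

Someone who has learned or reset the password and the security answers, the position the attackers reached in Honan's case, still proves only one factor class and is refused, while the real owner with the phone passes with the password alone plus the code.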
With an increasingly mobile workforce and the rise of cloud services and systems, the need for strong authentication via two-factor authentication will rise as well. Based on his experience, Honan concludes this too, saying:
"Cloud-based systems need fundamentally different security measures. Password-based security mechanisms—which can be cracked, reset, and socially engineered—no longer suffice in the era of cloud computing."
Because of the large megaphone Honan has as a tech journalist, Apple and Amazon have both quietly set about patching the systems and processes that made it possible, simple even, for hackers to compromise Honan’s credentials and accounts. We echo the calls for real two-factor authentication options for Apple and Amazon account holders. Meanwhile, several days later, the iTunes store still tells its customers "Your account is temporarily unavailable," so the true costs of a high-profile breach like this have yet to be fully counted.
While you can’t control the security of every website and app that you use, you can control access to your own apps, servers, and sites. Sign up for a free Duo Security account today and easily add phone-based, two-factor authentication to any app or server using our built-in integrations for VPNs, Unix, Windows, and popular web apps like WordPress, Drupal, and Outlook Web Access. We also have a web-friendly SDK available to add Duo to any web app. Learn more at duosecurity.com.