Digital erasure: how to avoid it happening to you

Mat Honan lost everything. Here's how to ensure you don't.

On Friday night, Mat Honan, a senior reporter for Gizmodo, got hacked. Hard:

At 4:50 PM, someone got into my iCloud account, reset the password and sent the confirmation message about the reset to the trash. . .

The backup email address on my Gmail account is that same .mac email address. At 4:52 PM, they sent a Gmail password recovery email to the .mac account. Two minutes later, an email arrived notifying me that my Google Account password had changed.

At 5:00 PM, they remote wiped my iPhone

At 5:01 PM, they remote wiped my iPad

At 5:05, they remote wiped my MacBook Air.

A few minutes after that, they took over my Twitter.

The full account of his travails is terrifying for anyone who lives a largely digital life. In fifteen minutes, Honan lost most of his digital property (photos, emails, documents and so on), and most of his ways of communicating with the outside world. Not just email and Twitter, but phone calls and text messages.

How it happened has only become clear since Friday, and presents a worrying picture of security at Apple. The initial breach, in Honan's iCloud account, was done by someone who successfully convinced Apple support to reset the password without knowing the original password, or any security questions associated with the account. Simply put, that should not be possible. From there, however, a series of easily made but unfortunate decisions allowed it to spiral out of control.

What's particularly scary about Honan's situation is that, in a number of ways, he followed best practices. His iCloud account password was unique, alphanumeric, and never got leaked or cracked. Yet he still lost everything. But there are two things which may – just – have been able to improve the situation.

Back-ups

It sounds really simple, and you have in fact probably been told it before, but back up. Back up everything, and preferably back it up more than once. As Marco Arment says, if you can afford a MacBook Air, iPhone and iPad, you can definitely afford an external hard drive.

More importantly, don't confuse what are two separate services: back-up and syncing. If all your precious photos are stored on Dropbox or iCloud, that protects you against some types of data loss – dropping your laptop in the bath, that sort of thing – but not others. And frankly, most data loss these days isn't hardware or software failure but "wetware" – your brain. It's when you delete a file, and empty the trash, and only then realise that you actually really wanted to keep that piece of data (yes, I have done this (with my entire Applications folder (it hurts))). If you are using a backup service which deletes the backup when you delete the original, that's not a huge help. And even worse is that many of them will delete the original if you delete the backup.

Back-ups are especially useful if you have a service – like iCloud – which allows remote wiping. If you turn on a switch which allows all your data to be erased, it's probably worth making sure you have a plan in case you have to hit that switch. If you don't keep back-ups, turn that off.

Password resets

If you are sensible – and many people aren't – you'll have different passwords for every service. Honan did. The problem is that although that removes most possibilities for losing multiple accounts, it doesn't take away the weakest link. If LinkedIn gets hacked, that password shouldn't be able to gain access to anything else, but if your email account is hacked, you may well be screwed. Most services are designed to allow anyone with a password or access to the registered email account to log on. Making the former secure and then leaving the latter open is not the best move. So what's the best thing to do?

Step one is to make sure that the email address password resets go to is the most secure possible one. For most people who don't have extra-strong security needs, that means a Gmail account with two-step verification. Every time you try to log on from a new computer, you get sent a text (or check a special app) with a code to finish the log-in. Unless someone steals that as well, you're safe.

Step two is to remove password resets from that address. There's no point having a secure email address if you can reset the password by requesting it from a less secure one. Step three is to stop using it for anything but account registrations. It will be impossible to keep it totally secure, because of the number of services which still identify you by your address, but it's better than handing it out to everyone.
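The three steps above amount to auditing a chain of password-reset addresses. As an added example (not part of the original article), this Python script walks such a chain to show which accounts fall together and which reset mailboxes still need fixing. The account names, the two_step flags and the rule that reading a reset mailbox means controlling every account that resets to it are assumptions made for illustration.

```python
from collections import deque

# Constructed inventory, not from the article. Only the iCloud -> Gmail link
# mirrors the story; every other account and flag is hypothetical.
ACCOUNTS = {
    "icloud":  {"reset_via": [],         "two_step": False},
    "gmail":   {"reset_via": ["icloud"], "two_step": False},
    "twitter": {"reset_via": ["gmail"],  "two_step": False},
    "amazon":  {"reset_via": ["gmail"],  "two_step": False},
    "vault":   {"reset_via": [],         "two_step": True},
    "bank":    {"reset_via": ["vault"],  "two_step": True},
}

def blast_radius(accounts, lost):
    """Accounts that fall once `lost` is taken over. Assumption: whoever reads
    a reset mailbox can reset every account that sends resets to it."""
    fallen, queue = {lost}, deque([lost])
    while queue:
        mailbox = queue.popleft()
        for name, acct in accounts.items():
            if name not in fallen and mailbox in acct["reset_via"]:
                fallen.add(name)       # the visited set also stops reset loops
                queue.append(name)
    return fallen - {lost}

def audit(accounts):
    """Check every reset mailbox against steps one and two."""
    findings = []
    mailboxes = {m for a in accounts.values() for m in a["reset_via"]}
    for m in sorted(mailboxes):
        acct = accounts.get(m)
        if acct is None:
            findings.append((m, "reset mailbox missing from inventory"))
            continue
        if not acct["two_step"]:
            findings.append((m, "no two-step verification"))
        if acct["reset_via"]:
            findings.append((m, "can be reset via " + ", ".join(acct["reset_via"])))
    return findings

if __name__ == "__main__":
    for name in sorted(ACCOUNTS):
        print(f"lose {name:8} -> also lose {sorted(blast_radius(ACCOUNTS, name))}")
    for mailbox, problem in audit(ACCOUNTS):
        print(f"FIX {mailbox}: {problem}")
```

In this constructed inventory, the mailbox that everything else resets to (gmail) is the one with both findings, which is the situation steps one and two are meant to remove.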

But the question that still remains is whether Apple and iCloud can be trusted at all. Following Honan's story, it certainly seems a bad idea to link any other accounts to your iCloud. Until the company responds, however, we can't know quite how bad it will be.

Update

Mat Honan has now made public just how the hack happened, and it's even scarier than we thought. There are severe security flaws in Amazon and Apple's password reset procedures that allow someone to take over both accounts with just your name, email address and billing address. This is not, by any stretch of the imagination, confidential data – yet until those procedures are changed, it would be best to treat it as such, and to attempt to limit the amount of damage which would happen if those accounts were compromised.

How to trick Amazon:

First you call Amazon and tell them you are the account holder, and want to add a credit card number to the account. All you need is the name on the account, an associated e-mail address, and the billing address. Amazon then allows you to input a new credit card. (Wired used a bogus credit card number from a website that generates fake card numbers that conform with the industry's published self-check algorithm.) Then you hang up.

Next you call back, and tell Amazon that you've lost access to your account. Upon providing a name, billing address, and the new credit card number you gave the company on the prior call, Amazon will allow you to add a new e-mail address to the account. From here, you go to the Amazon website, and send a password reset to the new e-mail account. This allows you to see all the credit cards on file for the account -- not the complete numbers, just the last four digits. But, as we know, Apple only needs those last four digits. We asked Amazon to comment on its security policy, but didn't have anything to share by press time.

Delete – even if you don't want to. Photograph: Cari McGee/www.carimcgee.com

Alex Hern is a technology reporter for the Guardian. He was formerly staff writer at the New Statesman. You should follow Alex on Twitter.


Thanks to social media, ordinary people can now influence elections more than tabloids

The Conservatives spent £1.2m on online adverts – but the internet came up with anti-Theresa May memes for free.

Who or what spread the single most influential message of the 2017 general election? Was it Britain’s top-selling tabloid, the Sun, which chose 7 June to chastise us all with: “Don’t chuck Britain in the Cor-bin”? Was it Facebook, home to Theresa May’s £1.2m anti-Labour adverts that pleaded: “Don’t risk Corbyn in charge of Brexit”? Or was it Jennifer Agnew, a 21-year-old administrative assistant from East Kilbride?

You’ve probably heard of the first two. Since the newspaper first claimed as much in 1992, it has been a popular idea that it’s the Sun wot wins elections. This year, much has been made of “dark ads” on Facebook – paid-for messages that political parties can spread across the social network, beyond the gaze of the Electoral Commission. You’ve probably not heard of Agnew, but you might have seen her viral tweet.

After Theresa May disclosed the “naughtiest” thing she ever did on ITV’s Tonight, Agnew took to Twitter to mock the revelation. “Never have I ever ran [sic] through a field of wheat,” she wrote above a picture of May drinking from a glass of water, riffing on the student party game in which one drinker confesses to a misdeed and others take a sip if they, too, are guilty. Her tweet was shared more than 24,000 times and gained an additional 60,000 “Likes”.

“It was just a joke, really, but also poking fun at the difference in classes,” says Agnew, whose post went on to be retweeted by the pop star Ellie Goulding. “I can’t say I’ve ever run around in a field of wheat as a child being chased by farmers. It seems rather middle class.”

On 8 June, Agnew voted for the SNP. She didn’t intend for her tweet to have political ramifications but describes herself as “a big fan of Corbyn”, saying: “As far as politicians go, he’s honest.” Yet, regardless of Agnew’s intentions, her tweet was political. It was a powerful anti-May message – and it didn’t cost the Labour Party a penny.

Since Barack Obama’s first presidential campaign, it has been widely understood that elections are fought across social media. Algorithms, some claim, boosted the fake news that propelled Donald Trump to office. By adding like-minded people as “friends” and deleting any dissenters, we all became entrapped in filter bubbles, unable to see the 2015 election result coming.

Facebook adverts that were micro-targeted to spread specific messages to specific people helped to bolster the vote for Brexit. All of these analyses are true, but each misses the most transformational aspect of social media. You know: the actual media part.

As of December 2016, the Sun had 1,611,464 readers every day. That’s a lot. But nowadays, people don’t need Rupert Murdoch and a printing press to wield political influence (they do, however, still need a witty pun). According to Twitter’s analytics tool, Agnew’s tweet reached over 2.9 million people. Everyone now has the potential to have the reach and influence of a tabloid.

Her tweet isn’t remarkable. It is merely one of thousands of viral social media posts that have spread this election, many of which generated headlines (“This Facebook comment about Jeremy Corbyn is going viral” read one on Indy100, the Independent’s sister site).

Hannah Thompson, a 24-year-old PR officer from Surrey, is another meme-maker. When the concept was introduced by Richard Dawkins, a meme was “an idea, behaviour or style that spreads from person to person within a culture”. Now, it most commonly means “funny internet picture”. Yet memes might be just as influential as Dawkins’s original definition implied.

“I pretty much exclusively use Twitter as an avenue for my lame political jokes,” says Thompson, who tweeted a zoomed-in picture of Theresa May with the caption: “Nice wheat field you’ve got there. Would be a shame if somebody . . . ran through it” (7,243 retweets, 22,450 Likes).

“It would be helpful if more politicians understood the ‘social’ element of social media,” she adds. “Then, instead of spending hundreds of thousands just getting views for their posts, they can create things that actually engage people and help shift the narrative in people’s minds. I was really impressed by how Labour encouraged their members and activists to share things online. Seeing posts by actual human beings, rather than a party, is way more convincing than seeing a paid-for ad.”

There is a chance that, by the next election, politicians will have realised that a picture is worth a thousand words. Astroturfing, the practice of masking the origin of a message to make it seem like a grass-roots opinion, is already common online. Advertisers frequently create profiles for fake teenagers, who then tweet about how much they “love” a product in order to make it seem popular.

After the shock election result, analysis by BuzzFeed revealed that stories published on the websites of right-leaning newspapers (such as the Daily Telegraph, the Daily Mail and the Sun) failed to reach large audiences on Facebook and Twitter. BuzzFeed’s headline read: “Not even right-wingers are sharing positive stories about Theresa May on Facebook”. The most shared stories on social media were pro-Corbyn.

For all of the Conservatives’ power and wealth, their social media campaigns did not take off. Why? Because they weren’t inherently social. Theresa May relied on pounds to push her message, while Agnew and those like her relied on people.

As one social media user put it (receiving 8,790 retweets and 19,635 Likes): “Tories spent £1,200,000 on negative anti-Jeremy Corbyn social media adverts ... And the internet came up with anti-Theresa May memes for free.”

Amelia Tait is a technology and digital culture writer at the New Statesman.

This article first appeared in the 15 June 2017 issue of the New Statesman, Corbyn: revenge of the rebel
