Digital erasure: how to avoid it happening to you

Mat Honan lost everything. Here's how to ensure you don't.

On Friday night, Mat Honan, a senior reporter for Gizmodo, got hacked. Hard:

At 4:50 PM, someone got into my iCloud account, reset the password and sent the confirmation message about the reset to the trash. . .

The backup email address on my Gmail account is that same .mac email address. At 4:52 PM, they sent a Gmail password recovery email to the .mac account. Two minutes later, an email arrived notifying me that my Google Account password had changed.

At 5:00 PM, they remote wiped my iPhone

At 5:01 PM, they remote wiped my iPad

At 5:05, they remote wiped my MacBook Air.

A few minutes after that, they took over my Twitter.

The full account of his travails is terrifying for anyone who lives a largely digital life. In fifteen minutes, Honan lost most of his digital property (photos, emails, documents and so on), and most of his ways of communicating with the outside world. Not just email and Twitter, but phone calls and text messages.

How it happened has only become clear since Friday, and presents a worrying picture of security at Apple. The initial breach, in Honan's iCloud account, was done by someone who successfully convinced Apple support to reset the password without knowing the original password, or any security questions associated with the account. Simply put, that should not be possible. From there, however, a series of easily made but unfortunate decisions allowed it to spiral out of control.

What's particularly scary about Honan's situation is that, in a number of ways, he followed best practices. His iCloud account password was unique, alphanumeric, and never got leaked or cracked. Yet he still lost everything. But there are two things which may – just – have been able to improve the situation.


It sounds really simple, and you have in fact probably been told it before, but back-up. Back-up everything, and preferably back it up more than once. As Marco Arment says, if you can afford a MacBook Air, iPhone and iPad, you can definitely afford an external hard drive.

More importantly, don't confuse what are two separate services: back-up and syncing. If all your precious photos are stored on Dropbox or iCloud, that protects you against some types of data loss – dropping your laptop in the bath, that sort of thing – but not others. And frankly, most data loss these days isn't hardware or software failure but "wetware" – your brain. It's when you delete a file, and empty the trash, and only then realise that you actually really wanted to keep that piece of data (yes, I have done this (with my entire Applications folder (it hurts))). If you are using a backup service which deletes the backup when you delete the original, that's not a huge help. And even worse is that many of them will delete the original if you delete the backup.

This is especially useful if you have a service – like iCloud – which allows remote wiping. If you turn on a switch which allows all your data to be erased, it's probably worth making sure you have a plan in case you have to hit that switch. If you don't keep back-ups, turn that off.

Password resets

If you are sensible – and many people aren't – you'll have different passwords for every service. Honan did. The problem is that although that removes most possibilities for losing multiple accounts, it doesn't take away the weakest link. If LinkedIn gets hacked, that password shouldn't be able to gain access to anything else, but if your email account is hacked, you may well be screwed. Most services are designed to allow anyone with a password or access to the registered email account to log on. Making the former secure and then leaving the latter open is not the best move. So what's the best thing to do?

Step one is to make sure that the email address password resets go to is the most secure possible one. For most people who don't have extra-strong security needs, that means a Gmail account with two-step verification. Every time you try to log on from a new computer, you get sent a text (or check a special app) with a code to finish the log-in. Unless someone steals that as well, you're safe.

Step two is to remove password resets from that address. There's no point having a secure email address if you can reset the password by requesting it from a less secure one. Step three is to stop using it for anything but account registrations. It will be impossible to keep it totally secure, because of the number of services which still identify you by your address, but it's better than handing it out to everyone.
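To check your own accounts against steps one and two, you can write down where each account's password reset goes and walk the chain. The sketch below is an added example, not something from Honan's account or any provider's tooling; the account maps, the "vault" mailbox and the function names are constructed for illustration.

```python
from collections import deque

def blast_radius(recovery, start):
    """Accounts an intruder can reset after taking over `start`."""
    # Invert the map: mailbox -> accounts that send their reset mail to it.
    resets_from = {}
    for account, mailboxes in recovery.items():
        for mailbox in mailboxes:
            resets_from.setdefault(mailbox, []).append(account)
    seen, queue = {start}, deque([start])
    while queue:
        for nxt in resets_from.get(queue.popleft(), []):
            if nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    return seen - {start}

def audit(recovery, two_step):
    """Findings for step one (secure reset mailbox) and step two (no resets on it)."""
    findings = []
    for account, mailboxes in recovery.items():
        for mailbox in mailboxes:
            if mailbox not in two_step:
                findings.append(f"{account}: resets go to {mailbox}, which has no two-step login")
    for mailbox in {m for ms in recovery.values() for m in ms}:
        if recovery.get(mailbox):
            via = ", ".join(recovery[mailbox])
            findings.append(f"{mailbox}: reset mailbox can itself be reset via {via}")
    return sorted(findings)

# Constructed inventory: account -> mailboxes that receive its reset emails.
# Loosely modelled on the chain in the article; the exact links are assumptions.
BEFORE = {"icloud": [], "gmail": ["icloud"], "twitter": ["gmail"], "amazon": ["icloud"]}
# Hypothetical layout after the three steps: one registration-only mailbox.
AFTER = {"vault": [], "icloud": ["vault"], "gmail": ["vault"],
         "twitter": ["vault"], "amazon": ["vault"]}

if __name__ == "__main__":
    print("before, icloud taken over:", sorted(blast_radius(BEFORE, "icloud")))
    print("after,  icloud taken over:", sorted(blast_radius(AFTER, "icloud")))
    for line in audit(BEFORE, two_step=set()):
        print("finding:", line)
```

In the "after" layout everything still hangs off the one mailbox, which is why step one asks for it to be the most secure account you have and step three keeps its address out of circulation.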

But the question that still remains is whether Apple and iCloud can be trusted at all. Following Honan's story, it certainly seems a bad idea to link any other accounts to your iCloud. Until the company responds, however, we can't know quite how bad it will be.


Mat Honan has now made public just how the hack happened, and it's even scarier than we thought. There are severe security flaws in Amazon and Apple's password reset procedures that allow someone to take over both accounts with just your name, email address and billing address. This is not, by any stretch of the imagination, confidential data – yet until those procedures are changed, it would be best to treat it as such, and to attempt to limit the amount of damage which would happen if those accounts were compromised.

How to trick Amazon:

First you call Amazon and tell them you are the account holder, and want to add a credit card number to the account. All you need is the name on the account, an associated e-mail address, and the billing address. Amazon then allows you to input a new credit card. (Wired used a bogus credit card number from a website that generates fake card numbers that conform with the industry's published self-check algorithm.) Then you hang up.

Next you call back, and tell Amazon that you've lost access to your account. Upon providing a name, billing address, and the new credit card number you gave the company on the prior call, Amazon will allow you to add a new e-mail address to the account. From here, you go to the Amazon website, and send a password reset to the new e-mail account. This allows you to see all the credit cards on file for the account -- not the complete numbers, just the last four digits. But, as we know, Apple only needs those last four digits. We asked Amazon to comment on its security policy, but didn't have anything to share by press time.


Alex Hern is a technology reporter for the Guardian. He was formerly staff writer at the New Statesman. You should follow Alex on Twitter.


“There will be an absolute meltdown in 2020”: what’s holding back the introduction of electronic voting?

The government's reluctance to implement electronic voting will affect our future, and – in the case of Brexit – may have already dramatically affected our past.

Imagine, just for a second, that the situation was reversed. Imagine if, for a hundred years, we had scanned, swiped, and tapped our votes into a secure, fool-proof electronic system and someone waddled along and said, “Alright lads, how about we try pencil and paper?”. How about we desperately try to find a spare hour to shuffle to the village hall in the rain and scratch an “X” onto a scrap of paper with a stubby bit of lead, and then let a volunteer named Deidre count it at two am? What could possibly go wrong?

If you picture this scenario – posited by my colleague Anna – then it quickly becomes clear how ridiculous it is that the UK has not yet implemented electronic voting in any lasting way, shape, or form. Not only are we not on board with popping online to vote, we’re also reluctant to use technology when it comes to marking our ballots, authenticating voters’ identities, and counting votes. Despite the success of electronic voting in countries such as Brazil, Estonia, and India, the UK continues to reject reform. Why?

“I think the problem is political at the moment,” says Mike Summers, the program manager at Smartmatic, an electronic voting company who have run three national elections in the Philippines, have a 15 year contract with Belgium, and have counted around 3.7 billion electronic votes in 12 years. “I think there is a fear that if you enfranchise groups of younger people, then you don’t necessarily know how they’re going to vote.”

We can, however, make a pretty good guess. Smartmatic’s own research shows that 57 per cent of 18-24 year olds would be more likely to vote if they could do so online and 55 per cent said they would have used online voting at the last general election. As Labour's vote share could have been boosted at the last election if only more young people had turned out to vote, this might make electronic voting an uninviting prospect for Theresa May.

“Prior to the last parliamentary election the Labour party were vehemently in favour of electronic voting,” says Summers. “Things are moving very slowly compared to other developing and developed nations so our reading of the situation is that it’s a largely political one.”

The consequences of this inaction are severe. Holding off on a voting system that provides greater accessibility to all compromises the very notion of democracy, but it also has potentially more immediate repercussions. “In 2020 everything is going to hit the proverbial fan we’re going to be a laughing stock,” says Summers.

The reason for this is the wide array of elections scheduled for 2020. Not only will there be a general election, there are also police and crime commissioner elections, the London Assembly and the London mayoral elections, and also local elections. “There is real concern that because of the complexity of this event there is going to be an absolute meltdown.”

Electronic voting would help prevent such a meltdown by ensuring, among other things, that voters couldn’t accidentally mark a first past the post ballot with a preferential voting system (or vice versa), that votes could be counted faster, and that overseas votes would not be lost in the post. The last is of particular importance as the government are now planning to scrap the 15-year rule that bans long-term expatriates from voting in UK elections.

“That’s a potential five million additional expats who will be eligible to vote,” says Summers, “How are you going to service them?” The answer to that is via the postal vote, and the limitations of this traditional method make the case for electronic voting even stronger.

“Postal voters authenticate themselves with a signature – mine is easily forgeable – and their date of birth,” says Summers. “The traditional methods are not secure. With online voting we can use facial biometrics to compare a person’s digital facial portrait – a selfie, if you like – with their ID, and we can verify there is a match.

“The next problem is security, and putting your ballot in an envelope is not secure. We have very, very strong application level cryptography. The moment a voter casts their ballot we encrypt it on the voting side and digitally sign it as a method of proving the integrity. Additionally, when postal voters put their vote in the post box they have no way of checking it was received or counted, so you have no verifiability. We have a number of tools that voters can use to verify their vote was received and was included in the final tally.”

Nowhere is the importance of the postal vote clearer than in the case of Brexit. “You could argue that the outcome would have been different,” says Summers. “Lots of expats voted by post and a lot of the votes didn’t come back before the close of the election count. We have an office in Amsterdam and one of the guys plays in a local rugby club in The Hague. There are ten Brits on that team and six of them received their postal vote after the close of the election. If you’re an expat living overseas then are you going to vote for or against Brexit? If those voters had voted then the outcome could have been completely different.”

Yet the benefits of accuracy, transparency, verifiability, and accessibility are easily side-lined by one bloodcurdling word. Hackers. If Hillary Clinton’s emails can become your bedtime reading, isn’t it possible – nay, probable – that elections will be hacked, falsified, and corrupted?

“The easiest election to hack is a paper election,” says Summers. “It is important to educate people on the difference between election information systems, which the DMC use, and voting systems. The protections of voting systems are above and beyond anything you will use in any other online application, including online banking and ecommerce solutions.”

As a representative of Smartmatic, Summers would say this, but they and other companies have created a wide variety of solutions which – even if imperfect – are vulnerable to fewer mistakes than Deidre in the village hall. Even if there are flaws, it seems important to iron these out now – before 2020 – to ensure the success of electronic voting in the future.

Although the House of Commons’ Commission on Digital Democracy recommended that the UK should adopt electronic voting by 2020, there is little evidence that steps are being taken towards this goal. “I’d love to turn around and say I think steps are being taken but there is a lack of willingness to acknowledge the shortcomings that we have in terms of UK elections,” says Summers. For now, then, the debate rages on. Should we stick to the tried-and-tested, or should we transform the electoral process forever? I know – let's vote on it. 

Amelia Tait is a technology and digital culture writer at the New Statesman.