Over the weekend, technology writer Mat Honan was hacked in spectacular fashion.
Hackers hijacked his Google account and deleted his emails, broadcast racist and homophobic slurs from his Twitter account, and erased data from his Apple devices, including photos of his infant daughter, he said in a first-person account published on Wired.com.
The incident not only exposed embarrassing security practices at two major tech companies -- Apple and Amazon -- but it also offered some lessons to everyday computer users who often fail to secure their email accounts and increasingly store their digital lives in the cloud, experts say.
Use two-factor authentication
According to Honan, the hackers took control of his Google account, erasing eight years of e-mails. But experts say he could have thwarted the attackers at an early stage if he had turned on Google's two-factor authentication feature. (He admits he did not.)
When the feature is turned on, Google sends users a text message containing a code that they must enter at sign-in, in addition to their username and password. This adds an extra layer of security if the password alone is stolen.
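To make the mechanism concrete, here is an added example of the two-step flow on the server side. It is illustrative code written for this article, not Google's implementation: the user record, the salt and the phone number are constructed, and SMS delivery is a stub you can swap for a real gateway. The point it demonstrates is that a stolen password on its own gets an attacker only as far as step one; step two requires a short-lived, single-use code that is checked in constant time and locked out after a few wrong guesses.

```python
import hashlib
import hmac
import secrets
import time

CODE_TTL_SECONDS = 300      # a texted code is valid for five minutes
MAX_CODE_ATTEMPTS = 3       # then the challenge is discarded

# Constructed user store for the demo; only a password hash is kept.
_SALT = b"constructed-demo-salt"          # a real system uses a per-user random salt


def hash_password(password: str) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), _SALT, 100_000)


USERS = {
    # hypothetical account, not anyone mentioned in the article
    "alice": {"pw_hash": hash_password("correct horse battery staple"),
              "phone": "+1-555-0100"},       # constructed number
}

# Outstanding second-factor challenges, keyed by username.
PENDING = {}


def send_sms(phone: str, code: str) -> None:
    """Stand-in for the SMS gateway; the code leaves over an out-of-band channel."""
    pass


def start_login(username: str, password: str, now=None, deliver=send_sms) -> bool:
    """Step one: verify the password. On success a one-time code is generated,
    stored only as a hash, and delivered to the user's phone. Returns True when
    step two may proceed; the session is NOT authenticated yet."""
    now = time.time() if now is None else now
    user = USERS.get(username)
    if user is None:
        return False
    if not hmac.compare_digest(hash_password(password), user["pw_hash"]):
        return False
    code = f"{secrets.randbelow(1_000_000):06d}"     # six random digits
    PENDING[username] = {
        "code_hash": hashlib.sha256(code.encode()).digest(),
        "expires": now + CODE_TTL_SECONDS,
        "attempts": 0,
    }
    deliver(user["phone"], code)
    return True


def finish_login(username: str, code: str, now=None) -> bool:
    """Step two: verify the texted code. Succeeds only if a challenge exists,
    is unexpired, has attempts left, and the code matches; a used or exhausted
    challenge is deleted so the same code can never be replayed."""
    now = time.time() if now is None else now
    challenge = PENDING.get(username)
    if challenge is None:
        return False
    if now > challenge["expires"] or challenge["attempts"] >= MAX_CODE_ATTEMPTS:
        del PENDING[username]
        return False
    challenge["attempts"] += 1
    supplied = hashlib.sha256(code.encode()).digest()
    if hmac.compare_digest(supplied, challenge["code_hash"]):
        del PENDING[username]          # single use
        return True
    if challenge["attempts"] >= MAX_CODE_ATTEMPTS:
        del PENDING[username]          # too many wrong guesses
    return False
```

The `deliver` parameter exists so the transport can be replaced (an SMS provider in production, a capturing function in tests); the `now` parameter makes expiry testable without sleeping. An attacker holding only the password passes `start_login` but cannot complete `finish_login` without the phone, which is exactly the property the article's experts are recommending.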
Graham Cluley, a senior technology consultant at Sophos, said most people don't bother to turn on the optional feature, but they should.
"That way, not only would a hacker need to know your user ID and password, they'd also have to have access to your mobile phone, which most hackers won't have," Cluley said. "It's a great form of protecting yourself, and it's very easy."
Google explains how to turn on two-step verification in its support forum.
Create Separate Apple IDs
Honan said the hackers also broke into his iCloud account to remotely delete the data on his iPhone, iPad and MacBook.
An Apple ID has become the key identifier for accessing the company's various services, from storing data in iCloud to purchasing songs on iTunes to downloading apps from the App Store. On its support forum, Apple recommends using the same Apple ID for all three services.
But the forum also shows how users can create different IDs for different Apple accounts, and security experts recommend it. That way, if their App Store or iTunes account is compromised, hackers can't access sensitive data they have stored in the cloud. In Honan's case, it was photos of his daughter he had not backed up. (My colleague Jason Gilbert offers tips on backing up photos here.)
The devastating consequences of Honan's iCloud account being hacked highlight the tradeoffs of cloud storage, said Harry Sverdlove, CTO of the security firm Bit9.
While the cloud allows people to simplify their digital lives by linking email, calendars, music and photos from multiple Apple devices, it also increases the potential for them to lose much more data if the account is compromised.
"By having everything in the cloud, it makes it that much easier for a malicious actor to really cause havoc in your life," he said.
Companies Should Do More To Verify Users
Security experts also called on Apple and Amazon to improve their security practices.
According to Honan, Amazon's tech support revealed his partial credit card number to the hackers. From there, the hackers used those digits to convince an Apple representative that they were Honan and receive a temporary password for his Apple ID, granting them access to his iCloud account. All of this was done by phone, according to Honan.
But experts say both companies should do more to verify users. For example, the last four digits of a credit card number should never be used to verify someone's identity because those digits can easily be found on paper receipts, Cluley said.
Instead, he suggested companies ask consumers who need to change their account settings to identify some recent things they bought on that account.
"They could ask: 'Which of the following purchases have you made in the last month?'" Cluley said. "That way they could prove they are who they said they are."