Episode Transcript
Available transcripts are automatically generated. Complete accuracy is not guaranteed.
Speaker 1 (00:04):
Welcome to TechStuff, a production of iHeartRadio's
HowStuffWorks. Hey there, and welcome to TechStuff.
I'm your host, Jonathan Strickland. I'm an executive producer with
HowStuffWorks and iHeartRadio and I love
all things tech. And today we're gonna talk about a
really pretty serious issue about hacking and personal information. That
(00:28):
this was inspired by a real world incident that happened
several years ago. This particular episode actually originally published on
September three, two twelve, and at the time it was
extremely topical. But I would argue that the message behind
the show is one that we still should heed today,
even though the actual incident now is more than seven
(00:50):
years old. But this episode was called More Data, More Problems,
and I hope you enjoy now when we're recording this,
it's in August, early August twelve. It's August ten, actually,
and earlier this week, there was a news story that
broke throughout the Twitter sphere really first and then beyond
about a tech journalist named Matt Honan who has written
(01:15):
for various UH publications including Wired, and how he had
his essentially his entire digital life hacked over the course
of about thirty minutes and uh, and to kind of
explain what happened. First, we'll sort of talk about the
(01:35):
way he discovered this through his personal experience, and then
how the hackers did it, and then what needs to
happen so that we protect ourselves against such things happening
in the future. So to start, he was he was
playing with his kid and he noticed that his iPhone
had shut down. It was so it crashed essentially, and
(01:58):
he thought, oh, well, that's annoying. I guess I'll have
to go and uh connect it to my computer, restore
from backup and just get this thing going again.
He didn't really think much of it, because you know,
technology occasionally fails. Yes, So then he goes and he
goes over to his computer and tries to start that up,
and that also isn't loading up properly. It's asking him
(02:20):
for information that he doesn't have and it won't accept
his password, and so he's thinking, well, that's weird, but
he doesn't again panic yet. Uh. He then thinks about
trying his iPad, which also isn't working, and he tries
logging into his Google account using a different computer, and
(02:41):
that also gives him a failure, and it's at that
point where he's thinking something seriously wrong is happening, and
eventually he starts noticing that his own Twitter handle is
posting stuff uh, and he's not the one doing it,
and so he can't access his Twitter account anymore either.
And they are these horrible Twitter messages with various you know, uh,
(03:07):
inappropriate tweets going out things that are racist or homophobic
or having lots of foul language in it um and
it's just, you know, it's it's just beyond his control.
He gets on the phone with Apple trying to find
out what's going on, uh, to explain that his his
(03:28):
account has been hacked, and it takes him quite some
time before they're able to sort this out. Part of
the reason is that they, for a while, were looking
at the wrong account. They had his name wrong, and
so they were looking at an account that had none
of the issues he was explaining. And then when the
Apple representative repeated his name back to him, that's when
(03:50):
he said, wait a minute, that's not who I am.
I'm Matt Honan. You've got the wrong name. And then
once they switched their focus, then they started seeing oh,
well before you called in, and actually I think Honan
had to ask about this. They didn't. They didn't volunteer
this information. But before Honan had called in, someone else
had called in to regain access. They said, to regain access.
(04:14):
Really it was to gain access for the first time.
It was the hackers who had called in too, because
they had claimed that they no longer had the password
or security question answers, so they could not get the
password normally. They were trying to get into his dot
me email right and the the reason for all of
this is probably the craziest part of the story, although
(04:37):
the pathway of how the hackers got to the point
where they were able to do all these things. You know,
once they got access to his iCloud account, they were
able to do things like wipe his devices, which is
what happened. They wiped his iPhone, his Mac, and his
iPad in part to prevent him from being able to
head them off. While they were going down this trail
of hacking his digital life. They were also able because
(05:00):
of the way he had interconnected various accounts. They were
able to do things like reset his Google password, send
the message to the dot Me address, which they already
had access to. Yes, because they had gained it from Apple.
Once they got the password for the Google account, then
they were able to get the password for Twitter because
(05:20):
that's where he had his Twitter account attached to his
Google account, So it was kind of a leap frog thing, right,
he would they could do a password recovery from one system,
It would send the message to one of the email
addresses that was already compromised, and then they would get
access to the next thing. Turns out what the hackers
were interested in from the very beginning was getting hold
(05:42):
of his Twitter account and posting these messages. That's really
just for laughs. That's all they really wanted to do.
They weren't really out to make a big show that
you know, it should be Matt Honan that should suffer
for this. Uh. They had nothing to do with Gizmodo,
which Honan had written for, and his account was linked
(06:04):
to Gizmodo's account. It never been unlinked, even though he
no longer wrote for Gizmodo, so they also had access
to Gizmodo's Twitter account and hijack that for a while.
Um so, you you know, it turned out the only
reason they wanted to get his Twitter account was because
he had one of the most rare things in Twitter.
A three letter Twitter handle, yes, you know, because most
(06:28):
people had to go with a longer Twitter handle because
of course, once one's taken, it's gone. Yes, so people
who managed to land one of those three letter accounts
are rare, and so they thought, oh, this is that's
that's why they targeted this particular Twitter account. Had nothing
to do with him personally, had nothing to do with
who he worked for, and had nothing to do with
the fact that he was a tech journalist. It was
(06:49):
just because his Twitter handle was three letters long. And
that's crazy to me. First of all, that you know
that that was the that they were were willing to
go through, the steps that they had to go through
in order to get this one Twitter account. Well, that's true,
although it only took them a little less than an
hour to accomplish. Once they had, once they had determined
(07:12):
their route of attack, it was all over. So the
way they did this was not through any kind of
crazy sit down at the computer, type in the password
three times and then you managed to get in type thing.
And it certainly wasn't a Hollywood style hacker brute force
attack where there was uh, you know, some group of
(07:36):
of hackers trying everything they could to brute force their
way in. Yeah, it wasn't like a computer program that
was just running password after password and you see the
little like digits flip up each time you hit one.
That's correct, That wasn't what happened. What happened was much
more simple, really in a way, because it had nothing
to do with using code. It has everything to do
(07:59):
with manipulating systems, but from a person perspective, not
or or a policy perspective, not from a technological one. Yeah.
And it's it's also clear that although Apple's security procedures
are in part at fault, um, they are not
the only ones the hackers targeted to get more information
(08:20):
on on Honan and that um, it just so happened that, uh,
the information they needed coincided across multiple companies with his accounts,
and once they got some information from a couple of places,
they were easily able to go in and fiddle with
other stuff. There are really three parties that are I
(08:43):
don't want to say at fault you don't blame the victim.
There are three party There are three parties that made
this possible for the hackers to get the access to
to the accounts. One of those is Honan himself. Yeah,
and he freely admits that, yes, if you he has
written an incredible uh uh article that that documents this
entire process and what he went through. He he blogged
(09:06):
about it when it happened, but then he wrote up
a much more comprehensive account of it for Wired and
uh and it's a very interesting read. I highly recommend
you read it, especially if you're concerned with your own
potential security computer security. So he was at fault and
not at fault. He was. He some of his choices
(09:26):
made this possible. Uh. The Amazon, Amazon dot Com also,
its policies made this possible, and Apple's policies made this possible.
So those three parties together made it possible for the
hackers to achieve this and uh and it's kind of
interesting how how they came about it. Yeah, and and
(09:50):
some of the irony as we get into this, is
that some of the very things that made this possible
are in place specifically to make it more difficult for
someone to steal identities. So it actually uh, some of
these some of these procedures actually worked in exactly the
opposite way in which they weren't intended when they were implemented.
(10:15):
So the way this started off was it was fairly clever.
So they they first they started the hackers did a
little recon work and they wanted to find out, um
about how they would get uh the access to the
Twitter account. And then they were able to find out
(10:36):
Honan's uh email address because he has a website. They
went to the website, they did a WHOIS lookup
on Honan, which gave them two things, like two
things they needed. They needed the email address and they
needed his physical address. Yeah. Now, if you register a
domain name, you are required to have contact information available. Um,
(10:59):
and that information is publicly available now um some well
we could talk about that too, but anyway, the the
WHOIS record for the domain had his information in it. Yeah.
So once they had that information, the Google account and
the just the email address didn't have access to the
account yet. Um. They figured out that the Twitter account
(11:21):
was linked to the personal website. That's what That's where
they found the Gmail address, That's where they found the
physical address. And then they started to look at the
account recovery for a Google and without actually sending in
a recovery request, they saw that the address, which was
only partially obscured per Google's policy, was an at me dot
(11:45):
com email address. That was the recovery address. Yeah, well
that's an Apple thing, right. So that's where they said, Ah,
now we know how to get at him because it's
because his Google address, uh will go back if we
did a password recovery, because that will go to an
Apple address. And because we know how to manipulate the
(12:08):
system so that we can get access to his Apple account.
It's all over. And the way they got access to
the Apple account was kind of interesting. Now, they did
not have the password, they did not have the answer
to security questions. So calling up Apple and getting access
to this account would require that they have some other information.
(12:29):
What Apple requires is that you have to have the
billing address and the last four digits of the credit
card you used to establish that account. So what the
hackers did was they said, well, there's a good chance
that the same credit card this guy used to establish
his iCloud account is the one that he uses for Amazon.
(12:55):
And so instead of calling Apple first, they called Amazon first,
and they said that they wanted to add a credit
card number to the existing Amazon account. That's right, So
they weren't trying to get the credit card number. They
wanted to add a credit card number, right, So then
they add a credit card number to the Amazon account.
(13:15):
Then they hang up. Then they call Amazon back and
they say that they have lost access to their account
and that they will provide the name, the billing address,
which they already have from the WHOIS lookup
of the website, and then the credit card number they
gave at the at the call they made earlier. So
(13:37):
there's now this credit card number that is legit because
they provided it. It's not the same one that was
used to establish the account in the first place. So
then Amazon says, oh, all right, well we'll send you
the password to the account. Here's which email address you
wanted to go to. So they hackers give their email
(13:58):
address or an email address that they have created for
the purposes of this hack. So now Amazon sends the
log in information to UH to Amazon dot Com to
that account, to the email they log into the Amazon
dot Com account, and then they look for the other
(14:18):
credit card number, the one that was actually used to
establish that account. So this is Honan's actual final four digits,
because those are unmasked in the Amazon dot Com system. Yes,
they mask the rest of it, right, Yeah, the rest
of the numbers are masked. So it's not that the
hackers ever had access to the credit card, other than
they could have bought a whole bunch of stuff on
(14:39):
Amazon and had it sent somewhere. But that's all. That's. Yeah,
that's what they could have done if they had wanted to,
But they could not actually pull the credit card number
itself other than the last four digits. But those last
four digits are what Apple needs for account verification, right,
So they take those four digits, they've got the billing address,
(15:00):
they give a call to Apple, they give that information,
and because Honan used the same billing address and the
same credit card for both services, Apple said, oh, well
then you're clearly this guy. We will send you the
account retrieval information to your email address. So then they
now have the way to log into Honan's iCloud account.
(15:23):
They do that. That's where they then disable his devices.
They wipe them to help slow things down so they
can continue to do this stuff. Now they have access
to his Apple email, they have access to his Amazon account.
That's when they go to the Google password recovery asked
for the recovery information so that they can access his
(15:45):
Google account. Well, that goes to his Apple address, which
they already have access to. The information comes to the
Apple address, they go into the Google account. They immediately
delete the password recovery UH email out of his account
so that if he has any other devices that would
alert him that his password had been changed, that he
(16:08):
would not be aware of it. So they they hide
that they changed the password, so that now they've locked
him out, they have access to his Google account. They
then were able to go and get access to the
Twitter account. Um, this is kind of scary, and again
it has nothing to do with sitting down and coding stuff.
It is hacking. You're hacking a system, but you're doing
(16:31):
it more through social engineering and manipulating policies and systems.
So if you guys remember we had that discussion and
I think it was episode three ninety nine where we
interviewed Brian Brushwood and we talked about social engineering. Now
with Brushwood, his approach to social engineering is more about
you know, having fun and uh, like, you're in a
(16:52):
social situation where you you know, you never have to
buy a drink because you're doing these cool things and
convincing other people to buy drinks for you, or you know,
you're doing something so that you can get the phone
number of someone you're interested in. So you're still social
engineering people. But it's not necessarily this as nefarious as
as what these hackers were doing. Yeah, and it's not
(17:15):
typically what one thinks of when one thinks of identity theft.
I mean again, Um, a lot of us would look
at the specifically maybe the Amazon portion of this or
an online retail portion of this and say, oh, well,
they got access to his credit card number, they can
buy stuff well you and and in a lot of
cases that maybe what a hacker might try to do.
(17:37):
After all, we have talked about uh online systems being
hacked for financial information and financial gain, but that's not
the point of this. Um, the system that I was
speaking of a few minutes ago, when I was saying
that ironically, some of these things were turned against him
tools that would be used to protect him. Um, if
(17:59):
you're not in an Apple customer, you may not be
aware there's a there's a uh an iCloud system
called find my and there're a couple of them like
to find my iPhone. Yeah. Um, so let's say Uh,
you know, we're talking completely behind here. Let's say you
have an iPhone and your kids run off with it
(18:21):
and stuffed it somewhere in some piece of furniture or
dropped it and or you left it in a cab,
or you left it in a cab. Well, if you're
if you're Natalie Dell Conti, well yeah, um, well, I
was going to start with the the easy one. You
can make it. You can make your phone make a
noise so you know it's in the house, but you
can't figure out where it went. I'd like to have
(18:41):
one of these for my keys and maybe the remote.
But you know you can you can make it make
a noise, or if you've left it in a cab,
you can have it tell you roughly where it is. Uh.
This is especially useful if you can't remember if you
left it in a cab, or if you at a
restaurant whatever, or you know, you were at bar and
you had a prototype version of the newest iPhone and
(19:05):
it was sitting on the stool next to you when
you were sitting there at the bar, but then when
you turned around, it was gone, and then it ends
up at some tech blog. Yeah, that could happen. Yeah,
there their Twitter feed could be hacked too. UM. But yeah,
I mean, so you can find out where it is.
You can have it make a noise so that if
it is in the same location as you are, Uh,
you know you can you can track it down. UM
(19:27):
if you don't know where it is, Let's say you
did leave it in a in a bar somewhere and
uh you say, oh, well, you know it's not I
don't know where that is, and you could see a
location it shows you on the map where where it
might be. Oh, it's no longer in my control. It's
somewhere where I don't know where it is. I'm I
have sensitive information on there. My my calendars on there,
my contacts are on there. Um as as Honan himself said,
(19:51):
you know he had um information from many other tech journalists. UM,
so he might just let's say he was still in
control of his accounts, but no longer in control of
the device. He could say, wipe this device. I don't
want anything on it anymore, you know, I want to
wipe it clean so that nobody else gains information in
(20:11):
my personal stuff. It's only a matter of time before
they figure out my my pass code, wipe it clean.
You know, you can tell it to do that and
will remotely do that. Apple has added that for the
Mac to find my Mac. So in that case, let's
say he had corporate information. Many companies have have this
(20:32):
policy in place. Yes, you can check your corporate email
on your personal device, but if you do that, um,
we retain the right to wipe the information on the device.
If it should fall into somebody else's hands. Or let's
say that you were to uh, you were to to
either be fired or you you know, you left or whatever,
(20:53):
they might retain that right so that they can protect
themselves as a corporate entity. Yeah, so there there are
positive reason uh to be able to do this in
this case. Once the hackers gained information about his account
and were able to get access to his account and
lock him out, um, they also chose to completely wipe
(21:14):
his phone, his iPad, and his Mac laptop. And in
doing so, they not only wiped out any you know,
corporate information. He's he's a freelance writer, so any articles
he might have been working on that were on his
hard drive gone. He also lost a year's worth or more,
I guess the photos of personal photos personal stuff that
(21:38):
that he had created. And yeah, this leads us to
the the thing that we have said a billion times
on this podcast that is an exaggeration, but back up
your data. Yeah, and he admits he admits he was
not regularly backing up his hard drive. This is not
to pick on him or anything else. It's something that
(22:00):
he wishes in retrospect he had been doing on a
regular basis. Because, um, oddly enough, this is where this
this is where the story takes an unusual turn. He
has been in contact with his hackers and has agreed
not to in return, they were telling him how they
did it. Yes, and uh, I think first of all,
(22:21):
the first thing we can agree on easily is that
Amazon has to change its policy. Well, yeah, because because
that's the first step that means that anyone could access
anyone else's Amazon accounting. This Well, um, I wasn't going
to get there quite yet. I wanted to make the
point that this is where it kind of gets a
(22:43):
little weird, because they they shared all this information with him.
This is how he was able to write such a
comprehensive post on onn Wired about it was. They told
him what they were doing, what the point of it was, Um,
they admitted, look, you know, we weren't trying to steal
your your stuff. We weren't really trying to wipe out
your your personal life. We have nothing against you personally.
(23:06):
We wanted your Twitter account. Um. The guy that that
that he talked to primarily UM was saying, essentially, hey,
you know, my partner was the one who wiped out
your computer. And now that you tell me, all your
personal files, your your the pictures of your your kid
were on here. I'm really sorry. I'm actually really sorry.
(23:29):
I didn't mean to to cause you personal harm as
a result of this. And and they say, now, I
don't know, you know, I don't know whether their motives
are are as pure as they say. You know, they
say part of it was that they wanted to point
out that it really is this easy to hack into
your personal account. They wanted to draw attention to that. Now,
(23:50):
I say that all the time. I suspect, based upon
the messages that they posted on Twitter, that that's something
they they that's covering the tracks. I think they were
doing it for the kicks. Yes, exactly. Well, if you're
looking at again, if you're reading the Twitter, the Twitter
posts that he that were posted under his name, and
(24:11):
there were a lot that he left there. He says,
I wanted to keep a record of it. He did
delete some because they were overly hurtful offensive. Yes, and
he said, you know, these could actually cause people to
feel badly about themselves, and I don't want that. I
do want there to be a record of what had happened,
but not at that, not that, not at the expense
of someone else's feelings, um, other than my own obviously.
(24:35):
So then he went out and he deleted the ones
they felt were particularly offensive, and then the rest he
left up. If you read those, I think it's it's
pretty hard to defend yourself with. I'm just showing how
the system can be hacked. It's more than that. It's
also hey, you know, ha ha, we did it, you know,
(24:56):
And and it's so it goes beyond that. And I
think it's very telling the hacker he got in touch with,
assuming that the what he the information he gave was
accurate about himself, about the hacker himself as a young
guy nineteen years old, might not quite really get be
mature enough to realize, you know, what the consequences are
(25:20):
of those actions. And what how they could affect the
target beyond just oh, you know, they're thinking, we have
a goal, we want to get hold of this Twitter account.
They're not thinking of what consequences are going to be
felt by the target beyond just the fact that our
Twitter handle has been taken over. And so some of
them may just be that they were very narrowly focused
(25:42):
on what they wanted to do and they didn't really
consider what could happen or how it would feel for
that sort of stuff to happen to a person. Um.
So that's that's something there too, and we see that
a lot. I mean, there are a lot of hackers
out there who because they can do something, they'll do
it and they don't realize or they don't care what
the consequences of that action are going to be to
(26:04):
the people who are also involved in that whatever that
situation is. Hey, guys, Jonathan from two thousand nineteen, just
interrupting this episode to say, we're going to take a
quick break, but we'll be right back. So maybe maybe
now this According to the article, it sounds like this
(26:28):
guy is at least a little remorseful, and remorseful yes,
that he's feeling some remorse for this, and you know,
we don't know if really, like he was at all
culpable in the actual deletion. He claims that it was
the other guy who did it, but you know, you
never know. So it's interesting to look at that. And
(26:53):
you know, if if you kind of put yourself in
the shoes of the the hacker, um, you know, especially
if you're thinking of somebody who is doing it for
for fun, to mess with somebody, and and the person says, hey, look,
I'm not going to press charges against you, but I
want to know how how you did it. He started thinking, hey,
this guy is working with me. You know, the heat
of the moments off, the sense of accomplishment you get
(27:16):
from hacking in and gaining access to all this information.
You know, after the fact, you've had a chance to
cool down, they've had a chance to cool down. You
start thinking about it like, well, you know what, this
guy is not angry enough with me to to press
charges with the cops. You know, we kind of damaged
this guy and he's willing to talk to us about
(27:37):
it and share the story online. You know, they kind
of got something out of it too. They kind of
got a little anonymity anonymous press, so they get to
point to themselves and say, hey, look he's talking about us.
He doesn't seem like such a bad guy. I guess
we kind of you know, burned a lot of stuff
of his online that kind of stay ex We were
(28:00):
really kind of doing it for the fun of it,
and now it's so much fun as a decent guy.
Now you know that there's a real person on the
other end of that account. That's the other thing is
there's a dehumanizing effects sometimes with the whole you know,
you don't really identify the fact that there's a person
on the other end of these accounts. Sometimes you don't.
It doesn't the concept isn't fully formed. For for a
(28:23):
lot of us, we would have gone out and if
we had found out who did it, we would have
pressed charges. We would have wanted to take them. Now
some of us would have re enacted the film taken
but I will find you. But yeah, that that's that's
what makes this story more interesting than other hacking stories,
I think is that that it's got a humanizing factor
(28:46):
to character for both parties. The person who or people
who took advantage of of Honan and Honan himself, and
it does point to security issues. Now, these are sitimate
for UM. You think about your Amazon account, for example,
Let's say you don't have anything else except an email
(29:07):
account and an Amazon account. By and large, you probably
wouldn't have a lot of these security issues. The security
issues that Amazon would have in place would make it
very difficult for them for someone else to get that
information from them. But then you start sharing. You start
using this UM email address with Amazon and every other
(29:28):
company that you do business with online. That makes your
email address a a key to getting information from other companies.
And then you start doing business with other pieces. You've
got the same credit card number across these different companies,
and once you have the last four digits of your
social Security number or a credit card number, that makes
(29:52):
it possible to use that information as a key across
multiple entities. And all of a sudden, if you do
business with a whole bunch of places, they get something
like your physical address, your name, your email address, a
credit card number, any of that stuff, and they've got
the keys to open lots and lots of accounts for
(30:14):
for them to get more information. And once they've hacked one,
they can get information that will let them into lots
and lots of other places. Oh, they have an Amazon account.
I wonder if they have a Barnes and Noble account.
We could find out in about ten minutes. Yea. So
Honan admits that his password was not the strongest. It
was a seven seven digit alpha numeric password, but that
(30:35):
it was one he had used for many years. But
they haven't. They didn't really use it, right, So that's
that's the point of this thing, is that even if
he had had the strongest password in the world, it
would not have mattered because they circumvented that, right. They didn't.
They weren't attacking through that direction. And this this demonstrates
why security is so tough, because you think about the
(30:59):
most obvious point of entry, which would be the log
in right your user name and your password. That's the
most obvious point because that's the way we access our information.
Hackers are looking at a system and saying, what's the
best vulnerable spot to go in at And if the
front door is heavily locked, you look for a window
or a backdoor, You look for something else it's gonna
(31:21):
let you get into there, and not even you just
bypass the place where you've got all the security and
you go in through a different entrance. So when I
said that Amazon really needs to work on its policy,
mainly the reason for that is that the only thing
you need in order to get that that login
recovery information was the credit card number that's associated with
(31:43):
the account, which they did by adding in one the
billing address and an email address, and that's it, um uh.
And in order to add the credit card number, all
you need is the billing address and the email address
that is associated with the account. So you know, using
some guesswork, thinking that okay, well he's got an Amazon account,
(32:07):
he's probably got an Amazon account. He's probably using this
address for that Amazon account. We know his address because
we looked it up from his website. We can create
fabricate a a a credit card using a generator that
creates a realistic but not actually activated credit card number
(32:28):
and assign that to the Amazon account and then use
that to get the entry point. So obviously Amazon needs
to fix that because if all you have is a
person's address, and you have a good guess at what
email address they use for that Amazon account, then you
could do the same thing. And so that's that's a.
That's number one. Number two would be the fact that
(32:51):
Apple uses the last four digits of the credit card,
the billing and the billing address as a security recovery method.
Clearly that needs to to change in some way. Yeah,
I think I think this is a uh they're there
are a couple of things. Now, if you read uh,
there's an account on Honan's Tumblr and if you want
(33:13):
to read some truly hurtful comments, I would suggest reading that.
Um because some people blame him for owning Apple devices,
which is ridiculous. In fact, that the one that that
bugged me probably the most was the one that said,
serves him right for owning iCrap. And I'm going
you know this, this really could have happened with pretty
(33:34):
much any manufacturer or it's just I mean, Apple had
policies that they were able to leverage. That's not to
say that other companies don't have those same policies, and
it's just that Apple's were well known to them. So
that's how they, once they saw the me dot com addresses,
said all right, we know how to do this. Yeah.
And the thing is, I would say the vast majority
(33:57):
of online retailers or or companies that have that offer
services online. UM, I mean they knew how to get
into a Google account too, um, and a lot
of them have the same policies. So if you can
get as they did, if you can get one piece,
then you can apply it to other pieces and get
information from them and put the whole puzzle together that way.
(34:21):
So it's not while while I've seen people singling out
Apple and Amazon, um, and they should to some
degree be uh considering new stuff, it's not just their fault.
The catch twenty two here is once you make an
account so locked down that it's extremely hard to get into,
(34:44):
it's also hard for you to get into when you
do forget your password, when you do forget what credit
card you used. Say you've got ten credit cards. UM,
let's say you you shredded one of them because you
don't use that card anymore. But that's the one that
you set up the account with two years ago. Now
you can't get back in. So and so if they
(35:06):
lock it down this too hard, then you can't get
back in either. So that's why they make a Yeah,
that's why they make those those pieces available. Well, can
you tell me the last four digits of your social
Security number. Oh yeah, I know those. Well they got
that from somebody else. So there there's a catch twenty
two here. How how how secure is secure enough and
(35:28):
not too secure to lock you out forever? So so
there there is that is a challenge. UM. The part
of it is to UM when we're talking about the
domain name. They were able to get information from his
domain name, UH, and you can. There are things you
can do there too. UM. A lot of the services,
(35:50):
the places where you can register domain names offer a
secure UH service where you pay an additional fee per
year or or per however often you you renew your
domain name, that will lock it down so that it
has a Basically the the registrar is responsible for it.
So if you want to contact the owner of the
domain name to say make them an offer, Hey, we
(36:12):
want so and so dot com. You've got it, Can
we offer you ten thousand dollars and buy the domain
name for you? It would go through your registrar and
you would get contacted for it. But your information is
not the information out there, so there's a proxy between
you and them. UM. That would have helped him too,
If he had had something like that in place, it
would have helped lock it down. Google, um, the, uh,
(36:36):
it's it's kind of interesting because what Google showed them
was uh M, star star star star star star n at,
you know, the Gmail name. They were pretty right in
guessing that it was his first initial last name. He
had that address at at several places. He points that out,
and that was that was easy. Could Google fix that
(36:58):
and make it more obscure so that it wouldn't
be so easy to guess? Maybe? Could he have picked
a more difficult name to use as his backup email address? Probably?
But these are there are lots of little stuff that
everyone involved could have done to make it more difficult.
And there's Google also has a two-step verification process.
(37:20):
That's exactly what I was going to mention next, too.
Two-part authentication is, um, is a useful approach. It
also, and I've used it. Yeah, I've used it. It's
so two-part authentication is kind of what it
sounds like. You need. You need to have two different
things in order to be able to access the account.
(37:40):
And a typical approach is that you register a phone
number with whatever the service is, like a cell phone.
You register that cell phone with whatever the service is, and
then when you try to access it, you have to
be able to provide not only the password, but then
an authentication code is sent to your device that you
(38:02):
have registered and you have to insert whatever that that
number is, and then then you can and then and
only then you can actually access whatever the account is.
And that helps a lot because as long as that
device remains in your possession and no one has been
able to intercept it in any way, you should be
(38:24):
fairly safe. So even if they try to reset the password,
they can't get access to it because they're trying through
a different device that has not been registered. Uh, And
then you get that that message. And we've seen very
variations of this as well, not just two-part authentication,
but also registering devices with services like UM Lots of
(38:48):
them do that so that you can look at the
different sessions that are logged in through a particular service
and then if you if you see that there's one
there that you don't recognize, someone might have access to
your account. So, for example, Facebook does this where if
you try and access your UM Facebook account through different devices,
it may tell you, hey, I don't recognize this device.
(39:10):
This isn't something that you've used to access this account
before um, and it'll send an email to you and
let you know if you are that that, hey, someone's
accessing this. Is this you? Because if it's you, it's cool.
But if it's not you, then you need to look
into this. Jonathan from two thousand nineteen again. Uh, well,
(39:31):
you know, we still have some more information to give
you about this particular story, but before we can dive
into that, we need to take one more break. Now. Again,
this is this is a good tool for people who
(39:53):
feel like they may have been hacked. However, let's say
that the person who is trying to access your Facebook account, um,
you know where they're trying to hack into your Facebook
account also has control of your email address. Then when
they say that, hey, is this you, and they send
that to your email address, well they've got that email address, yes, yes,
(40:15):
if it's gotten to that point. It's this particular approach
doesn't really help you. But other things that that you
can do, because there's some things that you can't have
any control over. It's it's the pole, it's the companies
you work with. Well, one, you can choose which companies
you you associate yourself with, but beyond that, you know
you have to hope that they put in the right
(40:35):
stuff in place to protect you. What you can do one,
continue to use strong passwords and don't don't use the
same ones across multiple platforms because it just makes it
way easier if one if one account does get compromised,
it makes it way easier for all the others to
get compromised. It's the domino effect. Yeah, so you we
wanna you want to start picking some pretty tough passwords
(40:57):
and vary them across and change them, um, you
know fairly regularly because the longer they stay, the more
likely you're going to UM encounter a problem. Use some
sort of password manager so that you can keep track
of them all, because I know it is you know,
the flip side of a strong password is it's really
(41:18):
hard to remember. So if you're if you've got lots
and lots of online accounts, then it's going to be
really challenging to keep all those straight. So some sort
of password manager is important. UM Also, think about what
you share before you share it online, because some of
the details you share may also serve as answers to
(41:41):
various security questions, or they may give off other information
that companies use to verify identity, So be careful about that,
you know, don't don't be too free with personal information
if that means that information could be used to circumvent
security systems. One suggestion I've always heard is that when
(42:03):
you create answers to security questions you create, you're essentially
creating another password. You don't you don't answer the question.
You and you put something else in there, and you
put something something unrelated but something you will easily remember,
all right, So something that doesn't have to be a
strong password. In other words, it just needs to be
a keyword that doesn't have anything to do with a question,
(42:25):
but it's a keyword you are guaranteed to remember. So
so for example, if you, uh, maybe I've seen something
that ask for the name of your friend, model of
your first car, you could say something like grapefruit, yeah, which, well,
I know, if I'm asked about my car, I'm going
to say grapefruit. Right. Somebody might go, oh, it's a Chevy.
They might have looked on your Facebook page and you
(42:45):
might have had a thing like this, says man, I
have such great memories of my of my first car,
and then you have a picture of it on there.
But that's all they would need to be able to
answer that question if you use the right answer, the
right or the corresponding answer. So if you've done, say
a thing on genealogy, and you've uh, you know, talked
about your parents and say, well, you know my mother
(43:08):
who was so and so, and it's like, what's your
mother's maiden name? Oh, well, I know it was Stevens
because I saw it on the on their Facebook account.
Well that's pretty easy to track down. Um. And and
speaking of Facebook, uh, it occurs to me that a
lot of sites these days are using Facebook connect or
Google or Yahoo, and you can say, hey, would you
(43:30):
like to sign in with your blank account? Some of
them exclusively do that where you cannot access it unless
you happen to have one of those other accounts. Yes,
Like I believe Pinterest you had to log in through
Facebook when it was when it first started. I don't
know if that's still the case. And Spotify, Uh, Spotify,
you know had had switched to requiring Facebook. Um. Okay,
(43:54):
So if they gain access to your Facebook account, all
of a sudden, they've got access to every other account
that you've used that login with. When they offer
you an opportunity to create a separate log in. Maybe
you should take that opportunity. Yeah, it's a pain. It
is a pain. And the whole point about the whole
Facebook connect is that it makes it much more convenient.
(44:15):
You know, you you know, Facebook loves it because it
becomes the platform for the Internet, and people love it
because it means that it's one less thing they have
to worry about when they want to log in. But
it does mean that there is this point of vulnerability
that is incredibly attractive to someone who wants to get
access to your stuff, because it's going if they get
access to one thing, they get access to a dozen more.
(44:38):
And it doesn't I say Facebook, but like Chris was saying,
it's not just Facebook. Google is the same way. There
are lots of different services that if you have a
Google account you could potentially access. UM. Another another suggestion
I've seen is that there are a lot of services
out there that some of us will sign up for
(45:01):
and then stop using and then forget about um. It
might not be a bad idea to if you never
use those services, it might not be a bad idea
to go back and check and delete those accounts because
those are other points of vulnerability, especially if it's going
to you know, if you do tend to use the
same group of passwords over and over and hackers get
(45:24):
access to something, particularly if it's something that isn't terribly
popular anymore, and maybe as a result, the security measures
aren't as up to date as they could be. It's
a possibility you might want to get rid of that stuff.
So you know that my Space account that you haven't
checked in four years, maybe it's time to just go
ahead and close that out, you know that kind of stuff. Yeah, uh,
(45:49):
and we've already mentioned back up your data. It's also
very important. So yeah, so basic basic tips that you
can follow to try and protect yourself and keeping in
mind that you know, a lot of this also depends upon
the other parties involved. Yeah, and so looking back at
at Matt Honan, did he do something wrong
(46:10):
or you know, deserving of being you know, you know,
really he could have been any of us. And even
though he's a known tech journalist, he you know, sort
of succumbed to being human. You know, he had the
same password, he didn't change it for a long time.
He's probably told he didn't back up and I'm sure
he's probably told people to do that a thousand times,
just like we have. You know, we're all guilty of
(46:31):
doing these little things because they're pains in the neck.
We don't want to do it, we don't have time
to do it. I mean, he's got kids. Time's at a
premium for him, just like it is for so many
of us. Um, you know, is it is it Apple's
fault in particular? Is it Amazon's fault in particular? The
only people who are really at fault are the hackers. Yeah,
it's it's it's the combination of all of these things
(46:52):
together that made it possible. It's the hackers that are
really at fault. Yeah. And the thing is, yeah, we're
all busy and none of us really wants to make
up a new, you know, twenty four digit password for
each thing and worry about them. No, none of us
really wants to mess with that. But the truth of
(47:12):
the matter is that all these systems worked together to
make this possible, and it's true for all of us.
I mean, these these vulnerabilities are vulnerable for all of us.
It's I know that Amazon and Apple both have thought
about this. It's still kind of fresh. Um as the recording. Yeah,
as they're recording this podcast. So you know, neither of them,
(47:34):
I don't think, have made some public proclamation about how
they're going to fix this going forward quote unquote fix
it again. How what do you do? It's not obvious
to do this, so I think the two part authentication
is probably one of the the more obvious approaches. And uh,
well we might see some other elements thrown in there too.
(47:58):
And and however, I have seen people say yeah, and
I turned this on and it was the point I
was making earlier. It made it so difficult that it
took me two weeks to figure out how to get
back into my account, and it was a real pain
in the neck. I got in, but it took me
a while because I kind of, uh laid myself a trap.
So it's it's one of those things where I think
(48:19):
you kind of have to work into it and think
about this stuff when you set it up, and go
back and look at your accounts and see how it's
laid out to fix this for yourself. Yeah, this is
this is why it's really important for companies to uh
to hire white hat hackers who I mean, all they
do is look at systems and try and find ways
(48:40):
to to breach systems so that those systems can be
improved over time. And it's important to get a third
party to do it because when you design a system again,
you may be thinking of the obvious points of entry,
which is where you've really really put in great security,
right like you know, like there's no way anyone's gonna
get through this, at least not in the next five years.
(49:01):
We require people to use non alpha numeric characters. Well,
that's great if they're going to use the password in
case the door. Yeah. So again, that's why you want
to have a third party, because they're not thinking the
way you think. They're thinking how do I get into
this system? Not not how strong do I make this door?
And that wraps up another classic episode. Hope you guys
(49:22):
enjoyed this walk down memory lane and the reminder that
things can get pretty dicey out there. Uh though, sometimes
you can find out that the people who attacked you
aren't really terrible people, but sometimes do questionable things for
weird motivations. I don't know how much comfort we can
(49:44):
take in that, but I guess it's something anyway. If
you guys have any suggestions for future episodes of tech Stuff.
Feel free to reach out and let me know the
email address is tech Stuff at how stuff works dot com,
or pop on over to our website that's tech stuff
podcast dot com. You will find links to our presence
on social media. Over there, you also find links to
(50:05):
all of the archived episodes of tech Stuff, all of
the episodes that have ever published, obviously not including the
legendary lost episodes of tech Stuff. And you also find
a link to our online store, where every purchase you
make goes to help the show. We greatly appreciate it,
and I will talk to you again really soon.
(50:28):
Tech Stuff is a production of iHeartRadio's How
Stuff Works. For more podcasts from iHeartRadio, visit
the iHeartRadio app, Apple Podcasts, or wherever you
listen to your favorite shows.