Here's the original story that recounts all of the security failings by Mat himself, by Apple, Amazon and Google in detail.
Here are articles about changes that Amazon and Apple are making to their customer care procedures in the wake of this attack,
and here's a good article which gives a lot of good advice on how to avoid being hit by the same or similar fate.
A lot of the advice in the article has been preached by security professionals like me for years. This story is a great illustration of why I think reliance on "security questions" by businesses as a way of establishing the identity of an individual is totally ridiculous in 2012. By "security questions" I mean the type of questions a business asks you like what town you grew up in, or your mother's maiden name, or what year you were born, and so on. The ones they think will really let them be 100% sure it's really you they're talking to. The problem is, anyone can find the answers to these questions about you on Facebook, or by searching other public information sources.
Photo by Dave Delaney on Flickr
The only way that "security questions" can actually work as an effective identification mechanism is if you use intentionally false and random answers that only you could ever know (and you keep a record of them).
For example, if you set up an account and are asked for your mother's maiden name, why not answer "geranium", "roulette", or "haddock" (assuming none of those are correct answers for you)? Make a note of the answer you've given to this organization, and in the future even someone who can google your entire family tree will never find the correct answer in any kind of online public record. You'll be able to supply the correct answer, because you made a note of the answer you gave when creating the account. You did remember to do that, right?
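As an added example (not from the original post), here is one way to put that advice into practice in Python, going a step beyond the text: instead of recording every invented answer, derive each one from a single master secret with an HMAC, so the same site and question always produce the same nonsense answer and only the master secret needs to be kept safe. The word list and the master secret are constructed for the demo.

```python
import hashlib
import hmac

# Constructed demo word list: 32 entries, so one digest byte selects a word
# without modulo bias. A real setup would use a large published word list.
WORDS = [
    "geranium", "roulette", "haddock", "lantern", "velvet", "compass", "walnut", "meadow",
    "saffron", "tundra", "quartz", "falcon", "harbor", "ember", "orchid", "pebble",
    "timber", "cobalt", "marble", "nectar", "juniper", "glacier", "canvas", "thistle",
    "bramble", "sorbet", "cinder", "mallard", "pumice", "lagoon", "vellum", "ripple",
]


def derive_answer(master_secret: bytes, site: str, question: str,
                  n_words: int = 4, version: int = 1) -> str:
    """Derive a fake, deterministic security-question answer.

    The answer is a keyed hash of (site, question, version), so it has no
    relation to any real biographical fact and can be regenerated from the
    master secret rather than looked up. Bump `version` to rotate one answer.
    """
    if not 1 <= n_words <= 32:
        raise ValueError("n_words must be between 1 and 32")
    # Normalise so "Mother's maiden name" and " mother's maiden name" agree.
    label = "|".join([site.strip().lower(), question.strip().lower(), str(version)])
    digest = hmac.new(master_secret, label.encode(), hashlib.sha256).digest()  # 32 bytes
    words = [WORDS[b % len(WORDS)] for b in digest[:n_words]]
    # Two digits from the tail of the digest, for forms that insist on a number.
    suffix = int.from_bytes(digest[-2:], "big") % 100
    return "-".join(words) + f"-{suffix:02d}"


if __name__ == "__main__":
    # Constructed demo secret; a real master secret should be long, random
    # and stored in a password manager.
    key = b"constructed-demo-master-secret"
    print(derive_answer(key, "example.com", "Mother's maiden name"))
```

The answer is readable enough to give over the phone, and because it is derived rather than chosen, forgetting to write one down is no longer a failure mode.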
In the case of Mat Honan, unfortunately customer service staff gave attackers access to his online account EVEN THOUGH the attackers could not answer the security questions required. So, obviously the method I outlined above will not help you in this case. Check out the third article in the list for other helpful advice that would have helped Mat, and can help you avoid sharing his fate.
Do you have any suggestions of other advice that would have helped? Leave a comment below.
[Updated Aug 8 2012 to add a link to story about Amazon's changes to their procedures after this attack.]