all micro contact rss

Username/Password Needs to be Taken out to Back and Shot in the Head

How Apple and Amazon Security Flaws Led to My Epic Hacking | Gadget Lab | Wired.com: “In many ways, this was all my fault. My accounts were daisy-chained together. Getting into Amazon let my hackers get into my Apple ID account, which helped them get into Gmail, which gave them access to Twitter. Had I used two-factor authentication for my Google account, it’s possible that none of this would have happened, because their ultimate goal was always to take over my Twitter account and wreak havoc. Lulz.

Had I been regularly backing up the data on my MacBook, I wouldn’t have had to worry about losing more than a year’s worth of photos, covering the entire lifespan of my daughter, or documents and e-mails that I had stored in no other location.

Those security lapses are my fault, and I deeply, deeply regret them.”

(Via. Wired)

While it’s tempting to say he’s right here, that it really is his own dumb behavior that led to this, it’s also important to remember that this is a nerd with major street cred we’re talking about. Compared to the average computer user, this guy is way ahead of the curve when it comes to security. And he still got hacked.

Worse yet, he didn’t get hacked by some brilliant but malicious programmer who figured out a secret path through the back door via sharp technical skills. The guy just called Amazon and Apple and was handed the keys to the kingdom.

Remember that next time your customer support rep doesn’t believe you’re you, and won’t let you in without proper identification.

The bottom line is that we have a broken system. Period. Tech companies (I’m looking at you Apple and Amazon) need to be innovating in this area more. The whole username/password thing is way past its expiration date. We’re storing our lives on these machines. We’re trusting companies with our most precious data and private information. We need a better way for the computer to know who it’s talking to.

No matter how many times you tell people to turn on two-factor authentication, use better passwords with numbers, letters, and symbols, use different passwords for all your accounts, etc., it’s not going to happen. 90% of people are still using their dog’s name with a 1 or 2 tacked on the end. It’s human nature.

So while I applaud Google for having a better authentication system than Apple on this one, it still puts the burden on the user, and thus is essentially useless. The vast majority of people, even if they were scared into turning two-factor on by this story, will turn it back off again after two weeks of being inconvenienced by it.

In other words, don’t tell me I have to type a 16-character password every time I want to use my phone. Make a better phone that knows the difference between me and a stranger without me having to do anything.

The thing that’s made Apple products better than everyone else’s over the last few decades is that they always put the user’s needs ahead of the designer or programmer. It’s time Apple stepped up and did that again, this time with an authentication system that works with near zero effort on the user’s part. Yes, that’s hard. Too bad. It’s the only way we’re going to fix this.

And meanwhile, Apple, stop using the last four digits of a credit card number as proof of anything. Wow. Talk about bone-headed. That’s worse than the bank using your mother’s maiden name.