What would you do if all of your accounts were hacked into and all of the files were deleted? For one writer, the answer was to tell his story.
Mat Honan, a writer with Wired, detailed in an August 6 article how a hacker was able to get at just about all of his online information by getting into his cloud storage account. He said his tale highlighted pitfalls of relying on the cloud for secure storage of information and files.
“My experience leads me to believe that cloud-based systems need fundamentally different security measures,” Honan wrote. “Password-based security mechanisms – which can be cracked, reset, and socially engineered – no longer suffice in the era of cloud computing.”
In particular, Honan said he thought his experience brought to light concerns relating to interconnected cybersecurity. He wrote that a hacker used information released by Amazon to convince Apple tech support to release login information. Apple gave the hacker a temporary password even though the person was not able to answer most of the security questions Honan had set up. Once the hacker got into Honan’s iCloud, his Google and Twitter accounts were compromised as well. He lost all of the data saved on his devices, and didn’t have backups.
“In short, the very four [credit card] digits that Amazon considers unimportant enough to display in the clear on the web are precisely the same ones that Apple considers secure enough to perform identity verification,” Honan wrote. “The disconnect exposes flaws in data management policies endemic to the entire technology industry, and points to a looming nightmare as we enter the era of cloud computing and connected devices.”
In the aftermath of the cyberattack, Honan said he spoke with representatives from Apple about the company’s security policies. Additionally, Honan wrote that the hacker’s tactics were easily replicated with other accounts, demonstrating that he is not the only one whose interconnected accounts could be in danger.
“Apple takes customer privacy seriously and requires multiple forms of verification before resetting an Apple ID password,” Apple spokesperson Natalie Kerris said to Wired. “In this particular case, the customer’s data was compromised by a person who had acquired personal information about the customer. In addition, we found that our own internal policies were not followed completely. We are reviewing all of our processes for resetting account passwords to ensure our customers’ data is protected.”
How Honan could have prevented this
While Honan wrote that security flaws at Amazon and Apple led to him losing all of his files, he did say that there were additional security measures he could have taken. For one, Honan was storing his information only in iCloud and was not backing up files anywhere else.
“Your stuff will be more secure if you spread it around,” Jack Schofield, computer editor for The Guardian, wrote in an August 9 column. “If you must use a single supplier, make sure you have backups elsewhere.”
In addition, Honan said he did not have a two-factor authentication procedure for his iCloud account. With two-factor authentication, accessing an account requires information beyond just a password. Schofield recommended having password reset notifications sent to a mobile phone as an added layer of security.
Honan also had the same login information for multiple accounts, which was part of the reason hackers were able to access so much of his information. Schofield further cautioned against using one account as a hub for your online identities, as critical files should be spread across multiple accounts.
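To see how much rides on a hub account, you can map which of your accounts can reset which and compute what falls when one is taken over. The sketch below is an added example, not from Honan's or Schofield's articles; the account names, the recovery links, and the assumption that a second factor stops a reset-based takeover are all constructed for illustration.

```python
from collections import deque

def blast_radius(start, recovery, two_factor=frozenset()):
    """Accounts an intruder controls after taking over `start`.

    recovery maps account -> accounts able to reset its password.
    Assumption: an account in `two_factor` cannot be taken by a reset alone.
    """
    # Invert the map: controlling account -> accounts it can reset.
    resets = {}
    for account, controllers in recovery.items():
        for c in controllers:
            resets.setdefault(c, []).append(account)
    fallen, queue = {start}, deque([start])
    while queue:
        for nxt in resets.get(queue.popleft(), []):
            if nxt not in fallen and nxt not in two_factor:
                fallen.add(nxt)
                queue.append(nxt)
    return fallen

def rank_hubs(recovery, two_factor=frozenset()):
    """Sort accounts by how many others fall with them, worst first."""
    accounts = set(recovery) | {c for cs in recovery.values() for c in cs}
    scores = {a: len(blast_radius(a, recovery, two_factor)) - 1 for a in accounts}
    return sorted(scores.items(), key=lambda kv: (-kv[1], kv[0]))

# Constructed inventory (hypothetical names): each account lists the
# accounts that receive its password-reset messages.
RECOVERY = {
    "cloud-storage": [],
    "primary-email": ["cloud-storage"],
    "social": ["primary-email"],
    "photo-backup": ["separate-email"],
    "separate-email": [],
}

if __name__ == "__main__":
    print("no second factor:", rank_hubs(RECOVERY))
    print("2FA on primary-email:", rank_hubs(RECOVERY, {"primary-email"}))
```

Accounts at the top of the ranking are the ones to protect first with a second factor and an independent recovery address.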
Cloud computing and increasingly easy access to important online accounts will mean that cyberattacks of this sort might become more common, Schofield said. As an additional layer of security, he recommended accessing sites through a more secure HTTPS connection when possible.
Who is more to blame for the security breach: Honan or Amazon and Apple? How do you maintain total control over your cloud storage accounts?