Saturday, August 18, 2012

Getting Hacked: Who's to Blame?

The details about Duncan are he's pocked with acne scars and his scalp is brown along the hairline every two weeks when he dyes his gray roots. His computer password is "password."
—"Lullaby", Chuck Palahniuk

Mat Honan of WIRED recently fell victim to a pretty nasty hacking incident and wrote about it:

The details are pretty interesting (to me at least), but the gist of it is that attackers got his credit card numbers through Amazon and used the last 4 digits to impersonate Mr. Honan to Apple's phone support. Once they gained access to his Apple email account, they used the password reset mechanism to get his Gmail, and from there his Twitter account. Finally, they deleted all of his data from his iPhone, iPad, and MacBook.

Reading all this, I got to wondering how other people would evaluate the situation. If someone hacked your accounts the same way, how would you assign blame between
  • the attackers
  • the service providers (Apple, Amazon, etc.)
  • yourself

Honan said he blamed himself for not taking better precautions, and even agreed not to press charges against his attackers in exchange for information about how the attack was carried out. I want to hear other people's assessments, but I can definitely see several angles on the situation.

Mat Honan is clearly a pretty tech savvy guy. He might have had some chance of understanding exactly what risks he was taking and how to protect himself, but very few people would. On the other hand, Amazon and Apple are there to provide a service, and there's a limit to how tightly they can secure customer accounts, especially when customers expect to be able to recover their accounts after forgetting their passwords.

Maybe it's just wrong-headed to expect these security systems to be impenetrable. After all, the physical locks on your doors aren't perfect either. Locks can be picked, or you might forget to lock them, or someone can knock in doors or windows. The thing that makes our physical security norms more-or-less work is that if someone does break in, in most cases they will take on some risk of getting caught.

The internet doesn't always work that way. People can strike anonymously on the internet. And since it's international, regulations are much weaker and more scarce. But it's at least worth considering a setup where technological protection ends exactly where legal protection begins, a setup that requires whoever is requesting password recovery to get enough skin in the game that they could be taken to court. Maybe the only way would be for them to request it in-person and be photographed, or maybe there's a more convenient option.

The thing that bothers me the most about the situation is that everywhere I look, people are still acting as if "secret personal information" is a good method of identification. You don't really have to be a genius to see the problem. My SSN, my mother's maiden name, my credit card numbers… I've given them out to hundreds of people to "prove my identity", people that I don't know personally and don't particularly trust, and each of those people can now impersonate me. The Honan article points out that even without involving Amazon, your pizza guy has everything he needs to get into your Apple account. I must have given the last 4 digits of my SSN to at least a dozen people at Comcast in the process of transferring my internet to a new address; the only one that really irked me was the last time, online, when they explicitly told me this was for "security purposes".

So anyway, that's my take on the situation. Now it's your turn. Comment away!