How Apple and Amazon Security Flaws Led to My Epic Hacking
I followed this the other day, but the Wired piece adds more details. And it is absolutely terrifying. In some ways, it’s like the perfect storm, where everything had to align — the accounts had to be connected, Mat had to do some stupid stupid things, and tech support had to be easily duped — but still, a shit-ton of things went wrong.
It’s kind of weird that yesterday and today there are suddenly all of these posts about two-stage verification of Gmail. I mean, yeah, sure, by all means. I do it and highly recommend it. It’s a tiny hassle but so worth it for the peace of mind. Once you read a story like Mat’s or like James Fallows’s, you realize how central that one email account is to everything.
But all Gmail two-stage verification would have saved him was the Twitter hack. The rest of it — the wiped phone, tablet, and computer — was done without Gmail. The key was his AppleID, and all that required was a billing address and the last four digits of his credit card on file.
So as far as I’m concerned the one thing he could have done that would have saved him almost all of this trouble, and which I haven’t seen anyone else mention, would be the use of virtual credit card numbers. These are a bit different from prepaid cards, because they are tied directly to your credit or banking account, and can be set up to be merchant-specific, capped below your full limit, and time-limited. I don’t use virtual CC numbers, but am obviously going to reconsider now. Bank of America, Citibank, and Discover all offer virtual credit card services. Then there’s Shop Shield, which is $100 a year or $10 a month and which you can use to manage a bunch of different numbers from different accounts. I guess another option would be a handful of refillable pre-paid cards that you set up for use with different merchants.
What’s scary about this whole thing, though, is that there are just so many lessons in one horrifying tale. In addition to:
Gmail two-stage verification,
and
Virtual credit card numbers
there’s:
Backup backup backup. I mean, duh. If it’s not automatic, it’s not backup.
Don’t make your primary email address visible online. (Maybe it’s time I get a new Gmail address and move everything over via POP3. If only all the decent stuff wasn’t already taken…)
Don’t daisy-chain email accounts together so they point back at each other as recovery addresses.
Set up a dedicated recovery email account solely for password resets. Use something with two-stage verification, like Gmail or Yahoo.
Multiple unique email accounts for internet commerce stuff, so that you don’t have one email address floating around. This is yucky because it feels all 1997, back when you’d have multiple email addresses because if you used the same email for personal communication and internet shopping you were literally going to be spammed into oblivion. Literally. But maybe this is worth doing again?
Make WHOIS information private if you own any domains and use the same address for billing purposes.
Burn down Amazon. Seriously. The Amazon hack is the only one of these problems that Mat couldn’t have done anything about other than by having some secret email account. Once they had his billing address and email address, which I mean, come on, they were able to add a bogus credit card to the account, then call back like 10 minutes later and use that same bogus credit card to add a new email address to the account, which they used to then view the last four digits of Mat’s credit cards.
Burn down Apple. Seriously. I think this whole mess is on Apple’s lap. They want to make everything so simple. You have one AppleID for everything, one password for everything, which let’s be honest is going to be shitty because you have to be able to type it out on your iPhone screen every time you want to update or buy an app. This is bad enough, but then a billing address and the last four of a credit card get you carte blanche to wipe out someone’s kingdom. I mean, they don’t even require an email password reset (using the backup email)? They give you the keys over the phone? The last four digits of the credit card? You mean the shit that is printed ON EVERY GODDAMNED RECEIPT EVER? Unbelievable.
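To make the chain concrete, here is an added example (mine, not from the post or the Wired piece) that models the recovery dependencies described above as a small graph and computes which accounts fall from what the attacker started with. The account names and recovery rules are a constructed sketch of the story; the hardened variant shows what a dedicated two-stage recovery address and a merchant-specific virtual card number change.

```python
"""Recovery-chain blast radius: which accounts fall once an attacker holds
a given starting set of facts. Constructed model of the Honan incident."""

# Each account lists alternative takeover routes; one route whose
# prerequisites the attacker already controls is enough.
RECOVERY_PATHS = {
    "amazon":   [["billing_address", "email_address"]],  # phone support
    "cc_last4": [["amazon"]],                            # visible in account
    "appleid":  [["billing_address", "cc_last4"]],       # phone support
    "gmail":    [["appleid"]],                           # .me was Gmail's recovery
    "twitter":  [["gmail"]],                             # password reset by email
    "devices":  [["appleid"]],                           # iCloud remote wipe
}
ATTACKER_KNOWS = {"billing_address", "email_address"}    # WHOIS + public address

# Hardened variant: merchant-specific virtual card (Apple's last four differ
# from Amazon's) and a dedicated recovery account not derivable from anything else.
HARDENED = dict(RECOVERY_PATHS)
HARDENED["appleid"] = [["billing_address", "cc_last4_apple"]]
HARDENED["gmail"] = [["recovery_acct"]]

# Constructed daisy chain: two mailboxes that are each other's recovery address.
DAISY_CHAIN = {"gmail": [["me_com"]], "me_com": [["gmail"]]}


def blast_radius(paths, known):
    """Return every account reachable from the attacker's starting knowledge."""
    owned, changed = set(known), True
    while changed:  # fixpoint: keep adding accounts until nothing new falls
        changed = False
        for acct, routes in paths.items():
            if acct not in owned and any(all(p in owned for p in r) for r in routes):
                owned.add(acct)
                changed = True
    return owned - set(known)


def daisy_chains(paths):
    """Return the sets of accounts that recover each other in a loop."""
    found = set()

    def visit(node, stack):
        for route in paths.get(node, []):
            for dep in route:
                if dep in stack:
                    found.add(frozenset(stack[stack.index(dep):]))
                elif dep in paths:
                    visit(dep, stack + [dep])

    for start in paths:
        visit(start, [start])
    return found
```

With the original graph everything falls; with the hardened graph the attacker still gets into Amazon and learns that card's last four, but the AppleID, the devices, Gmail and Twitter stay out of reach.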