Security

Google Exec Urges Two-Factor Authentication in Wake of Tech Reporter Hack Job

Google Exec Urges Two-Factor Authentication in Wake of Tech Reporter Hack Job
In the wake of a multi-faceted hack of a technology reporter that ended with his smartphone, tablet and notebook wiped of all data, Google's spam chief yesterday urged users to set two-factor authentication on their log-ins.

"I ... advise everyone to turn on Google's two-factor authentication to make your Gmail account safer and less likely to get hacked," said Matt Cutts, the head of Google's Web spam team, in a post to his personal blog Tuesday.

Cutts was reacting to the well-publicized hack of Wired reporter Mat Honan last week. The hackers found an alternate email address by scouting Gmail, used that address -- an Apple-issued one that ended in me.com -- and along with a valid billing address and the last four digits of a credit card, both easily acquired elsewhere, convinced Apple's technical support to give them access to the me.com account.

Once in control of the account, the hackers accessed Honan's Find My Mac, Find My iPhone and Find My iPad services to remotely wipe all three devices.

Honan has detailed the demolition of his digital life here.

He admitted he had not done all he could have to secure his accounts.

"Because I didn't have Google's two-factor authentication turned on, when [the hacker] entered my Gmail address, he could view the alternate e-mail I had set up for account recovery," wrote Honan. "If I had some other account aside from an Apple e-mail address, or had used two-factor authentication for Gmail, everything would have stopped here."

Two-factor authentication -- also called "two-step verification" -- sends a second password for an account to a pre-defined phone number. Most people who use it have the second password sent to their mobile phone.

Gmail offers two-factor authentication, as does one of its rivals, Yahoo Mail. However, Microsoft's Hotmail, and the recent revamp, Outlook.com, does not. Microsoft's email services only provide a one-time code, sent to a pre-defined phone, that can be used to log into the service in lieu of a password, not as an additional level of security. The Redmond, Wash. developer bills it as a way to shield a password when logging on to Hotmail or Outlook.com at a public PC.

Instructions on setting up Gmail's two-factor authentication can be found on Google's website.

Cutts also referenced an April blog by Jeff Atwood, co-founder of the Q&A site Stack Exchange, that provided additional tips on securing email accounts.

Gmail's two-factor authentication sends a second numeric code to a pre-defined phone number via text as an extra security feature.
Gmail's two-factor authentication sends a second numeric code to a pre-defined phone number via text as an extra security feature.

Gregg Keizer covers Microsoft, security issues, Apple, Web browsers and general technology breaking news for Computerworld. Follow Gregg on Twitter at @gkeizer, on Google+ or subscribe to Gregg's RSS feed. His email address is gkeizer@computerworld.com.

See more by Gregg Keizer on Computerworld.com.

Read more about Cybercrime and Hacking in Computerworld's Cybercrime and Hacking Topic Center.

Subscribe to the Security Watch Newsletter

Comments