Apple ID Security Hole Allows Password Reset With Email Address and Date of Birth

[Badagri]

Quote:

Originally Posted by CJK

Anatomy isn't your strong point, I see.

I see I didn't say it was. You see.

[gnasher729]

Quote:

Originally Posted by k1121j

does this mean now all you need to do is steal a device to change the password? how is that secure

No, it doesn't mean that. Read Apple's support page. There is the password that you use all the time. There is a super-secret code that Apple tells you once which you stash away in a safe for emergencies. And there is the phone or Mac that the user registers to receive secret codes. You need two out of these three things. For example, steal my password, and steal the phone that I registered.

If you steal my phone, then I just go to Apple's website and unregister the device using my old password and either another registered device (another phone, iPad or Mac) or my super secret password.

[OnceYouGoMac]

How do you change to the two-step system? And does it work for Macs or just iOS devices?

[emulator]

There would be no issue if you could just remove your damn credit card but Apple does not allow that.

Quote:

Originally Posted by user418

What's Facebook?

It's a website where they let you create accounts with fake data and corporations are willing to throw money and free products at you just for sharing their ads with other fakes.

[rdlink]

Quote:

Originally Posted by samcraig

That sucks. Not to throw a competitor as a comparison - but that's why a bunch of my friends and colleagues switches from yahoo to gmail.

I've been with gmail since about when it started and never had an issue. Maybe you're just really popular

Umm, you might be surprised. I've looked at a bunch of my friends' Gmail accounts and found similar issues. Try this little experiment (assuming you're not already using two-factor): Log into Gmail, then scroll to the bottom of the page. On the lower-right, where it says last account activity, click the details button. Look long and hard at the places from where your account has been accessed. I can guarantee that almost anyone using Gmail without two factor authentication will likely be signing up after looking at that.

[samcraig]

Quote:

Originally Posted by rdlink

Umm, you might be surprised. I've looked at a bunch of my friends' Gmail accounts and found similar issues. Try this little experiment (assuming you're not already using two-factor): Log into Gmail, then scroll to the bottom of the page. On the lower-right, where it says last account activity, click the details button. Look long and hard at the places from where your account has been accessed. I can guarantee that almost anyone using Gmail without two factor authentication will likely be signing up after looking at that.

Have always monitored that on both my gmail accounts.

I'm also pretty diligent about logging out all sessions except the one I'm using.

That feature though isn't the end-all/be-all. I have found that it can give me wonky info based on if I'm logging in via cell vs ATT hotspot vs work vs home, etc. My work has a few IP addresses and also depends on if I'm going through vpn or not.

But as a practice - it's good that Google can show you what sessions are active. I'm not sure yahoo or other mail services have that

[quickmac]

Quote:

Originally Posted by needfx

too many security issues accumulating lately

Everyone knew these things would happen one day. Apple is pretty unprepared for the increasing security threats to their systems. They rode the "obscurity" protection too long and didn't do enough to prepare for what everyone else saw coming as Apple got popular. Expect more like this.

[rdlink]

Quote:

Originally Posted by samcraig

Have always monitored that on both my gmail accounts.

I'm also pretty diligent about logging out all sessions except the one I'm using.

That feature though isn't the end-all/be-all. I have found that it can give me wonky info based on if I'm logging in via cell vs ATT hotspot vs work vs home, etc. My work has a few IP addresses and also depends on if I'm going through vpn or not.

But as a practice - it's good that Google can show you what sessions are active. I'm not sure yahoo or other mail services have that

I understand, and I'm glad you're watching it. But I'm not talking about IP addresses not immediately recognizable because I might have been using a hotspot, or been on my work network. I'm talking about obvious access from computers in other countries on other continents, using OSs that I haven't used in years. Seen it on others', as well. Just a really good idea to watch it, and since Google offers the two-factor for free I would definitely recommend using it. It's really given me peace of mind.

[iGrip]

Quote:

Originally Posted by rdlink

Umm, you might be surprised. I've looked at a bunch of my friends' Gmail accounts and found similar issues. Try this little experiment (assuming you're not already using two-factor): Log into Gmail, then scroll to the bottom of the page. On the lower-right, where it says last account activity, click the details button. Look long and hard at the places from where your account has been accessed. I can guarantee that almost anyone using Gmail without two factor authentication will likely be signing up after looking at that.

Nope. I checked the log, and i can identify each location as a place where I checked my email.

How does anybody know your password? How do they get into your account without knowing it?

----------

Quote:

Originally Posted by rdlink

i understand, and i'm glad you're watching it. But i'm not talking about ip addresses not immediately recognizable because i might have been using a hotspot, or been on my work network. I'm talking about obvious access from computers in other countries on other continents, using oss that i haven't used in years. Seen it on others', as well. Just a really good idea to watch it, and since google offers the two-factor for free i would definitely recommend using it. It's really given me peace of mind.

1.

----------

Quote:

Originally Posted by rdlink

i understand, and i'm glad you're watching it. But i'm not talking about ip addresses not immediately recognizable because i might have been using a hotspot, or been on my work network. I'm talking about obvious access from computers in other countries on other continents, using oss that i haven't used in years. Seen it on others', as well. Just a really good idea to watch it, and since google offers the two-factor for free i would definitely recommend using it. It's really given me peace of mind.

1. Use a strong password.

2. Don't use a service like Google for anything that is sensitive. if you want to trade secrets via email, use a real email program with POP3 access. If all your mail (or anything else) is sitting on some third party server, it is not secure. "The Cloud' is NOT secure or private. Keep your stuff locally.

[phillipduran]

Ugh.

Lets see, lets use a user ID we freely give out to friends and all manner of online websites. It's probably on our business cards. Next will authenticate with data that is available through public records for all citizens.

Bravo.

----------

Quote:

Originally Posted by quickmac

Everyone knew these things would happen one day. Apple is pretty unprepared for the increasing security threats to their systems. They rode the "obscurity" protection too long and didn't do enough to prepare for what everyone else saw coming as Apple got popular. Expect more like this.

I don't think they EVER rode the obscurity protection. That was Window users explanation as to why they were a steaming pile of malware poo and Mac was mostly untouched. It must be because no one has a Mac that they are so safe right?? Well now that they are no longer some nich OS and there are tons and tons of OSX computers out there, they are still no where near as vulnerable as other OS's.

We should have seen a HUGE increase in the amount of Mac malware due to the growth and acceptance of OSX but we are not seeing that.

They did prepare, they built the OS with security in mind. That is why we haven't seen the amount of malware and viruses that you see in the Windows world.

Most of what you see right now is malware that is installed by users by clicking OK to install requests. It's not easy to secure a system against user installed apps.

[cjmillsnun]

Quote:

Originally Posted by iGrip

Nope. I checked the log, and i can identify each location as a place where I checked my email.

How does anybody know your password? How do they get into your account without knowing it?

----------



1.

----------



1. Use a strong password.

2. Don't use a service like Google for anything that is sensitive. if you want to trade secrets via email, use a real email program with POP3 access. If all your mail (or anything else) is sitting on some third party server, it is not secure. "The Cloud' is NOT secure or private. Keep your stuff locally.

Bad bad advice. You need an encrypted email service for anything private. Email sends and receives in the clear. If you must use unencrypted email for sensitive data, put it in a document then compress and encrypt that. Send the key to decrypt the message by another means (text message or calling the person).

Even locally held is not secure or private as there is a risk of intercept during sending and/or receiving.

[iGrip]

Quote:

Originally Posted by cjmillsnun

Bad bad advice. You need an encrypted email service for anything private. Email sends and receives in the clear. If you must use unencrypted email for sensitive data, put it in a document then compress and encrypt that. Send the key to decrypt the message by another means (text message or calling the person).

Even locally held is not secure or private as there is a risk of intercept during sending and/or receiving.

By secret, I did not mean real, bona fide secrets. for that, your advice is (mostly) sound.

I was talking about stuff like personal details of your life. Low level secrets.

For real secrets, you use asymmetrical encryption, with a public and private key. Sending a key to your recipient, as you suggest, is inherently unsafe, and if you can do it with reliable security, you may as well just transmit the original message that way.

Google public key cryptography for more info.

[rdlink]

Quote:

Originally Posted by iGrip

Nope. I checked the log, and i can identify each location as a place where I checked my email.

How does anybody know your password? How do they get into your account without knowing it?

----------



1.

----------



1. Use a strong password.

2. Don't use a service like Google for anything that is sensitive. if you want to trade secrets via email, use a real email program with POP3 access. If all your mail (or anything else) is sitting on some third party server, it is not secure. "The Cloud' is NOT secure or private. Keep your stuff locally.

Sorry, but those are not good assumptions or suggestions. First of all, my passwords were strong. No single-factor password is hack proof. Period.

Second, POP email is just as insecure as IMAP. The mails still go through carrier's servers. And in many cases downloaded POP mails stays on servers even after being downloaded to the local machine.

I'm glad your gmail account hasn't been hacked. Yet. But anyone using the internet at all who is serious about protecting their data in this day and age needs to be taking advantage of two-factor authentication whenever possible.

As far as "trading secrets" is concerned, almost every email I send or receive has the potential of "trading secrets." I don't want my personal conversations in anyone else's hands, and I definitely don't want communications between my financial institutions and myself to be viewed by anyone else, no matter how innocuous those communications may seem.

Also keep in mind that someone doesn't have to be looking for you specifically to find you. Your name, email address or other personal information could be in the records of another entity that could have been hacked.

Also, while on my soapbox I will make this recommendation to anyone who has a strong internet presence, and takes their security and privacy seriously. Purchase a good identity theft monitoring package. I personally use a package from one of the three big credit reporting agencies, and it only costs me $18 a month. Comes with unlimited credit reports from all three bureaus, and a credit score check whenever I want. Also notifies me of any activity on my files, and is completely customizable. $18 a month is a bargain for that peace of mind.

[Bantz]

Quote:

Originally Posted by keysofanxiety

Oh no, a bug in Apple's software. That's far worse than Google doing things like … oh, let's say … tracking you for marketing purposes. Glad you've got your priorities.

I would consider this a hell of a lot worse than seeing some adverts.

[iGrip]

Quote:

Originally Posted by rdlink

Sorry, but those are not good assumptions or suggestions.

I've thought about it, and I concede that you and the other poster (who said largely the same things) are each correct.

I think I was talking more about my discomfort with leaving sensitive email on Google's servers than I was thinking about the inherent insecurity of POP email. Yes - POP is equally insecure. But at least they're not authorized to scan it for keywords, unlike Gmail, where your correspondence generates directed advertising. Gmail kind of horrifies me.

So what do you do to keep your email confidential? Do you use Tor for browsing?

[quickmac]

Quote:

Originally Posted by phillipduran

Ugh.

Lets see, lets use a user ID we freely give out to friends and all manner of online websites. It's probably on our business cards. Next will authenticate with data that is available through public records for all citizens.

Bravo.

----------



I don't think they EVER rode the obscurity protection. That was Window users explanation as to why they were a steaming pile of malware poo and Mac was mostly untouched. It must be because no one has a Mac that they are so safe right?? Well now that they are no longer some nich OS and there are tons and tons of OSX computers out there, they are still no where near as vulnerable as other OS's.

We should have seen a HUGE increase in the amount of Mac malware due to the growth and acceptance of OSX but we are not seeing that.

They did prepare, they built the OS with security in mind. That is why we haven't seen the amount of malware and viruses that you see in the Windows world.

Most of what you see right now is malware that is installed by users by clicking OK to install requests. It's not easy to secure a system against user installed apps.

They most surely rode the "obscurity protection" wave. Just look at the "I'm a Mac vs PC" commercials. And they're still obscure when it comes to computers which explains why there still isn't much malware out there on Macs.