But forum members told me that Apple had the best security. Well except for those times when they didn't. Like the root password gate where you didn't have to put a password in to gain root access.
no... don't... heads are exploding as a result of this...

/true
 
True. However, as someone who has had to put some policies in place around passwords and PINs, I would say two things: first, what you describe is no real barrier for a very targeted attack. It is not practical for hundreds of thousands or millions of users. Every carrier that I know of already has a "VIP" policy for certain individuals, if you know what and how to ask for it, to address this. It usually involves having to go into a store and prove a couple of things before you are allowed to make certain changes. Definitely not scalable.

Second, and perhaps more important . . . recently when I forced a key platform I oversee to change to longer and more complex secrets, I got so much pushback you would not believe. Some from people who should know better. Three from the most senior people in the organization. I am not saying I did not push it through anyway, but there is a very real issue of security vs ease-of-use that anyone dealing with such will eventually have to deal with. Since only one person in the organization could overrule me, I had more power than most in this situation. And that person really does not see the need beyond theory, though happens to trust me that I know my area, and my people do not make such changes just "because".

Funny, though sad . . . we knew we would see something like this pushback, but on the PIN side, we made it six digits like Apple's minimum on the phone. We told people if they could get used to it on their phones, they should stop complaining. We really wanted eight digits or to have six with an enforced alphanumeric combination. . . At the end of the day, though, one of the senior admins . . . who knows our people well, it seems . . . just told everyone she worked with to use their cell phone numbers. She publicly admitted to telling people to do this. She did not see it as an issue, and when one of my people spoke with her, she said that it was either do this or just have to accept that people are going to write it down. Six digits minimum (without allowing certain repeat patterns) was just too much to ask of people. I then decided to speak to her myself and I told her I would enforce rotation, and she just said "good luck with that". She is intelligent, so she knew there was some risk--she just did not think the risk was high enough to inconvenience people. And since there is no financial penalty that will directly accrue to most people, most just cannot be bothered to care in the least.

To end the above "old man rant" about security . . . I am becoming quite the fan of good facial recognition being on a lot more devices. I'll accept that, or that plus a short PIN for the vast majority of things.

Six digits ::= birthdate ::= {MMDDYY or DDMMYY or YYMMDD} (more likely the not)

And, she is correct when she said "... accept that people are going to write it down". Kudos to her!

No offense dude, this reminds me of security jockeys that enforce users' passwords:
  1. with mandatory changes every two months,
  2. with a retention history of no less than two years (i.e. uniqueness amongst twelve old passwords), and
  3. with no less than N alphameric and special characters (with N a large number).
More likely than not, the users are prone to keep clear text logs, even post-it notes, of their password history, defeating the security so proudly enforced.
 
T-Mo's had a hell of a day. This morning, it was disclosed that a breach impacted 2 million of their customers. Now there's this story about the account PINs of 72 million of their customers being exposed.
 
What an irresponsible article, both here and at BuzzFeed. It's difficult to trust when MacRumors reports "72 million" when the original BuzzFeed" article reports "77 million".

And then to say that many were "exposed"? What, a hacker successfully obtained the PINs of that many T-Mobile customers, or had the *potential* of obtaining that many? Those are two VERY different things! Neither article details exactly how many accounts were actually compromised. I suspect it was far, far less than 70+ million!
 
So it’s about brute forcing a PIN where there’s no limit. Hate to say it but that’s not hacking.

Yeah, the article didn't mention they were hacking. It said they were brute force attacking. However, hacking in its most simple definition is just identifying a system's weakness and exploiting it. In this case, there was no limit on PIN input.
 
Now I'm confused. I think this means some kind of T-mobile account PIN, which is not the same with my iPhone PIN that I can use to unlock the phone, right? There's no way that either Apple or T-mobile had access to the PIN I use - this would be equivalent to storing my raw fingerprint images on their server!

I use ID and Password when logging in to T-Mobile web site, so I don't even know what PIN they mean here.
 
So, should this not read “potentially exposed the passcodes to be potentially hacked via brute force before the exploit was fixed” or is that not sensational enough? It’s a bit click baity.
 
Four digits isn't a very long PIN. Even if the software now locks access to the form for 60 minutes after five to 10 incorrect entries, it doesn't block the exploit, it just slows it down.

It seems to me that a bot could try 10 guesses for one phone number, which would lock the form for that phone number, then immediately switch to another phone number. If the phone number is locked for the IP address, it could use another IP address too.

If so, let's try a little math here: Rather than a bot trying one phone number and 10,000 different PINs in rapid succession to break it, it could try five to ten PINs for every phone number it's working on in the first hour, then try another five to ten PINs for every phone number in the second hour, and so on. In as few as 42 days it could crack every phone number. If it was trying to crack 10,000 phone numbers, it would succeed on an average of 238 phone numbers per day. That's still pretty vulnerable.
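The arithmetic in the post above, reproduced as an added example (not from the article or any commenter) so the effect of the lockout policy can be compared: the post's reported policy (4 digits, ~10 tries, 60-minute per-account lockout) against a 6-digit PIN and against a longer lockout. The policy names and the alternative settings are constructed for illustration.

```python
import math
from dataclasses import dataclass


@dataclass(frozen=True)
class PinPolicy:
    pin_digits: int           # length of the numeric PIN
    attempts_per_window: int  # wrong guesses allowed before the account locks
    lockout_hours: float      # how long the account stays locked afterwards

    @property
    def pin_space(self) -> int:
        return 10 ** self.pin_digits

    def guesses_per_hour(self) -> float:
        # The lockout is per account (per phone number), so a guesser that
        # rotates across many accounts still gets this many tries per account
        # per lockout window; the lockout only paces it, as the post says.
        return self.attempts_per_window / self.lockout_hours

    def days_to_exhaust(self) -> float:
        # Time to sweep the whole PIN space for one account (and therefore,
        # in parallel, for every account being worked on).
        return self.pin_space / self.guesses_per_hour() / 24

    def expected_cracks_per_day(self, accounts: int) -> float:
        # Every account in the batch falls by the end of the sweep, so the
        # average daily yield is the batch size divided by the sweep length.
        return accounts / self.days_to_exhaust()


# Constructed policies: the first mirrors the numbers quoted in the post.
POLICIES = {
    "reported (4 digits, 10 tries / 1 h)": PinPolicy(4, 10, 1),
    "six-digit PIN (10 tries / 1 h)":      PinPolicy(6, 10, 1),
    "longer lockout (4 digits, 5 / 24 h)": PinPolicy(4, 5, 24),
}


def compare(accounts: int = 10_000) -> dict:
    """Days to exhaust the PIN space and accounts cracked per day, per policy."""
    return {
        name: (math.ceil(p.days_to_exhaust()), round(p.expected_cracks_per_day(accounts)))
        for name, p in POLICIES.items()
    }


if __name__ == "__main__":
    for name, (days, per_day) in compare().items():
        print(f"{name:40s} sweep: {days:6d} days  yield: {per_day:6d} accounts/day")
```

The reported policy sweeps all 10,000 PINs in the post's 42 days; the post's 238/day figure is 10,000 divided by that rounded 42 (240/day on the unrounded 41.7 days). Either of the two alternatives pushes the sweep past five years, which is what a rate limit has to achieve to be more than a speed bump.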

I agree about 4-digit PINs not being secure at all really.
Which is why I was so shocked that in the UK, and I assume many other countries, when we moved over to "CHIP AND PIN" credit / debit cards, the only form of security was a 4-number PIN of numeric digits, "0 - 9".

That's terrible.

At least if they had put an alphanumeric keyboard at the terminal you could have had A-Z and 0-9 to pick 4 characters from.
But no......
 
It did happen, it's just the bigger you get, the more scrutiny you get. Not detecting it didn't mean the bugs/flaws were not there, just that not as many people were looking.

Agree with this one; also, the bigger you get, the more complex your systems grow, which in turn renders maintaining high quality security more difficult.
 
Bit of a non-story, nothing happened, just the usual security hole that Apple was most likely told about months ago and did nothing about, until it went public.
Like other companies. But all it states is they were exposed, in other words exposed to the world but no one noticed or cared.

I do hope Apple didn't keep the PINs as plain text like the lazy companies do and hashed them? I think that's the term anyway.
 
Now I'm confused. I think this means some kind of T-mobile account PIN, which is not the same with my iPhone PIN that I can use to unlock the phone, right? There's no way that either Apple or T-mobile had access to the PIN I use - this would be equivalent to storing my raw fingerprint images on their server!

I use ID and Password when logging in to T-Mobile web site, so I don't even know what PIN they mean here.

I can only speak for AT&T, which calls theirs a passcode. Didn’t know I had one either but I do.

It’s there in case you forget all your credentials and need to verify yourself over the phone.

Or you can add it as another layer of security when you call in and always have to verify your PIN along with everything else.

It’s only 4 digits and with AT&T you can’t just change it like a password. You have to verify your last 4 of the social first.

Then their auto system will allow a new passcode to be generated.

I just changed mine, along with my password.
This is kind of a big deal.

It sure is. But big companies have a knack for making these kinds of headlines go away quickly in the news.

But at the same time, after the Equifax breach nothing really bothers me like it used to lol.
 
What PIN? As a T-Mobile customer for well over a decade I don't have a PIN and don't recall ever having to create one. Changing to a new phone has never been problematic, and even easier thanks to Apple and iCloud. Long gone are the days of wired content porting between the old and new phones. Yes, I have a T-Mobile online account, but it uses a regular password well beyond 4 digits on a PIN.

Given that I spend about 3 weeks in Europe, T-Mobile is the only way to go with free email, text, and wifi to plan limit (unlimited in my case) in most countries. Calls do cost - but not Facetime/Skype. Rules out ATT and Verizon who charge hundreds for the same multi-week non-call international service.
 
Security issue after security issue for T-Mobile and many carriers in general. Remember when T-Mo Germany said they don't need to salt their passwords because their security is "that good"? Or when it was discovered that it's very easy to get access to a T-Mo account AND clone people's sims because T-Mo doesn't have very good security practices beyond asking for the last 4 of your SSN? I've heard stories of people phoning up carriers under the guise of being a store employee and they get access to all sorts of information without thorough identity verification!

I know Apple are the guys that purportedly screwed up here but when you look at T-Mobile's security in general, it doesn't have a very good track record, it should have never been possible for the Tmo verification API to allow unlimited requests without a time limit. These carriers need to seriously update their security practices. Just accepting the last 4 digits of your social security number is no longer a viable option.
What a hilarious comment. This article has NOTHING to do with T-Mobile’s security in general. Almost completely ignoring that it’s 100% Apple’s fault. But let’s just skirt over that and look at T-Mobiles security instead.
 
Personally I am tired of digital data breaches... I am tired of everything needing PIN codes, passwords, two-factor authentication, secret questions. The internet is convenient, but maybe we should take a step back and return to the "analogue" days or "disconnected" days instead of having to panic that our whole lives are digitally online somewhere.

Things were much better when all we needed to worry about online was our email and its password...and there was no data tracking collection.
 
Personally I am tired of digital data breaches... I am tired of everything needing PIN codes, passwords, two-factor authentication, secret questions. The internet is convenient, but maybe we should take a step back and return to the "analogue" days or "disconnected" days instead of having to panic that our whole lives are digitally online somewhere.

Things were much better when all we needed to worry about online was our email and its password...and there was no data tracking collection.

Trouble is we have all these fancy online services now like finding your nearest whatever. So you need to be tracked; the majority of them are offered for free so are paid for by advertising, and so you need to be tracked so you have targeted advertising.

If you're happy to lose a lot if not all of these services then we can go back to analogue days.
It’s funny we live in a world now where a paper and pen is more secure because it can’t be hacked.
 
But forum members told me that Apple had the best security. Well except for those times when they didn't. Like the root password gate where you didn't have to put a password in to gain root access.

Apple devices do have good security.
 