Apple Online Store Security Flaw Exposed PINs of T-Mobile Customers

Discussion in 'MacRumors.com News Discussion' started by MacRumors, Aug 24, 2018.

  1. JohnnyApple$eed macrumors member

    Joined:
    Feb 19, 2015
    #26
    Absolutely blown away by this, T-Mobile has 72M customers?!?!
     
  2. theheadguy macrumors 65816

    Joined:
    Apr 26, 2005
    Location:
    california
    #27
    no... don’t... heads are exploding as a result of this...

    /true
     
  3. TheShadowKnows! macrumors 6502a

    Joined:
    Sep 30, 2014
    Location:
    National Capital Region
    #28
    Six digits ::= birthdate ::= {MMDDYY or DDMMYY or YYMMDD} (more likely than not)

    And, she is correct when she said "... accept that people are going to write it down". Kudos to her!

    No offense dude, this reminds me of security jockeys that enforce users' passwords:
    1. with mandatory changes every two months,
    2. with a retention history of no less than two years (i.e. uniqueness amongst twelve old passwords), and
    3. with no less than N alphameric and special characters (with N a large number).
    More likely than not, the users are prone to keep clear text logs, even post-it notes, of their password history, defeating the security so proudly enforced.
     
  4. avanpelt macrumors 68030

    Joined:
    Jun 2, 2010
    #29
    T-Mo's had a hell of a day. This morning, it was disclosed that a breach impacted 2 million of their customers. Now there's this story about the account PINs of 72 million of their customers being exposed.
     
  5. SteveJUAE macrumors 68030

    Joined:
    Aug 14, 2015
    Location:
    Land of Smiles
    #30
    Don't worry the other X100M:apple: customers are safe …………………………. ish
     
  6. coolfactor macrumors 601

    Joined:
    Jul 29, 2002
    Location:
    Vancouver, BC CANADA
    #31
    What an irresponsible article, both here and at BuzzFeed. It's difficult to trust when MacRumors reports "72 million" when the original BuzzFeed article reports "77 million".

    And then to say that many were "exposed"? What, a hacker successfully obtained the PINs of that many T-Mobile customers, or had the *potential* of obtaining that many? Those are two VERY different things! Neither article details exactly how many accounts were actually compromised. I suspect it was far, far less than 70+ million!
     
  7. alphaod macrumors Core

    Joined:
    Feb 9, 2008
    Location:
    NYC
    #32
    But you would still need my password to access your account... no?
     
  8. pika2000 macrumors 603

    Joined:
    Jun 22, 2007
    #33
    So it’s about brute forcing a PIN where there’s no limit. Hate to say it but that’s not hacking.
     
  9. Westside guy macrumors 603

    Joined:
    Oct 15, 2003
    Location:
    The soggy side of the Pacific NW
    #34
    For anyone. :p
     
  10. ipponrg macrumors 68000

    Joined:
    Oct 15, 2008
    #35
    Yeah, the article didn't mention they were hacking. It said they were brute force attacking. However, hacking in its most simple definition is just identifying a system's weakness and exploiting it. In this case, there was no limit on PIN input.
     
  11. allenvanhellen macrumors regular

    Joined:
    Dec 8, 2015
    #36
    Did this expose all of them or just make all of them POTENTIALLY vulnerable to being exposed?
     
  12. gooey macrumors newbie

    Joined:
    Sep 10, 2008
    #37
    Now I'm confused. I think this means some kind of T-Mobile account PIN, which is not the same as my iPhone PIN that I can use to unlock the phone, right? There's no way that either Apple or T-Mobile had access to the PIN I use - this would be equivalent to storing my raw fingerprint images on their server!

    I use ID and Password when logging in to T-Mobile web site, so I don't even know what PIN they mean here.
     
  13. Marshall73 macrumors 68000

    Joined:
    Apr 20, 2015
    #38
    So, should this not read “potentially exposed the passcodes to be potentially hacked via brute force before the exploit was fixed” or is that not sensational enough? It’s a bit click baity.
     
  14. Piggie macrumors G3

    Joined:
    Feb 23, 2010
    #39
    I agree about just 4 digit pins not being secure at all really.
    Which is why I was so shocked that in the UK, and I assume many other countries, when we moved over to "CHIP AND PIN" Credit / Debit cards, the only form of security was a 4 number PIN of numeric digits. "0 - 9"

    That's terrible.

    At least if they had put an Alphanumeric keyboard at the terminal you could have had A-Z and 0-9 to pick 4 characters from.
    But no......
     
  15. Mascots, Aug 25, 2018
    Last edited: Aug 25, 2018

    Mascots macrumors 68000

    Joined:
    Sep 5, 2009
    #40
    Wait, were actual security pins leaked or were they just easily brute forced?
     
  16. LinusR macrumors 6502

    Joined:
    Jan 3, 2011
    #41
    Agree with this one; also, the bigger you get, the more complex your systems grow, which in turn renders maintaining high quality security more difficult.
     
  17. JackieInCo Suspended

    Joined:
    Jul 18, 2013
    Location:
    Colorado
    #42
    The article I read elsewhere says AT&T was involved as well.
     
  18. apolloa, Aug 25, 2018
    Last edited: Aug 25, 2018

    apolloa macrumors G4

    Joined:
    Oct 21, 2008
    Location:
    Time, because it rules EVERYTHING!
    #43
    Bit of a non-story, nothing happened, just the usual security hole that Apple was most likely told about months ago and did nothing about it, until it went public.
    Like other companies. But all it states is they were exposed, in other words exposed to the world but no one noticed or cared.

    I do hope Apple didn’t keep the pins as plain text like the lazy companies do and hashed them? I think that’s the term anyway.
     
  19. Stiss macrumors 6502a

    Joined:
    Apr 18, 2009
    Location:
    England
  20. iapplelove macrumors 601

    Joined:
    Nov 22, 2011
    Location:
    East Coast USA
    #45
    I can only speak for AT&T, which calls theirs a passcode. Didn’t know I had one either but I do.

    It’s there in case you forget all your credentials and need to verify yourself over the phone.

    Or you can add it to another layer of security when you call in and always have to verify your pin along with everything else.

    It’s only 4 digits and with AT&T you can’t just change it like a password. You have to verify your last 4 of the social first.

    Then their auto system will allow a new passcode to be generated.

    I just changed mine, along with my password.
    --- Post Merged, Aug 25, 2018 ---
    It sure is. But big companies have a knack for making these kinds of headlines go away quickly in the news.

    But at the same time, after the Equifax breach nothing really bothers me like it used to lol.
     
  21. tizeye, Aug 25, 2018
    Last edited: Aug 25, 2018

    tizeye macrumors 6502a

    Joined:
    Jul 17, 2013
    Location:
    Orlando, FL
    #46
    What PIN? As a T-Mobile customer for well over a decade I don't have a PIN and don't recall ever having to create one. Changing to a new phone has never been problematic, and even easier thanks to Apple and iCloud. Long gone are the days of wired content porting between the old and new phones. Yes, I have a T-Mobile online account, but it uses a regular password well beyond 4 digits on a PIN.

    Given that I spend about 3 weeks in Europe, T-Mobile is the only way to go with free email, text, and wifi to plan limit (unlimited in my case) in most countries. Calls do cost - but not Facetime/Skype. Rules out ATT and Verizon who charge hundreds for the same multi-week non-call international service.
     
  22. Neo-Tech macrumors regular

    Joined:
    Jun 19, 2009
    #47
    What a hilarious comment. This article has NOTHING to do with T-Mobile’s security in general. Almost completely ignoring that it’s 100% Apple’s fault. But let’s just skirt over that and look at T-Mobiles security instead.
     
  23. MacBH928 macrumors 68040

    Joined:
    May 17, 2008
    #48
    Personally I am tired of digital data breaches... I am tired of everything needs pin codes, passwords, two-factor authentication, secret question. The internet is convenient, but maybe we should take a step back and return to the "analogue" days or "disconnected" days instead of having to panic that our whole lives are digitally online somewhere.

    Things were much better when all we need to worry about online is our email and its password...and there was no data tracking collection.
     
  24. apolloa macrumors G4

    Joined:
    Oct 21, 2008
    Location:
    Time, because it rules EVERYTHING!
    #49
    Trouble is we have all these fancy online services now like finding your nearest whatever. So you need to be tracked, the majority of them are offered for free so are paid for by advertising, and so you need to be tracked so you have targeted advertising.

    If you're happy to lose a lot if not all of these services then we can go back to analogue days.
    It’s funny we live in a world now where a paper and pen is more secure because it can’t be hacked.
     
  25. Jsameds macrumors 68040

    Joined:
    Apr 22, 2008
    #50
    Apple devices do have good security.
     

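The flaw that posts #33 and #35 describe is a PIN check with no limit on attempts. The following is an added example, not part of the thread and not Apple's or T-Mobile's code, of a per-account attempt limiter for such a check; the class and function names, the 5-failure threshold, the 15-minute lockout and the sample account are all assumptions.

```python
import hmac
import time

MAX_FAILURES = 5            # assumed policy: failures allowed before lockout
LOCKOUT_SECONDS = 15 * 60   # assumed policy: lockout length


class PinVerifier:
    """Hypothetical PIN check that counts failures per account."""

    def __init__(self, pins, clock=time.monotonic):
        self._pins = pins        # account id -> PIN (constructed sample data)
        self._clock = clock      # injectable so the lockout can be tested
        self._state = {}         # account id -> (failure count, locked_until)

    def verify(self, account_id, candidate):
        now = self._clock()
        failures, locked_until = self._state.get(account_id, (0, 0.0))
        if now < locked_until:
            # Locked accounts are refused without comparing the PIN at all,
            # so a correct guess during lockout reveals nothing.
            return "locked"
        expected = self._pins.get(account_id)
        if expected is not None and hmac.compare_digest(
            expected.encode(), candidate.encode()
        ):
            self._state.pop(account_id, None)
            return "ok"
        # The counter is keyed on the account, not on the request source,
        # so it applies no matter where the attempts come from.
        failures += 1
        if failures >= MAX_FAILURES:
            self._state[account_id] = (0, now + LOCKOUT_SECONDS)
        else:
            self._state[account_id] = (failures, 0.0)
        return "denied"


def worst_case_days(digits):
    """Days needed to try every PIN of this length under the policy above."""
    lockouts = 10 ** digits / MAX_FAILURES
    return lockouts * LOCKOUT_SECONDS / 86400
```

Under these assumed values a 4-digit PIN space still takes only about 21 days to cover and a 6-digit one about 2083 days, so a fixed lockout on a short PIN buys time rather than safety.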