I don't think my account will be hacked simply for the fact that I do not log into my iCloud on public computers but only on my personal devices. Only I know my ID, it is not shared with anyone else. The last reason is my Apple ID is unique and is 18 characters long compared to my other account passwords, it isn't used anywhere else but for my Apple ID.
It's trivial to guess IDs and passwords; that you don't use them anywhere else is irrelevant. You have a false sense of security here.
 
It appears there may be some truth to this, I got a request recently from someone in Montreal trying to access my account.
The moment I saw this, I immediately changed my password.
Naturally I had dual factor authentication and they never sent another request since.

Sigh!

While syncing my phone last night, I received a request from Minnesota (two-form auth). I live in CA.

Hmmmmm.
 

I don't think Google's is true 2FA and neither is Apple's (more on that later). However, I believe Apple's is still more secure.

Google's is more 2 step because its code can be authenticated via app or 3rd party apps. It's not tied to the device, it's tied to the app.

Apple's "2FA" would be tied to the device and would be true 2FA if they got rid of the phone number authentication.
 
That would explain my iPad telling me someone in west Sacramento trying to login to my account.

That's completely unrelated. To acquire account information for that many accounts, someone wasn't going through each account one by one and trying logins. They would have acquired them in bulk through another source.
 
The people behind this kind of thing need to be set on fire, it's just evil behavior, whether or not they actually have the details they purport to have. I'm going to venture a guess that this, indeed, isn't a hack of Apple itself, and they simply have some password-reuse email/password combinations from other sites.

Time to turn on 2FA, if you haven't already, and never use the same password in more than one place - get a good password manager (I like 1Password) and use it to keep long random passwords that are separate for every site.

Long passwords do not necessarily make them stronger, as short random passwords can be secure, too, so long as they are random. The length of a password is part of its entropy. By randomizing lengths, you lower the chances that a password can be guessed. For example, if all of your passwords are 18 characters in length, then a hacking system could focus on that particular length, cycling through all possible combinations. But if your passwords vary in length, there are more combinations to check.
Would explain this phishing attempt... But I'm not trying to deal with this, I turned on two-factor earlier today

Be aware that even these "phishing notification" emails may be phishing attempts themselves. They are looking more legitimate all the time. Always check the real URLs behind links in the emails to make sure that they are legitimate. In Apple's case, all emails should have a root domain of "apple.com". Anything else is fake.

Good: appleid.apple.com/something/else/here

Bad: appleid.apple.com.fakedomain.ru/something/else/here

At first glance, you may not notice the "fakedomain.ru" part, but that's really what matters.
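The root-domain rule above is easy to get wrong with a quick visual scan or a naive substring test, so here is an added Python check (not from the thread or from Apple) that extracts the hostname a link really points at and accepts it only when it is apple.com or a subdomain of it. It assumes links may be pasted without a scheme, as in the two examples above; the sample links are constructed.

```python
from urllib.parse import urlsplit

# Root domain the thread says every genuine Apple email link must sit under.
TRUSTED_ROOT = "apple.com"


def link_hostname(url: str) -> str:
    """Return the lowercased hostname a link actually points at.

    Links pasted in the thread have no scheme ("appleid.apple.com/..."),
    so one is prepended before parsing. urlsplit then discards any
    user:pass@ prefix and :port, both of which can make a hostname
    look different from what it is.
    """
    if "://" not in url:
        url = "https://" + url
    host = urlsplit(url).hostname or ""
    return host.rstrip(".").lower()


def link_is_under_root(url: str, root: str = TRUSTED_ROOT) -> bool:
    """True only if the hostname is root itself or a subdomain of root.

    A substring or prefix test is not enough: the bad example from the
    thread, appleid.apple.com.fakedomain.ru, contains "apple.com" but is
    registered under fakedomain.ru.
    """
    host = link_hostname(url)
    return host == root or host.endswith("." + root)


# Constructed sample links: the two from the thread plus a few disguises
# that a practitioner would want the check to handle.
SAMPLE_LINKS = [
    "appleid.apple.com/something/else/here",
    "appleid.apple.com.fakedomain.ru/something/else/here",
    "https://appleid.apple.com@fakedomain.ru/login",
    "https://fakedomain.ru/appleid.apple.com/login",
    "https://APPLEID.APPLE.COM:443/account",
]


def classify(links):
    """Map each link to the thread's Good/Bad verdict."""
    return {u: ("Good" if link_is_under_root(u) else "Bad") for u in links}


if __name__ == "__main__":
    for url, verdict in classify(SAMPLE_LINKS).items():
        print(f"{verdict}: {url}")
```

Only the first and last sample links pass; the other three point at fakedomain.ru however much "apple.com" appears in them.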
 
That's completely unrelated. To acquire account information for that many accounts, someone wasn't going through each account one by one and trying logins. They would have acquired them in bulk through another source.

They may still be checking samples of the bulk. But you're right: probably unrelated.
God, more hater trolls. They really ought to moderate you.

What can we say: free speech is a two-edged sword. Generally better to have it than to not.
 
Would explain this phishing attempt... But I'm not trying to deal with this, I turned on two-factor earlier today.

This is a phishing email.

Nevermind... didn't see your comment.
 
thanks mate
Damn, it says you have to have a passcode on your phone to use 2FA. I never use a passcode unless I'm traveling.
Now _that_ means that anyone can do anything as soon as they lay their hands on your iPhone. Having no passcode at all is like leaving the door to your home wide open. I thought that only happened in soap operas where for plot reasons people have to leave their unlocked phone somewhere so that an evil enemy can check their messages or send fake messages.
Not if they are in Russia, or Turkey, or China, or...
Not sure about the other countries, but China won't shoot you just because of a bit of hacking against a US company.
This is a phishing email.

Nevermind... didn't see your comment.

The most obvious sign is when personal information is missing. My wife got an email that she had parked her car illegally and should pay £100, with details in an attachment (which turned out to be a zip file containing what looked like a Windows screen saver; that's probably a way to hide malware). I looked at it and there was the strange thing that they had her email address but not the license plate of the car that was supposed to have parked in the wrong place, or her name...
 
God, more hater trolls. They really ought to moderate you.
At the risk of stooping to your level, Nolamacguy, Apple has a well-known history of blaming everything and everyone else first for their hardware & software shortcomings, and then themselves when they can't pull the wool over everyone's eyes. Or does the phrase "You're holding it wrong" not ring any bells with you?
 
The people behind this kind of thing need to be set on fire, it's just evil behavior, . . . . . .

Nope, no fire; evil has and will always exist. We need companies that recognize the problem and stop it with technology. To date, most technology companies don't give a rat's ass about security. If they considered security then they would not have enough time to hit the launch window, and that is not in the strategy. Even if there is a breach it is not the immediate problem for the tech company. They just laugh it off like Apple is doing now.

Want better security? Then users need to stand up and be counted! But look at all of the Android buyers: they don't give a rat's ass about security either, or they would not buy those phones.
 
That is because your location is based on your IP address, which isn't always local to where you physically are, causing confusion.
Apple could do better though. I have an iPhone connected to my Wi-Fi, and it of course has a GPS. I have all the "feedback" stuff turned on. Apple could therefore theoretically maintain a list of which IP address belongs where.

Obviously some people have dynamic addresses, but that's no excuse for getting static ones in the wrong place.
 
He's right, Apple always points the finger first instead of taking responsibility when it should. #AntennaGate #BendGate...
You realize "AntennaGate" was MASSIVELY overblown by the Apple Hater crowd? It was never reported that you could make a Droid X (released about the same time) with dual antennas drop a call if you held your 2 fingers in a narrow peace sign on the back. This is exactly how I hold a phone, and it would drop calls almost immediately when I held it that way. I was holding the Droid X wrong. This behavior was highly repeatable on any unit. Never really reported. In other words, almost all handsets at the time had issues with being "held wrong".

On the plus side, it did force manufacturers to test for these types of conditions and fix them.
 
You realize "AntennaGate" was MASSIVELY overblown by the Apple Hater crowd? It was never reported that you could make a Droid X (released about the same time) with dual antennas drop a call if you held your 2 fingers in a narrow peace sign on the back. This is exactly how I hold a phone, and it would drop calls almost immediately when I held it that way. I was holding the Droid X wrong. This behavior was highly repeatable on any unit. Never really reported. In other words, almost all handsets at the time had issues with being "held wrong".

On the plus side, it did force manufacturers to test for these types of conditions and fix them.
You lost me at Droid. On a side note, if you were holding the phone wrong, then why did the manufacturers have to fix them? And why did Apple give out free bumper cases to fix antennagate? Your argument here is invalid and cancels itself out.
 
Be careful (though it sounds like most people here are careful or even paranoid), there are better phishing attempts out there than the one Aleco posted. I won't put it up here, as it did address me properly and I'm too lazy to photoshop the grab and delete my AppleID from it. It was a near identical match to the genuine e-mail I received after logging in last night to check my account was secure, after reading the original hack article. The only difference was that the return address and the web addresses on each of the hyperlinks didn't have an Apple domain. In the context of a recently announced hack I was much more likely to have clicked through to follow "Apple's" instructions and check things out, but have a healthy dose of paranoia myself!
 
Not that it is too consequential, but simply having another intermediary like Authenticator creates an additional attack vector.
Authenticator offers an attack vector that someone can only use if they have your phone and have it unlocked.

Apple offers to send your authentication code via SMS which 1) can be intercepted and 2) depending on your settings, may be readable from the screen of a locked device. The other way Apple sends codes is through a push notification, which only can be read when the device is unlocked and which I believe is more secure than SMS.

So far, Authenticator wins, but it involves setup ahead of time, which is probably why Apple doesn't use it.
thanks mate
Damn, it says you have to have a passcode on your phone to use 2FA. I never use a passcode unless I'm traveling.
That's pretty insane -- if your phone is at all recent it has a fingerprint reader that allows you (and only you) to unlock your phone in well under a second. Don't come crying to anyone if you get your data jacked!
 
Unfortunately, that isn't exactly the case. It just means they can only access your iCloud account if they have access to one of your registered devices (to which the 6 digit confirmation code is delivered). If you lose a device you should immediately try to wipe it via "Where's My iPhone".

Oh, for sure, I just meant in the context of this case. These folks don't have access (we hope!) to 600k+ lost devices, lol. No solution will ever be perfect when humans are involved. But 2 factor and keeping your devices physically secure is a good bet :)
 
Just had a rather genuine-looking scam come my way. Email and website link look very genuine and even have a secure SSL certificate, but you'll notice the site links all link to precisely nothing. Beware if you receive this one. And notice they appear to be time travellers from the year 2560.
 