I don't think Google's is true 2FA and neither is Apple's (more on that later). However, I believe Apple's is still more secure.

Google's is more 2 step because its code can be authenticated via app or 3rd party apps. It's not tied to the device, it's tied to the app.

Apple's "2FA" would be tied to the device and would be true 2FA if they got rid of the phone number authentication.

Google can be locked down tight, you set up two step auth against your google account and google email account, ergo ANY device that wants to access your emails has to have the code sent to your mobile phone.

Out of interest how does two step auth work with no mobile phone number, or second point of contact? Is that not the entire point of two step auth?
 
Two factor verification is a must have in 2017.

Many breaches, including the breaches at large corporations leading to the leak of customer data, come from some person using a weak password.
 
When I try to disengage from iCloud I get a message saying that information on my computer will be deleted.
I don't understand this; shouldn't only my info on iCloud be deleted? Why should my computer be affected?
I'm sorry I turned it on at all.
 
Same here.

Always tells me it's been accessed from London (when I'm using 2FA) even though I'm in the middle of the UK.

It's probably using your IP address to do the lookup. ISPs often don't give exact locations (mine is consistently about 30 miles away from my real location and db-ip apparently places me in London as well). Find my Mac is surprisingly accurate though.
 
It's the Russians! Ask anyone.

ANYONE you say? Okay, I'll ask the Russians - I am sure they'll admit it.

I use 17 factor, and factor 10 when the sun is REALLY high.
 
The breach was real. Someone from China used all my iTunes balance to purchase 2 games from App store on March 21, 2017. I did not find out until hours later from Apple’s email alert. I immediately cancelled my credit card on record and turned on 2-factor Authentication. Apple refunded the stolen amount.
 


2 factor is not the same as 2 step. 2 factor is more secure.

Google Authentication can be done via 3rd party app. I use my 1Password actually, which makes Google's method 2 step, not 2 factor.

Apple's "2 factor" works by pushing a system notification to your iPhone. A phone number isn't needed to do this. However, Apple uses a phone number as a fallback if the push doesn't work for whatever reason. This phone number part is what keeps Apple's method from being true 2FA.

Neither Google's nor Apple's is true 2FA, but Apple's is more secure because you can't use other apps to authenticate.
 
It's odd that you go through the trouble of securing your ID, but don't have 2FA turned on.

It's no trouble at all. My password cannot be guessed correctly, which is why I don't need 2FA turned on.
It's trivial to guess IDs and passwords; that you don't use them anywhere else is irrelevant. You have a false sense of security here.

How do I have a false sense of security?
 
Totally agree (well, more or less): the use of long random passwords using lots of alphanumeric characters along with various dashes, exclamations and other punctuation symbols is the best option. Keep them all unique and use 2 factor when it's available.

I don't use 1Password or any others though, although I will say they look like a good option, with good security measures. Call me paranoid if you like, but the last thing I'm about to do is go to all of that trouble and then store all of my most guarded passwords in one centralised location via an internet service. I know they have an offline option as well, but I'm just too sceptical these days with the continual stream of hacks on websites and services.

I know it's not an option for everyone, but I use my own password manager which has security up the wazoo and no internet access whatsoever. When I need to sync between devices it's done locally, off-line, using an encrypted transfer.
Overkill? Probably, but I trust me more than I trust anyone else :D

You don't actually need to make them crappy; a pwd should be remembered.
I, for example, use something in this vein:

Da3ip2YulWàzDéBèst!Eva (no one's getting this kind of password EVER unless I gave it to them)
Means: The trip to Montreal (Yul) was the best!

Ridiculously easy to remember and yet absurdly secure.

I often reorg those types of pwd to create other variants just as crazy, like
DéBèst3ipEvaWàz2Yul?

The best trip ever was to Montreal ?
Can produce a whole suite of very very strong passwords.

Being well aware of phishing attempts is the best way to protect from compromise.

If you're uncertain of an email or SMS notification, go directly to the site they purport to be from and never follow the link they offer, EVER. Only follow those kinds of links if you yourself produced them (say by going to the real site and triggering them, for example by changing your password).
Hackers don't guess your password.

Right.... Hackers are "magicians"..... Where on earth do you think they get the password.
They get it from an encrypted db they downloaded (flat file or stored in an actual db) where you put a really bad password and they can crack it through a dictionary, or they do it through phishing and social engineering.

They could also catch your login by putting themselves in between you and the real site and faking that site's login screen (that's the whole spiel of the man in the middle attack). But that's a much harder one to actually do... Don't log in with your most valuable passwords (banking, or MS, or Apple) on a public network.

Of course, your password is as safe as the crappiest place you log into with it. If that place has very poor programming, they could get this password in the clear somehow. But that's not usually how this happens. Social engineering is where most of the leaks happen.

The funny thing is that often the password is well protected but not the rest of the users' data. So they could get your credit card info much more easily than they could your password if they get access to the backend db. That's what happened in big leaks like the Target one.
 
Long passwords do not necessarily make them stronger, as short random passwords can be secure too, so long as they are random. The length of a password is part of its entropy. By randomizing lengths, you lower the chances that a password can be guessed. For example, if all of your passwords are 18 characters in length, then a hacking system could focus on that particular length, cycling through all possible combinations. But if your passwords vary in length, there are more combinations to check.
Other things being equal, a longer random password will take more effort to break than a short random password because there are fewer possible combinations to try in order to brute-force the shorter password. It is true that having passwords of different lengths increases the problem space, but using that as an argument in support of short passwords is weak. I never suggested long passwords should all be of a single advertised length. Actually, I don't think I have any passwords as short as 18 characters, except for a handful that I have to type frequently.
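A quick way to check the arithmetic behind the two posts above (an added example, not written by any poster in the thread; it assumes a 95-character printable-ASCII alphabet and uniformly random passwords):

```python
import math

# Assumption: passwords are drawn uniformly from the 95 printable ASCII characters.
ALPHABET = 95


def keyspace_fixed(length, alphabet=ALPHABET):
    """Number of random passwords of exactly `length` characters."""
    return alphabet ** length


def keyspace_range(min_len, max_len, alphabet=ALPHABET):
    """Number of random passwords whose length is anywhere in [min_len, max_len].

    This is the search space an attacker faces when the length is unknown
    but bounded, i.e. the 'varying lengths' case from the thread.
    """
    return sum(alphabet ** n for n in range(min_len, max_len + 1))


def entropy_bits(keyspace):
    """log2 of a keyspace: the work, in bits, of an exhaustive search."""
    return math.log2(keyspace)


def extra_bits_from_varying_length(min_len, max_len, alphabet=ALPHABET):
    """Entropy gained by hiding the exact length (any of min_len..max_len)
    compared with a password known to be exactly max_len characters long."""
    return (entropy_bits(keyspace_range(min_len, max_len, alphabet))
            - entropy_bits(keyspace_fixed(max_len, alphabet)))


def extra_bits_from_one_more_char(length, alphabet=ALPHABET):
    """Entropy gained by making a fixed-length password one character longer."""
    return (entropy_bits(keyspace_fixed(length + 1, alphabet))
            - entropy_bits(keyspace_fixed(length, alphabet)))


if __name__ == "__main__":
    # Not knowing whether a password is 8..18 chars adds ~0.015 bits over a
    # known 18-char one, while a 19th character adds ~6.6 bits: length wins.
    print(f"18-char random password: {entropy_bits(keyspace_fixed(18)):.1f} bits")
    print(f"unknown length 8..18 adds: {extra_bits_from_varying_length(8, 18):.3f} bits")
    print(f"one more character adds: {extra_bits_from_one_more_char(18):.2f} bits")
```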
 
Let's say, for instance, that someone did actually steal credentials as claimed by this group. If they have your iCloud credentials in that list, and you do not have 2-factor enabled, the attacker can access your account. If you have 2-factor authentication enabled, they cannot. Most mass breaches of credentials have not been done by guessing.
However, even if someone did do a dictionary attack on your account, given enough time, it could be guessed and accessed. 2-factor prevents access to your account with this method as well.
 

I'm not sure how they can steal my credentials, especially when my password isn't stored anywhere but in my head. I understand the importance of 2FA and how it prevents accounts from being stolen; I just don't see how it's possible for someone to obtain my password in any scenario.

The reason my password is 18 characters long is because it's a combination of 3 unrelated things. The first is an abbreviation I made for a word that doesn't have an abbreviation. The second is an actual word that is unrelated to the first abbreviation I made up. The third part to my password is 8 random letters and numbers. Oh and there is an uppercase character in there somewhere. I then combine all 3 into one long password, which makes it impossible for someone to guess.

Like I said, I understand how 2FA works; I just don't see how someone can obtain my password to get into my account in any scenario. I don't think my physical password is actually stored on an Apple server somewhere, though I could be wrong. But wouldn't that defeat the purpose of encryption?
To my understanding, in most accounts that are actually hacked, the attacker guessed the password or somehow obtained the physical password and logged in.

I get calls once in a while, as well as emails once in a while, from fake accounts claiming to be Apple, saying my account has been hacked and to follow the instructions to fix the issue. It's so obvious to me that some hackers or group happen to have my email or phone on a list and they're trying to get me to give up my credentials. I don't even think the calls and the emails are from the same group.

It's 2017 and a lot of people own Apple devices, so they're probably just calling random numbers they obtained somewhere and hoping they get someone who will willingly give up their credentials or follow the link in the voicemail. As for the emails I've been getting, that group probably obtained my email from somewhere like Yahoo hacked accounts. All my emails begin the same but end with a different domain. So they probably just figured to try @mac.com, @me.com or @icloud.com with the same email name and see what happens. So yea, they got my email, but like I explained before, I created my Apple ID password in 3 different parts and it's impossible for them to get it. I don't use my Yahoo account anymore, but even that account is still secure. All they have is my emails, and the other group my phone number.
 
That "somehow" is the problem; it doesn't have to be your actual password that the attacker gets. 2 factor eliminates this risk.
 
They don't guess your password; they take it via phishing, key loggers, social engineering.

A 20 character alphanumeric password does nothing against this.

Posters here refusing to turn 2FA on because they think they're safe are delusional. 2FA makes it much tougher to hack and is much safer than using long passwords.
 
It can only be guessed if the password is short enough and actually using dictionary words.
Most people's passwords are too short.

Most credentials are stolen through phishing.
Phishing claiming to be Apple happens all the time.
2 factor, if enabled, does stop those phishing attempts from being effective.
But so does not being dumb and logging in from those unsolicited links.
 
The sites which have had big credential losses were not attacked via phishing and a brute force attack does not require passwords to be dictionary words.
 
They're safe if they're not dumb as bricks and don't actually respond to these phishing things or use the same short passwords on 20 different sites. That's the main issue there.
If security is onerous, people don't use it. The reason they don't use 2 factor is the same reason they reuse those shortish bad passwords.

The simplest way for these people to protect themselves would be to use some biometric key linked to a list of registered devices for this key. Each time you add a device you'd have to authenticate it (that's what happens right now for many of the big players even if you don't use 2 factor). On devices with no biometrics, you could force a long password login (eventually those devices will be few).
 