The allegation is not that they had the answers to the security questions, but that Apple's support staff were exploited through social engineering.

The attacker asks the support staff questions like:

Oh, I can't remember my security answer. Is it two words or one?

Oh, my favourite food. Is that a fruit?

Oh, my favourite teacher. Is it a man or a woman?

They can do this over multiple calls or on different services.

If you find out the favourite food is a fruit in one call to Apple, then you can tell them it's a fruit the next time you call. That might prompt them to say that it's a red fruit.

This slow drip of information builds up, combining with things that the attacker already has or can guess.

The children here posting think someone called, said "I don't remember", and was given access. My guess is the hacker was up to this for some time, learning all he could about the individual; like any stalker, given time they can learn so much about the individual. It's a specific individual, so from what we know about the story it's also probably personal.
 
This is extremely disturbing. I had my iCloud account in iTunes hacked last year by someone in China who put $19.99 on my account.

Hacking != gaining access

("!=" means "does not equal")

From what I understand, many of the people that have been "hacked" on iTunes have actually had login/passwords compromised on *other* sites, with that password being used to then gain access to iTunes, buying items for which they get a kickback.

Here's a simple example:

Let's say someone uses "123@gmail.com" as a login and "abc" as the password for a site.

Let's further say that that someone *also* uses "123@gmail.com" as a login to iTunes, and to keep things simple, they use the same password "abc" on iTunes.

Now, the first site gets hacked (or, it was a website designed to harvest logins/passwords). One of the very first things the hacker will do will be to try that login/password combination on a bunch of sites where they can get some financial gain.

iTunes is one of those sites.
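The scenario above (a leaked login/password pair tried across many sites) has a recognisable signature on the receiving side: one source address attempting many *different* usernames, each usually once, with a low success rate. The following is an added example, not code from the original post or from Apple, showing how a defender would flag that pattern in authentication logs. The log format and every IP and username are constructed for the example; it also contrasts the pattern with a single-account brute force, which a stuffing rule should not catch.

```python
import re
from collections import defaultdict

# Constructed sample of web-server authentication log lines (not real data).
# 203.0.113.5 walks a leaked user list once each (credential stuffing);
# 198.51.100.7 hammers one account (brute force, a different signal);
# 192.0.2.9 is an ordinary successful login.
SAMPLE_LOG = """\
2012-08-04T10:00:01Z ip=203.0.113.5 user=alice@example.com result=FAIL
2012-08-04T10:00:02Z ip=203.0.113.5 user=bob@example.com result=FAIL
2012-08-04T10:00:02Z ip=203.0.113.5 user=carol@example.com result=SUCCESS
2012-08-04T10:00:03Z ip=203.0.113.5 user=dave@example.com result=FAIL
2012-08-04T10:00:04Z ip=203.0.113.5 user=erin@example.com result=FAIL
2012-08-04T10:00:05Z ip=203.0.113.5 user=frank@example.com result=FAIL
2012-08-04T10:00:06Z ip=203.0.113.5 user=grace@example.com result=SUCCESS
2012-08-04T10:01:00Z ip=198.51.100.7 user=alice@example.com result=FAIL
2012-08-04T10:01:05Z ip=198.51.100.7 user=alice@example.com result=FAIL
2012-08-04T10:01:09Z ip=198.51.100.7 user=alice@example.com result=SUCCESS
2012-08-04T10:02:00Z ip=192.0.2.9 user=heidi@example.com result=SUCCESS
"""

# Hypothetical key=value log layout assumed for this example.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) ip=(?P<ip>\S+) user=(?P<user>\S+) result=(?P<result>\S+)$"
)


def parse_log(text):
    """Turn the raw log text into a list of dicts; malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append(m.groupdict())
    return events


def find_stuffing_sources(events, min_distinct_users=5, max_success_ratio=0.5):
    """Flag source IPs whose behaviour looks like credential stuffing.

    The rule: many distinct usernames from one IP and a low success ratio.
    A brute force against a single account has one username and is left
    to a per-account lockout rule instead.
    Returns {ip: {"distinct_users", "attempts", "compromised"}}.
    """
    per_ip = defaultdict(lambda: {"users": set(), "attempts": 0,
                                  "successes": 0, "hits": set()})
    for e in events:
        s = per_ip[e["ip"]]
        s["users"].add(e["user"])
        s["attempts"] += 1
        if e["result"] == "SUCCESS":
            s["successes"] += 1
            s["hits"].add(e["user"])  # accounts whose reused password worked

    flagged = {}
    for ip, s in per_ip.items():
        ratio = s["successes"] / s["attempts"]
        if len(s["users"]) >= min_distinct_users and ratio <= max_success_ratio:
            flagged[ip] = {
                "distinct_users": len(s["users"]),
                "attempts": s["attempts"],
                # These accounts need a forced password reset, not just an IP block.
                "compromised": sorted(s["hits"]),
            }
    return flagged


if __name__ == "__main__":
    for ip, info in find_stuffing_sources(parse_log(SAMPLE_LOG)).items():
        print(ip, info)
```

The useful output is the `compromised` list: a successful login from a flagged source means that user's password was already known to the attacker from elsewhere, so blocking the IP alone leaves the account exposed.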
 
The children here posting think someone called, said "I don't remember", and was given access. My guess is the hacker was up to this for some time, learning all he could about the individual; like any stalker, given time they can learn so much about the individual. It's a specific individual, so from what we know about the story it's also probably personal.

While you're likely right about it taking a bit of effort it has been demonstrated that a device serial number is all that is needed to hijack an AppleID with one phone call. Doubt that happened this time since he didn't lose his iPhone like Pogue did.

Hacking != gaining access

("!=" means "does not equal")

From what I understand, many of the people that have been "hacked" on iTunes have actually had login/passwords compromised on *other* sites, with that password being used to then gain access to iTunes, buying items for which they get a kickback.

Here's a simple example:

Let's say someone uses "123@gmail.com" as a login and "abc" as the password for a site.

Let's further say that that someone *also* uses "123@gmail.com" as a login to iTunes, and to keep things simple, they use the same password "abc" on iTunes.

Now, the first site gets hacked (or, it was a website designed to harvest logins/passwords). One of the very first things the hacker will do will be to try that login/password combination on a bunch of sites where they can get some financial gain.

iTunes is one of those sites.

Problem is that doesn't happen in all cases. Social engineering Apple support isn't that hard. You're overgeneralizing all cases of people losing control of their AppleIDs and basically calling everyone who is a victim a moron. Let's ignore how calling people a moron for not being able to successfully use the username/password security model is itself moronic (the system quickly becomes untenable when you're actually trying to make them all secure). You are ignoring a problem because you've determined it to have exactly one cause. Doesn't that seem a bit short-sighted and dangerous?
 
you have to wonder

It's hard to imagine security is not enhanced by having the answer to "what is your mother's maiden name" be pyfEPaTnFiCZ8gD]s>cV3P instead of Smith.

It really doesn't even have to be like that.

Say the question is "what is your mother's maiden name"; your answer could be:
two2elephantsonsteroid

What is important is that it never should be obvious. This guy also had a 7 digit password. Really?

Nothing less than 10 alphanumeric characters should be used. I have to wonder if his password was not "password." Oh wait, that is 8. :rolleyes:
 
It really doesn't even have to be like that.

Say the question is "what is your mother's maiden name"; your answer could be:
two2elephantsonsteroid

What is important is that it never should be obvious. This guy also had a 7 digit password. Really?

Nothing less than 10 alphanumeric characters should be used. I have to wonder if his password was not "password." Oh wait, that is 8. :rolleyes:

True, it doesn't have to be like that, but random strings are more secure than a password that contains words that appear in a dictionary.
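The two posts above disagree about "two2elephantsonsteroid" versus a random string like "pyfEPaTnFiCZ8gD]s>cV3P". The difference is easy to quantify: a naive length-times-charset estimate treats both as 22 random characters, while an attacker with a word list guesses whole words, so a passphrase's strength is closer to (number of words) x log2(dictionary size). The following is an added example, not code from either poster, that segments a candidate answer into dictionary words and leftover characters and reports both estimates. The tiny word list is constructed for the example, and the assumed attacker dictionary size of 2^16 words (`DICT_BITS = 16`) is an assumption, not a figure from the thread.

```python
import math
import string

# Constructed mini word list for the example; a real checker loads a full dictionary.
WORDLIST = {"two", "elephant", "elephants", "on", "steroid", "smith",
            "password", "apple", "the", "a"}

# Assumed size of the attacker's word list, as bits: 2^16 words. This is an
# assumption for the example, not a value from the thread.
DICT_BITS = 16


def segment(pw, words):
    """Split pw into dictionary words and single leftover characters.

    Dynamic programming over prefixes: best[i] holds the fewest-token split of
    pw[:i]. Every single character is always an allowed token, so every
    position is reachable; multi-character tokens must be in `words`.
    """
    s = pw.lower()
    n = len(s)
    best = [None] * (n + 1)  # best[i] = (token_count, tokens) for s[:i]
    best[0] = (0, [])
    for i in range(1, n + 1):
        cand = None
        for j in range(i):
            piece = s[j:i]
            if piece in words or len(piece) == 1:
                c = (best[j][0] + 1, best[j][1] + [piece])
                if cand is None or c[0] < cand[0]:
                    cand = c
        best[i] = cand
    return best[n][1]


def charset_size(pw):
    """Size of the alphabet an attacker must assume for random characters."""
    size = 0
    if any(c.islower() for c in pw):
        size += 26
    if any(c.isupper() for c in pw):
        size += 26
    if any(c.isdigit() for c in pw):
        size += 10
    if any(c in string.punctuation for c in pw):
        size += len(string.punctuation)  # 32 ASCII symbols
    return size or 256  # fallback for characters outside these classes


def naive_bits(pw):
    """Strength if every character were independently random."""
    return len(pw) * math.log2(charset_size(pw))


def dictionary_aware_bits(pw, words, dict_bits=DICT_BITS):
    """Strength when whole dictionary words count as one guess each."""
    per_char = math.log2(charset_size(pw))
    bits = 0.0
    for token in segment(pw, words):
        if len(token) > 1 and token in words:
            bits += dict_bits   # one pick from the attacker's word list
        else:
            bits += per_char    # a genuinely random character
    return bits


def estimate(pw, words=WORDLIST):
    """Report both estimates (rounded to 0.1 bit) plus the segmentation."""
    return {
        "naive_bits": round(naive_bits(pw), 1),
        "dictionary_bits": round(dictionary_aware_bits(pw, words), 1),
        "tokens": segment(pw, words),
    }


if __name__ == "__main__":
    for candidate in ("Smith", "two2elephantsonsteroid", "pyfEPaTnFiCZ8gD]s>cV3P"):
        print(candidate, estimate(candidate))
```

Under these assumptions "Smith" is worth about 16 bits (one dictionary word), the passphrase about 69 bits (four words plus one digit), and the random string about 144 bits, where naive and dictionary-aware estimates coincide because nothing in it is a word. The passphrase is far better than a surname and still easy to remember, which is the point both posters are making from opposite ends.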
 
True, it doesn't have to be like that, but random strings are more secure than a password that contains words that appear in a dictionary.

Problem is you'll likely have more than one account, and you should have different authentication credentials for every account; otherwise a server admin being stupid and storing your account info in a plain text document (which happens) could breach all your accounts.

So try to remember all of those random strings, especially when you don't use them every day. Simply put, a truly secure password (or any other field) is the one that you yourself cannot remember. That kind of illustrates a problem with the username/password security model.
 
Problem is you'll likely have more than one account, and you should have different authentication credentials for every account; otherwise a server admin being stupid and storing your account info in a plain text document (which happens) could breach all your accounts.

So try to remember all of those random strings, especially when you don't use them every day. Simply put, a truly secure password (or any other field) is the one that you yourself cannot remember. That kind of illustrates a problem with the username/password security model.

Agreed -- that's why I use 1password to remember all of those random strings. Easy to generate, easy to store, easy to sync, easy to use (there are alternatives, I just happen to use 1password). Doing this is way more secure than most other password schemes out there.

1password's weakness is that it uses Dropbox to sync, and Dropbox has had at least two security lapses. The file is encrypted, and if you use a very long random string (the only password you have to memorize), it's fairly secure. But some day someone will break it, and I just hope it's not mine...
 
Agreed -- that's why I use 1password to remember all of those random strings. Easy to generate, easy to store, easy to sync, easy to use (there are alternatives, I just happen to use 1password). Doing this is way more secure than most other password schemes out there.

1password's weakness is that it uses Dropbox to sync, and Dropbox has had at least two security lapses. The file is encrypted, and if you use a very long random string (the only password you have to memorize), it's fairly secure. But some day someone will break it, and I just hope it's not mine...

Agreed. I think the people at Agile are good people. The problem is we shouldn't need their service because it is a bit of a kludge. We're effectively using third party software with a third party service as a user ID. We need to look at how we're using things like 1Password and make a new system that does the same thing without relying on a mix of third party companies.
 
Problem is that doesn't happen in all cases. Social engineering Apple support isn't that hard. You're overgeneralizing all cases of people losing control of their AppleIDs and basically calling everyone who is a victim a moron. Let's ignore how calling people a moron for not being able to successfully use the username/password security model is itself moronic (the system quickly becomes untenable when you're actually trying to make them all secure). You are ignoring a problem because you've determined it to have exactly one cause. Doesn't that seem a bit short-sighted and dangerous?

Wow - you blew right by my "many" qualifier in my post and immediately substituted "in every single case."

First of all, yeah, what happened to you sucks. Sorry about that.

Secondly, my post wasn't directed at you; it was a general cautionary note intended for those people who don't realize the risks involved in using the same login/password across a variety of sites. Or maybe you think that this very real issue (which, by the way, does scale) should not be talked about because of your issue. Sorry, that seems a bit short-sighted and dangerous.

So, spare me your vitriol, and have a nice weekend. I'm off to enjoy the rest of the day.
 
Agreed -- that's why I use 1password to remember all of those random strings. Easy to generate, easy to store, easy to sync, easy to use (there are alternatives, I just happen to use 1password). Doing this is way more secure than most other password schemes out there.

1password's weakness is that it uses Dropbox to sync, and Dropbox has had at least two security lapses. The file is encrypted, and if you use a very long random string (the only password you have to memorize), it's fairly secure. But some day someone will break it, and I just hope it's not mine...

Dropbox has full access to everything in your account. The "encryption" is a fraud, something that Dropbox hid from their customers.
 
Dropbox has full access to everything in your account. The "encryption" is a fraud, something that Dropbox hid from their customers.

Dropbox does not have the encryption key for my 1Password data file, which is encrypted before being uploaded to Dropbox.
 
Yeah, it's not hard to be skeptical, especially coming from Gizmodo. Would anyone really be surprised if this was coordinated to create yet another sensational anti-Apple story?

Even if that's true, it does highlight the danger of putting so much power behind a single password.

Yes I would be absolutely shocked.

Perhaps because I'm not a psychotic Apple fanboy.
 
Hacking != gaining access

("!=" means "does not equal")

From what I understand, many of the people that have been "hacked" on iTunes have actually had login/passwords compromised on *other* sites, with that password being used to then gain access to iTunes, buying items for which they get a kickback.

Here's a simple example:

Let's say someone uses "123@gmail.com" as a login and "abc" as the password for a site.

Let's further say that that someone *also* uses "123@gmail.com" as a login to iTunes, and to keep things simple, they use the same password "abc" on iTunes.

Now, the first site gets hacked (or, it was a website designed to harvest logins/passwords). One of the very first things the hacker will do will be to try that login/password combination on a bunch of sites where they can get some financial gain.

iTunes is one of those sites.

One of the biggest mistakes a person can make is recycling the same password all over the internet.

Especially on sites where money is involved.
 
Wow - you blew right by my "many" qualifier in my post and immediately substituted "in every single case."

First of all, yeah, what happened to you sucks. Sorry about that.

Secondly, my post wasn't directed at you; it was a general cautionary note intended for those people who don't realize the risks involved in using the same login/password across a variety of sites. Or maybe you think that this very real issue (which, by the way, does scale) should not be talked about because of your issue. Sorry, that seems a bit short-sighted and dangerous.

So, spare me your vitriol, and have a nice weekend. I'm off to enjoy the rest of the day.

You came in and responded to a quote (it wasn't mine). You didn't ask for more specifics about that person's case. You instead started describing secure passwords and lecturing people on how != means does not equal. I hope you can understand how the tone of your post immediately made you look hostile and accusatory. Have a good day, I'm going to go take a bike ride myself.
 
So the hacker didn't give answers to the security questions; he managed to get by without answering them.

http://twitter.com/mat/status/232173805857042433
 
I can't even imagine the horror of sitting here and watching all my devices being remote wiped...

(Time Machine obviously, but still!)
 
That's crazy! Well, they need to train their customer care reps better. Haha, don't do any more "favors."

----------

That would be horrifying.

I can't even imagine the horror of sitting here and watching all my devices being remote wiped...

(Time Machine obviously, but still!)
 
Hacking != gaining access
...
Hacking is not a well-defined term. It seems pointless to split hairs like this when no one agrees on the definition. Even using it to refer to subverting computer security at all is widely disputed.
 