So the hacker didn't give answers to the security questions, managed to get by without answering them

http://twitter.com/mat/status/232173805857042433

If true, Apple has terrible security on iCloud. Why would an Apple support person have any capability to access your iCloud account without authentication? It shouldn't matter how convincing or otherwise tricky a caller is: no authentication, no access. <-- Period.

I have some doubts about this whole thing though, since Gizmodo is involved. Sorry, but they have a history/culture of link baiting, especially via Apple bashing. E.g. Mat says he has confirmation from Apple re the hacker bypassing the security questions... so why not share that?
 
So the hacker didn't give answers to the security questions, managed to get by without answering them

http://twitter.com/mat/status/232173805857042433

But he's basing this whole thing on what the hacker told him! That is, to put it politely, nuts.

I'm not saying it's impossible. If the hacker ever had physical access to his devices, maybe he noted the serial number. Maybe Mat was dumb enough to use real answers to security questions, and maybe he was dumb enough to reveal helpful info in his twitter posts, etc.

But it fails Occam's Razor test: other, far simpler solutions are more likely. Anyone clueless enough not to have backups likely used the same login on every site and one of those was hacked.
 
If true, Apple has terrible security on iCloud. Why would an Apple support person have any capability to access your iCloud account without authentication? It shouldn't matter how convincing or otherwise tricky a caller is: no authentication, no access. <-- Period.

I have some doubts about this whole thing though, since Gizmodo is involved. Sorry, but they have a history/culture of link baiting, especially via Apple bashing. E.g. Mat says he has confirmation from Apple re the hacker bypassing the security questions... so why not share that?

Take your thorazine and your doubts - along with the troublesome voices - will go away.
 
If true, Apple has terrible security on iCloud. Why would an Apple support person have any capability to access your iCloud account without authentication? It shouldn't matter how convincing or otherwise tricky a caller is: no authentication, no access. <-- Period.

What authentication?

If you've forgotten the password, the representative is going to be making a judgement call based on the information you've provided. In order for that to work, they need to see all of the information that the company has linked to the account.
 
Huh?

Well, if you have everything on your iPad and on your iPhone and on your MacBook Air, then making separate back-ups seems not necessary. You've three devices, three times the same files.

Those aren't backups; your data is just on multiple devices.

When we say backups, most people mean dedicated hard drives not accessible online or secure cloud solutions.
 
Yep!

Isn't that exactly the issue? You should never rely on anything.

Last I checked, iCloud didn't back up more than a few Apple programs, my contacts, email and iTunes purchases, right?

Coupled with a local backup, that seems a fine setup.

Kills me to see so many allegedly tech-savvy individuals follow so little of their advice.
 
Why are people solely blaming the so-called hacker? I don't think you get it. If it is found that Apple covered this up, or did not detect the fraud, and they did not follow the strict DPA procedures, they can be prosecuted.
I bet I could take some small information from anyone on here that has a blog or a website and do the exact same thing, because I could fool Apple into giving me your details just as easily.

You can guarantee this went straight to board level because of the seriousness; the agent was investigated and stricter procedures put in place, or departments retrained, or the DPA procedures re-iterated in briefings.

If this was someone who just hacked into the system then it is different, but they simply fooled an agent into willingly handing sensitive information over about a customer because they failed to follow DPA procedure.

So if this story is true, do not under any circumstances paint Apple in a bright innocent light, because they failed at procedures required by and clearly set out by strict government legislation.
 
Yes I would be absolutely shocked.

Perhaps because I'm not a psychotic Apple fanboy.

You're right, nobody would ever make up sensational stories about Apple for their own personal gain. How silly of me to suggest it. :rolleyes:

Name calling is against the forum rules, so you might want to cool your jets a bit.
 
Agreed -- that's why I use 1password to remember all of those random strings. Easy to generate, easy to store, easy to sync, easy to use (there are alternatives, I just happen to use 1password). Doing this is way more secure than most other password schemes out there.

1password's weakness is that it uses Dropbox to sync, and Dropbox has had at least two security lapses. The file is encrypted, and if you use a very long random string (the only pw you have to memorize), it's fairly secure. But some day someone will break it and I just hope it's not mine.....

Love 1Password. But as long as your Master Password is pretty strong, even if Dropbox is hacked (and it has been), your individual password blob is safe. Also, the blob is usually pretty small (less than 10MB) so you can back it up and store it pretty easily to an emergency thumb drive or elsewhere once per week.
 
If true, Apple has terrible security on iCloud. Why would an Apple support person have any capability to access your iCloud account without authentication? It shouldn't matter how convincing or otherwise tricky a caller is: no authentication, no access. <-- Period.

I have some doubts about this whole thing though, since Gizmodo is involved. Sorry, but they have a history/culture of link baiting, especially via Apple bashing. E.g. Mat says he has confirmation from Apple re the hacker bypassing the security questions... so why not share that?


To me that screams DO NOT USE iCloud and start locking down any of my accounts that are iTunes related. I yanked my CC from iTunes a long time ago, and this just reinforces the fact that I did it and even makes it less likely for me to put it back on it.
 
I bet I could take some small information from anyone on here that has a blog or a website and do the exact same thing, because I could fool Apple into giving me your details just as easily.

And if you were dumb enough to give out sensitive or potentially sensitive information on a public blog then no protocols will help because you gave the keys to the thieves

----------

Simply because most people here can't accept Apple would ever do something wrong.

There are just as many folks willing to assume this is all Apple's fault
 
If true, Apple has terrible security on iCloud. Why would an Apple support person have any capability to access your iCloud account without authentication? It shouldn't matter how convincing or otherwise tricky a caller is: no authentication, no access. <-- Period.

The post didn't say "no authentication", it said the attacker bypassed the security questions. Heck, my bank allows me to do it too because frankly, I can never remember the darn answers to the security questions. They authenticate me through other means, some of which could be done by a fraudulent person if they knew me well enough.

At some point, social engineering is just that: pretending to be someone that's authorized and getting someone else to unlock the proverbial door.

You can add as many authentication layers as you want; social engineering can bypass them all, unless you remove the option of tech support people resetting forgotten account passwords completely and just answer back with: "Well sorry, your data is lost forever, create a new account".
 
But this story says they gave the password over the phone? Even if someone did make that mistake, why didn't they send the password reset link to the known recovery email?
 
But this story says they gave the password over the phone? Even if someone did make that mistake, why didn't they send the password reset link to the known recovery email?

It doesn't specifically state that. One would assume that they emailed a recovery link to an address specified over the phone.

That's a very common scenario I'd imagine.

i.e. you set up the account with one email address, but you no longer have access to that address.

When you forget the password, the reset link is sent to that old address, so you can't use it.
 
The post didn't say "no authentication", it said the attacker bypassed the security questions.
The post mentions no other form of authentication either. I feel OK commenting on the story as presented, under the assumption relevant details have been included. You're welcome to assume otherwise, of course, but we have nothing to debate if we're working under different assumptions.

...
You can add as many authentication layers as you want; social engineering can bypass them all, unless you remove the option of tech support people resetting forgotten account passwords completely and just answer back with: "Well sorry, your data is lost forever, create a new account".

Seems like this must have gone beyond a password reset, since the hacker would have had to have some kind of access to Mat's email account to make use of it.
 
Love 1Password. But as long as your Master Password is pretty strong, even if Dropbox is hacked (and it has been), your individual password blob is safe. Also, the blob is usually pretty small (less than 10MB) so you can back it up and store it pretty easily to an emergency thumb drive or elsewhere once per week.

Yah, the first time Dropbox was hacked I changed to a much longer and more complex master password. But Dropbox still gives me pause. For now, the convenience outweighs the risk, and I sleep just fine with all of my long, random strings stored safely inside 1PW. That said, it's a whole new world and I think maybe Woz's prediction will turn out to be right, unfortunately. Who is more secure -- Apple, Dropbox, Google, Microsoft, Evernote, etc.? I don't think we really know, although Apple certainly has a large, embarrassing black eye today. Among other changes, I would like to see Apple move to two-step authentication and I certainly hope someday we know the truth of what happened to the ex-Gizmodo guy.
 
I love the replies in this thread. It's like anyone else has a security flub, and it's taken at face value. These things happen because they're stupid, and blah blah blah. But make a report showing Apple in anything less than a perfect spotlight? I DEMAND TO SEE YOUR CREDENTIALS AND SOURCES, SIR! FOR I AM SKEPTICAL AND DISCERNING!
 
The level of "social engineering" needed to access a service needs to be commensurate with how secure that service is intended to be. DropBox isn't an appropriate place to keep sensitive materials - so the barriers to smooth talk one's way past the gatekeepers shouldn't be expected to be super serious.

The alternative is, as an earlier poster said, to be willing to say "sorry, your data is gone forever". That's an appropriate response for certain service levels - but not for a consumer-targeted service like DropBox.

iCloud I put in the same category as DropBox - not appropriate for (eg) storing company IP or etc.
 