That's an appropriate response for certain service levels - but not for a consumer-targeted service like DropBox.

iCloud I put in the same category as DropBox - not appropriate for (eg) storing company IP or etc.

Dropbox wouldn't agree with you on that.

They actively market their products to business users.
 
Interesting, thanks. I'll have to look at this in a bit. I was definitely convinced by the UI that local backup was impossible with cloud enabled (as was a person who responded after me).

No, on the other hand it's unavailable during a sync, so maybe that's where the mix up comes from?
 
Reason being... why... I hardly use any offerings of virtual cloud storage for my own personal files/docs.

iCloud was/is always susceptible to this, and so is every other virtual server giving you their service/space like this too. Virtual servers are just that, 'virtual'... and most have no idea what lies in front of & behind their security system.

I'm an Apple fanboy for sure, I just don't & will never use any of their iCloud, MobileMe(R.I.P), or anything related to my personal info/files having a source like a virtual "anything"...

This always will & could happen to anyone using iCloud... :cool:
 
I'm not going to go assume much past this thread but I take 'several' as meaning at least seven.

This is not what real people will do. Why do you think iCloud even exists? I don't care what password you have, This is a mistake by Apple. Give me brute-force access and I will get your password too.

The worst part is that Honan had an all numeric password which made it easy. It's like he was an adult from the 90s who didn't understand the consequences.

I'm not sure even you understand what you're saying right now, my friend. It's very unclear if you're replying to what I wrote or if you quoted me by accident...

----------

Are you sure?

The "Back up" button is greyed out when you have iCloud backup enabled. You can't use it. It is greyed out whenever you right click the device as you suggested, and the device is using iCloud for backups.

Nope, it's only greyed out during a sync. Wait for the sync to stop (or cancel it) and it won't be greyed out anymore :)
 
And if you were dumb enough to give out sensitive or potentially sensitive information on a public blog then no protocols will help because you gave the keys to the thieves

You still don't understand do you? The Apple agent completely failed to follow DPA processes and was fooled into giving the sensitive information away. You don't need to post your password on your blog.

Your name? Address? All easy to find out. If the agent does not ask for your password or your mother's maiden name or your bank account number, Apple account number, then it's easy to fool.

Systems are not easy to fool if correct procedures are followed. As I said, do NOT blame the so called hacker.
 
iCloud I put in the same category as DropBox - not appropriate for (eg) storing company IP or etc.

Restoring lost content isn't a big deal with Dropbox. I had a situation about half a year ago where DB suddenly decided to delete all my files. Don't know what caused it. All I know is I opened the folder, and none of my stuff was there to be found. All I had to do to fix it was hop onto the website and tell it to restore to earlier versions of my folders. It went from issue to non issue in the span of 5 minutes.

Securitywise? Yeah. DB isn't much better than iCloud. If you need a place to store sensitive documents you absolutely don't want getting out to the world at large, you only have one option: Spideroak.
 
The post mentions no other form of authentication either. I feel OK commenting on the story as presented, under the assumption relevant details have been included. You're welcome to assume otherwise, of course, but we have nothing to debate if we're working under different assumptions.

Why do you assume there are no methods of authentication ? You've never talked over the phone to your bank or cable provider or cellphone carrier ? Going on my experience here, if you want a password reset on an account, the security questions are only 1 form of possible authentication. I'm sure Apple has the same policies as everyone else in place : if the guy doesn't remember his security question answers, ask him other details only he can know about the account (mailing/billing address, DoB, mother's maiden name, last few transactions, etc.. etc..).

Heck, I've worked (very long ago mind you) in technical support. We had authentication methods beyond just security questions because frankly, no one ever remembers the darn answers to them.

Again, all of this from personal experience. Social engineering can be used against all of these methods, and so it's really futile to blame Apple for anything.
 
I can't believe how many of the commenters here don't understand what has gone on and what the actual issues worthy of discussion are (with reference to what has actually taken place). I see a lot of misunderstanding here and feel compelled to leave a remark about it - whether it be poor reading comprehension or some other element concerning the readership, Arn, I feel your pain.
 
You still don't understand do you? The Apple agent completely failed to follow DPA processes and was fooled into giving the sensitive information away. You don't need to post your password on your blog.

Your name? Address? All easy to find out. If the agent does not ask for your password or your mother's maiden name or your bank account number, Apple account number, then it's easy to fool.

Systems are not easy to fool if correct procedures are followed. As I said, do NOT blame the so called hacker.

How do you know the Apple agent didn't follow his internal procedures ? The article and twitter posts don't even claim so. They only claim the security questions were bypassed, not that no authentication took place.
 
ask him other details only he can know about the account (mailing/billing address, DoB, mother's maiden name, last few transactions, etc.. etc..).

I know what you're really saying, but your sentence is just broken.

Your friends/family don't know:

Where you live?
When your birthday is?
What your mother's maiden name was?
What you might have bought lately?

These are just as bad as the security questions Apple introduced recently. They're all things that are easy to find out.

----------

I can't believe how many of the commenters here don't understand what has gone on and what the actual issues worthy of discussion are (with reference to what has actually taken place). I see a lot of misunderstanding here and feel compelled to leave a remark about it - whether it be poor reading comprehension or some other element concerning the readership, Arn, I feel your pain.

You're not saying a lot yourself...
 
I know what you're really saying, but your sentence is just broken.

Your friends/family don't know:

Where you live?
When your birthday is?
What your mother's maiden name was?
What you might have bought lately?

These are just as bad as the security questions Apple introduced recently. They're all things that are easy to find out.

Sure they are. But again, what other option is there ? At some point, someone can pretend to be you. Someone can have enough information to get in.

VISA ids me with this stuff all the time. My carrier, my cable provider, etc..

The only other available option is simple : "Sorry sir, don't remember your password, your stuff is lost forever".

For more important accounts, I've had to send notarized letters, etc. iCloud isn't important enough to drop the coin for a notary to authenticate me, so I accept a certain risk in the tech support people getting fooled by people with enough info about me (actually, I don't, I don't have an iCloud account).
 
Whoopsie Apple! But seriously, no human being can be completely immune to manipulation by another person. I'm sure Apple will be more strict on security policies following this unfortunate incident, but people are people, and are prone to having lapses in good judgement. As someone who's been in customer service for big companies for a while, it is very hard sometimes to say no to someone you believe is a legitimate customer. I know I've let it slide before.

This is what annoys me. The extra security in Mac OS made for idiots who open stuff from suspicious DMGs and ZIPs is really tiresome.
 
How do you know the Apple agent didn't follow his internal procedures ? The article and twitter posts don't even claim so. They only claim the security questions were bypassed, not that no authentication took place.

Because I've worked in the technical services industry for the last 6 years for a multi billion dollar corporation and know just how seriously DPA is taken and the processes and procedures you have to follow to avoid breaches like this. And no I do not work for Apple.

And the article clearly states:

Update Three: I know how it was done now. Confirmed with both the hacker and Apple. It wasn’t password related. They got in via Apple tech support and some clever social engineering that let them bypass security questions. Apple has my Macbook and is trying to recover the data. I’m back in all my accounts that I know I was locked out of. Still trying to figure out where else they were.

I can tell you comfortably that if the password was not asked for, or an account number etc., DPA was breached, if this follows the same rules as the UK does. DPA breaches are a lot rarer than you think, bar idiot law firms or governments losing CDs packed with data, and the reason they are rare is because of the strict processes that are followed and enforced.
A company can actually have its licence to deal with credit card and bank details revoked if it flounders DPA; it can be fined a percentage of its gross operating profit. It is a serious subject.

You can perform certain tasks without fully verifying accounts, but if you are asked to provide sensitive information then you are required to fully DPA an account first and yes in some cases if that can't be done, the customer will not get the information until they do.
 
Because I've worked in the technical services industry for the last 6 years for a multi billion dollar corporation and know just how seriously DPA is taken and the processes and procedures you have to follow to avoid breaches like this. And no I do not work for Apple.

Congratulations, so did I. And again, on top of the account password, the security questions, we had other methods to authenticate users because half of them don't remember the passwords and security questions to begin with.

And the article clearly states:

Update Three: I know how it was done now. Confirmed with both the hacker and Apple. It wasn’t password related. They got in via Apple tech support and some clever social engineering that let them bypass security questions. Apple has my Macbook and is trying to recover the data. I’m back in all my accounts that I know I was locked out of. Still trying to figure out where else they were.

That again only claims security questions were bypassed, not that no authentication took place. That is exactly what I'm saying the article states and that is exactly the premise I'm going from.

We're missing a lot of information to know what actually went down and how the "hacker" convinced the "tech support guy" to allow him access to the iCloud account.

I can tell you comfortably if the password was not asked for or an account number etc.

No you can't, not based on the information we have. All we know is the "hacker" called in for a password reset and managed to get one without the security questions. We don't know what authentication method he managed to pass or what was used to convince the support agent. We don't know that procedures weren't followed, and we certainly don't know what "clever social engineering" means in this context.

So attacking Apple here is quite premature.
 
Congratulations, so did I. And again, on top of the account password, the security questions, we had other methods to authenticate users because half of them don't remember the passwords and security questions to begin with.



That again only claims security questions were bypassed, not that no authentication took place. That is exactly what I'm saying the article states and that is exactly the premise I'm going from.

We're missing a lot of information to know what actually went down and how the "hacker" convinced the "tech support guy" to allow him access to the iCloud account.



No you can't, not based on the information we have. All we know is the "hacker" called in for a password reset and managed to get one without the security questions. We don't know what authentication method he managed to pass or what was used to convince the support agent. We don't know that procedures weren't followed, and we certainly don't know what "clever social engineering" means in this context.

So attacking Apple here is quite premature.

Well you will have to excuse me as I shall ignore your post because in Canada the law is clearly very different, or the company you worked for was lax with security.
Because as I said, if a customer wants certain information, and certainly if they required any passwords to be reset, they have to fully verify security procedures and if they cannot then they do not get the information. They then have to follow other strict processes to verify identity before the information is provided which are certainly not performed over the phone.

I actually think I'm glad I live in the UK now! And YES I CAN state if this was in the UK DPA would be breached.
 
The post didn't say "no authentication", it said the attacker bypassed the security questions. Heck, my bank allows me to do it too because frankly, I can never remember the darn answers to the security questions. They authenticate me through other means, some of which could be done by a fraudulent person if they knew me well enough.

Sometimes my bank calls me and asks me to prove I'm me. They are basically training people to hand over the exact information needed to impersonate you over the phone to any random person who calls.
 
Well you will have to excuse me as I shall ignore your post because in Canada the law is clearly very different, or the company you worked for was lax with security.
Because as I said, if a customer wants certain information, and certainly if they required any passwords to be reset, they have to fully verify security procedures and if they cannot then they do not get the information. They then have to follow other strict processes to verify identity before the information is provided which are certainly not performed over the phone.

I actually think I'm glad I live in the UK now! And YES I CAN state if this was in the UK DPA would be breached.

Uh ? What are you not getting :

- Password
- Security questions
- other authentication methods (basically, depending on the level of service, questions about things in the account only the holder would know or callback/mailback verification. The government of Canada uses mail back because frankly, that's highly sensitive. Residential services like iCloud, cable providers, cellphone providers use the account information to create questions on the fly).

You're again thinking in binary. You're going with the premise that no authentication took place beyond the security questions/password. That is not how services work. There are other fallbacks. Social engineering can get through all of them.

Until we know the exact method the Apple agent used to authenticate the "hacker" and how the "hacker" managed to get the needed information/access to pass that method, we cannot blame Apple.

What is so hard to understand here ? There is not enough information provided by the "journalist" to even start forming an opinion.

----------

Sometimes my bank calls me and asks me to prove I'm me. They are basically training people to hand over the exact information needed to impersonate you over the phone to any random person who calls.

When my bank calls and starts trying to authenticate me, they get the verbal finger. Social engineering 101 : "If I didn't call one of your official numbers myself, how can I be sure I'm really talking to my bank's agents and not some fraudster ?".

But yes they do that, and the call display on my phone does authenticate the number they are calling from as legitimate. I still don't give them the satisfaction, it is a very poor practice and like you say, only promotes poor security training of less "in-the-know" individuals.
 
Uh ? What are you not getting :

- Password
- Security questions
- other authentication methods (basically, depending on the level of service, questions about things in the account only the holder would know or callback/mailback verification. The government of Canada uses mail back because frankly, that's highly sensitive. Residential services like iCloud, cable providers, cellphone providers use the account information to create questions on the fly).

You're again thinking in binary. You're going with the premise that no authentication took place beyond the security questions/password. That is not how services work. There are other fallbacks. Social engineering can get through all of them.

Until we know the exact method the Apple agent used to authenticate the "hacker" and how the "hacker" managed to get the needed information/access to pass that method, we cannot blame Apple.

What is so hard to understand here ? There is not enough information provided by the "journalist" to even start forming an opinion.

----------



When my bank calls and starts trying to authenticate me, they get the verbal finger. Social engineering 101 : "If I didn't call one of your official numbers myself, how can I be sure I'm really talking to my bank's agents and not some fraudster ?".

As I said, the law in Canada is very different. The comments you make here would get you fired very quickly and possibly investigated at my company.

And as for your last comment, for instance, it doesn't fly I'm afraid; that comment would not get you anywhere in my company at all, apart from the call being released and a comment added to the main account stating DPA was refused. So yet again I CAN state that in the UK it is a breach of DPA.
I am getting it just fine sir, you on the other hand are clearly not because:

They got in via Apple tech support and some clever social engineering that let them bypass security questions.

---- Would not pass in the UK. It is clear a password or other sensitive information was not requested, and if the 'hacker' did bypass by shouting, then if that was the UK, Apple would find themselves on the end of an ombudsman complaint and possible police investigation.

My bank would also never call me unless it was for some survey.
 
Nothing is really secured. Try not to be a target. I work on this kind of thing. I have seen things a lot. A man-in-the-middle attack is such a way to hack these kinds of things without convincing Apple tech support.
 
I love the replies in this thread. It's like anyone else has a security flub, and it's taken at face value. These things happen because they're stupid, and blah blah blah. But make a report showing Apple in anything less than a perfect spotlight? I DEMAND TO SEE YOUR CREDENTIALS AND SOURCES, SIR! FOR I AM SKEPTICAL AND DISCERNING!

Yeah, I think some of the people here would believe this if it was about a Google security breach. It's not surprising at all that an iCloud account got hacked.
 
...
When my bank calls and starts trying to authenticate me, they get the verbal finger. Social engineering 101 : "If I didn't call one of your official numbers myself, how can I be sure I'm really talking to my bank's agents and not some fraudster ?".

But yes they do that, and the call display on my phone does authenticate the number they are calling from as legitimate. I still don't give them the satisfaction, it is a very poor practice and like you say, only promotes poor security training of less "in-the-know" individuals.

Call display doesn't authenticate anything, it's technically easy to spoof Caller ID. It's not even a hack, the phone system allows it (though it is illegal to impersonate a company/number without permission).
 
As I said, the law in Canada is very different. The comments you make here would get you fired very quickly and possibly investigated at my company.

And as for your last comment, for instance, it doesn't fly I'm afraid; that comment would not get you anywhere in my company at all, apart from the call being released and a comment added to the main account stating DPA was refused. So yet again I CAN state that in the UK it is a breach of DPA.
I am getting it just fine sir, you on the other hand are clearly not because

So if someone calls in, doesn't know his password and doesn't remember his security questions, you end the call with "Sorry sir, your data is lost forever and we'll keep on billing you without providing you service" ?

Because that's what you're telling me. That beyond a few pre-selected security questions and a password, you have no other authentication methods and frankly, in Canada, that doesn't fly in light of consumer protection laws.

Again, you're probably quite misunderstanding the situation : The journalist never claimed no authentication took place.

BTW, can you tell me which section of UK DPA defines valid authentication methods ? Here's a link to your legislation. I'd give it a good read if I were you.

http://www.legislation.gov.uk/ukpga/1998/29/contents

How is it not clear to you yet ? Are you just bashing Apple to bash Apple ? Even update 3 does not tell us what exactly took place, beyond "clever social engineering". You must be darn clever if you know what that even means because frankly, to me it's still a complete mystery how that support call went.
 
So if someone calls in, doesn't know his password and doesn't remember his security questions, you end the call with "Sorry sir, your data is lost forever and we'll keep on billing you without providing you service" ?

"Ok, Sir, hang up now and I'll call you back on the phone number registered on your account."
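The thread describes three tiers of phone verification (password, security questions, then a fallback), argues that the displayed caller ID is spoofable, and ends with a callback to the registered number as the fallback. The following is an added illustration of that policy as a small verification routine; it is not code from MacRumors, Apple, or any poster, and the account fields, the sha256 stand-in for stored secrets, and the sample data are all constructed for the example.

```python
import hashlib
import hmac
from dataclasses import dataclass, field
from enum import Enum
from typing import Dict, List, Optional


class Outcome(Enum):
    GRANTED = "granted"                   # sensitive action (e.g. password reset) may proceed
    CALLBACK_REQUIRED = "callback_required"  # knowledge checks failed: agent dials the registered number
    REFUSED = "refused"                   # wrong account, or no registered number to call back


def digest(value: str) -> bytes:
    """Constructed stand-in for whatever a real system stores; answers are
    normalised (case/whitespace) before hashing so "Rex" and "rex" both match."""
    return hashlib.sha256(value.strip().lower().encode()).digest()


@dataclass
class Account:
    account_id: str
    password_hash: bytes
    answer_hashes: Dict[str, bytes]       # security question -> digest of its answer
    registered_phone: str                 # number on file, used only for outbound callback
    notes: List[str] = field(default_factory=list)


@dataclass
class Call:
    claimed_account_id: str
    caller_id: str                        # displayed number; never used as evidence (spoofable)
    password: Optional[str] = None
    answers: Dict[str, str] = field(default_factory=dict)
    agent_initiated_callback: bool = False  # True only when the agent dialled registered_phone


def verify(account: Account, call: Call) -> Outcome:
    """Tiered verification: password, then ALL security questions, then callback.
    A partial set of correct answers is a failure, and caller ID is ignored."""
    if call.claimed_account_id != account.account_id:
        return Outcome.REFUSED
    if call.password is not None and hmac.compare_digest(
        digest(call.password), account.password_hash
    ):
        return Outcome.GRANTED
    if call.answers and all(
        q in call.answers and hmac.compare_digest(digest(call.answers[q]), h)
        for q, h in account.answer_hashes.items()
    ):
        return Outcome.GRANTED
    if call.agent_initiated_callback:
        # Possession of the registered phone is the fallback, not the inbound caller ID.
        return Outcome.GRANTED
    if not account.registered_phone:
        return Outcome.REFUSED
    # Record the refusal on the account, as the UK poster describes, then require a callback.
    account.notes.append(f"verification refused on inbound call showing {call.caller_id!r}")
    return Outcome.CALLBACK_REQUIRED
```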
 
I like how the article title makes it sound as though Apple support knowingly let a hacker access an account.
 