Wow

Welcome to the Apple future, where a hacker not only gains access to your account, but they can also remote wipe all your devices. Talk about clean and efficient... Hackers rejoice.
 
What is scary is that Apple support people have the power to do this to your account. That is beyond terrifying if you're in a business that has trade secrets or you're a government employee. I guess the iCloud is a big joke after all. Not that I really expected it wouldn't be.
 
That could never happen in Europe. Apple support here is unfriendly and would never ever do a "favor".

I have experience with even friendly Apple support in Europe, but it was just once from about 4 times I've called them. :)
 
Also Apple should allow us to set a PIN on turning off an iPhone. Find My iPhone is useless if all it takes is turning the whole device off. It would be 10000 times better if whoever steals the phone can't turn it off immediately.

It has been said billions of times, it's USELESS!!
All they have to do is take out your SIM card, and until they do that (which shouldn't take more than 30 seconds to, let's say, 5 minutes) stay on the move. And usually that's the first thing thieves do, take the SIM card out. Apple should come up with something a lot smarter and more effective than a password required for a power off.
 

Just saying: On a MacBook with encryption, remote wipe takes no time at all. Somewhere on your hard drive is the key for the encryption (obviously encrypted), and all that needs doing is overwriting this key. The drive is not readable by any means.

There would be a relatively simple solution: Instead of overwriting the encryption key, Apple could remotely encrypt it once more with a key known to Apple only, so if the wiping was done by some hacker and you actually have the MacBook, the owner could then go to an Apple Store with his identification, the extra encryption is removed, and the drive is back.

What is scary is that Apple support people have the power to do this to your account. That is beyond terrifying if you're in a business that has trade secrets or you're a government employee. I guess the iCloud is a big joke after all. Not that I really expected it wouldn't be.

You are misunderstanding security. Your trade secrets will not be revealed. They are wiped out. There is no security risk involved. Mighty inconvenient, especially if you have no backup, but no security risk. And if a government employee forgets their MacBook in a taxi, remote wipe is great.
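The remote lock proposed above, written out as an added Go example (not code from the thread or from Apple): the volume key lives on disk only wrapped under the owner's key, so a remote wipe overwrites that wrapped blob, while a remote lock wraps it a second time under a key only the provider holds and can be undone later. The key values and the `Scenario` walkthrough are constructed, and AES-GCM from the Go standard library stands in for whatever wrapping a real disk-encryption scheme uses.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
)

func aead(key []byte) (cipher.AEAD, error) { // AES-256-GCM for a 32-byte key
	b, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(b)
}

// seal encrypts pt under key; the random nonce is prepended to the output.
func seal(key, pt []byte) ([]byte, error) {
	g, err := aead(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, g.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return g.Seal(nonce, nonce, pt, nil), nil
}

// open reverses seal; it fails if the key is wrong or the blob was altered.
func open(key, blob []byte) ([]byte, error) {
	g, err := aead(key)
	if err != nil || len(blob) < g.NonceSize() {
		return nil, errors.New("bad key or blob")
	}
	return g.Open(nil, blob[:g.NonceSize()], blob[g.NonceSize():], nil)
}

// Scenario: a wipe overwrites the wrapped volume key, a lock only re-wraps it.
func Scenario() (lockBlocksOwner, unlockRestores, wipeIsFinal bool) {
	fails := func(_ []byte, err error) bool { return err != nil }
	userKey := []byte("0123456789abcdef0123456789abcdef")    // constructed
	providerKey := []byte("ABCDEFGHIJKLMNOPQRSTUVWXYZ012345") // constructed
	volumeKey := []byte("volume-key-placeholder-32-bytes!")  // constructed
	wrapped, _ := seal(userKey, volumeKey)   // what the disk actually stores
	locked, _ := seal(providerKey, wrapped)  // remote lock: wrap it once more
	lockBlocksOwner = fails(open(userKey, locked))
	restored, _ := open(providerKey, locked) // unlock after in-person ID check
	vk, err := open(userKey, restored)
	unlockRestores = err == nil && string(vk) == string(volumeKey)
	rand.Read(wrapped)                       // remote wipe: crypto-erase
	wipeIsFinal = fails(open(userKey, wrapped))
	return
}
```

The three results from `Scenario` are what separates the two operations: after a lock the owner's key alone no longer opens the volume but the provider can restore it, after a wipe nobody can.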
 
What is scary is that Apple support people have the power to do this to your account. That is beyond terrifying if you're in a business that has trade secrets or you're a government employee. I guess the iCloud is a big joke after all. Not that I really expected it wouldn't be.

I doubt any Government employee would be using iCloud or any other public cloud service to store sensitive information! Nor would any serious business store sensitive information/data in a service they have no control over.
 
The cloud is a disaster waiting to happen, according to Steve Wozniak.
I have no intention of putting anything beyond a few Dropbox items in the cloud.

Apple co-founder Wozniak sees trouble in the cloud

Steve Wozniak, who co-founded Apple with the late Steve Jobs, predicted "horrible problems" in the coming years as cloud-based computing takes hold.

In a post-performance dialogue with Daisey and audience members, Wozniak held forth on topics as varied as public education (he once did a stint as a school teacher) and reality TV (having appeared on "Dancing with the Stars").
But the engineering wizard behind the progenitor of today's personal computer, the Apple II, was most outspoken on the shift away from hard disks towards uploading data into remote servers, known as cloud computing.

"I really worry about everything going to the cloud," he said. "I think it's going to be horrendous. I think there are going to be a lot of horrible problems in the next five years."

He added: "With the cloud, you don't own anything. You already signed it away" through the legalistic terms of service with a cloud provider that computer users must agree to.

"I want to feel that I own things," Wozniak said. "A lot of people feel, 'Oh, everything is really on my computer,' but I say the more we transfer everything onto the web, onto the cloud, the less we're going to have control over it."
full article at:
http://ca.news.yahoo.com/apple-co-founder-wozniak-sees-trouble-cloud-115222245.html
 
This guy needs to learn to protect his info better

Yeah, he should definitely back up his data using devices and services designed to save the day

Processes at Apple appear to have failed, and the full extent of that failure has been exposed. Now, you can believe that the writer is trying to further a vendetta of his former employer, but being a tech writer at a popular magazine like Wired and pulling a stunt like that would kill his career. Additionally, a company as litigious as Apple might also be interested in taking action if anything he had written was a patent falsehood. Would he also have dropped so much cash on Apple products just to prove a point?

So rather than some fanboys (Although judging by some posters on this and some Android forums, I'd argue that Techno-bigot would be more apt) berating Honan for not keeping offsite backups, how do you suggest that Apple not reset passwords without appropriate authentication?
 
On the face this seems bogus.

Mainly because Apple has a method for users to reset their passwords. Even if Apple support got a call I can't imagine them doing more than sending an E-Mail with a new password reset link.

Given that it is very easy to convince people to do things your way, this claimed error on Apple's part isn't impossible. There are way too many questionable points here, though, that do decrease the victim's credibility.
 
Mainly because Apple has a method for users to reset their passwords. Even if Apple support got a call I can't imagine them doing more than sending an E-Mail with a new password reset link.

Given that it is very easy to convince people to do things your way, this claimed error on Apple's part isn't impossible. There are way too many questionable points here, though, that do decrease the victim's credibility.

How can it be prevented? An offline token, similar to those used by banks? A second step where a user needs to go to an Apple store to verify their ID? Increase the number of personal questions required to reset the password? Or how about lock the machine down for a period prior to wiping?

The core issue is that your iPhone, iPad and MacBook, even if physically in your possession, can be remotely wiped. If you offer a remote wipe feature on your product, you need to make sure that the registered owner, and only the registered owner, has the ability to wipe the machine.

iOS and OS X encourage tight integration into the iTunes/iCloud ecosystem. Security processes need to be up to scratch. Having the same vulnerabilities as other services isn't good enough when you try to differentiate yourselves from competitors, and price accordingly.
 
Wow

Welcome to the Apple future, where a hacker not only gains access to your account, but they can also remote wipe all your devices. Talk about clean and efficient... Hackers rejoice.

This was a case of social engineering. It had nothing to do with "hacking". The blogger's accounts were compromised using a technique that has been around since humans began communicating with each other.
 
How can it be prevented? An offline token, similar to those used by banks? A second step where a user needs to go to an Apple store to verify their ID? Increase the number of personal questions required to reset the password? Or how about lock the machine down for a period prior to wiping?

The core issue is that your iPhone, iPad and MacBook, even if physically in your possession, can be remotely wiped. If you offer a remote wipe feature on your product, you need to make sure that the registered owner, and only the registered owner, has the ability to wipe the machine.

So I sit in a restaurant with my wife, using my MacBook to check my bank account. A thief whacks me over the head and runs away with the MacBook. I'm unconscious, the thief is going to empty my bank account. My wife calls Apple. She doesn't have my password, or the answer to my security questions. What is Apple supposed to do?

And as I said, for encrypted hard drives it would be quite possible to do a remote lock instead of remote wipe (which could be undone if you go to a store in person and prove your identity).
 
What is scary is that Apple support people have the power to do this to your account.

You mean reset the password? That's scary? Support people all over in all kinds of businesses that deal with computer accounts have had the power to reset a user's password for as long as there have been computer accounts. :confused:

iCloud is a consumer service. It's not meant to protect NSA type classified information. It's for your pictures and music and calendar appointments. Reasonable expectations here people... of course after authenticating who they are talking to, they are going to help you and reset your password if you've forgotten it.

----------

Processes at Apple appear to have failed, and the full extent of that failure has been exposed.

Really? The author still hasn't exposed what has transpired. We still only have "Clever social engineering". Isn't it a little early to proclaim that processes at Apple have failed when we don't even know how this took place?

how do you suggest that Apple not reset passwords without appropriate authentication?

What makes you think appropriate authentication didn't take place? "Clever social engineering to bypass security question" doesn't say anything meaningful!

----------

So I sit in a restaurant with my wife, using my MacBook to check my bank account. A thief whacks me over the head and runs away with the MacBook. I'm unconscious, the thief is going to empty my bank account. My wife calls Apple. She doesn't have my password, or the answer to my security questions. What is Apple supposed to do?

Nothing unless you have given her access to your account by informing Apple she has a right to modify the password and some authentication information in there to properly identify her. No seriously. Apple talks to the account holder and that's it.

If that happens, tough luck. Your wife should be calling the police anyhow, not Apple.
 
So I sit in a restaurant with my wife, using my MacBook to check my bank account. A thief whacks me over the head and runs away with the MacBook. I'm unconscious, the thief is going to empty my bank account. My wife calls Apple. She doesn't have my password, or the answer to my security questions. What is Apple supposed to do?

And as I said, for encrypted hard drives it would be quite possible to do a remote lock instead of remote wipe (which could be undone if you go to a store in person and prove your identity).

In this particular, somewhat absurd supposition, banks in Europe now tend to require a physical token combined with a code to initiate any transaction not between your own accounts. This situation simply wouldn't apply to me. Secondly, a remote lock feature would be far more suited than remote wiping. At least in this instance no data would be lost.
 
Ahh, social engineering. The core element of hacking.

There's a really good book about it called "The Art of Deception".

----------

So I sit in a restaurant with my wife, using my MacBook to check my bank account. A thief whacks me over the head and runs away with the MacBook. I'm unconscious, the thief is going to empty my bank account. My wife calls Apple. She doesn't have my password, or the answer to my security questions. What is Apple supposed to do?

What if I'm unconscious and I don't have a wife? :p
 
I don't know for sure, but things should be something like this... If a person calls AppleCare to reset an iCloud password, AppleCare should note down the information the caller provides and then ask that person to hang up and wait. Then Apple should call up the phone number which was used to register the iCloud account (Apple should add one more field in the registration form of iCloud to add a secondary number, maybe your friend/family member or home number) and then Apple should verify with the owner of the account.

And that call would take more than 30 minutes, you get upset because you're waiting so much time and in the end you even give a bad survey to the AppleCare advisor.

AppleCare shouldn't be calling anybody, only if the call drops.
 
And that call would take more than 30 minutes, you get upset because you're waiting so much time and in the end you even give a bad survey to the AppleCare advisor.

AppleCare shouldn't be calling anybody, only if the call drops.
That wouldn't make the calls a lot longer and it would provide superior security.
 
So I sit in a restaurant with my wife, using my MacBook to check my bank account. A thief whacks me over the head and runs away with the MacBook. I'm unconscious, the thief is going to empty my bank account. My wife calls Apple. She doesn't have my password, or the answer to my security questions. What is Apple supposed to do?

And as I said, for encrypted hard drives it would be quite possible to do a remote lock instead of remote wipe (which could be undone if you go to a store in person and prove your identity).

Leaving aside the fact that I am not sure what sort of restaurant you would be in where it would be considered appropriate to be checking bank details on your MacBook, I do not know of any bank that allows any transactions to take place without a confirmation of some security information, even once you're in. For bank transfers to a new account, my bank (in the UK) phones me to confirm the new account details. If I want them to phone a different number from the one registered with them, I have to wait a week (I know this because I was recently in the US for an extended period and needed to add my newly acquired mobile number to the account: it was 8 days before they let me use it). And for banks in the UK, my bank (LloydsTSB) is considered fairly lax in security: it has not yet adopted the hardware dongle approach most others have. As far as I'm concerned, your scenario simply couldn't happen. In any case, if it did, so long as you can demonstrate that the police were informed as soon as possible, and the bank shortly after, you're not liable for any losses incurred by the bank.

Apple shouldn't be giving out your information to non-account holders, and frankly, I'm very doubtful that they did. I'm afraid I don't think we have the full and frank version of what happened yet.
 
Well you will have to excuse me as I shall ignore your post because in Canada the law is clearly very different, or the company you worked for was lax with security.
Because as I said, if a customer wants certain information, and certainly if they required any passwords to be reset, they have to fully verify security procedures and if they cannot then they do not get the information. They then have to follow other strict processes to verify identity before the information is provided which are certainly not performed over the phone.

I actually think I'm glad I live in the UK now! And YES I CAN state that if this was in the UK, the DPA would be breached.

But the "hacker" knew answers to the not so secret questions enabling AppleCare to then proceed with a password reset.

DPA covers data access and storage; if a person knows certain bits of information about you then they can convince the agent on the other side of the phone of your ID, and the agent has followed DPA rules to the letter.

Might be a good approach to send password/username (email) resets via snail mail like banks do here, separate letters too etc.
 
Just from a backup standpoint, I always try to adhere to the 3-2-1 method...

3 copies of everything
2 different formats (hard drive/disk/cloud)
1 offsite
 
But the "hacker" knew answers to the not so secret questions enabling AppleCare to then proceed with a password reset.

DPA covers data access and storage; if a person knows certain bits of information about you then they can convince the agent on the other side of the phone of your ID, and the agent has followed DPA rules to the letter.

Good to see others here get it, rather than quote DPA without ever citing any passage that don't actually exist in it. ;)

Might be a good approach to send password/username (email) resets via snail mail like banks do here, separate letters too etc.

The question is, do you have the same expectation of security, and thus do you want the same burden of recovery that you do with your financial info, from an iCloud account?

I sure as heck don't want the hassle and don't expect anything stored or controlled through iCloud to be as secure as my bank account. Over the phone reset following authentication is enough for such a consumer type service.

----------

That wouldn't make the calls a lot longer and it would provide superior security.

Call back verification has its flaws. A lot of these types of calls are from other members of the family trying to make changes to the account. They don't always know all the information like security questions or the personal information of the holder, but they have access to the primary phone number used in the account and thus can pass call back verification easily.

It's not superior security, it's added security that at least you're talking to someone that lives in the same house as the account holder. Though security questions and personally identifiable information remain superior, if the individual is careful not to reveal these identification details to others.
 