Well, we're not sure that they accept this alone. As others have pointed out, we still don't know the precise details of this social engineering.

And the reason that Apple accepts just the 4 digits could be because the support rep can only see four digits. Would you be comfortable if the Apple rep could read all your card details on screen? Apple doesn't trust them any more than you should.

From the two attacks we've read about, it seems that a known weak point is domain registration. This is where the fella picked up the victim's full address. Once he had this and the four digits from the credit card, then he was pretty much home free.

My thinking is all domain registrations should be kept private. I can't see why the registrant's home address has to be exposed for the world to see. That might be a good first step.

Mat Honan and Apple are still being very vague as to the precise nature of this 'social engineering'. Apple says that procedures weren't followed. Fair enough, but if Wired did manage to engineer the same scam twice, then that would mean that Apple's procedures weren't followed...twice. And then the concern becomes how often are the tech supports not following Apple's procedures and why.
Too many questions still.

The big unknown is this 'social engineering' term, because it covers such a multitude of ways in: plausibility, threats, bribery.

Home address for anyone is easily obtainable via a Google search. And the last 4 digits of a CC is not treated as secure info by just about anyone. I see it displayed on confirmation emails for online purchases all the time. Using either or both of these items to verify identity is foolish at least and dangerous at best.

I know folks may not like it but any system that has money or data (which is just as valuable) involved must take their password reset process to the next level. Making it easy for people to get a reset is nice but puts everyone at an unacceptable risk.
 
Dude had no backups? Are you kidding me? IMO that is the scariest part of this story; to think that somebody doesn't have enough common sense to back-up data. Makes me shiver!

Scariest part, man had no backups or Apple support gives access to his account.

Really???? Do me a favour, it's clearly a little more scary that Apple support could give a stranger access to your account.
 
Well, that part he had no control over, but having no TM backup was so dumb as to be utterly incomprehensible, and he had total control over that decision.

Remember that with OS X you actively have to refuse a backup! As soon as you connect an external drive (and I can't believe a technology journalist has never done that) it asks you whether you want to create a TM backup. You'd actually have to choose to say no to not have one ...
 
It's still completely stupid to only have a Trade-Marked backup.

If the criminal can get into your system to remote wipe it, it's also quite possible that she could wipe your ™backup as well.

Keep offline backups, and offsite backups.

And since ™backups can be on the system itself, the remote wipe would have deleted those at the same time, right?

ps: All of my home systems are backed up twice daily to a RAID-5 set on a separate WHS system, which is monthly copied to an encrypted offsite copy.
 
Huh?

You mean Time Machine?

And there was no actual computer access, remote or otherwise. Wipe was done via a cloud-based server command.
 
At a neighbour's house, in your parents' house, in your kids' house, at work, in the car, in the boat... In short, somewhere where you spend time regularly and the picking up/dropping off doesn't become a chore.

And one does that with iCloud-synced calendar/contact data how exactly?
 
To be honest, I was under the impression that all iCloud data was also stored locally on your computer. I know files are. Sort of like Dropbox, but as obvious.
 
They can still be stolen though. If a thief breaks into your house and takes everything, you still lose your backups. If you're really serious about backups (for instance if you run a home business) you should have a local backup and an off site backup.

That goes without saying. :) In fact, make a backup once a month, and then put it in your bank safe deposit box as an "offsite" backup. Do this with 2 different banks :)

And on top of that, of course, local backups. :D

Just use multiple ioSafe drives - you know, in case the bank collapses on your precious data ;) :rolleyes:
 
Unless these things have a 30% or so failure rate, a RAID 0 will not be a more reliable alternative.

I was going to quote some of the horror stories in the reviews on Newegg - but Newegg has pulled this drive from their site.

One of them is back, quote:

Cons: I have ordered 10 of these drives and 4 have failed within 1 day of use. I am worried to find out what will happen a few days down the road. I would not recommend any of the HGST 4GB [sic] drives.

http://www.newegg.com/Product/Product.aspx?Item=N82E16822145560 (look for reviews)

So that's 40%.... ;)

There are several SKUs for these drives, and each SKU has its own set of reviews. Newegg hides the pages for some out-of-stock drives, so I still can't find the hidden horror stories.
 
If a Mac was wiped, you will need to enter the passcode

Does this mean that you can't install the OS on the drive if the hackers don't give you the passcode? Is the drive now encrypted as it would be by FileVault?

"...If a Mac was wiped, you will need to enter the passcode that was set when the remote wipe was sent in order to re-install OS X Lion from the Recovery partition. Once Lion is installed, you can restore from a Time Machine backup if possible."
 
...

You know what..

The biggest mistake of all this was enabling 'Find my Mac' and 'Find my iphone' in the first place.

Convenience + Security = Trade off

Backups are safer.
 
It's clear that the last four digits of a credit card can be obtained with very low levels of cunning and relative ease. Apple allowing people to reset accounts with this information is therefore very suspect and certainly needs changing. Same goes with Amazon - but I believe they've already addressed this.

My only issue, specifically with 'Find My Mac', is that I'm not sure who uses it (other than Mat Honan, obviously)? Who actually loses their computer? It's not like it's as portable as a phone that you may leave in your car, at a friend's house or slips out of your pocket - the thing needs to be hauled around. Obviously having the ability to erase all data on it, should it be lost, is useful. However, and I haven't researched this fully, it's not really erasing the data? So is it even worth it? And, if it is, should the name not be changed to something else given you aren't finding your Mac?

Obviously I've read the various American news articles that are posted on here from time to time about people miraculously getting their laptop back but... never mind. What a waste of a post. I basically stated the obvious, described my dismay at using a feature and basically admitted to not researching a topic fully but summarised it anyway. Brilliant. At least the morning coffee and news/forums is done. Time for work.
 
I'm late to this and I apologize. But I'm curious: one of the suggestions I've seen in regards to this is separate email addresses for each service, one for iTunes, one for Amazon, etc. My question is, would alias addresses work or should each account be with a completely different provider? Any advice appreciated.
 
Why would losing a MBP or MBA be any different to losing an iPad? You put your bag down next to you in a coffee-shop, are distracted for a few seconds and someone steals it.

And it locates your Mac just as it locates your iPad or iPhone (albeit with slightly less precision given the lack of GPS - it has to rely on wifi networks), so why wouldn't it have the same name?
 