Risks? Sure, and so does the cloud.

As a back-of-the-envelope estimate, though, what's the chance that your residence will be burglarized or burn down? One in 100,000? So the chance that both your house and the location of your secondary backup will burn down is one in 10 billion. That's a pretty good improvement for just the $100 it costs for a second external drive.

Anyway, yes, the backup situation is only the secondary plot here. From what I've read in this thread, this Gizmodo guy had *no* backup. For that, there is no excuse.

I could go through the reasons for the examples you mentioned, but I'm sure you know them. The main difference with keeping it in a location that isn't a security box is that you don't have to pay the monthly fee.

Even then, external hard drives are fickle, especially when they are external, in my experience, unless you're willing to pay the premium.

I'm not saying that what you're arguing is incorrect, but there are always scenarios where your data can be compromised.

You're also asking that each individual pay a large amount of money to keep multiple hard drives around, while the warranty for these devices only lasts so long and they can't give you back the data you had, which is more valuable than the hard drive itself. This is why iCloud or keeping a physical copy is still the best option for the masses.
 
I imagine that the hacker had less information on the author than a friend or acquaintance could gather on you. If it were this easy to social engineer a reset on your iCloud/Apple ID account and gain access to whatever is tied to it (devices, other email, PayPal, etc.), how isn't that Apple's fault?

For an average person, that might be true. But a blogger is someone paid to talk, and a stupid blogger (like one that writes about tech and keeps no backups) who knows what he said. Just writing about the new laptop he ordered could be dangerous if he crowed about the specs and one of the security questions asked was 'what's the last purchase you made'. It would be child's play for someone to answer 'well I get a lot of games and stuff, don't remember the names. Oh and I bought a new MacBook Pro. The retina one, maxed out the ram and the storage. . . That was about a week ago, or maybe it was two.'
 
1 copy on device one, 1 copy on device two, 1 copy on device three. That's what he did. What the hell do you mean with 'media type b' by the way?

And I wouldn't suggest that anyone back up to a cloud service if you care even a little about your privacy. Especially not if it's a free service: they make money by selling your info in that case.

Devices such as an iPad, iPhone, and Mac are not all reliable, as each can be controlled remotely. Having at least one "offsite" backup, as that person said, means that even if the "hacker" got every single password, he still wouldn't have been able to wipe the offsite backup.

Also, he was using examples of different "media type" devices, A and B, as in "Exhibit A" and "Exhibit B", as stated in his parentheses.
 
It's entirely Apple's fault.

Apple has (in virtually every major country) a legal obligation to protect the data of their customers.

When they fail to do that, they're breaking the law.

Spoken like a Gizmodo blogger.

Those laws say that companies must make all reasonable effort to protect user data using current security protocols, etc.

If someone gives up information online that allows someone to bypass those protocols, that isn't the company's fault. It isn't like the hacker just said 'I'm Mat Honan' and Apple said okay.
 
For an average person, that might be true. But a blogger is someone paid to talk, and a stupid blogger (like one that writes about tech and keeps no backups) who knows what he said. Just writing about the new laptop he ordered could be dangerous if he crowed about the specs and one of the security questions asked was 'what's the last purchase you made'. It would be child's play for someone to answer 'well I get a lot of games and stuff, don't remember the names. Oh and I bought a new MacBook Pro. The retina one, maxed out the ram and the storage. . . That was about a week ago, or maybe it was two.'

In the days of Facebook and Tumblr and Twitter, you don't have to be a blogger to post personally revealing info. Anyone's Facebook account probably reveals most of it.

arn
 
At a neighbour's house, in your parents' house, in your kids' house, at work, in the car, in the boat... In short, somewhere where you spend time regularly and the picking up/dropping off doesn't become a chore.

And what you are doing is swapping the offsite backup device. Not getting it, backing up, and returning the same physical device offsite.
 
Whoopsie, Apple! But seriously, no human being can be completely immune to manipulation by another person. I'm sure Apple will be more strict on security policies following this unfortunate incident, but people are people, and are prone to having lapses in good judgement. As someone who's been in customer service for big companies for a while, it is very hard sometimes to say no to someone you believe is a legitimate customer. I know I've let it slide before.

Apparently you don't know how social engineering works. A good social engineer will make someone think they are someone else, giving them no reason to believe otherwise. Clearly Apple is going to "help" this imposter out, because they think it is the victim.

Exactly.

I don't know how many times I've gotten assistance from someone and looked back and thought, wow, good thing I wasn't up to something malevolent. Hotel pass cards, account passwords; years ago I even boarded a flight without all the normally required documents, and mostly those were situations where someone was trying to help, and it's not that hard to help the person help you, so to speak. :)

Plus given this:

The guy is a big mouth writer. It's probably very simple to pretend to be him over the phone. He has likely put all sorts of personal details about his life online.

... it's gotten even easier to provide personal details to support faking an identity.
 
Of course they all come with risks and problems. The point is having several backups in several locations minimises the risk of losing data forever. If I have two backups and lose one, I've really only lost a disk and no data.

Do you really expect that most people in this world are going to pay the price for several hard drives and find several locations to store them while backing them up? If you back up weekly, it will add another 14 hours a week of work, with gas expenses, while not getting paid.

Meanwhile, many of our parents just kept physical copies of their data, and most houses never burned down to the ground. Even if one did, the first thing they would go for inside the house was the family photos and film.

Some forum posters look at Mat Honan and think that this could happen to them. Unless you have a hacker that despises you, you will not see this happen to you. Chances are that you will get compromised by having the same password on your email account as well as on a site that someone hacked.
 
In the days of Facebook and Tumblr and Twitter, you don't have to be a blogger to post personally revealing info. Anyone's Facebook account probably reveals most of it.

arn
I agree, perhaps even more so than when you are just a blogger. A blogger usually writes only about things he is interested in, while Facebook users usually post everything they experience.
 
In the days of Facebook and Tumblr and Twitter, you don't have to be a blogger to post personally revealing info. Anyone's Facebook account probably reveals most of it.

arn

Someone who is thinking. You are correct. Very correct. Which is why I advised my own family not to use the email they used on Facebook etc. for anything tied to their money, or even any personal correspondence.

They all have their real email addresses, their Apple ID (freebie from Apple) and a social site address from Yahoo, Gmail or whatever. Some also have another email for talking to non-close folks like potential jobs. Different passwords and security questions on each, and all things they don't talk about. Another trick they do is that the question is in one language and the answer is in another.

And I'm a film industry worker, not a self-proclaimed tech expert blogger, and I thought of things like this. Compared to Honan, who doesn't even back his stuff up.
 
Apparently you don't know how social engineering works. A good social engineer will make someone think they are someone else, giving them no reason to believe otherwise. Clearly Apple is going to "help" this imposter out, because they think it is the victim.

I know exactly what social engineering is; my point was that other companies (like Microsoft) are doing things to combat it, such as training their staff to recognise it and to stick more rigidly to the rules about what they disclose.

Effective call logging can also help mitigate the problem.
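One way to act on that call-logging point, as an added example that is not from this thread: a small Python detector run over constructed support-desk call records. The record format, the field names and the three patterns it flags (a sensitive change granted by manual override, a sensitive change granted shortly after a failed verification on the same account, and one caller making sensitive changes on several accounts) are all assumptions for this example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (not real data): time|caller_number|account|action|verification
SAMPLE_LOG = """\
2012-08-03T16:02:10|+15550001111|mat@example.com|reset_password|failed
2012-08-03T16:09:44|+15550001111|mat@example.com|reset_password|manual_override
2012-08-03T16:40:02|+15550002222|alice@example.com|billing_question|passed
2012-08-03T17:05:30|+15550001111|bob@example.com|change_email|passed
"""

SENSITIVE = {"reset_password", "change_email", "change_security_questions"}

def parse_log(text):
    """Parse pipe-separated call records into dicts with a datetime."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, caller, account, action, verification = line.split("|")
        records.append({"ts": datetime.fromisoformat(ts), "caller": caller,
                        "account": account, "action": action,
                        "verification": verification})
    return records

def find_suspicious(records, window=timedelta(hours=2)):
    """Return alert tags for patterns a reviewer should examine:
    override:<acct>          sensitive change granted by manual override
    retry_after_fail:<acct>  sensitive change within `window` of a failed check
    multi_account:<caller>   one caller making sensitive changes on 2+ accounts"""
    alerts = []
    last_fail = {}                # account -> time of most recent failed verification
    by_caller = defaultdict(set)  # caller -> accounts on which it made sensitive changes
    for r in sorted(records, key=lambda r: r["ts"]):
        acct, act, ver = r["account"], r["action"], r["verification"]
        if ver == "failed":
            last_fail[acct] = r["ts"]
            continue
        if act not in SENSITIVE:
            continue
        if ver == "manual_override":
            alerts.append(f"override:{acct}")
        if acct in last_fail and r["ts"] - last_fail[acct] <= window:
            alerts.append(f"retry_after_fail:{acct}")
        by_caller[r["caller"]].add(acct)
        if len(by_caller[r["caller"]]) > 1:
            alerts.append(f"multi_account:{r['caller']}")
    return alerts
```

Run against the sample, the first caller triggers all three tags; a lone verified billing question triggers none.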
 
And what you are doing is swapping the offsite backup device. Not getting it, backing up, and returning the same physical device offsite.

You are absolutely right; it should be pointed out in case someone didn't think about it. :)
 
If true, this is an awful reminder of some of the pitfalls associated with an increasingly integrated ecosystem.
 
It's entirely Apple's fault.

Apple has (in virtually every major country) a legal obligation to protect the data of their customers.

When they fail to do that, they're breaking the law.

This "data" is things like home address and credit card details, account information, not anything actually backed up to iCloud. Also, not meeting legal obligations is not the same thing as "breaking the law"...
 
I know exactly what social engineering is; my point was that other companies (like Microsoft) are doing things to combat it, such as training their staff to recognise it.

Err... you still don't seem to get it. Over the phone and absent a means of secondary authentication like a one-time code in an SMS (which probably wouldn't have even worked in this case, because the attacker compromised the blogger's Google Voice number), a good social engineer cannot be stopped. What is Microsoft "training" their staff to do? Be skeptical when someone answers all of the standard security questions flawlessly? Please. :rolleyes:
 
Where do you keep this offsite backup? At a bank? If so, that means that any time you have what you deem a significant backup of your Mac or iOS device, you'll have to travel to the bank, bring it home to back up to that drive, and then bring it back to the bank.

My offsite is kept in my desk at the office. (It's encrypted with TrueCrypt, so no danger if it's stolen.)


My 4TB backup drive is buzzing with glee :D

Usually they buzz right before they fail. :eek:

The Hitachi 4 TB drives are having a higher than normal failure rate, I hope your drive is a RAID-0 stripe of two 2 TB drives.
 
In the days of Facebook and Tumblr and Twitter, you don't have to be a blogger to post personally revealing info. Anyone's Facebook account probably reveals most of it.

arn

And that's exactly what most people don't realise: that they are sharing stuff that can one day be used against them. (Passwords could be guessed, answers to secret questions, etc.)
 
This "data" is things like home address and credit card details, account information, not anything actually backed up to iCloud. Also, not meeting legal obligations is not the same thing as "breaking the law"...

The issue here is not that Apple potentially allows access to stuff stored in iCloud. It's that they have (allegedly) revealed personal information (details about their account) to a complete stranger by being tricked into doing so as part of a support process.
 
In a sense, I'm happy this has happened and gained this kind of media attention, being all over my Flipboard yesterday. I think Apple will now be hard pressed to add two-step authentication, much like the one in effect for Google accounts, as well as issuing new support guidelines. These kinds of accounts are so important, and focus so much on connecting personal data and private details, that anything less should not be acceptable.

Perhaps Apple can sneak such a feature into iOS 6? :)

I'm more thinking of all those fools that post their business all over the internet. Doesn't matter what the company is. I could call up my bank and get my details changed over the phone with the right info. This isn't just Apple. YOU FOOLS WHO POST ALL OVER FACEBOOK, YOU ARE NEXT! (I don't mean every Facebook user, of course.)
 
I think people are losing sight of the bigger problem. Regardless of the shortcomings of Apple or the lack of backups we are talking about someone who has such disregard for someone else's property that they would do such a disrespectful thing. That is the story, the rest of it comes second.
 
Wouldn't that be something if the story is being written by the hacker and not the real Mat Honan?

For those who are advocating the on-site, off-site, cloud backups, maybe .0001% of the people will consider doing it, so it is not a solution.

Having said all that, it looks like remote wipe is not the same as delete, so Mat will be OK.
 
What's this nonsense about?
I know how it was done now. Confirmed with both the hacker and Apple. It wasn’t password related. They got in via Apple tech support and some clever social engineering that let them bypass security questions.

Put up or shut up. If he knows how it was hacked, he needs to explain it in more detail. Simply saying "clever social engineering" leaves it unclear as to where the security issue was.
 