Err... you still don't seem to get it. Over the phone and absent a means of secondary authentication like a one-time code in an SMS (which probably wouldn't have even worked in this case, because the attacker compromised the blogger's Google Voice number), a good social engineer cannot be stopped. What is Microsoft "training" their staff to do? Be skeptical when someone answers all of the standard security questions flawlessly? Please. :rolleyes:

The whole idea of Social Engineering is that you get staff to bend the rules and provide you with details that they shouldn't otherwise give you.

If you train the staff not to bend those rules, you make social engineering harder.

You can also make it harder by recording when attempts to access an account are made. If someone calls up three times and gets a different hint for the secret answer each time, something's clearly wrong there.

"Social engineering" doesn't generally cover the case where someone actually has all of the details needed to recover the account and then uses them to gain access.
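The post above suggests recording recovery attempts and flagging an account that is handed a different hint on each call. Here is an added example of that check, not code from the post or from any real support system: it parses a small, constructed log of phone-support recovery attempts and flags accounts that exceed an attempt budget inside a time window or that were read more than one distinct security-question hint. The log format and the thresholds are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log of account-recovery attempts handled by phone support.
# Fields: timestamp, account id, outcome, and which question "hint" was read to the caller.
SAMPLE_LOG = """\
2012-08-04T10:02:11 acct=alice outcome=fail hint=q_birth_city
2012-08-04T10:15:40 acct=alice outcome=fail hint=q_mother_maiden
2012-08-04T10:31:05 acct=alice outcome=success hint=q_first_pet
2012-08-04T11:00:00 acct=bob outcome=success hint=q_birth_city
2012-08-05T09:00:00 acct=carol outcome=fail hint=q_birth_city
"""

WINDOW = timedelta(hours=24)   # assumed detection window
MAX_ATTEMPTS = 2               # assumed attempt budget per account per window


def parse_line(line):
    ts, *kv = line.split()
    rec = dict(p.split("=", 1) for p in kv)
    rec["ts"] = datetime.fromisoformat(ts)
    return rec


def find_suspicious(log_text, window=WINDOW, max_attempts=MAX_ATTEMPTS):
    """Return {account: reason} for accounts whose recovery attempts inside
    `window` exceed max_attempts, or that were disclosed more than one hint."""
    by_acct = defaultdict(list)
    for line in log_text.splitlines():
        if line.strip():
            rec = parse_line(line)
            by_acct[rec["acct"]].append(rec)
    flagged = {}
    hours = f"{window.total_seconds() / 3600:g}h"
    for acct, recs in by_acct.items():
        recs.sort(key=lambda r: r["ts"])
        start = 0
        for end in range(len(recs)):
            # slide the window start forward so recs[start:end+1] fits in `window`
            while recs[end]["ts"] - recs[start]["ts"] > window:
                start += 1
            span = recs[start:end + 1]
            hints = {r["hint"] for r in span}
            if len(span) > max_attempts:
                flagged[acct] = f"{len(span)} attempts in {hours}"
            elif len(hints) > 1:
                flagged[acct] = f"{len(hints)} different hints disclosed"
    return flagged
```

A flagged account would be routed to a slower, out-of-band verification path rather than reset on the call.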
 
Do you really expect that most people in this world are going to pay the price for several hard drives and find several locations to store them while backing them up? If you back up weekly it will add another 14 hours a week of work with gas expenses while not getting paid.

Meanwhile, many of our parents just took physical copies of their data and most houses never burned down to the ground. Even if it was, the first thing they would go for inside the house are the family photos and film.

Some forum posters look at Mat Honan and think that this could happen to them. Unless you have a hacker that despises you, you will not see this happen to you. Chances are that you will get compromised by having the same password on your email account as well as on a site that someone hacked.

I'm not sure which is funniest: that you find the cost of two external drives to be prohibitively expensive, that you think making a backup takes 14 hours of "work", or that running into a burning building to retrieve pictures is a reasonable security measure. :)

Well, you probably didn't mean it exactly like that. All I'm saying is backups are necessary, multiple backups are advisable, and iCloud isn't backup.
 
My AOL account was somehow hacked one day. I doubt anyone would target me specifically and brute force it, and it was my semi-junk account anyway. Later, when I went to AOL.com to log in, it said that my account had suspicious activity on it and let me reset the password right there with no kind of verification :rolleyes:

Why would someone risk criminal charges just so they can wipe some guy's iOS devices?
 
Apple really needs 2-step authentication (Google offers it, and it works really great).

Yep... I use 2-step authentication on my Gmail account, and it works without a hitch.

Interestingly, it only took 1 minute to wipe the iPhone, & 5 to wipe the iPad.

Clever hack, but still...

Apple's just doing as expected by verifying the user is who they say they are.

It could happen to any account... but I agree, Apple should "up the ante" on security, by say mobile number, as something you must verify.

If Apple doesn't start restricting to allow "one answer", vs if you don't have x, you can verify by "other means", then the outcome is always gonna be bad, whichever way you look at it. With choice, there's gonna be trouble. I guess maybe a "middle ground"? *shrugs*
 
So, correct me if I am wrong... even if I use the most secure password or maximum length of characters in my password, and have a local backup, still a hacker could trick the Apple Support and hack into my iCloud account and get all my personal data!
(I am not worried about the hackers deleting my data, more worried about them having my data)
So how are we supposed to protect our iCloud account? Backup of data won't help, isn't it?
 
Apple really needs 2-step authentication (Google offers it, and it works really great).

Ditto! This is one thing Google has really gone all out on - security. A two-phase system is so much more secure.

Two things spring to mind:

1) Apple are crap with security in this case.

2) The password used was by his own admission also crap. A 7 character alphanumeric password is NOT a good password. If you really give a damn about your stuff, you'll be using no less than 20 characters with uppercase and lowercase letters along with numbers and symbols. Then on top of this, security questions with false answers (mainly because Apple limit you to selecting some ridiculously obvious and insecure security questions) that you can memorise.

IMO it's better to have to write your complicated passwords on a Post-it note on your desk than settle for a short, crap password.
 
Do you really expect that most people in this world are going to pay the price for several hard drives and find several locations to store them while backing them up? If you back up weekly it will add another 14 hours a week of work with gas expenses while not getting paid.
Did you miss the post where I pointed out that the other site should be somewhere you spend time regularly? It takes me no more than ten seconds to remove my backup disk from my router and put it in my bag, less than that to switch the two drives in a drawer in my office, then another ten seconds to connect the "new" disk when I get home. Backups are being made automatically.

It might take you fourteen hours a week, it takes me about two minutes per month.

Meanwhile, many of our parents just took physical copies of their data and most houses never burned down to the ground. Even if it was, the first thing they would go for inside the house are the family photos and film.
Well, I used to store my negatives in a box at my parents' house and their negatives in my house...

Some forum posters look at Mat Honan and think that this could happen to them. Unless you have a hacker that despises you, you will not see this happen to you. Chances are that you will get compromised by having the same password on your email account as well as on a site that someone hacked.
Yes, unless you have a hacker that despises you, you're safe from any kind of attack, theft, accident and any other of the reasons why you could lose your data. Solid argument.
 
This sucks for everyone involved except the hacker, it seems.

Apple help tried to be helpful. They were not but, really, I cannot fault phone support staff for being fooled. They only have so much to work with.

He trusted his information to Apple too much. That is what they want. Trust. He had no reason to think that so many devices would go at the same time. It was not a malfunction on Apple's part. It was a third party.

The internet is full of jerks. This is not quite the time for blaming anyone. Depending on what information the hacker had, there might not have been much room for Apple to doubt.
 
Well, if you have everything on your iPad and on your iPhone and on your MacBook Air then making separate back-ups seems not necessary. You've three devices, three times the same files.

Yeah, but this guy's a professional. He knew how crazy he was being.
 
I really like how gmail and hotmail (now outlook) will send you a text message whenever something is changed on your account and then ask you to verify it with a code in the text, it just seems logical to confirm it is you with something only you have access to.
 
How do you change your address?

arn

It's public record, so on demand they will update your information. It's not automatic, but you can't change it to anything but your official address.
 
Because it was being posted on 4chan as it went down. I was watching the thread on it yesterday in /g/. A 4channer did it. He was angry because, for being a computer writer, he seemed to have no idea how computers or any other technology work.

That would be a heck of a thread to read. I hope he gives details
 
Well.. I don't think the issue is whether Apple has to offer 2-step verification. If I lost my iPhone and told Apple to reset my password, they would send a verification to my iPhone, but if I don't have access to that then it will be pointless, no?

What Apple really needs to improve is user authentication. Indeed, security is an issue that needs to be addressed in the digital age, but this can be overcome with proper measures.

So what Apple really needs to do is to improve all of their customer service officers!!! Not just their products.
 
Apple help tried to be helpful. They were not but, really, I cannot fault phone support staff for being fooled. They only have so much to work with.

I can. Apple support staff shouldn't be able to reset passwords at all for 'someone on the phone' unless they can categorically be verified as the 'real' owner, otherwise it's just a system that can be abused.

At best, if Apple knows your mobile number, they could say "I can send a reset message to your phone or a verified email address on the account" (or even your postal address!), but it shouldn't be able to be reset over the phone.
 
That would be a heck of a thread to read. I hope he gives details

I just tried looking for it, it looks like it was already gone. Not sure if you are familiar with 4chan but they only keep 10 pages of threads at a time, so if comments stop for a few hours the thread can potentially already be erased in just a short time due to inactivity.
 
suggests that Apple "needs to tighten up security and come clean about what went wrong here."

It's called, don't set your security questions/answers to the actual answers.. Maybe my own security level is set higher than others, or I don't trust some members of my family/extended family. But most sites ask the same questions, 'When did you graduate', 'What city were you born in', 'Mother's maiden name', etc. A Facebook page, and a little googling would certainly bring up those answers.. But how many family members know those answers?

Apple's security is fine. It is the users who shouldn't use the obvious answers.. Use Keepass or other password databases, to keep track of the questions/answers..
 
Well.. I don't think the issue is whether Apple has to offer 2-step verification. If I lost my iPhone and told Apple to reset my password, they would send a verification to my iPhone, but if I don't have access to that then it will be pointless, no?

What Apple really needs to improve is user authentication. Indeed, security is an issue that needs to be addressed in the digital age, but this can be overcome with proper measures.

So what Apple really needs to do is to improve all of their customer service officers!!! Not just their products.

That's why when you set up 2-step verification with Gmail you are given 10 one-time-use codes that you write down; then if you were to have your phone stolen (or lost) you can still access your email to either turn off 2-step verification or to set up a different phone. You can even set up a backup phone to send codes to.
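The backup codes described in that post are easy to get wrong on the server side (stored in clear, reusable, compared with a timing-leaking `==`). Here is an added example of the mechanism, not Google's or Apple's code: it issues ten random codes, keeps only their hashes, normalises what the user types, and consumes each code on first successful use. Code length and format are assumptions.

```python
import base64
import hashlib
import hmac
import secrets

CODE_BYTES = 5    # 40 bits of entropy per code -> 8 base32 characters (assumed size)
CODE_COUNT = 10   # number of codes issued, as in the post


def _digest(code: str) -> bytes:
    # Accept lowercase, spaces and dashes so a hand-copied code still verifies.
    norm = code.replace("-", "").replace(" ", "").upper()
    return hashlib.sha256(norm.encode()).digest()


def generate_backup_codes(n: int = CODE_COUNT):
    """Return (plaintext codes to show the user once, hashes to store server-side)."""
    codes = []
    for _ in range(n):
        raw = base64.b32encode(secrets.token_bytes(CODE_BYTES)).decode()
        codes.append(f"{raw[:4]}-{raw[4:]}")     # e.g. "MFRG-GZDF" (random)
    store = {_digest(c) for c in codes}          # plaintext is never persisted
    return codes, store


def redeem_backup_code(store: set, candidate: str) -> bool:
    """Consume a code if it is valid; every code works exactly once."""
    cand = _digest(candidate)
    match = None
    for h in store:                              # scan all entries; no early exit
        if hmac.compare_digest(h, cand):
            match = h
    if match is None:
        return False
    store.discard(match)                         # single use
    return True
```

The remaining hashes are what a recovery desk would check, never the codes themselves; once `store` is empty the user must generate a fresh set.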
 
Apple really needs 2-step authentication (Google offers it, and it works really great).

Yet Google offers 2-step authentication, but this guy never set it up and hackers got access to his Google account.

Why do you think he would have enabled Apple's?
 
...

OK.... but 2-step verification would work..

Apple sends you an SMS code, then they ask you to read it back to them... then in addition they go through the security stuff. (email, name, etc. etc.)

How about this?

If you don't have your phone or you lost it.... Tough... you can be provided, in advance of course (by Apple), backup codes... just like 2-step in Gmail.

Since the guy never set it up on Gmail... that's his problem

Secondly, Apple only sends confirmation that the password was reset..... This shouldn't be "just a confirmation" but should be a verification: you need to click a unique link in the email to verify before proceeding.
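The last point, a reset that stays pending until a unique emailed link is clicked, is shown below as an added example (not Apple's code). A reset request stores only the hash of a random token and sends the plaintext token in the link; the password may change only after the token is presented, once, before it expires. The link URL, the 15-minute lifetime and the injectable clock are assumptions.

```python
import hashlib
import secrets
import time

TOKEN_TTL = 15 * 60   # seconds a reset link stays valid (assumed)


class PasswordResetFlow:
    """Password resets are pending until the unique emailed link is confirmed."""

    def __init__(self, clock=time.time):
        self._clock = clock          # injectable so expiry can be tested
        self._pending = {}           # sha256(token) -> (account, expires_at)

    def request_reset(self, account: str, verified_email: str) -> dict:
        """Called by phone support or a web form: records a pending reset and
        returns the message to send to the address already on the account."""
        token = secrets.token_urlsafe(32)
        key = hashlib.sha256(token.encode()).digest()
        self._pending[key] = (account, self._clock() + TOKEN_TTL)
        # Only the hash is kept; the plaintext token travels in the mail alone.
        link = f"https://example.invalid/reset/confirm?token={token}"   # placeholder domain
        return {"to": verified_email, "link": link}

    def confirm(self, token: str):
        """Return the account whose password may now be changed, or None."""
        key = hashlib.sha256(token.encode()).digest()
        entry = self._pending.pop(key, None)     # single use: gone after one try
        if entry is None:
            return None
        account, expires_at = entry
        if self._clock() > expires_at:
            return None                          # expired link, reset never proceeds
        return account
```

Nothing a caller says on the phone reaches `confirm`; without the emailed token the account's password is never changed.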
 
Crazy. I never thought about how dangerous it could be if someone had taken your password... especially if you had Find My Mac and Find My iPhone enabled.

There needs to be an additional step to ensure YOU are the real person who owns the account, before you're allowed to remote wipe any device.
 
Also Apple should allow us to set a PIN on turning off an iPhone. Find My iPhone is useless if all it takes is turning the whole device off. It would be 10000 times better if whoever steals the phone can't turn it off immediately.

Even if Apple adds this feature, any thief with half a brain would just wrap it in tinfoil & put it in a tin for a few days. Many geeks make a variation with a wallet for shielding their RFID credit cards etc.

Faraday cages can prevent the radios transmitting/receiving.
 