I'll bet the telecoms are loving this new bandwidth eating default setting. There will be LOTS of overage fees before users realize what is happening.
----------
There was, but it is now patched.
Got a tip for us?
Let us know
Become a MacRumors Supporter for $50/year with no ads, ability to filter front page stories, and private forums.
Hackers Using Law Enforcement Tools to Access iCloud Backups Unprotected by Two-Factor Authentication
- Thread starter MacRumors
- Start date
- Sort by reaction score
I'll bet the telecoms are loving this new bandwidth eating default setting. There will be LOTS of overage fees before users realize what is happening.
----------
There was, but it is now patched.
People are going a little overboard here.
If you have 2-step verification it stops the hackers at step 4.
Instead of getting simple security questions, they will get the only option of putting in your recovery key. Which they cant get.
To reset your recovery key you would need one of the verified devices. And if they have your device they can probably just plug the phone to iPhoto unless you lock it with FindMyiPhone.
So to be protected ENABLE 2-STEP VERIFICATION!!
If you have 2-step verification it stops the hackers at step 4.
Instead of getting simple security questions, they will get the only option of putting in your recovery key. Which they cant get.
To reset your recovery key you would need one of the verified devices. And if they have your device they can probably just plug the phone to iPhoto unless you lock it with FindMyiPhone.
So to be protected ENABLE 2-STEP VERIFICATION!!
So in conclusion, we need to
1) enable 2-step verification - I guess not many people know how to do that because it involves going to the Apple ID management website
2) turn off iCloud backup and backup manually through iTunes.
You don't have to sync your Contacts to iCloud if you don't want to. In System Preferences on a Mac and iDevice, under iCloud, you can choose what to sync.
Yes, but enabling 2-factor authentication prevents them from getting past 'step 4'. When they enter your email and press 'Forgot Password' on apple's site, it then asks you for a recovery key that you received when you enabled 2-factor.
They then have no access to your password, and therefore no access to your photos, backups, or any other personal information.
The lesson here: everyone should enable 2-factor authentication for your Apple ID, and Apple should step up and have this it be on by default.
Apple also probably forgot about encrypting authentication tokens on the user's computer.
The Forensic Edition of EPPB allows downloading of iCloud data without the password of the Apple ID, because the Forensic Edition will obtain the authentication tokens used by the computer for iCloud syncing.
Apple should encrypt the authentication tokens itself with AES-256.
The Forensic Edition of EPPB allows downloading of iCloud data without the password of the Apple ID, because the Forensic Edition will obtain the authentication tokens used by the computer for iCloud syncing.
Apple should encrypt the authentication tokens itself with AES-256.
But they would not be able to get your password if you have 2-step verification in place. So if you have it enabled, they should not be able to get your password. So they should not be able to get your backup.
So your answer is to go overboard and require the recovery key every time you log in a new iDevice, or are trying to do anything with you Apple account? No.
Just don't use an obvious Password, and enable 2-step verification to make sure they cant get it.
2-step verficaiton is required already if you are enabling iCloud keychain on an iDevice, trying to change your password, or managing your account on Apples website. That seems good to me. I dont want it to pop up after every time im buying an APP!!!
QUESTION: If you enable two-factor authentication, does that apply when purchasing music/apps on the store? It would make sense that it does, but I am just wondering.
No, it only asks for your "recovery key/verify on devices", if you are enabling iCloud keychain on an iDevice, trying to change your password, or managing your account on Apples website.
2-factor authentication doesn't apply to music/app purchases. It protects editing your Apple ID account info, and also protects everything on iCloud.com except for find my phone (which if you lost your phone how are you going to confirm the 2-factor authentication code on your phone to get in?)
No it doesn't. It only applies to logging into applied.apple.com and for setting up certain iCloud features. But it doesn't work for iTunes, Mac App Store and App Store purchases.
Is 2 step authentication working on iCloud.com again? It worked when they posted on here it was on, and they stopped working.
Dang, just checked and it is not on as of right now (at least for me, and I definitely do have 2-factor authentication on...)
According to this, Two factor will not help:
http://techcrunch.com/2014/09/02/ap...esnt-protect-icloud-backups-or-photo-streams/
http://techcrunch.com/2014/09/02/ap...esnt-protect-icloud-backups-or-photo-streams/
Apple needs two-factor authentication as soon as possible. No two ways about it.
If I attempt to log in from a new computer/browser or device, Apple needs to send me a code via SMS/iMessage or push notification to a known-secure device of my choosing, just like Dropbox, Google, Microsoft and others do.
If I attempt to log in from a new computer/browser or device, Apple needs to send me a code via SMS/iMessage or push notification to a known-secure device of my choosing, just like Dropbox, Google, Microsoft and others do.
well.. good news is that icloud will be fully supporting 2 factor very soon
hard to paint this in a positive light though
hard to paint this in a positive light though
People...
The internet is more unsafe than anything else. The problem is that not meany people know how to hack things in comparison with real people hacking your real life possessions.
This is the equivalent of a kid opening your back pack and getting your naked pictures book.
People need to wake up and stay away from the internet, not to leave anything important in it, no pictures, video, information, nothing! Internet is a data base, no a way of living nor a parallel world.
The internet is more unsafe than anything else. The problem is that not meany people know how to hack things in comparison with real people hacking your real life possessions.
This is the equivalent of a kid opening your back pack and getting your naked pictures book.
People need to wake up and stay away from the internet, not to leave anything important in it, no pictures, video, information, nothing! Internet is a data base, no a way of living nor a parallel world.