Apple says it does when you turn it on.
Got a tip for us?
Let us know
Become a MacRumors Supporter for $50/year with no ads, ability to filter front page stories, and private forums.
Hackers Using Law Enforcement Tools to Access iCloud Backups Unprotected by Two-Factor Authentication
- Thread starter MacRumors
- Start date
- Sort by reaction score
Apple says it does when you turn it on.
I'm old school enough to be comfortable going back to paying cash for purchases, staying off cloud based information services and backups, and sticking with local backups of my devices.
I am not saying that their privacy should be invaded...
But when you take (and keep) pornographic photos and videos of yourself, AND you are a high profile individual, do you not figure soemthing like this is bound to happen?
But when you take (and keep) pornographic photos and videos of yourself, AND you are a high profile individual, do you not figure soemthing like this is bound to happen?
From Apple's web site on 2 factor:
"Do I still need to remember any security questions?
With two-step verification, you don't need to create or remember any security questions. Your identity is verified exclusively using your password, verification codes sent to your trusted devices, and your Recovery Key"
it might be 'better' from a security point of view but one of the major reasons for iPhone backups is warranty replacements. which would not be trust devices. and in some cases the trusted device is totally non operational. thus mucking up the owner getting their stuff back efficiently. especially if they need a trusted iPhone to make the new iPhone trusted
----------
Actually they wouldn't have access to 'all of their info'. perhaps their apple id email but not necessarily everything else. its more likely the emails got out from a well meaning but stupid family member, a disgruntled assistant or boyfriend etc
----------
The headline implies that the hackers used special software created for law enforcement for the hack. But in fact there are ways of doing it that don't need that software and there is no proof it was a part of the scheme
----------
you aren't forced to. you can totally choose to never sign into iCloud
That is true, most of the time restores are to a new phone. BUT all iPhones boot up able to receive SMS messages if the user (or your Apple store staff) has inserted the sim card or has gone through the activation process with the carrier for CDMA phones. This would allow for the 2 factor code to be sent to the new phone as the trusted device because a SMS number is one of the required things you must provide as you set up two factor. All Apple would need to add is a field in restore that requires you to enter the code that they sent you by SMS on the new device or from the device that is your trusted device before you could do the restore. This would also break the software described in the OP as there would be no way to receive the code unless the software user has your trusted device or it's sim card.
Last edited:
Have the basement virgins over on Reddit started committing suicide yet over the fact it's ended?
But that means having access to a computer that is signed into the same iCloud account. Which means it is useless in this case.
I believe it was actress Selma Hayek who got her email hacked. Someone thought it clever to try variations of her name on all the free email systems (firstnamelastname@, lastnamefirstname@ and so on). They hit one that worked and asked for her birthdate, which you can get off IMDB, and the security question 'my first oscar nomination' also something very easy to get. Was the email provider hacked to get her emails. nope. she was the victim of idiocy either by herself or an assistant
No matter what Apple does they can't patch up stupid
THIS!!
I was going to post nearly the exact same thing but you summed it up perfectly!
All software companies have to find a balance between security and ease of use for the everyday person. People like us on sites like this understand the need for security more than casual software/hardware users.
Apple, like any other company, can make their system very robustly secure. But how many users will enjoy that?
Remember how many people didn't even use lock codes on their phones? Then blamed Apple that their devices were being stolen?
2 step verification has been around for how long?? And how many people actually use it?
Apple, like any other company, can make their system very robustly secure. But how many users will enjoy that?
Remember how many people didn't even use lock codes on their phones? Then blamed Apple that their devices were being stolen?
2 step verification has been around for how long?? And how many people actually use it?
You have to set it up, and you have options to disable it, individually or altogether. People, please educate yourself. No one force you to use iCloud backup. That being said, I found the backup features are very useful. Just remember to activate 2 steps verification if you are going to use. Be smarter for hackers are getting smarter too.
It certainly is a balance. However, when it comes to 2-factor authentication, Apple has really done the about the least possible to make it more secure. The problem is the data being stored in iCloud is becoming more and more important. With the rumored release of an Apple payment system, Apple is going to have a major trust problem on their hands. Even if the issue isn't all Apple's fault, public perception is going to really force Apple to do something fairly drastic I would imagine.
... or ... When trying to make a system foolproof, one should never underestimate the creativity of a fool. - Douglas Adams
encrypting backups would certainly be a good thing but it would not have any bearing on the particular vulnerability being discussed here. restoring from a backup would still be authenticated just by the password.
it's far from being that easy. 2-factor authentication as a default?
several reasons against it, the first being that there are quite a few people out there without cell-phones but with ipads or ipods. what do they do?
phone calls to reset passwords?! that's a terrible idea. it would not solve any security problems and just make things needlessly complicated for users.
Touch ID? that can't possibly work for people with older i-devices. also, what about people who want to reset their icloud passwords but do not own any i-devices?
"And so on." well that might work if you actually list something viable.
This is not such an easy problem to fix - else Apple (and other companies) would have fixed it already. All that said, Apple can certainly improve one thing and that is get rid of the standardized security questions. they use the same ones that everybody else uses (mother's maiden name, first pet, hometown and so on). These are easily researched even if not targeting celebrities. Plus every single damn site uses the same stock security questions. if just one of them gets hacked, all the other sites are immediately compromised even if you use unique passwords. The best would be to allow users to make their own questions. some sites do that but not many.
Last edited:
You mean weak answers to password reset verification questions?
Apple doesn't tell the user to obfuscate their answers to the questions. They just ask for honest answers. The problem is the use of standard verification questions is never a good idea.
what can we do if 2-factor is not available ?
I'd really love to implement the 2-factor but I leave in a french territory with a different phone code (+687) than the main french one (+33) so when want to register my mobile phone the number is wrong... I'm busted.
So for all of us left out from the system defalt 2-factor verification is impossible
I'd really love to implement the 2-factor but I leave in a french territory with a different phone code (+687) than the main french one (+33) so when want to register my mobile phone the number is wrong... I'm busted.
So for all of us left out from the system defalt 2-factor verification is impossible