The differing credit card info is funny because I've noticed this first-hand. One of my banks asks for the last four of my social security number, while the other asks for the first five. I always avoid giving out the first five.
 
I hope the hacker gets nailed for this. And he might - he had to give Amazon verified credit card information to do the hack into Mat's Amazon account to retrieve Mat's credit card info. So, unless this was done by someone with access to a working stolen credit card number, or he was given a credit card after falsifying an application for it, there should be a trail leading to him.

Not that likely unfortunately, they probably did it the same way as Wired, using a fake card number:

First you call Amazon and tell them you are the account holder, and want to add a credit card number to the account. All you need is the name on the account, an associated e-mail address, and the billing address. Amazon then allows you to input a new credit card. (Wired used a bogus credit card number from a website that generates fake card numbers that conform with the industry’s published self-check algorithm.) Then you hang up.
 
Google isn't even mentioned in this article?

Yes, they are. Click the first link (full details on what happened):

“...Phobia went to Google’s account recovery page. He didn’t even have to actually attempt a recovery. This was just a recon mission.

Because I didn’t have Google’s two-factor authentication turned on, when Phobia entered my Gmail address, he could view the alternate e-mail I had set up for account recovery."


I don’t see why Google has to EVER share your (insufficiently redacted) alternate email address with any random stranger. Bad call on Google's part, and it’s how the hacker hit the jackpot: getting the AppleID email address.

This is ABSOLUTELY Apple's fault. I'm a pretty strong fanboy, but this is unacceptable.

It’s a lot of people’s fault, including Apple, Google, Amazon, the hackers, and the user himself.

But #1, first and foremost: Apple’s fault.

Amazon isn’t the only company to show the last digits of your CC# in the clear, and Apple should never have relied on that piece of data so heavily. That was true and obvious even before this incident.
 
But honestly, how many companies offer such things for consumer services. I know that Google does, but does Amazon? DropBox? Valve (Steam)? Ebay?

Right, so I hope this poor guy can be a catalyst for some change. They do all need to be fixed. I'm moving my main cloud assets to google for now, though. Seems safest atm. Note, I've been hacked before, so all of this is a bit "too close to home".
 
***** the cloud as a whole. It is simply marketing speak for hosted services. I will never store my critical data or access to my devices on a hosted service or server. The very idea of having your critical data (sensitive or otherwise) on an external server that is out of your physical control should raise alarm bells.

Keep your data local, encrypted and backed up. Not online out of your control even if they say it is encrypted as they likely have a master key to unlock any encrypted volumes/files.
 
No. He didn't.

I'm curious - what did he do to make you think he did?

Hunan Chicken is just another throwaway journalist. The world needs less throwaway journalists. I read the New Yorker cartoons, so I know what I'm talking about. :apple:
 
If a hacker got access to your iCloud account, can't they enable the Find My Mac anyhow from the web interface??
I don't think so. Looking at my Mac, I believe it has to be enabled from the Mac in question, and you need to provide an administrator password to change the configuration.
One thing Apple could consider in response to this - split "Find My Device" and "Allow Remote Wipe" into separately switchable options?
Also (as mentioned in the Wired article) they shouldn't allow the person performing the wipe to specify the one and only magic PIN to reverse the wipe. They should allow you to create a recovery password that is stored with the device and cannot be configured remotely.

Apple's assumption that the person performing the wipe will always be the person performing the undo has been proven wrong. What's needed is a way to ensure that the legitimate owner can also undo the wipe, regardless of who initiates it.
This is a good example of why two-factor authentication things like what Blizzard uses are better than any password method. They could break his password, but without the key fob they would get nowhere.
But key-fobs aren't foolproof either. They can get lost, stolen, damaged and otherwise rendered useless. You don't want to refuse to service legitimate users because they lost their dongle.

They work well for corporate IT departments, because you can always prove to your employer who you are and get a new fob. Not so much when you're one of a zillion customers that nobody at the remote site has ever met in person.
Wow, great article. For those of you that see it as tldr;, four things:

1. Turn off Find my Mac.
2. Do not link your iCloud and GMail accounts
3. Turn on 2 step verification on gmail.
4. Do not give Amazon your credit card.
More important than anything else - never trust a third party with any sensitive information whatsoever. If you don't personally encrypt it using your own software, then it isn't secure.

If a third party has your data, then a hacker can socially-engineer it out of that party. And when that happens, all of the technological security measures go out the window.
 
I checked to make sure Find My Mac is turned off in the iCloud preference, but when I go to icloud.com, it still sees it and can locate it. I don't get it. Will have to call Apple tomorrow I guess. It's pretty frustrating that I can't turn it off when you see something like this.

In another thread recently I was mentioning how I won't be using Dictation in Mountain Lion because they store the recordings of your voice, and how I felt safer with Google because they've been more vetted by the public and have more experience in Internet services than Apple, and of course I was criticized for saying that.

But I had a very bad experience with Apple and MobileMe once where I had sent an e-mail from my MobileMe account to my Gmail account as a test to show that outgoing e-mail wasn't working. A MobileMe representative sent me an e-mail response and told me to go into my Gmail account and open up the header information for a recent e-mail I had received and send it to them. He specifically told me to open an email from Jdate (which at the time I was receiving e-mails from). I had never mentioned anything to Apple about any specific e-mails in my Gmail account except for the test ones I sent there myself.

I was furious and wrote back and said that they obviously were looking at my Gmail account (at the time my MobileMe password and Gmail account were the same). Apple denied all of it and said that they had sent me the wrong e-mail and that there was a different customer with a similar issue to mine and they had sent me that customer's response instead.

I still am very leery of them to this day. I worked in sales for Apple's online store through their contractor, Arise, and they don't tell the customers that when you're shopping and chat with a sales agent, the sales agent can see every web-page you go to on the Apple site. We were supposed to follow them and make sure they were headed in the right direction and stayed with them until the web-order showed up on screen and we would save that screen as a PDF as proof of our sales (the chat support agents are not really for support--they have sales metrics).

I thought it was a bit creepy. But it was the job.

I'm starting to transition over to Google services now. Sad to give up the mac.com address I've had now for almost twelve years! I signed up for it on the first day iTools was available.

I've said it before and been criticized and will say it again, historically Apple has not been good at Internet services. It's not "in their DNA" to borrow their phrase.
 
Mike Oxard said:
Not that likely unfortunately, they probably did it the same way as Wired, using a fake card number:
Fair enough, but I thought the article said that Amazon had verified the number.

In any case, good reason to not activate Find My Mac until further security is in place. I have always shied away from allowing remote access on my Mac for exactly this reason.
 
Hope Apple steps up the security a bit. Not worried at all. Not much to steal from my iCloud account.
 
Who cares.. Is it a 'rumor' that someone's iCloud account got hacked or is it a fact? It's a FACT. This site is for RUMORS.

Is it that hard to read the tagline?

news and rumors you care about

Here let me show you the actual logo in case you can't find it:

logo.png


Even if it was just rumors and you're getting mad that they're reporting "facts," you seriously need to chill the **** out.

:rolleyes: :rolleyes: :rolleyes:
 
Be careful. Google got hacked into and someone was able to get into my Gmail account and they didn't even need clever social engineering to help them. At least with Apple I have never been hacked into because of the technology itself. The article says the Apple employee didn't follow the protocol. Google doesn't have the human problem because you can't call them when your gmail isn't working. There is a downside to having tech support for your products.
 
Fact is that this isn't really Apple's fault so much as it is the registrar's fault for making those addresses public and Amazon's for not protecting the credit card info.
It is a collective failure on the part of the three companies, but not the registrar. It is legally obliged to display a valid, real contact address for the owner of a domain. Some people use PO box numbers or some privacy services for pretty much this reason, but in any case this is not the registrar's fault at all.
 
I don’t see why Google has to EVER share your (insufficiently redacted) alternate email address with any random stranger. Bad call on Google's part, and it’s how the hacker hit the jackpot: getting the AppleID email address.
Yes, maybe Google could have redacted the address better, but he uses the exact same username for Gmail as he does for @me.com. It was not exactly a difficult guess to make even without the Gmail redaction hint. Among the three, Amazon was the easiest to get into, followed by Apple.
 
3. Turn on 2 step verification on gmail.

No ***** way. Once they get your phone number, they can tie that in with your google profile and know WAY more about you.

But here's a better suggestion: Don't use gmail for anything involving a financial transaction.
 
perfect Apple user prank!

Last 4 digits and billing address? Is that all you need?

wow! that is the easiest prank for any Apple user.

METHOD 1

If you know any person with an Apple product you already know where he/she lives. Next is just having a dinner together, going to the supermarket... or anything where that person pays with a card and say...

"Hey, can I see how much was that?"

METHOD 2:

Most card payments hide the full number for security reasons, but they still leave the last 4 digits for the user to identify which card was used.

So every time I toss away a receipt, I am tossing away my iCloud password. Especially if I toss away the receipt in the garbage next to my house.

RESULT:

Log into the account and buy all the apps/movies/songs you want!
 
Last 4 digits and billing address? Is that all you need?

wow! that is the easiest prank for any Apple user.

METHOD 1

If you know any person with an Apple product you already know where he/she lives.

Wouldn't you need the full address for this to work?
I assume that most people only have a general idea of where you live, not necessarily down to the street, building and apartment #

Next is just having a dinner together, going to the supermarket... or anything where that person pays with a card and say...

"Hey, can I see how much was that?"

I guess this is a risk in countries where usage frequency of credit cards is high, AND if you let random people see your credit card #.

METHOD 2:

Most card payments hide the full number for security reasons, but they still leave the last 4 digits for the user to identify which card was used.

So every time I toss away a receipt, I am tossing away my iCloud password. Especially if I toss away the receipt in the garbage next to my house.
Seriously, you shouldn't toss away any document with your CC# on it in the first place.
 