Nothing is certain except death and taxes... and online accounts getting hacked. Some people will argue that zombies should be included in that list.
 
I dunno how practical that would be given the way some people purchase things and how the transactions get posted. If you forgot your password and were locked out of everything you might not remember such information or have access to it. I couldn't tell you what the last 10 apps or songs I purchased were. They need something else that people can remember better.

If you can't remember the last few apps you purchased (including the free ones), that's sad, I'm sorry.

Last 4 of CC and billing address is insufficient no matter how you slice it. At least full CC # would be quite a bit more secure as you need to have the card, though that's something your kids could also have access to.

The only other option is to increase the information they have on you, which makes it another spot where you're leaving personally identifiable information. Transactions and services used with them are personal enough and shouldn't be public enough for strangers to find out about (unless you feed your app purchases straight to Facebook or something...).
 
This happens with a ton of Xbox Live accounts too. Microsoft doesn't seem to care. Also, since it's Microsoft and not Apple, the media doesn't care either.

It most likely happens with a ton of iCloud accounts also, but when that person doesn't have a voice and isn't in the media it doesn't matter. This was a case of a person in tech with a platform to speak from; that's why it matters. The same goes for Microsoft, and it would get attention if that Xbox Live account was for a similar high(er) profile individual, was that person's primary Passport account and was a primary means for resetting authentication.
 
This is a pretty good idea. Companies need to provide some way for people who forgot their passwords to gain entry to their accounts without making it possible only with easily farmed information. Recent purchase activity would be a good gatekeeper for Amazon and Apple. Even Gmail should ask the names of frequent contacts.

I thought the last 4 digits of a credit card was way too easy until I read that Amazon only required a billing address. It is difficult to believe. Every dumpster diver and neighbor has that info.

I think the chances of someone that can't remember their password naming 3 of the last 10 songs they purchased is pretty slim.

I couldn't even tell you the last thing I bought with my iTunes account.
 
Well, carrying on from the other thread where I made comments which, as they did not paint Apple in a good picture, were branded as lies, I don't know what I'm talking about, etc.:

Apparently, Apple Support only requires an iCloud user's billing address and last-four digits of the credit card on file in order to issue a temporary password.

-------
In the UK this would land your company with an official investigation from Ofcom. Just so you know, it could lead to a large fine of several million; this HAS happened in the UK, two big household-name companies were prosecuted and fined for not following DPA procedures.

In the UK I could look through your bin and find BOTH your address and the last 4 digits of your credit card with ease.

But carry on protecting Apple as I am sure you will. I just wouldn't trust iCloud with a million mile barge pole.
 
If you can't remember the last few apps you purchased (including the free ones), that's sad, I'm sorry.

Given how infrequently I purchase stuff it's just not something I think about. I know that the last 3 albums of stuff I purchased were from Amazon, but I can't remember what the last song I bought from iTunes was since it was maybe 6 months ago. I also don't buy a heck of a lot of apps, and they are few and far between these days. I would have to check my device and I maybe could come up with two, those I got based on recommendations from a podcast I listen to. Anything else was done a while ago.
 
While Apple cannot be held blameless for this incident, they have a standard procedure that people know; it is really troubling that someone was able to figure out which credit card was used with his iCloud account and get hold of it without any problem at all.

Surely, if you call Apple for a password reset and the credit cards do not match, and then you call again with a different credit card, someone will become suspicious. If you consider this guy probably has multiple cards, someone would need to know his Amazon account and card, his Apple account and card, and know them well enough to get it right on a first attempt. If you enter a card in Amazon that is not valid, it knows. So, either the hackers knew yet another of this guy's cards, or Amazon has the hackers' card on file, or Amazon has some other fool's card on file (checking pockets now).

It is all very suspicious because the whole thing started out as this guy bashing iCloud when it was in fact due to weaknesses in other systems.
 
People. Six pages of replies.

Does ANYONE else see this as an attack on Apple when the real problem is AMAZON? If not for Amazon's security issues, the hacker wouldn't have been able to get his credit card information.

When they went back to try again, they already had the credit card information.

That isn't a security risk. That's typical procedure. If you have the username, and the last four of the credit card on the account ANY secure account company will give you that info. For example, I can call AT&T and gain access to my personal account info with the SAME information!

I can also do the same with my debit card number and name at many banks.

Security assumes that you will not give up information like the last four of your card. Most places **** it out. Amazon didn't. That is where the problem exists in this issue.
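The post above is arguing about where a chain of "I know something about you" checks breaks. The following is an added example, not code from the thread or from Apple or Amazon: it models that argument as a small attack graph in which each phone or web recovery path is "present this evidence, receive that evidence", and an attacker who starts with only public data keeps applying paths until nothing new is learned. The service names, evidence labels and rules are a simplified, constructed model of the incident as the thread describes it (whois gives name, email and billing address; a card can be added with those; the account then shows the last 4 of the real card; iCloud support resets with billing address plus last 4), not verified vendor policies.

```python
"""Chaining weak account-recovery checks across services (attack-graph closure).

Constructed model for illustration; the Path rules are assumptions drawn from the
thread's description of the incident, not documented vendor procedures.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Path:
    service: str          # hypothetical label for the support/recovery channel
    requires: frozenset   # evidence the caller must present
    grants: frozenset     # evidence or access returned in exchange


def reachable(start, paths):
    """Fixed point: apply every path whose requirements are already known until the
    set of known evidence stops growing. Returns (known evidence, ordered trace)."""
    known = set(start)
    trace = []
    progress = True
    while progress:
        progress = False
        for p in paths:
            gained = p.grants - known
            if gained and p.requires <= known:
                known |= gained
                trace.append((p.service, sorted(gained)))
                progress = True
    return known, trace


def cut_points(start, paths, target):
    """Services whose path, if closed on its own, would keep `target` unreachable.
    Each one is a place where a single policy change breaks the whole chain."""
    return sorted(
        p.service for p in paths
        if target not in reachable(start, [q for q in paths if q is not p])[0]
    )


PUBLIC = {"domain"}  # the attacker starts with nothing but the victim's domain name

# Constructed model of the chain as the thread describes it.
AS_DESCRIBED = [
    Path("whois", frozenset({"domain"}),
         frozenset({"name", "email", "billing_address"})),
    Path("retailer:add_card_by_phone", frozenset({"name", "email", "billing_address"}),
         frozenset({"attacker_card_on_file"})),
    Path("retailer:reset_by_phone", frozenset({"name", "billing_address", "attacker_card_on_file"}),
         frozenset({"retailer_login"})),
    Path("retailer:account_page", frozenset({"retailer_login"}),
         frozenset({"real_cc_last4"})),
    Path("icloud_support:temp_password", frozenset({"email", "billing_address", "real_cc_last4"}),
         frozenset({"icloud_login"})),
]

# Same graph with both phone resets additionally requiring a one-time code sent to a
# device already registered on the account, which knowledge about the victim cannot supply.
HARDENED = [
    p if not p.service.endswith(("reset_by_phone", "temp_password"))
    else Path(p.service, p.requires | {"one_time_code_to_registered_device"}, p.grants)
    for p in AS_DESCRIBED
]


def attacker_gets_icloud(paths):
    """True if the attacker can walk from public data to the iCloud login."""
    return "icloud_login" in reachable(PUBLIC, paths)[0]


if __name__ == "__main__":
    known, trace = reachable(PUBLIC, AS_DESCRIBED)
    for service, gained in trace:
        print(f"{service:34s} -> {', '.join(gained)}")
    print("cut points:", cut_points(PUBLIC, AS_DESCRIBED, "icloud_login"))
    print("hardened chain reaches iCloud:", attacker_gets_icloud(HARDENED))
```

Because the chain is linear, every service in it is a cut point: closing any one of the five steps on its own stops the attacker, which is the precise sense in which both the retailer's phone changes and the last-4-of-card reset are each "the problem". The hardened variant only adds a possession factor to the two reset steps and the closure never reaches the iCloud login.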
 
Mat mentions this in the article and I think it bears repeating.

Use two-factor authentication for as many of your vital/important accounts as you can.

I got an embarrassing virus earlier this year that wall-spammed every one of my Facebook friends. Since then I've been using Facebook's two-step verification when I log in. I type my password and then I get a text message on my phone with an additional code I have to type in before getting access. As the author mentions, you can do this for your Google account as well.

Yes it's an extra step and it's annoying, but it's a small step to ensure significantly more security for your accounts.
 
While Apple cannot be held blameless for this incident, they have a standard procedure that people know; it is really troubling that someone was able to figure out which credit card was used with his iCloud account and get hold of it without any problem at all.

Surely, if you call Apple for a password reset and the credit cards do not match, and then you call again with a different credit card, someone will become suspicious. If you consider this guy probably has multiple cards, someone would need to know his Amazon account and card, his Apple account and card, and know them well enough to get it right on a first attempt. If you enter a card in Amazon that is not valid, it knows. So, either the hackers knew yet another of this guy's cards, or Amazon has the hackers' card on file, or Amazon has some other fool's card on file (checking pockets now).

It is all very suspicious because the whole thing started out as this guy bashing iCloud when it was in fact due to weaknesses in other systems.

Exactly
 
It most likely happens with a ton of iCloud accounts also, but when that person doesn't have a voice and isn't in the media it doesn't matter. This was a case of a person in tech with a platform to speak from; that's why it matters. The same goes for Microsoft, and it would get attention if that Xbox Live account was for a similar high(er) profile individual, was that person's primary Passport account and was a primary means for resetting authentication.

The Microsoft thing is more severe in my opinion because it's a vector for theft. Further, Microsoft drags their feet in response. It took me like 4 months to recover my money when my account was compromised. And there actually was a blogger affected too, but he probably wasn't in a prominent enough position for it to catch on.

It was frustrating because I and many other people did everything right from a security perspective, but none of that matters when call center employees are easily fooled.
 
People. Six pages of replies.

Does ANYONE else see this as an attack on Apple when the real problem is AMAZON? If not for Amazon's security issues, the hacker wouldn't have been able to get his credit card information.

When they went back to try again, they already had the credit card information.

That isn't a security risk. That's typical procedure. If you have the username, and the last four of the credit card on the account ANY secure account company will give you that info. For example, I can call AT&T and gain access to my personal account info with the SAME information!

I can also do the same with my debit card number and name at many banks.

Security assumes that you will not give up information like the last four of your card. Most places **** it out. Amazon didn't. That is where the problem exists in this issue.

The problem is double-edged. With Amazon, you shouldn't be able to make any changes to the account without some sort of verification of your identity (something other than spouting off an email and postal address). With Apple, you should not, under any circumstance, use a CC number as part of the verification process.

Amazon is wrong. Apple is wrong.

All online accounts should come with a set of security questions and a person calling in should have to give correct answers to more than one in order to discuss and make changes to their account with a rep.
 
People. Six pages of replies.

Does ANYONE else see this as an attack on Apple when the real problem is AMAZON? If not for Amazon's security issues, the hacker wouldn't have been able to get his credit card information.

When they went back to try again, they already had the credit card information.

That isn't a security risk. That's typical procedure. If you have the username, and the last four of the credit card on the account ANY secure account company will give you that info. For example, I can call AT&T and gain access to my personal account info with the SAME information!

I can also do the same with my debit card number and name at many banks.

Security assumes that you will not give up information like the last four of your card. Most places **** it out. Amazon didn't. That is where the problem exists in this issue.

Not only Amazon, but this guy had a personal website, which is a huge security hole these days. That's how they got his billing address in the first place. If you use Facebook to share photos you're a lot more secure than being super tech cool like some of these California people.
 
Security assumes that you will not give up information like the last four of your card. Most places **** it out. Amazon didn't. That is where the problem exists in this issue.

Most places don't **** it out. The rest of your credit card #, yes. The last 4 digits, no. It's available on almost every receipt if I use my credit card to pay.

There's a lot of blame to go around here. Amazon and Apple both need to step it up. The reporter should have had back-ups and should have been more conscious of his personal security. If any part of the equation had been improved, the results likely would have been much different. You can't blame one party for lax security without blaming the others, too.

The question for Apple is how to increase security without inconveniencing customers too much. People freak out if they get asked too many security questions. People forget the answers to their security questions and then completely lose access to their account. It's not as easy as implementing x, y and z. They have to take into account what the results will be for the average user who just forgot their password and isn't trying to hack someone else's account.
 
I'm actually quite shocked they only require those two pieces of information to reset an iCloud password by phone.
 
Hoax or not, the overall benefit outweighs the potential fame this individual could have gained.

Yes, we as wise consumers can take away important lessons from this.

I'm just reminded of how a few years ago there was a news story about a woman using an iPhone to beat her boyfriend to death. That turned out to be a 100% fake story paid for by Panasonic. There was no takeaway message from that one except perhaps don't date crazy chicks ;)
 
Not only Amazon, but this guy had a personal website, which is a huge security hole these days. That's how they got his billing address in the first place. If you use Facebook to share photos you're a lot more secure than being super tech cool like some of these California people.

The billing address being used for any kind of security is daft in the first place. There is no security hole in having a website, it's the same information that's made available now as it was 10 years ago or even 20 years ago when you registered a domain.

It always was a whois away.

Amazon had the hugest hole here. Modifying an account based only on the billing, name and e-mail addresses. Now that is a glaring mistake. Apple had weak security identification information (billing + last 4 of CC).

----------

why? Honan's the one that never backed his stuff up

Not backing up your stuff shouldn't mean the person who violated laws on cyber criminality, committed identity theft and cyber vandalism should go scot-free.

You're essentially saying charges shouldn't be pressed against your home's robber because you didn't have insurance. No matter how protected or not Honan was, a crime was committed.
 
No ***** way. Once they get your phone number, they can tie that in with your google profile and know WAY more about you.

Once they have your phone number, they have your phone calling records. Whether it's legal to steal or buy such records or not, big companies are eager to be recipients of such data, especially when another company does the actual stealing.

----------

why? Honan's the one that never backed his stuff up

This is assuming it's not all a hoax. Are we really supposed to believe he didn't back everything up, and that he was a "true believer" in the cloud paradigm? How naive would he have to be? (Disclaimer: I have met people like that.)
 
This is ABSOLUTELY Apple's fault. I'm a pretty strong fanboy, but this is unacceptable.

Well then you'll be happy to know that due to your outrage Apple is removing all password reset options from their services. You forget your password, too damn bad.

Now are you happy?
 
The billing address being used for any kind of security is daft in the first place. There is no security hole in having a website, it's the same information that's made available now as it was 10 years ago or even 20 years ago when you registered a domain.

It always was a whois away.

Amazon had the hugest hole here. Modifying an account based only on the billing, name and e-mail addresses. Now that is a glaring mistake. Apple had weak security identification information (billing + last 4 of CC).

----------



Not backing up your stuff shouldn't mean the person who violated laws on cyber criminality, committed identity theft and cyber vandalism should go scot-free.

You're essentially saying charges shouldn't be pressed against your home's robber because you didn't have insurance. No matter how protected or not Honan was, a crime was committed.

The only reason Amazon modified it was because they got a billing address and an email from the hacker, which he got from the whois information. Using a blogging service would have made this a lot harder. I checked his site and it's just a blog that could sit on WordPress or Blogger or some other service.
 
The problem is double-edged. With Amazon, you shouldn't be able to make any changes to the account without some sort of verification of your identity (something other than spouting off an email and postal address). With Apple, you should not, under any circumstance, use a CC number as part of the verification process.

Amazon is wrong. Apple is wrong.

All online accounts should come with a set of security questions and a person calling in should have to give correct answers to more than one in order to discuss and make changes to their account with a rep.

This

I was shocked that Amazon would allow a change of CC via phone. Especially since they are web-based I think they should require any change like this to be made via their website.

But Apple using the last 4 digits of a CC is also bad. That information is floating around all over the place. And most of the time it's displayed on your account, and I mean any account that stores your CC. That's the reason I don't store my CC info anyplace except - Amazon and Apple, oops.

And using the full CC number is even worse because you don't want any company's customer service staff to have access to that info.

I understand that a company needs to have procedures to aid folks who forget their passwords. But any company that stores CC info should go to further lengths to verify identity for password resets. In my mind, an email account doesn't rise to the same level as an account that actually involves money (or in this case data). I don't care if it is a bit of an inconvenience, people should remember/store their passwords.

I've been using an ewallet since 2004 and have never had a problem with passwords. There does come a point where people need to accept responsibility for their data/information. If they need help, a few hoops is a small price to pay for the security the rest of us need. Putting the rest of us at risk is unacceptable.
 