There has been a better system in general use for years. Send the secure password recovery link to the pre-defined recovery email address. More recently companies have pre-defined recovery cellphones as well, which they can text a message to. I'm dismayed that Apple didn't take that standard and simple precaution for something as sensitive as an iCloud password.


until we get a sob story about how someone is locked out of their email and apple wouldn't help them and how it cost them a gazillion $$$ and they lost priceless data and now they are going to sue because apple and amazon should have a magic way of knowing who is a real person and who is a hacker
 
This is NOT the UK.

And you got blasted because you claimed to have information that at the time you didn't. Including exactly what went down and that Apple had broken US laws.

Which still stands as the UK laws don't apply here



It is not Apple's fault you are careless and put that stuff in the bin. Protecting your credit card etc info is an issue that has been around for a generation. You should know better

Now I have to bite my tongue not to blast you with insults as this is a pure Kool-Aid response! Plain and simple Apple iFan to the T! You think that there is NOTHING wrong with Apple only requiring your address and the last 4 digits of your card number, which by the way NO ONE in the UK uses as a security measure because we DO KNOW BETTER, is fully acceptable and you do not blame Apple at all, just because it's in America?

Nah, it's actually really funny how blinkered you actually are, you must wake up and visualise a giant half eaten Apple every morning to be as much of a fan as you obviously are.

You see, there are simple reasons that full security DPA checks are required before you willingly give someone complete and total access to someone's identity.
It's just a pity you're too much of a fanboy to see it. Oh well.
 
No way! Making more than the 4-digits and billing address available to a large group of Apple support employees is too high a risk. PCI (Payment Card Industries) mandates that no more than the last 4 digits be available or visible to anyone without a high security clearance.

But, requiring additional information would be a good idea.

The answer is not requiring more info, it is to not give temporary passwords on the phone. Send them to the pre-defined recovery email address or phone number. Most companies seem to have learned this years ago.
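One way to build the reset flow this post describes (the reset goes only to the pre-registered address and nothing is read out over the phone), as an added example that is not from the thread or from any vendor; the ResetStore class, the example.invalid link format and the constructed account record are assumptions:

```python
import hashlib
import hmac
import secrets
import time
from urllib.parse import parse_qs, urlparse

TOKEN_TTL_SECONDS = 15 * 60  # a reset link should die quickly if unused


class ResetStore:
    """In-memory stand-in for a reset-token table (constructed for this example).

    A support agent can trigger a reset but never sees or reads out a credential.
    The only thing that leaves the system is a single-use link, and it goes to the
    recovery address registered before the request, not to whoever is on the phone.
    """

    def __init__(self, clock=time.time):
        self.clock = clock          # injectable so expiry can be tested offline
        self.pending = {}           # account id -> {"digest", "expires", "used"}
        self.outbox = []            # (channel, address, link) handed to the mailer

    def request_reset(self, account):
        if not account.get("recovery_email"):
            raise ValueError("no pre-registered recovery address on file")
        token = secrets.token_urlsafe(32)
        # Store only a hash: a leaked table must not yield usable links.
        digest = hashlib.sha256(token.encode()).hexdigest()
        self.pending[account["id"]] = {
            "digest": digest,
            "expires": self.clock() + TOKEN_TTL_SECONDS,
            "used": False,
        }
        link = f"https://example.invalid/reset?uid={account['id']}&t={token}"
        self.outbox.append(("email", account["recovery_email"], link))
        # Nothing is returned to the caller: the agent has no credential to hand over.

    def redeem(self, account_id, token, new_password, set_password):
        """Consume the link. Returns True only if the token is current and unused."""
        entry = self.pending.get(account_id)
        if entry is None or entry["used"]:
            return False
        if self.clock() > entry["expires"]:
            return False
        digest = hashlib.sha256(token.encode()).hexdigest()
        if not hmac.compare_digest(digest, entry["digest"]):
            return False
        entry["used"] = True
        set_password(account_id, new_password)
        return True


def token_from_link(link):
    """What the account owner's browser submits after clicking the emailed link."""
    query = parse_qs(urlparse(link).query)
    return query["uid"][0], query["t"][0]
```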
 
Identity theft is a much bigger problem than most people realize. And no, I don't want to spend $10/month to some company to make sure no bad things happen which aren't my fault. The whole password/security stuff needs to go away and get replaced by something ten times better.

This is why, again, in the UK most of the banks have adopted a type of fob or device that looks like a calculator you insert your card into, you then use your online banking system and you enter codes given to you into the devices, then the code the device returns is then entered onto the website. This is after you have used random numbers from your pin code and random characters and numbers from your password to get into the account in the first place.
The bank I am with gives you two or three chances to get it right then it locks and you have to call them to unlock it.
 

I don't think this is true. Asking for a recovery email or even an email and phone number is standard for creating an account on lots of services. Why would this be a big problem for iCloud when it is not a big problem on other services?
 
I see people are blaming Amazon now? hahahahahahahahah, pathetic, really pathetic.

As I said, in the UK the last 4 digits of your debit and credit card are printed on EVERY SINGLE receipt you get when you use it (ever bought petrol and just thrown the receipt in the bin?). Like I said, rummage through anyone's bin and you will find the information.

APPLE is at fault here, NOT Amazon. The lax security in giving someone access to a wealth of information and the ability to wipe information is both shocking and immoral.

But hey, Apple are Gods, they NEVER do anything wrong!!!....

Have you linked me the part where the DPA defines what are essential authentication criteria yet ? Oh wait no you haven't. You just toss DPA DPA! out there without even knowing what the damn thing says. :rolleyes:

Amazon is the biggest culprit here, there's no denying that. Account changes, to identification information on top of it, without properly identifying the account holder is plainly wrong.

Apple has a proper but very weak authentication mechanism (billing + 4 last of CC is just weak). They just need to use stronger, more personal information for identification and it'll be fine. It's sad that this needed to happen for them to talk about changing it though, this should have been implemented since day 1.

Anyway, now feel free to criticize whoever, since NOW we know how it went down. In the last thread, you were blasting Apple "Apple are bad! They are always wrong!" before even knowing what had transpired. You're as bad as the people you denounce.

Objectivity folks. It's neither white nor black. Get the information needed, then offer criticism and opinions based on the facts, don't speculate either way. Both positions (Apple is wrong! and Apple is right!) were wrong in the last discussion thread as no one had enough info to reach such a verdict.

----------

Read the thread. My comment wasn't a reply to the notion of sending the hacker to jail for the hack.

My reply was to the comment the hacker should go to jail for the destruction of the guy's photos. And I stand by my reply to that comment

And your reply was still bogus in light that destroying a guy's photos by hacking into his account is cyber vandalism and the person responsible should be punished to the full extent of the law for such an act, no matter if the victim has or doesn't have backups.

Again, having or not having backups does not diminish the crime.

18 U.S.C. § 1030 – Fraud and related activity in connection with computers.

Section (a) 5 (A) (ii)
intentionally accesses a protected computer without authorization, and as a result of such
conduct, recklessly causes damage;

shall be punished as provided in subsection (c) of this section.

(c) The punishment for an offense under subsection (a) or (b) of this section is—
(1)
(B) a fine under this title, imprisonment for not more than 5 years, or both, in the case of an
offense under subsection (a)(5)(A)(ii), or an attempt to commit an offense punishable under that
subsection;

So it's a fine or less than 5 years of prison. Backups are not mentioned, they do not impact this. They are not a reason to not punish the individual. "Standing by your comment" as you put it is going against the laws in place in the United States of America. Are you against the law ?
 
Given the standards of journalistic ethics these days I am 90% sure that this entire "crisis" is invented, there is no hacker, and it's a PR stunt for Google.

It's already established that 50% of TV news is faked, not that the general public knows or cares any more.

http://prwatch.org/spin/2011/03/10471/fox-be-fined-fcc-fake-news-cmds-complaint-video-news-releases-nets-new-fines

It's been established that 50% of news reports are fake huh? Based on that one report on a Fox News story of all things?

Don't you think it might be closer to 37%? Or perhaps 64%?

In this case I thought it might have been a fake story, but more to give Mat Honan something to write about rather than something planted by another company. That's far more likely, even though when it's all said and done it's probably legit.
 
All Apple ID's down for 24hrs.
Just tried logging in to iCloud and was prompted to change my password.
Successfully changed and now I'm unable to login to iCloud via web browser or iPhone.
Receiving incorrect password errors.
Called apple care and was told all Apple ID's will be inactive / down for 24 hrs.
Wonder if this story has any relation-?
 

Why should I bother telling you about the UK's DPA requirements? You'd most likely state I am lying or full of s*** or something?

But if you want to read through it:

http://www.legislation.gov.uk/ukpga/1998/29/contents

You obviously know so much better than I do, I couldn't possibly correct you in any way.
I knew what transpired, well if it was in the UK I would. But I guess in America and Canada identity theft doesn't exist as a crime?

Apple are still wrong, no idea why you think I have changed my tune? Like I said if you were in the UK I could go through your bin that is out for the rubbish men, just need to find one card receipt and find your address out which isn't exactly difficult, and then access your accounts with a quick call to Apple. You can try as hard as you like to not blame Apple, many on here are trying not to, but facts are facts, Apple failed in its security standards. Even if it is acceptable in America I would be seeking legal advice by now over it!
 
Why should I bother telling you about the UK's DPA requirements? You'd most likely state I am lying or full of s*** or something?

But if you want to read through it:

http://www.legislation.gov.uk/ukpga/1998/29/contents

You can't do that. I gave you that link last thread. I did read through it. You're saying it says how an account should be protected and how an account holder should be authenticated. I'm asking you for a citation, as I have not found a single section of the DPA that states it.

You make a claim, you back it up. Otherwise, you're full of it.

You obviously know so much better than I do, I couldn't possibly correct you in any way.

Yes, tell me the section and requirements as defined by the DPA.

I knew what transpired, well if it was in the UK I would. But I guess in America and Canada identity theft doesn't exist as a crime?

You knew what transpired before Mat gave us the full run down ? In the UK they have time travel or something ? In Canada and the US Identity theft is a crime, we didn't however know of Apple's level of fault to criticize as you were criticizing then.

No one was saying no crime had taken place, we were only saying to wait until we knew what happened to criticize Apple, something you were quick to do with no evidence or even statements made by the victim about Apple's involvement beyond "Clever social engineering".

Apple are still wrong, no idea why you think I have changed my tune? Like I said if you were in the UK I could go through your bin that is out for the rubbish men, just need to find one card receipt and find your address out which isn't exactly difficult, and then access your accounts with a quick call to Apple.

I'm not saying you changed your tune, I'm saying you jumped the gun earlier and decided your tune based on pure conjecture and fantasy. Now we have details, you can really evaluate the situation and form an opinion. Yesterday you couldn't, even though you had done so prematurely. That is why I argued with you yesterday.

(is your memory that bad ?).
 

I just signed into iCloud and AppleID, no issues here. Are you in the US?
 
Who cares.. Is it a 'rumor' that someone's iCloud account got hacked or is it a fact? It's a FACT. This site is for RUMORS.

If you want a site that actually cares about this don't come to MacRumors. But why am I still here? All these rumours are very entertaining. Many good laughs to be had.
 
…is what Honan did to piss these guys off? They went to a lot of trouble to just delete his data. There were no financial benefits.

One wonders if he had dirt on some technology company.

It's either a vendetta or a publicity stunt.

Mat Honan is relatively well known in internet tech circles and he's relatively not very well liked. I think Jesus Diaz just closed his Amazon account.
 
But honestly, how many companies offer such things for consumer services. I know that Google does, but does Amazon? DropBox? Valve (Steam)? Ebay?

Facebook, Yahoo, PayPal/eBay, and Blizzard all offer 2-step authentication. Facebook and Yahoo use SMS to send you a code. Blizzard uses a mobile app or a keyfob to generate a code. PayPal/eBay uses SMS or a credit-card sized code generator.

As for Dropbox... After its latest security issue, it has decided to finally add 2-step authentication (coming in a few weeks).
 
This happens with a ton of Xbox Live accounts too. Microsoft doesn't seem to care. Also, since it's Microsoft and not Apple, the media doesn't care either.
Yep, this happened to my Xbox account back in January. Thankfully MS returned control of my account back to me within a few days. The strongest passwords in the world will not protect you from dumb/poorly trained CSRs who refuse to follow company guidelines.

Although, 2-step authentication would be a step in the right direction, something I wish Apple would add for Apple IDs and that MS would add for Microsoft/Xbox accounts.
 
Please, read the whole article on Wired.... It says exactly why they did it.... The quote from the hacker was that he wanted Mat's twitter username (@Mat), and that was it... The rest was just a bonus.


I use my iPod touch with Skype for phone and have a MiFi device for 3G wireless access. I don't have an iPhone or use Twitter much. Hard for me to understand this whole idea, that someone would go through all that trouble to get someone's Twitter account name. It really seems dumb to me. I guess I'm out of touch with what is important to some people.
 

That's right, let it all out.
 

Genius: it's NOT a FACT because there was NO HACK. This was a case of identity theft that could've happened in any era.

Amazon revealed the last four digits of the credit card and that was needed to convince Apple, the criminal was the "journalist."

Just the fact it's been spun as a "hack" calls into question the relationship this Gawker-connected "journalist" has with the "hacker."
 
I don't like the recovery email address system. This is part of how this guy got into trouble. Once one email account is broken, the others that use this email address for recovery become vulnerable. The weakest link in the chain becomes the weakest link for every account. It does not sound like a very good idea, although it is cheap to implement.

Requiring a cell phone is a little better, as it requires stealing a physical object from the actual account holder, but still you don't want your digital life to become hackable as soon as you get your phone or wallet stolen. Details of your life known to few people, along with something physical, is a much better combination. Then, you can only be hacked by people physically AND personally close to you, which reduces the number of potential hackers and makes it easier to catch the bad guys after the fact, discouraging people with nefarious intent.

----------

I think the chances of someone that can't remember their password naming 3 of the last 10 songs they purchased is pretty slim.

I couldn't even tell you the last thing I bought with my iTunes account.
Not even any free apps? Does that mean you don't have an iCloud account, making this discussion a bit moot for you?

Telling them that you have not bought anything in the last 90 days might be a good first step. They could read back 5 possible purchases you may have made and you can pick the one that you did. This is similar to how credit report companies work to screen out hackers.
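To make the "weakest link in the chain" argument earlier in this post concrete, here is an added example (not from the thread) that models one person's accounts and the reset paths between them as a constructed dependency graph and computes how far one compromised channel propagates; the account names, channel labels and reset rules are assumptions chosen for the illustration:

```python
# Constructed model of one person's accounts and how each can be reset.
# A reset "way" is the set of channels the requester must control; any one
# way suffices. Channel labels are assumptions chosen for this illustration.
ACCOUNTS = {
    "gmail":   [{"sms:phone"}, {"email:me.com"}],
    "me.com":  [{"kba:billing+last4"}],           # billing address plus card last four
    "amazon":  [{"kba:billing+last4"}],
    "twitter": [{"email:gmail"}],
    "bank":    [{"sms:phone", "kba:personal"}],    # phone AND details few people know
}

# Owning an account can hand the attacker a new channel (its mailbox).
ACCOUNT_GIVES = {"gmail": "email:gmail", "me.com": "email:me.com"}


def reachable_accounts(accounts, gives, attacker_has):
    """Accounts that fall, directly or transitively, from a starting set of channels.

    Iterates to a fixpoint: each account taken may unlock a channel that lets
    another reset succeed, which is exactly the chain the post warns about.
    """
    owned = set(attacker_has)
    fallen = set()
    progress = True
    while progress:
        progress = False
        for name, ways in accounts.items():
            if name in fallen:
                continue
            if any(way <= owned for way in ways):   # one fully controlled way is enough
                fallen.add(name)
                if name in gives:
                    owned.add(gives[name])
                progress = True
    return fallen


def single_channel_resets(accounts):
    """Accounts resettable from a single channel: the links an attacker can chain."""
    return sorted(name for name, ways in accounts.items() if any(len(w) == 1 for w in ways))


def blast_radius(accounts, gives, candidate_channels):
    """How many accounts each single compromised channel would cost the owner."""
    return {c: len(reachable_accounts(accounts, gives, {c})) for c in candidate_channels}
```

In this constructed graph the "bank" entry, which demands the phone and personal details together, is the only account that no single channel reaches, matching the post's point about combining something physical with something few people know.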
 
I wonder if this fingerprint ID company Apple bought (AuthenTec?) could be used to help out with this problem. Start building fingerprint detection hardware into all Mac and iOS devices (with Apple's economies of scale, I'm sure the cost could quickly be brought down), user could run an app which verifies the fingerprint to Apple in real time. This wouldn't work for everyone, right away, but it could take care of this problem for people with the newer hardware, which will be more people over time.

Not to mention which, it'd be really useful for business or government entities who need to quickly verify your identity (any business using kiosk-style iPads, restaurants where the waiters are using iPhones/iPod Touches, the DMV, gun and ammunition dealers, voting, etc.)
 
Fear-based articles like this are hacking your brain. "problem reaction solution". Now u need this super secure microchip in ur brain. Get it now for 7 million dollars
 

He pissed off a well-known geek hacker forum pretending to be a known big-time "tech news journalist". So a hacker got even with him and then called him afterwards to brag about it.
 
Well then you'll be happy to know that due to your outrage Apple is removing all password reset options from their services. You forget your password, too damn bad.

Now are you happy?

Yes, that is honestly good news.

I don't know any of my passwords. They are all random crap anyways.
 
I wonder if this fingerprint ID company Apple bought (AuthenTec?) could be used to help out with this problem. Start building fingerprint detection hardware into all Mac and iOS devices (with Apple's economies of scale, I'm sure the cost could quickly be brought down), user could run an app which verifies the fingerprint to Apple in real time. This wouldn't work for everyone, right away, but it could take care of this problem for people with the newer hardware, which will be more people over time.

I have a use case which is real for me, but fails your proposal in two ways (or at least one, depending on what exactly you're proposing).

I take scuba vacations to exotic locales, and often will be off the net for weeks at a time. "Authenticating with the cloud" is a non-starter if it applies to local device access.

The other issue is that I already use Windows laptops with fingerprint readers to login - they're really quite common. And, they're a great time-saver. Especially if the corporate Network Nazis require a 10-minute screensaver with re-login - just one finger stroke and you're back in.

However, after spending 4 to 6 hours a day in the water diving, my fingers have wrinkled and I can't login to my laptops with the usual finger swipe - I have to use the password.
____________

Two points here....

1. Cloud-based authentication works for cloud services, but not local device access.

2. Look for edge conditions where 2nd factor authentication (such as biometrics) fails.
 