Very few people know what a secure backup key is, or how to keep it secure. And very often the reason for doing the restore is that the trusted device fell in the toilet and is DOA. So now what?

You have to bring the toilet in to the nearest Apple Store.
 
Ok why is iCloud not encrypted? This seems to be the first step Apple needs to take.

This does not make any sense whatsoever.

I think what you mean is why aren't iCloud backups encrypted?

They are.
 
Aaah, that's how resetting a password through security questions is supposed to work.

Not really. Other providers like Google require another password recovery option (sms code sent to your phone, voice call to your phone, alternate email, etc) for password recovery. Questions alone should not be enough to recover a password.

----------

Ok why is iCloud not encrypted? This seems to be the first step Apple needs to take.

They are encrypted with your password. What Apple is finally adding when they release iOS 8 is that iCloud backups can no longer be accessed, on accounts using 2-factor authentication, with just the username/password.
 
Very few people know what a secure backup key is, or how to keep it secure. And very often the reason for doing the restore is that the trusted device fell in the toilet and is DOA. So now what?

You're kidding right? Print your backup key and put it somewhere in your home or just store it in some USB stick if you want.

But then what happens if there's a fire in your home and you lose the USB stick the same day?

----------

Not really. Other providers like Google require another password recovery option (sms code sent to your phone, voice call to your phone, alternate email, etc) for password recovery. Questions alone should not be enough to recover a password.


So does Apple, it's been discussed to death and is called 2 step verification. With that enabled there are no more security questions and hackers would need to steal your phone to change your password.

Btw like Apple, Google does not require this either. You can set it up or you can opt out.
 
The services I have in mind are email services to begin with. Gmail, MSN, iCloud, these all have their own emails. So if you lost the password to these accounts, you wouldn't be able to check your email anyway. So a confirmation email is useless.

The only solution I can think of is forcing you to enter a secondary email address which is not connected to the account as a backup. Gmail has this "backup email" but I don't know if they force this.

This is why Google will remind you to verify your phone number (or you can add an alternative email). That way, when recovering your password, they verify you through sms or a voice call (or alternatively an email). It is pretty surprising to me that any company would let you recover your password without any verification beyond the questions.
 
This is why Google will remind you to verify your phone number (or you can add an alternative email). That way, when recovering your password, they verify you through sms or a voice call (or alternatively an email). It is pretty surprising to me that any company would let you recover your password without any verification beyond the questions.

Again, Apple has this as well. (The code, not the backup email) And neither Google nor Apple "force you" to use this 2-Step verification.
 
So does Apple, it's been discussed to death and is called 2 step verification. With that enabled there are no more security questions and hackers would need to steal your phone to change your password.

Not true. Google still requires verification beyond password recovery questions whether you enable 2-step authentication or not. So do Yahoo and almost every other major web provider. The fact that Apple doesn't is pretty lax when it comes to security. However, you can bet they will be revamping their password recovery system now that attention has been brought to it. It shouldn't require 2-step authentication to have a more secure password recovery system.

----------

Again, Apple has this as well. (The code, not the backup email) And neither Google nor Apple "force you" to use this 2-Step verification.

Again, not true. Try resetting a Google account password. A verified phone number is used for password recovery. Using 2-factor authentication has nothing to do with it.
 
Not true. Google still requires verification beyond password recovery questions whether you enable 2-step authentication or not.

What verification? If I haven't entered any phone numbers and backup emails what other verification methods are left?
 
What verification? If I haven't entered any phone numbers and backup emails what other verification methods are left?

This is why they are set up when you create the account. When Google added phone verification, they constantly reminded all users until it was added and will still periodically ask you to enter it. This is not 2-factor authentication. This is what is done when you set up your account so that password recovery is possible.

In Google's case, they ask you a series of questions if you don't have any recovery options set up. But these questions are not questions you set up personally. And they are intentionally hard to guess. You have to get a certain number correct to get past it.
 
Not really. Other providers like Google require another password recovery option (sms code sent to your phone, voice call to your phone, alternate email, etc) for password recovery. Questions alone should not be enough to recover a password.

----------

They are encrypted with your password. What Apple is finally adding when they release iOS 8 is that iCloud backups can no longer be accessed, on accounts using 2-factor authentication, with just the username/password.

The whole system should be failsafe. Why were there gaping holes in the backup system? Isn't that the main reason for iCloud, to have a secure backup?
 
This is why they are set up when you create the account. When Google added phone verification, they constantly reminded all users until it was added and will still periodically ask you to enter it. This is not 2-factor authentication. This is what is done when you set up your account so that password recovery is possible.

In Google's case, they ask you a series of questions if you don't have any recovery options set up. But these questions are not questions you set up personally. And they are intentionally hard to guess. You have to get a certain number correct to get past it.

I just created a new gmail account without entering a phone number, so you can do it. It's certainly not forced.

About security questions, Apple's security questions can be set up personally as well, as in you write the question and the answer. You don't have to choose from a list.
 
It is pretty surprising to me that any company would let you recover your password without any verification beyond the questions.

Incomprehensibly shocking is more like it, and per the web page I linked to, they still haven't fixed it, so it's still possible. I thought the no-lockout vulnerability was bad, but at least it's been fixed. It's like they put all the Windows programmers responsible for buffer overrun bugs in charge of security. I just don't understand how such obvious mistakes can be so rampant.
 
I just created a new gmail account without entering a phone number, so you can do it. It's certainly not forced.

About security questions, Apple's security questions can be set up personally as well, as in you write the question and the answer. You don't have to choose from a list.

Again, not correct. Google doesn't just use questions the user set up (whether custom or not). That is not how their verification questions work. Recovering a Google password can't be done by entering a hometown or birthdate. Their system is more complex than that (even their help page will not tell you where the questions come from or how many you have to get right).

As for the phone number... I never said it was forced. But over time, after setting up the account, you will constantly be reminded to enter it for backup purposes.
 
And now I "hacked" my own gmail account entering the following information:

When was the account created?

When did you last access the account?

I provided these answers correctly but it didn't require 100% correct answers.

So if someone knows which month/year I created my gmail account, and enters the current date for "when did you last access your account" (people access their emails every day), then they can hack my gmail account easily.

So if I'm being as stupid as I can be, hacking my gmail seems quite easy without any brute forcing or guessing passwords.
 
They did think of this before the damage was done. A year and a half ago Apple released 2-step verification. Had those celebrities enabled 2-step verification, this wouldn't be an issue.

This is incorrect. Two step verification - as currently implemented by Apple - would not have prevented this data breach.

The celebrities' passwords weren't changed - their existing passwords were brute forced. This was possible because (until this past weekend) Apple didn't restrict the number of password guesses being tried against an account. And once the hackers had the passwords, they were able to do a "restore from iCloud" to a faux new device, using that supposed law enforcement software from Elcomsoft - a step that does not currently require two step verification.

Two step verification is a good thing. Apple definitely should expand it. But it's not a panacea for every ill, and there will be situations where it's not practical. It's going to be hard to implement, for instance, when the user only owns an iPhone and nothing else.
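As an added illustration of the control the post above says was missing (this is not code from the thread, from Apple, or from any vendor), the block below models per-account login throttling: after a fixed number of failed guesses the account is locked for a cooldown, and even the correct password is refused until that cooldown expires. The account name, password, failure threshold and lockout length are constructed for illustration.

```python
import hashlib
import hmac
import os
import time

MAX_FAILURES = 5        # failed guesses tolerated inside one window (assumed policy)
LOCKOUT_SECONDS = 900   # cooldown once the threshold is hit (assumed policy)
KDF_ITERATIONS = 100_000


class Throttle:
    """Per-account failure counter with a hard lockout; the clock is injectable for tests."""

    def __init__(self, clock=time.monotonic):
        self.clock = clock
        self.failures = {}      # account -> timestamps of recent failed attempts
        self.locked_until = {}  # account -> monotonic time when the lock expires

    def is_locked(self, account):
        until = self.locked_until.get(account)
        return until is not None and self.clock() < until

    def record_failure(self, account):
        now = self.clock()
        recent = [t for t in self.failures.get(account, []) if now - t < LOCKOUT_SECONDS]
        recent.append(now)
        if len(recent) >= MAX_FAILURES:
            self.locked_until[account] = now + LOCKOUT_SECONDS
            recent = []  # counter restarts once the lock is lifted
        self.failures[account] = recent

    def record_success(self, account):
        self.failures.pop(account, None)


def hash_password(password, salt=None):
    """Salted PBKDF2-HMAC-SHA256; returns (salt, digest)."""
    salt = salt if salt is not None else os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, KDF_ITERATIONS)


# Constructed user store: the account name and password are illustrative only.
USERS = {"celeb@example.invalid": hash_password("correct horse battery")}
# Dummy credential so an unknown account costs the same KDF time as a real one.
DUMMY = hash_password("unused")


def login(throttle, account, password):
    """Return 'ok', 'bad_password' or 'locked'."""
    if throttle.is_locked(account):
        return "locked"  # refuse before verifying, so a lucky guess gains nothing
    salt, digest = USERS.get(account, DUMMY)
    _, candidate = hash_password(password, salt)
    if account in USERS and hmac.compare_digest(candidate, digest):
        throttle.record_success(account)
        return "ok"
    throttle.record_failure(account)
    return "bad_password"


class FakeClock:
    """Deterministic stand-in for time.monotonic so the demo runs instantly."""

    def __init__(self):
        self.t = 0.0

    def __call__(self):
        return self.t

    def advance(self, seconds):
        self.t += seconds


def demo():
    """Five wrong guesses lock the account; the right password is refused until the cooldown passes."""
    clock = FakeClock()
    throttle = Throttle(clock)
    acct = "celeb@example.invalid"
    results = [login(throttle, acct, "guess%d" % i) for i in range(MAX_FAILURES)]
    results.append(login(throttle, acct, "correct horse battery"))  # still locked
    clock.advance(LOCKOUT_SECONDS + 1)
    results.append(login(throttle, acct, "correct horse battery"))  # lock expired
    return results


if __name__ == "__main__":
    print(demo())
```

The lock check runs before the password is verified, which is the detail that matters: an unthrottled endpoint lets an attacker keep trying, while a throttled one makes every account cost at most MAX_FAILURES guesses per LOCKOUT_SECONDS, regardless of how weak the password is.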
 
Recovering a Google password can't be done by entering a hometown or birthdate.

Trust me I can write down some security questions which will be impossible to find out unless you are actually me. Everyone can do that. And nobody should be using hometown or birthdate as a security question.

----------

The celebrities' passwords weren't changed - their existing passwords were brute forced. This was possible because (until this past weekend) Apple didn't restrict the number of password guesses being tried against an account. And once the hackers had the passwords, they were able to do a "restore from iCloud" to a faux new device, using that supposed law enforcement software from Elcomsoft - a step that does not currently require two step verification.

Two step verification is a good thing. Apple definitely should expand it. But it's not a panacea for every ill, and there will be situations where it's not practical. It's going to be hard to implement, for instance, when the user only owns an iPhone and nothing else.

No. The passwords were not brute forced, as has been said many times before. The Find my iPhone brute force script was not used to hack these celebrities' accounts. Their security questions were "guessed". That's the official word out at least. Unless you have some information we don't have, please share it.
 
This is incorrect. Two step verification - as currently implemented by Apple - would not have prevented this data breach.

The celebrities' passwords weren't changed - their existing passwords were brute forced. This was possible because (until this past weekend) Apple didn't restrict the number of password guesses being tried against an account.

Please stop parroting that. It is completely unknown at this point whether that egregious vulnerability had anything to do with it. It seems a lot more likely the accounts were compromised by social engineering the password reset procedure using security questions, which still hasn't been fixed. There could have been other ways in such as phishing. We still don't know.
 
Two factor verification really is secure. I think that it should be a requirement in the future, or have a liability waiver agreement for those that choose password only.
 
Sounds like a typical case of users using weak passwords (which most users tend to do) and hackers using common words to guess them. Amazing that with all the attempted hacking and identity theft and such going around that people still refuse to use complex passwords and security features. Especially celebrities.

https://www.youtube.com/watch?v=a6iW-8xPw3k

12345? That's the same as the combination on my luggage!
 
Please stop parroting that. It is completely unknown at this point whether that egregious vulnerability had anything to do with it. It seems a lot more likely the accounts were compromised by social engineering the password reset procedure using security questions, which still hasn't been fixed. There could have been other ways in such as phishing. We still don't know.

However, it's still true that even with Apple's 2-Step verification, it's still possible to "guess" the passwords or find them out through social engineering and access the accounts of other people.

With Google's 2-Step verification you cannot do that because you cannot access your account from an unauthorised computer unless you enter a code that's sent to your phone.

I think Apple should add that feature as an opt-in. So I should have my phone ready not just to change my password but to access my account as well, if I choose so.

This is not an issue if you have a strong password and don't share it with your friends, but it's a worst case scenario.
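The gating the post above describes, where a correct password from an unrecognised computer still needs a code tied to the phone, as an added example in Python. It is not the thread's own code and not Google's or Apple's implementation: the one-time code follows RFC 6238 TOTP (HMAC-SHA1, 30-second step, 6 digits), and the account, password, device names and secret are constructed. Approved devices are remembered, so the code is only required the first time a device is used.

```python
import hashlib
import hmac
import struct


def totp(secret, now, step=30, digits=6):
    """RFC 6238 TOTP over HMAC-SHA1: the code for the time step containing `now`."""
    counter = int(now // step)
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


class Account:
    """One user: password check, phone-bound TOTP secret, and the devices already approved."""

    def __init__(self, password, totp_secret):
        # Plain SHA-256 only to keep the example short; a real store uses a slow salted KDF.
        self.password_hash = hashlib.sha256(password.encode()).digest()
        self.totp_secret = totp_secret
        self.trusted_devices = set()

    def password_ok(self, password):
        candidate = hashlib.sha256(password.encode()).digest()
        return hmac.compare_digest(candidate, self.password_hash)


def sign_in(acct, password, device_id, code, now):
    """Return 'ok', 'bad_password', 'need_code' or 'bad_code'."""
    if not acct.password_ok(password):
        return "bad_password"
    if device_id in acct.trusted_devices:
        return "ok"            # recognised device: the password alone suffices
    if code is None:
        return "need_code"     # correct password from an unknown device is not enough
    for drift in (0, -step_seconds()):  # accept the current and previous step for clock skew
        if hmac.compare_digest(code, totp(acct.totp_secret, now + drift)):
            acct.trusted_devices.add(device_id)  # remember this device from now on
            return "ok"
    return "bad_code"


def step_seconds():
    return 30


def demo():
    """Walk one account through an unknown device, a known device, and a second unknown device."""
    # Constructed account; the secret is the RFC 6238 reference seed, not a real credential.
    acct = Account("correct horse battery", b"12345678901234567890")
    pw = "correct horse battery"
    now = 59.0
    return [
        sign_in(acct, "wrong", "laptop-1", None, now),                       # bad_password
        sign_in(acct, pw, "laptop-1", None, now),                            # need_code
        sign_in(acct, pw, "laptop-1", "000000", now),                        # bad_code
        sign_in(acct, pw, "laptop-1", totp(acct.totp_secret, now), now),     # ok, device trusted
        sign_in(acct, pw, "laptop-1", None, now + 3600),                     # ok, no code needed
        sign_in(acct, pw, "cafe-pc", None, now + 3600),                      # need_code again
    ]


if __name__ == "__main__":
    print(demo())
```

The last two results show the distinction the post is making: the remembered laptop signs in with the password alone, while the same password from a new machine is stopped at "need_code" until the phone is consulted.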
 
Here is an idea: don't take naked photos or store things that are highly private on your phone, regardless of the manufacturer.

Smart phones are relatively new and the "cloud" is newer. We might not want to be so trustworthy with our private information with new technology.

I am more surprised at the number of people taking naked photos of themselves than the news of people hacking the phones.

Here is a tip: Anything you don't want exposed, don't store on the internet.
 
Here is an idea: don't take naked photos or store things that are highly private on your phone, regardless of the manufacturer.

Smart phones are relatively new and the "cloud" is newer. We might not want to be so trustworthy with our private information with new technology.

I am more surprised at the number of people taking naked photos of themselves than the news of people hacking the phones.

Here is a tip: Anything you don't want exposed, don't store on the internet.

Well, that's not really an option. Nudies aren't such a big deal. People keep their credit card information online to begin with. Yes those are much more secure than iCloud but still, not entering any sensitive information online would make our lives miserable.
 
Two step verification is a good thing. Apple definitely should expand it. But it's not a panacea for every ill, and there will be situations where it's not practical. It's going to be hard to implement, for instance, when the user only owns an iPhone and nothing else.

Except for real hermits, there's always the possibility of requiring some other backup 2nd factor channel before allowing a restore, such as: work phone, work email, school email, next-of-kin's phone number, FedEx package to home, or maybe walking into an Apple store and showing photo ID like one does for pickups. There was (maybe still is) a payment system that sent some magic amount to your bank account; you had to contact your bank to get this amount as your 2nd factor. Could Apple do something similar with their zillions of credit cards on file?
 