Everyone seems to forget that 2-step verification wouldn't have helped to fix the stealing of pictures, at all: http://techcrunch.com/2014/09/02/ap...esnt-protect-icloud-backups-or-photo-streams/
That is the real shame for Apple here. Telling everyone they should have used 2-Step verification... but that it wouldn't have helped anything.

@iBug2: is that your personal or work GMail, or did you just create it for testing purposes? If you really use GMail, those indeed are some weak questions, but if you just made the e-mail address to test, I can understand that those are the most difficult questions they could make, because you haven't emailed anyone yet.

Apple should really step up their 2-step verification game and add some features like "10 offline codes", an app for creating tokens (hopefully using the open standard for this) and just really open it up to the world, and not just for some countries (they only introduced this in the Netherlands last year). And last but not least, you should have to use it for EVERYTHING.
 
Everyone seems to forget that 2-step verification wouldn't have helped to fix the stealing of pictures, at all: http://techcrunch.com/2014/09/02/ap...esnt-protect-icloud-backups-or-photo-streams/
That is the real shame for Apple here. Telling everyone they should have used 2-Step verification... but that it wouldn't have helped anything.

Of course it would have helped. What the hackers first did was to reset the celebrities' passwords through guessing their security questions. With 2-Step they wouldn't be able to do that in the first place, so they wouldn't be able to download their backups. Apple does not require 2-Step to download your backups, but that's not the point. You first need the password in any case, or you need to reset the password, which is impossible with 2-Step.


@iBug2: is that your personal or work GMail, or did you just create it for testing purposes? If you really use GMail, those indeed are some weak questions, but if you just made the e-mail address to test, I can understand that those are the most difficult questions they could make, because you haven't emailed anyone yet.

An account created just for testing purposes. What type of questions do they ask you if you try to reset your actual gmail you use every day? Things like "who did you email yesterday"? Those are good questions and hard to guess. But so are security questions if you pay some attention when setting them up.
 
Everyone seems to forget that 2-step verification wouldn't have helped to fix the stealing of pictures, at all

Yeah, it would have, because the hackers couldn't have reset the password by social engineering security questions. They would have had to obtain the password by exploiting the lockout vulnerability or through other means like phishing. While lockout has been fixed, the password reset procedure is still in place, and it's a worse oversight IMO because even if people are smart enough to create good passwords, they have to be smart enough to lie when answering the security questions, they have to falsify their birthdate, and they have to be able to keep all their lies straight. If they don't do all these things, they're giving the keys to the kingdom to everyone who knows them well enough or can find out things about them. The only sensible thing is to treat all these items as additional passwords, and ordinary people aren't going to realize this. They're just going to answer the straightforward questions accurately. This is called "setting the user up to fail."
 
they have to falsify their birthdate, and they have to be able to keep all their lies straight.

They don't need to do any of that. There are security questions which are almost impossible to find out, such as the name of your favourite teacher. Nobody knows the answer to that question, not even my close friends. One would somehow have to find out all the names of my previous teachers in elementary school, high school, college etc, which is probably impossible to begin with unless you spend several years and money on this, and then you have to guess it correctly in 3 tries.
 
Of course it would have helped. What the hackers first did was to reset the celebrities' passwords through guessing their security questions. With 2-Step they wouldn't be able to do that in the first place, so they wouldn't be able to download their backups. Apple does not require 2-Step to download your backups, but that's not the point. You first need the password in any case, or you need to reset the password, which is impossible with 2-Step.

Ah, you can't reset your password without 2-step? I did not know! :) Then that techcrunch article is kind of lame.
 
People underestimating the importance of social engineering should read about Kevin Mitnick, one of the most famous hackers in the world, who wasn't such a great coder but got what he got mostly by simply calling phone companies, law enforcement offices, and talking information out of people, information which isn't supposed to leave the office.

----------

Ah, you can't reset your password without 2-step? I did not know! :) Then that techcrunch article is kind of lame.

That's the whole point of 2-Step. Once you enable that, to reset your password you need to enter a code that's sent to your phone. No more security questions to "guess".
 
That's the whole point of 2-Step. Once you enable that, to reset your password you need to enter a code that's sent to your phone. No more security questions to "guess".

That's not the ONLY thing you need then, is it? You still need to answer something or use a backup code, or something? Because that would not be 2-step verification... that would be 1-step verification (just the code).

Because it would mean that if someone could catch the SMS....
 
That's not the ONLY thing you need then, is it? You still need to answer something or use a backup code, or something? Because that would not be 2-step verification... that would be 1-step verification (just the code).

Because it would mean that if someone could catch the SMS....

Well, that's the only thing you need, yes, but it's probably called 2-Step not because it requires 2 separate steps but because it requires a 2nd device to do all this.

Gmail's 2-Step works the same way, sends a code to your phone.

In Gmail's case, it's an SMS. Apple sends the code through the OS, not as SMS. Both could be intercepted probably. But this is now very high level hacking category.
 
Well, that's the only thing you need, yes, but it's probably called 2-Step not because it requires 2 separate steps but because it requires a 2nd device to do all this.

Gmail's 2-Step works the same way, sends a code to your phone.

In Gmail's case, it's an SMS. Apple sends the code through the OS, not as SMS. Both could be intercepted probably. But this is now very high level hacking category.

Actually, 2-step does mean that you verify in 2 stages:
[quote]Two-step verification, abbreviated to TSV (not equal to two-factor authentication, abbreviated to TFA), is a process involving two subsequent but dependent stages to check the identity of an entity trying to access services in a computer or ...[/quote]

The 2-Step in GMail does require 2 things, you never need just 1.

The idea is that if one thing is compromised (your mobile, or your password), you cannot get into an account. In the case of a password reset at iCloud, you apparently just need the phone? I do hope you need to confirm it through your e-mail address at least.
 
They don't need to do any of that. There are security questions which are almost impossible to find out, such as the name of your favourite teacher. Nobody knows the answer to that question, not even my close friends. One would somehow have to find out all the names of my previous teachers in elementary school, high school, college etc, which is probably impossible to begin with unless you spend several years and money on this, and then you have to guess it correctly in 3 tries.

I think you're way exaggerating the obscurity of these things. According to the KeePass note field for my Apple ID, my 3 questions are, "Pet", "Book", and "Street". I didn't write the whole things down, and as they usually appear in comboboxes, they aren't copyable, but one word is enough to identify them when challenged, so that's what I recorded. While the random strings that are my answers offer no clues to the full questions, I would guess they were something like, "What was the name of your first pet?", "What's your favorite book?", and "What street did you live on as a child?" Someone who is targeting a celebrity who has given broad-ranging interviews and whatnot could probably find out things like this pretty easily, and birth date is a given. People who know me could answer questions like these. So yeah, you absolutely do need to do all the things I said. The best approach is to treat them all as secondary passwords, generated randomly.
 
I think you're way exaggerating the obscurity of these things. According to the KeePass note field for my Apple ID, my 3 questions are, "Pet", "Book", and "Street". I didn't write the whole things down, and as they usually appear in comboboxes, they aren't copyable, but one word is enough to identify them when challenged, so that's what I recorded. While the random strings that are my answers offer no clues to the full questions, I would guess they were something like, "What was the name of your first pet?", "What's your favorite book?", and "What street did you live on as a child?" Someone who is targeting a celebrity who has given broad-ranging interviews and whatnot could probably find out things like this pretty easily, and birth date is a given. People who know me could answer questions like these. So yeah, you absolutely do need to do all the things I said. The best approach is to treat them all as secondary passwords, generated randomly.

If you choose "pet" "book" "street", then yes you need to lie. Those are too easy to find out for celebrities, hell, even for regular people. But there are many security questions in the template, not all of them are that easy to find. Favourite teacher is one I chose on AppleID. That's impossible to find and I don't have to lie.

Moreover you can create your own security questions if all the ones in the template are "easy to guess" by others.
 
It's 100% Apple's fault. I'm a computer engineer but I didn't know how to activate the two step authentication.
You just said that you didn't know but blamed it on Apple. Logically/rationally speaking, you not knowing places the blame on you. Ignorance isn't an excuse and certainly isn't something to shift the blame somewhere else.
 
Nope. It just requires a pin code it sends to your phone to access your account. That's 1 thing. I use it myself.
Are you talking about resetting your password or logging in? Because for logging in you first need to login with username and password and for password reset you need to confirm it through an e-mail.
 
Are you talking about resetting your password or logging in? Because for logging in you first need to login with username and password and for password reset you need to confirm it through an e-mail.

Talking about resetting. Are you sure? If you haven't entered a backup email and you have no access to your gmail because you forgot the password, how can you confirm it through an email? I haven't tested this myself though.
 
This is incorrect. Two step verification - as currently implemented by Apple - would not have prevented this data breach.

The celebrities' passwords weren't changed - their existing passwords were brute forced. This was possible because (until this past weekend) Apple didn't restrict the number of password guesses being tried against an account. And once the hackers had the passwords, they were able to do a "restore from iCloud" to a faux new device, using that supposed law enforcement software from Elcomsoft - a step that does not currently require two step verification.

Two step verification is a good thing. Apple definitely should expand it. But it's not a panacea for every ill, and there will be situations where it's not practical. It's going to be hard to implement, for instance, when the user only owns an iphone and nothing else.
Most of the information out there about this actually says that their passwords were not guessed or brute forced but were either reset through the use of security questions and answers or obtained through other means like phishing or social engineering.
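The lockout the two posts above argue about, as an added example that is not from the original thread and not Apple's own implementation: a per-account guess limiter in which five consecutive failures lock the account and each further lockout doubles the delay, plus a small wordlist run against it to show how many guesses an attacker actually gets. The thresholds (5 attempts, 60 seconds, 1 hour cap), the account name "victim", the wordlist and the target password are all constructed for this example.

```python
import hmac
import time
from dataclasses import dataclass


@dataclass
class AccountState:
    failures: int = 0          # consecutive failures since the last success or lockout
    lockouts: int = 0          # lockouts so far; drives the exponential backoff
    locked_until: float = 0.0  # unix time; 0 means not locked


class LoginThrottle:
    """Per-account guess limiter: N failures lock the account, each lockout doubles the delay."""

    def __init__(self, max_attempts: int = 5, base_lock: float = 60.0,
                 max_lock: float = 3600.0, clock=time.time):
        self.max_attempts = max_attempts
        self.base_lock = base_lock
        self.max_lock = max_lock
        self.clock = clock          # injectable so the behaviour can be tested without sleeping
        self._state: dict[str, AccountState] = {}

    def _state_for(self, account: str) -> AccountState:
        return self._state.setdefault(account, AccountState())

    def allowed(self, account: str) -> tuple[bool, float]:
        """Return (may_attempt, seconds_until_retry)."""
        st = self._state_for(account)
        remaining = st.locked_until - self.clock()
        return (False, remaining) if remaining > 0 else (True, 0.0)

    def record_failure(self, account: str) -> float:
        """Count a wrong guess; returns the lockout length applied (0.0 if none yet)."""
        st = self._state_for(account)
        st.failures += 1
        if st.failures < self.max_attempts:
            return 0.0
        st.failures = 0
        st.lockouts += 1
        delay = min(self.base_lock * (2 ** (st.lockouts - 1)), self.max_lock)
        st.locked_until = self.clock() + delay
        return delay

    def record_success(self, account: str) -> None:
        """A correct login clears the counters."""
        self._state.pop(account, None)


def check_password(submitted: str, real: str) -> bool:
    # Stand-in for a real password-hash comparison; constant-time either way.
    return hmac.compare_digest(submitted.encode(), real.encode())


def simulate_bruteforce(guesses, real_password, throttle, account="victim"):
    """Run a wordlist against one account; returns (found, guesses_checked, guesses_blocked)."""
    checked = blocked = 0
    for guess in guesses:
        ok, _ = throttle.allowed(account)
        if not ok:
            blocked += 1
            continue
        checked += 1
        if check_password(guess, real_password):
            throttle.record_success(account)
            return True, checked, blocked
        throttle.record_failure(account)
    return False, checked, blocked


if __name__ == "__main__":
    wordlist = [f"password{i}" for i in range(100)]   # constructed guesses
    target = "password42"                             # constructed target password
    print("no limit:", simulate_bruteforce(wordlist, target, LoginThrottle(max_attempts=10**9)))
    print("limit 5: ", simulate_bruteforce(wordlist, target, LoginThrottle()))
```

Without a limit the 100-word list finds the password on the 43rd guess; with the limit the attacker gets five guesses and then has to wait, and each wait is longer than the last. A per-account counter is what stops a targeted attack like the one described; a production service would add a per-source-IP limit as well, so one attacker cannot lock many accounts or spread guesses across many accounts to stay under the threshold.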
 
Talking about resetting. Are you sure? If you haven't entered a backup email and you have no access to your gmail because you forgot the password, how can you confirm it through an email? I haven't tested this myself though.

Good point. I have backup emails in place, so yeah, i have no idea what he will ask if I didn't provide any :) I would hope they would at least ask some security questions or something like that.
 
If you choose "pet" "book" "street", then yes you need to lie. Those are too easy to find out for celebrities, hell, even for regular people. But there are many security questions in the template, not all of them are that easy to find. Favourite teacher is one I chose on AppleID. That's impossible to find and I don't have to lie.

Moreover you can create your own security questions if all the ones in the template are "easy to guess" by others.

I always pick the first three because the questions don't matter - I give random strings generated by Keepass as answers.

I think most people will pick the first three that are easy for them to answer and answer them accurately because they don't know any better. If they did know better, they'd do as I do, and there would be no issue.
 
Good point. I have backup emails in place, so yeah, i have no idea what he will ask if I didn't provide any :) I would hope they would at least ask some security questions or something like that.

Ok, I just tested this. It doesn't even go to 2-Step verification. I removed my recovery email address, I removed the security questions, and then tried to reset my password. It just asked me the same questions: when did you last access the account, when was the account created. I entered today's date for last access and I entered random for account created because I honestly don't remember when I opened this gmail account. Then it asked me further questions, I said "skip all these questions", and then it asked me to provide the last backup email I remember, I entered the correct one, and it sent me a link to reset my password.

No passcode sent to my phone to reset my password, even though 2-Step is enabled. But it did send me an SMS saying that my password is changed.
 
We need to be encouraging people to use stronger recovery questions too.

Your password can be 100 characters long with numbers, letters, capitals, symbols in a random order with no two of a similar type next to each other, but it's useless if your recovery questions are: mother's maiden name, first school etc., which are all easily found on regular people's social media pages, let alone celebrities whose lives are very much in the public eye.

In an ideal world the questions and answers would be gobbledegook, but we have to be reasonable, as without a password manager like LastPass the average user is going to want something that they can answer and use to recover the account if they have genuinely lost/forgotten their password.

I used to use things that would require physical access to my house (I don't anymore) or other property, such as 'Last few digits of the number on the back of my driving licence' or 'Colour of bathroom tile closest to the light switch'. Yes, if a friend wanted to be malicious they might be able to get this data and use it, but it's unlikely. Certainly more difficult than favourite food or pet's name etc.

There's not really a perfect solution, but certainly those forced recovery questions where you have to choose from only five options are a no-no. We need free rein to put in whatever question we like but be encouraged to use more complicated ones.
 
Passwords and Security Questions are so last century. What they need to do is extend Touch ID to all Apple devices (including Macs) and use it together with the backup PIN as the only method of verification. No more passwords. No fingerprint verification no access to change anything. Simple.
 
Apple will also broaden use of its two-factor authentication system, allowing it to also cover access to iCloud accounts from mobile devices like iPad and iPhone

Hindsight is 20/20, but the fact that this wasn't the case from day 1 is just unacceptable.
Either implement 2FA properly or not at all. False security is worse than no security.
 
Well, that's the only thing you need, yes, but it's probably called 2-Step not because it requires 2 separate steps but because it requires a 2nd device to do all this.

Gmail's 2-Step works the same way, sends a code to your phone.

In Gmail's case, it's an SMS. Apple sends the code through the OS, not as SMS. Both could be intercepted probably. But this is now very high level hacking category.

You can have Apple send the code through SMS also. When you set up 2-step with Apple, they even recommend adding a cell number.
 