They should have thought about this before the damage was already done.
This type of poor management of sensitive data reminds me of Microsoft, i.e., a damage control policy: let the bad things happen, then look for ways to prevent them from happening again.

It's a fallacy. In hindsight, you could have always done more. If I had picked stocks better, I could have figured out how to make $1.6B on a $10K investment. I should have done that, I guess...
 
Explain. Are you saying you were issued a temporary password after answering the security questions right then and there in the browser instance you were using to reset the password? Are you saying you didn't have to confirm the reset by clicking a link in a verification email they sent you?

Yes, I didn't have to confirm with an email link, but that was an option. The other option was just to answer security questions. It asked for my username then 3 security questions then gave me the password reset page.

[Screenshot attached: Screen Shot 2014-09-05 at 8.47.26 AM.png]


Possibly even worse, it told me that the password I tried had been used within the last year. If there's no guess limit, someone can use that to get the password without resetting it, which would be stealthier.

----------

Guess I'm safe... "What city did you grow up in?"

"Xgs4k-l39&h-l3d*3-Je(3l" :cool:

Exactly, we're now forced to remember at least two passwords because we have to put fake security question answers.
 
Er... yep. As a user I have two iPads, an iPhone 5, a Samsung tab, a Nexus 7 and a Galaxy S4, and use both Apple and Google services on a daily basis.

As a business owner we provide a cloud service with two-factor authentication, notifications to beat the band, AES-256 encryption on all data entered, SHA-2 on passwords with random salts, IP blocking, account lockouts, traffic pattern matching, etc. etc. etc.

That and over 30 years in the business gives me a good perspective on what good and bad security is.

Of course in the end it's all just my opinion :)

By "do you know what you're talking about" I was referring to this response to "who has better security":

Well Google for one. Change any email, password or anything else on Google and they let you know. They also have two factor security for quite a while now.

I think this is (yet) another example of how Apple just doesn't get cloud. This stuff is basic and should have been there since the very start - not an afterthought. They have the resources, they just don't have the mindset.

Security is not an afterthought at Apple. They already have two-step verification and overall good security. They just continue to push it further.

So, yes, they have the mindset, and no, Google's security is not better. I'd be willing to bet that Google accounts have been hacked many more times than Apple's services have - this one was just public because photostream saves pictures automatically.
 
I would also like Apple to require longer, more secure passwords. Their password standards are fairly lax right now.
 
Glad that Tim Cook himself is speaking up and Apple is actually showing responsibility by making changes to security. Old Apple under Steve Jobs would stonewall for as long as possible, hoping that the story would go away.

I don't remember data breaches on Steve's watch.
 
They should have thought about this before the damage was already done.
This type of poor management of sensitive data reminds me of Microsoft, i.e., a damage control policy: let the bad things happen, then look for ways to prevent them from happening again.

There is zero proof that Apple's servers or security messages were the issue. So perhaps the "poor management" was from the user side. Letting an assistant set up your account and use a crap weak password, using it also on every other system out there like email, Facebook etc. Perhaps even using the same password the assistant uses on his/her account. Would it be Apple's fault, say, if I was Jennifer's assistant and I set up her account with the same password I use, and I got phished on Facebook so my account was exposed? Someone gets into my iCloud and finds her email and enough details to figure out I'm her assistant (like I have an iCloud calendar called "Jennifer's schedule") and tries my password on her email and it works. No, that is not Apple's fault. Nor is it Jennifer's, since I doubt she told or expected me to be an idiot.

There's also zero proof that these measures, if they had already existed, would have prevented this issue. Particularly since Jennifer and perhaps 2 other people are the only ones that confirmed it was an iCloud account. The rest could have been Google Drive, Dropbox etc. The Dropbox app can automatically upload your camera roll just the same as iCloud, so you could totally take a nude selfie to send a boyfriend, text it to him, delete the photo from the phone and be clueless that Dropbox uploaded it the moment you snapped it because you forgot you turned that feature on.

----------

They need to halt the restore until you authorize the action either with trusted device or secure backup key... Notification after the fact, is of questionable value...

Question: how is that going to work for the folks that only have an iPhone, with no iPad or computer to be a 'trusted device', when that iPhone goes into the pool and doesn't work? How are you supposed to sign into the backup and then get a message to authorize the backup when you can't yet receive emails etc. on that device because it's not fully activated?

One answer would be using icloud.com from a random computer, but then how do you validate that the right person is using the website? They know your username and password so they could just as easily go to the website. If it has to be a previously trusted computer, that does you (who has no computer) no good, because you couldn't set it up.

I suppose you could just set up the phone as new so you can get emails or texts or whatever and then sign into the iCloud and 'trust' the device. But that is really only saying it's trusted for the account not the backup contents since you aren't in the back up mode. And so on. It's a tits up situation no matter how you want to sort it out.

That said, perhaps these measures were already being looked at and we're merely hearing about them early because some hacker name dropped Apple for added press. Tim is smart enough to know that no one would believe that it was already in the works so he doesn't bother making that claim.
 
^ Well, for one, they could allow true multifactor in all scenarios for people with multiple trusted devices and/or phone numbers and still make other accommodations for your above scenario, perhaps keeping the status quo for people in your scenario.

Or they could use the printed backup code created when setting up 2-factor.
 
They should have thought about this before the damage was already done.
This type of poor management of sensitive data reminds me of Microsoft, i.e., a damage control policy: let the bad things happen, then look for ways to prevent them from happening again.

Some people are never satisfied, even when a solution IS released. Are you one of them? It looks like it.

Wrong if you do, wrong if you don't. Thankfully the world doesn't have to answer to you, and your judgements.
 
Trust me I can write down some security questions which will be impossible to find out unless you are actually me. Everyone can do that. And nobody should be using hometown or birthdate as a security question.

----------

No. The passwords were not brute forced, as has been said many times before. The Find My iPhone brute force script was not used to hack these celebrities' accounts. Their security questions were "guessed". That's the official word out at least. Unless you have some information we don't have, please share it.

I read on TMZ that the FBI suspects at least some people willingly gave their logins from getting phishing emails that look like they came from Apple.

----------

Well Google for one. Change any email, password or anything else on Google and they let you know. They also have two factor security for quite a while now.

I think this is (yet) another example of how Apple just doesn't get cloud. This stuff is basic and should have been there since the very start - not an afterthought. They have the resources, they just don't have the mindset.

Every time I change something on my iTunes account or log in on another computer I get an email from Apple letting me know.
 
Not if you enable 2-factor authentication. Then they will not be able to change your password, so they won't be able to get at your iCloud data.

They don't need to change your password when they already know it. And that is very possibly the case in many of these situations. Either you use something stupid easy or you fell for a phish on another system and use the same password for everything.

It's unlikely that the big boys will ever get together to create some kind of unified list so that you can't use the same password on Apple, Facebook etc. because the systems will reject it, so they have to rely on folks not being dumbasses about their information and identities. But as this online world is still young, stupid is out there in droves.

----------

That is not what happens generally.

Recycled passwords happen a lot. Probably as much if not more than resetting them.

Remember the whole Find My iPhone random attack that was big in Australia and New Zealand a few months back. Those folks had no clue that anyone else had access to their accounts. They got no "Your Apple ID password has been changed" messages etc., and if someone had changed the password, that would have disconnected their devices from the account until the new one was entered into the device, so the stunt wouldn't work. Someone had the existing password. And one of the many hacks or phishes on systems like Yahoo, Facebook etc. is likely the source.

Read the forums at AnonIB, where these "hacks" are frequent.

A site where anyone can say anything without proving it to be true. Including claims of hacking iCloud (with the implication they hacked the servers themselves) to gain huge press via the Apple name dropping and thus look like a BOFH.

The article says they are expanding 2-factor auth. Presumably that means they are expanding it to prevent restores / slurping of data unless you have the password AND a trusted device.

And how, under the current system, is that supposed to work for folks that only have an iPad, which can't receive SMS without being fully activated and signed into an Apple ID that also exists on the iPhone they don't have, while both run iOS 8 etc.? Or they have an iPhone which isn't functioning because it went into the pool and won't turn on, and they are trying to restore their data to a new iPhone. An iPhone that isn't trusted and can't be trusted, because they would need access to a previously trusted device to trust the new device even just to sign into iCloud after setting up as new; otherwise the whole system of only being able to back up to a trusted device falls apart.

----------

I believe that's exactly what will happen if you have 2-factor auth turned on for your account and running iOS 8. 2fa will apply to iCloud backups in iOS 8.

I don't think that is correct. Fortunately we won't have long to wait to test it since iOS 8 will be out shortly.
 
They don't need to change your password when they already know it. And that is very possibly the case in many of these situations. Either you use something stupid easy or you fell for a phish on another system and use the same password for everything.

It's unlikely that the big boys will ever get together to create some kind of unified list so that you can't use the same password on Apple, Facebook etc. because the systems will reject it, so they have to rely on folks not being dumbasses about their information and identities. But as this online world is still young, stupid is out there in droves.

----------

Recycled passwords happen a lot. Probably as much if not more than resetting them.

Remember the whole Find My iPhone random attack that was big in Australia and New Zealand a few months back. Those folks had no clue that anyone else had access to their accounts. They got no "Your Apple ID password has been changed" messages etc., and if someone had changed the password, that would have disconnected their devices from the account until the new one was entered into the device, so the stunt wouldn't work. Someone had the existing password. And one of the many hacks or phishes on systems like Yahoo, Facebook etc. is likely the source.

A site where anyone can say anything without proving it to be true. Including claims of hacking iCloud (with the implication they hacked the servers themselves) to gain huge press via the Apple name dropping and thus look like a BOFH.

And how, under the current system, is that supposed to work for folks that only have an iPad, which can't receive SMS without being fully activated and signed into an Apple ID that also exists on the iPhone they don't have, while both run iOS 8 etc.? Or they have an iPhone which isn't functioning because it went into the pool and won't turn on, and they are trying to restore their data to a new iPhone. An iPhone that isn't trusted and can't be trusted, because they would need access to a previously trusted device to trust the new device even just to sign into iCloud after setting up as new; otherwise the whole system of only being able to back up to a trusted device falls apart.

That's why you also have the master key. You need two of the three pieces to access your account.
 
They did think of this before the damage was done. A year and a half ago Apple released 2-step verification. Had those celebrities enabled 2-step verification, this wouldn't be an issue.

Yes it would, if the person had the password. Two-step right now only kicks in for password resets.

----------

Well, this sucks because I don't even want it. I just want an option to disable the password reset. 2-step authentication is an ugly and complicated fix for a problem that shouldn't even exist. Anyone can reset the password only by answering security questions. There's not even a verification email! And people ask why I always use a fake birthday for online accounts…

If you really believe you will never forget your password, then use an impossible email and nonsense security questions. Who will ever guess that your first car was a jfa;oisdj;ajdgtleioha;kine; ;ao8hgnk;jana;g odium;adjdfn,jagnajkd

----------

You cannot restore / download a backup w/o the device being added to trusted list first.

And how are you going to do that when the only trusted device you had was your iPhone, which took a total dump and isn't even powering on? No way is Apple going to risk the crap pile of saying you have to have your iCloud recovery key or screw getting your information back. Why? Because for many folks that could be their only computer. Sending to email is crap because stupid users recycle passwords and the hacker could have access to the email also. Making folks call AppleCare to get the info is crap because how is Apple going to validate the person? Using security questions? With two-step there often are no security questions. And so on. Not to mention putting folks through that process will be an equal crap pile.

There is really no winning solution, especially when stupidity is a major factor in the game.

----------

Maybe there should be a configurable delay. Waiting a half-day for a restore is better than Apple sending all your dumb selfies to some foreign hacker immediately.

That will go over well.

"So sorry that you dropped your iPhone in the pool and now it doesn't turn on at all. So sorry that you use it for business and you really need your contacts and you never set up iCloud on your computer because you thought your PC couldn't be linked to your iCloud. So now you have no trusted device other than your dead iPhone so you can't trust your computer to sign into your account. There will be a 12 hour delay before you can restore your iCloud backup or access your account to retrieve your contacts etc"

"I'm going to lose thousands of dollars if I can't call my clients. I know my password, why can't I just download it now. "

"We value the security of your account so we have to take these measures to ensure that only you have access to your information. You can request an override code that will allow you to restore your backup after only a 2 hour delay. You'll receive a text message to your trusted device with your access code within the next 12 hours."

"A text message to my trusted device? So you mean my iPhone."

"Yes."

"My iPhone that isn't working."

"You can also request that an email be sent to the address you use for logging in, which will take you to a website that can ask you several validation questions to issue the code."

"Is there a way to do it without getting the email?"

"No, you must first receive the email."

"But I use an iCloud.com email so I can't log into the email until I have the code."

"I'm sorry sir, there is no other way. As I said, we here at Apple have taken these steps to ensure the security of your account."

"Frak this, I'm buying an Android."

----------

Now what will Samsung do for R&D if they can't peek on iCloud data from Apple employees?

Chances are that they couldn't anyway, since
1. Apple employees aren't likely that stupid.
2. No way would Apple allow that kind of information to be on any online system. The only passing of information would be via their apple.com emails, which can only be accessed on site or with previously trusted devices that are probably issued by the company and thus have all kinds of profiles, VPN, UDID registered in the system etc.
 
Security is not an afterthought at Apple. They already have two-step verification and overall good security. They just continue to push it further.

First off, try using 2-step authentication in countries outside of the few Apple supports it in (it just isn't possible).

Also, it may not be an afterthought... But the fact that you can reset your password without any true verification is not true security. Google, Yahoo, and most companies don't allow you to reset a password by just answering common questions. Most companies use a 2nd verification source (for Google it is your phone number via SMS or phone call, or an alternate email). So no matter how well Apple secures their data, it really isn't secure if almost anyone can have their password reset by answering a few questions and not needing access to the user's phone or email.

----------

And how are you going to do that when the only trusted device you had was your iPhone, which took a total dump and isn't even powering on? No way is Apple going to risk the crap pile of saying you have to have your iCloud recovery key or screw getting your information back.

Apple just announced that starting with iOS 8, iCloud backups for accounts with 2-step authentication enabled will require 2-step verification. So it is happening.
 
Apple still hasn't addressed or admitted to their initial screw up that led to all of this.

I'm sorry, but what Apple screw-up was that? There is zero evidence that anything Apple did or didn't do was the issue. Even this whole 'unlimited tries' thing hasn't been proven to be the issue. If anything that is just a free bumper to folks that don't understand that the real issue is that their cell service blows.

Apple's servers weren't hacked. Apple's reps didn't hand out the password to someone over the phone without verifying the caller's ID etc.

The real fault could have been recycled passwords, using security questions that could be found with a quick Google, not setting up two-step to stop password resets etc.
 
So when the so called hacker is already restoring all the data to a phone or a forensic program all we get is an e-mail telling us "hey all your dumb selfies are being downloaded by an unknown person"?
 
First off, try using 2-step authentication in countries outside of the few Apple supports it in (it just isn't possible).

Also, it may not be an afterthought... But the fact that you can reset your password without any true verification is not true security. Google, Yahoo, and most companies don't allow you to reset a password by just answering common questions. Most companies use a 2nd verification source (for Google it is your phone number via SMS or phone call, or an alternate email). So no matter how well Apple secures their data, it really isn't secure if almost anyone can have their password reset by answering a few questions and not needing access to the user's phone or email.

I guess I didn't realize that 2-step authentication was different outside the US.

I thought 2-step was for password reset too... Although I suppose I've never had to use it, so that was just an assumption.
 
So when the so called hacker is already restoring all the data to a phone or a forensic program all we get is an e-mail telling us "hey all your dumb selfies are being downloaded by an unknown person"?
Well, that wouldn't be the case with all the improvements that are being made, including 2FA applying to being able to get the backup (unless the user doesn't use it, in which case it's a user-end/end-user issue really).
 
Everybody can enable 2-factor authentication (oh wait, they can't in every country for Apple IDs), but that doesn't mean they will. The fact is, Apple's password recovery system requires no verification other than the questions that are set up by the user. That is poor design. There is no other way to say it and no one should find their system acceptable. You can guarantee Apple is going to fix their implementation.

Google's security if you don't enable 2-Step verification isn't any stronger than Apple's. They both offer you tools to increase security and both of them allow you to opt out of them. So I won't expect some radical changes about this. If you are smart about your security, nobody can hack your iCloud or Gmail account, even without the 2-Step verification.
 
There will be a 12 hour delay before you can restore your iCloud backup or access your account to retrieve your contacts etc"

"I'm going to lose thousands of dollars if I can't call my clients. I know my password, why can't I just download it now."

Because you claimed you had millions of dollars of confidential business info on your phone, and thus requested this delay (here's where you or your IT staff checked the box on such-and-such a date) to prevent your foreign competitors from stealing data by shoulder surfing your password. Isn't this your company policy? Now go away and come back tomorrow.
 
This wasn't all iCloud's fault; this was an Internet underground operation that went on for years, and most of the images weren't even taken from iCloud.
 
I'm sorry, but what Apple screw-up was that? There is zero evidence that anything Apple did or didn't do was the issue. Even this whole 'unlimited tries' thing hasn't been proven to be the issue. If anything that is just a free bumper to folks that don't understand that the real issue is that their cell service blows.

Apple's servers weren't hacked. Apple's reps didn't hand out the password to someone over the phone without verifying the caller's ID etc.

The real fault could have been recycled passwords, using security questions that could be found with a quick Google, not setting up two-step to stop password resets etc.

We know their servers weren't hacked directly but we also know that they made the guessing of passwords (good or bad) much easier by not placing a limit on guess attempts. That's the fault of Apple I'm talking about and they have already "admitted" to it by fixing it quickly.
 
We know their servers weren't hacked directly but we also know that they made the guessing of passwords (good or bad) much easier by not placing a limit on guess attempts. That's the fault of Apple I'm talking about and they have already "admitted" to it by fixing it quickly.
They have fixed the issue, but it doesn't appear that it was really involved with all of this.
 
They have fixed the issue, but it doesn't appear that it was really involved with all of this.

I'm not getting into a debate because none of us really know enough. But if we know that Apple wasn't hacked, then the user accounts must've been breached through simpler methods. That sounds like guessing passwords to me either manually or using a script. It's only possible to guess passwords when you have an unlimited amount of guesses or have enough time to wait for guess attempts to reset. Therefore, most of these photos (the ones from iCloud) could have only been stolen before Apple removed the ability to make unlimited guesses. Do we really know anymore than that at this point?
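The two mechanisms this thread keeps circling back to are an attempt limit on password guesses (the post above, and the earlier "no guess limit" point) and a reset page that told one poster his candidate password "had been used within the last year", which without a limit works as an oracle. The following is an added example, not code from the thread or from Apple, of how a defender builds the lockout side: per-account failed-attempt counting with a timed lockout, salted PBKDF2 hashing, constant-time comparison, and a response that never says more than "ok", "denied" or "locked". The attempt and lockout values and the account names are constructed for illustration.

```python
import hashlib
import hmac
import os
import time
from dataclasses import dataclass
from typing import Callable, Dict, Optional, Tuple

# Constructed policy values (illustrative, not Apple's or anyone's real settings).
MAX_ATTEMPTS = 5          # failed guesses allowed before the account locks
LOCKOUT_SECONDS = 900     # 15 minute lockout once the limit is reached
PBKDF2_ROUNDS = 100_000


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Salted PBKDF2-HMAC-SHA256; a fresh random salt is drawn when none is given."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)
    return salt, digest


@dataclass
class Account:
    username: str
    salt: bytes
    digest: bytes
    failed_attempts: int = 0
    locked_until: float = 0.0   # epoch seconds; 0 means not locked


class AuthService:
    """Verifies passwords with a per-account lockout. The clock is injectable
    so the lockout window can be tested without sleeping."""

    def __init__(self, clock: Callable[[], float] = time.time) -> None:
        self.clock = clock
        self.accounts: Dict[str, Account] = {}

    def register(self, username: str, password: str) -> None:
        salt, digest = hash_password(password)
        self.accounts[username] = Account(username, salt, digest)

    def verify(self, username: str, password: str) -> str:
        """Return 'ok', 'denied' or 'locked'. The caller learns nothing else:
        no 'unknown user', no 'close guess', and no password-history hints."""
        now = self.clock()
        acct = self.accounts.get(username)
        if acct is None:
            # Spend the same hashing cost for unknown users so the response
            # time does not reveal whether the account exists.
            hash_password(password, b"\x00" * 16)
            return "denied"
        if now < acct.locked_until:
            # While locked, even the correct password is refused; the guesser
            # gets no signal that the lock was triggered by a near miss.
            return "locked"
        _, candidate = hash_password(password, acct.salt)
        if hmac.compare_digest(candidate, acct.digest):
            acct.failed_attempts = 0
            return "ok"
        acct.failed_attempts += 1
        if acct.failed_attempts >= MAX_ATTEMPTS:
            acct.failed_attempts = 0
            acct.locked_until = now + LOCKOUT_SECONDS
            return "locked"
        return "denied"


if __name__ == "__main__":
    svc = AuthService()
    svc.register("alice", "correct horse battery staple")   # constructed sample account
    print(svc.verify("alice", "correct horse battery staple"))  # ok
    for _ in range(MAX_ATTEMPTS):
        print(svc.verify("alice", "wrong"))                    # denied x4, then locked
    print(svc.verify("alice", "correct horse battery staple"))  # locked until window expires
```

The same three-valued response should be returned by a password reset or "was this password used recently" check: once an endpoint answers anything beyond accept/deny/locked, it becomes a cheaper way to test candidates than the login page itself, which is exactly the concern raised earlier in the thread.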
 
Google's security if you don't enable 2-Step verification isn't any stronger than Apple's.

Except that it is. Without 2-step enabled on a Google account, password recovery will first use your mobile number for which you have to reply with a verification number (or voice call) or it will use an alternate email. Apple does not offer either of those so how is Google not stronger than Apple?
 