
Apple responds to Honan iCloud hacking incident
NewsPoster
MacNN Staff
Join Date: Jul 2012
Aug 7, 2012, 07:08 AM
 
Apple has issued an official response to reports about Wired writer Mat Honan having his iCloud account broken into via AppleCare. "Apple takes customer privacy seriously and requires multiple forms of verification before resetting an Apple ID password," the company tells Wired. "In this particular case, the customer's data was compromised by a person who had acquired personal information about the customer. In addition, we found that our own internal policies were not followed completely. We are reviewing all of our processes for resetting account passwords to ensure our customers' data is protected."

Wired adds, though, that on Monday it successfully tried the same scheme on a different iCloud account. "This means, ultimately, all you need in addition to someone's e-mail address are those two easily acquired pieces of information: a billing address and the last four digits of a credit card on file," the magazine explains. The person who cracked Honan's account did so by simply calling AppleCare and convincing a staffer to bypass security questions and ultimately reset Honan's iCloud login.

Honan notes that the hacker destroyed a tremendous amount of his digital existence, although he takes some of the blame. "First my Google account was taken over, then deleted. Next my Twitter account was compromised, and used as a platform to broadcast racist and homophobic messages. And worst of all, my AppleID account was broken into, and my hackers used it to remotely erase all of the data on my iPhone, iPad, and MacBook.

"In many ways, this was all my fault. My accounts were daisy-chained together. Getting into Amazon let my hackers get into my Apple ID account, which helped them get into Gmail, which gave them access to Twitter. Had I used two-factor authentication for my Google account, it's possible that none of this would have happened, because their ultimate goal was always to take over my Twitter account and wreak havoc."

He also notes that because he hadn't been regularly backing up his MacBook, he lost a year of photos -- including all the photos of his daughter -- as well as documents and emails that weren't saved anywhere else. Honan points out that Amazon is also partly at fault, since it was that site that let the hacker see a partial credit card number of Honan's that was then used to trick Apple. Other people have stepped forward as well, claiming to have been victimized in a similar way.
     
hayesk
Guest
Aug 7, 2012, 07:25 AM
 
Honan says it's partially his fault, but really, no, it isn't.

You can get the last four digits from someone's credit card anywhere. As pointed out, Amazon, or a store, restaurant. Just think, anyone who works in IT for an online store can mine the orders for name, billing address, last four digits of credit card, and an email that ends in mac, me, or icloud.com. They can then call Apple and have the password reset.

Apple should have stuck to their guns and required answers to the security questions, but it's clear that at least some of their employees do not. Let's hope this point is hammered into their staff's heads over the next few days.
     
Grendelmon
Senior User
Join Date: Dec 2007
Location: Too F'ing Cold, USA
Aug 7, 2012, 08:28 AM
 
Originally Posted by hayesk View Post
Honan says it's partially his fault, but really, no, it isn't.
You can get the last four digits from someone's credit card anywhere. As pointed out, Amazon, or a store, restaurant. Just think, anyone who works in IT for an online store can mine the orders for name, billing address, last four digits of credit card, and an email that ends in mac, me, or icloud.com. They can then call Apple and have the password reset.
Apple should have stuck to their guns and required answers to the security questions, but it's clear that at least some of their employees do not. Let's hope this point is hammered into their staff's heads over the next few days.
More than anything, Apple needs to CEASE using the last four digits of your credit card as a form of verification. Ridiculous, honestly.
     
testudo
Forum Regular
Join Date: Aug 2001
Aug 7, 2012, 11:07 AM
 
This also shows the stupidity of the normal 'safety' questions, most of which are pre-selected and of stupid nature that can be figured out via facebook or the like. "Best friend in school". "Street you lived on" "First pet's name" or "First car". Heck, most of those allow anyone you know to hack you. Just let me come up with my own, like "What did you have for dinner on the night of April 30th, 1986?" Easy for me, hard for others!
     
ebeyer
Fresh-Faced Recruit
Join Date: Jun 2004
Aug 7, 2012, 11:25 AM
 
I have a technical question for this group.

Find my iPhone is used to nuke a laptop remotely. Is this data erased securely, with lots of 1s and 0s written over the hard drive? Is it possible that some of this precious data might still be recovered?

If so, yay for this guy, but I question if a remote wipe ought not then be made more secure so that it can't be recovered by thieves, spies or other bad actors.
EB
     
anonspec
Fresh-Faced Recruit
Join Date: Mar 2011
Aug 7, 2012, 11:37 AM
 
Testudo nails it. The security questions need to be improved. Account credentials are the number one sticking point at Personal Setup.

Answers to these questions need to be highly personalized, immediately recallable fact-based things, but for questions that the customer can decide. Favorite color or favorite food will change over time and the typical customer we assist in Setup will never remember what they wrote... not to mention letter case originally used.

There are a number of good solutions, like Google's 2-step verification (which I wish Apple would implement - they certainly have the devices and infrastructure in place), but it's going to take a lot of personal education of consumers. We have to drill Backup into their heads, along with the myriad of accounts and credentials to remember. It's easy for the typical audience here, but not so easy for our many technophobic customers.

I just take it one customer at a time and do what I can in the available time.
     
testudo
Forum Regular
Join Date: Aug 2001
Aug 7, 2012, 11:46 AM
 
Originally Posted by ebeyer View Post
I have a technical question for this group.
Find my iPhone is used to nuke a laptop remotely. Is this data erased securely, with lots of 1s and 0s written over the hard drive? Is it possible that some of this precious data might still be recovered?
If so, yay for this guy, but I question if a remote wipe ought not then be made more secure so that it can't be recovered by thieves, spies or other bad actors.
EB
Well, if you used File Vault 2, you're screwed. Don't know about the other, but if someone wants your computer to steal data, they're going to be smart enough to know to pull the drive or boot into firewire disk mode.

Maybe that's why Apple wants to make it harder for people to change out the hard drive. It's all about security!!!
     
blahblahbber
Banned
Join Date: Feb 2005
Aug 7, 2012, 11:59 AM
 
looks like everyone is right on this thread.... Apple screwed up BIG TIME.... Imagine, losing all your data on all devices, all over redundant info they call "privacy"... Stupid, stale, old, smelly fruit company.
     
Spheric Harlot
Clinically Insane
Join Date: Nov 1999
Location: 888500128, C3, 2nd soft.
Aug 7, 2012, 12:00 PM
 
Originally Posted by testudo View Post
This also shows the stupidity of the normal 'safety' questions, most of which are pre-selected and of stupid nature that can be figured out via facebook or the like. "Best friend in school". "Street you lived on" "First pet's name" or "First car". Heck, most of those allow anyone you know to hack you. Just let me come up with my own, like "What did you have for dinner on the night of April 30th, 1986?" Easy for me, hard for others!
This shows NOTHING about security questions.

As per the MacNN summary above:

The security questions were actually bypassed in this case. They weren't even asked.
     
blahblahbber
Banned
Join Date: Feb 2005
Aug 7, 2012, 12:26 PM
 
Originally Posted by Spheric Harlot View Post
This shows NOTHING about security questions.
As per the MacNN summary above:
The security questions were actually bypassed in this case. They weren't even asked.
Testudo nor anyone needs to know that the security questions were bypassed. Most already know they can easily be bypassed because if you know how the Apple privacy questions go, they are simple, common, and researchable. To have a cloud system that syncs to all your devices, the security protocols need to be changed effectively.

Harlot, lots of companies think they can get away with common security, but they don't change until duki hits the fan.... or they implement a half-butt solution until they really figure it out, which is totally unacceptable when it comes to security and data at stake. Accept it or not. Excuse my PG rating response
     
Spheric Harlot
Clinically Insane
Join Date: Nov 1999
Location: 888500128, C3, 2nd soft.
Aug 7, 2012, 12:49 PM
 
Originally Posted by blahblahbber View Post
Testudo nor anyone needs to know that the security questions were bypassed. Most already know they can easily be bypassed because if you know how the Apple privacy questions go, they are simple, common, and researchable.
I know how the Apple privacy questions go. You, apparently, do not.

The Apple privacy question, when you set up a new Apple ID, is an empty text box prompting you to enter a specific question, followed by its answer in the next text box.

There is no pre-fabricated selection to be made. It is completely up to you.

My apologies for once again having to show you up as a person who has absolutely no idea of which you speak.


Aside:
Since you and testudo appear to share your ignorance, and testudo has already pretty much admitted that you're just a sock-puppet, isn't it time you gave up the charade? You're pretty much on your own here, and it's little use pretending that two clueless trolls might be more convincing than one....
     
anonspec
Fresh-Faced Recruit
Join Date: Mar 2011
Aug 7, 2012, 03:16 PM
 
Originally Posted by Spheric Harlot View Post
I know how the Apple privacy questions go. You, apparently, do not.
The Apple privacy question, when you set up a new Apple ID, is an empty text box prompting you to enter a specific question, followed by its answer in the next text box.
There is no pre-fabricated selection to be made. It is completely up to you.
It depends how and where the Apple ID is set up, and how recently any existing security questions were created (if any). Some avenues allow (or allowed) a single security question (either prefab or custom), but lately they are asking three questions among unique groups of rather unsuitable options, with no ability to create your own. That is mostly when this is done directly on iOS.

Apple needs to standardize the process, because it can be very different depending on the origin.

Source: I am a Red Zone Specialist.
     
blahblahbber
Banned
Join Date: Feb 2005
Aug 7, 2012, 04:39 PM
 
Originally Posted by Spheric Harlot View Post
I know how the Apple privacy questions go. You, apparently, do not.
The Apple privacy question, when you set up a new Apple ID, is an empty text box prompting you to enter a specific question, followed by its answer in the next text box.
There is no pre-fabricated selection to be made. It is completely up to you.
My apologies for once again having to show you up as a person who has absolutely no idea of which you speak.
Aside:
Since you and testudo appear to share your ignorance, and testudo has already pretty much admitted that you're just a sock-puppet, isn't it time you gave up the charade? You're pretty much on your own here, and it's little use pretending that two clueless trolls might be more convincing than one....
How does it feel to sit on the shocker? Knew u'd like that... Again, know what you are talking about before you claim your stake. Ur silly; you keep showing your limitations the more you type.
     
Spheric Harlot
Clinically Insane
Join Date: Nov 1999
Location: 888500128, C3, 2nd soft.
Aug 7, 2012, 04:57 PM
 
Originally Posted by anonspec View Post
Originally Posted by Spheric Harlot View Post
I know how the Apple privacy questions go. You, apparently, do not.
The Apple privacy question, when you set up a new Apple ID, is an empty text box prompting you to enter a specific question, followed by its answer in the next text box.
There is no pre-fabricated selection to be made. It is completely up to you.
It depends how and where the Apple ID is set up, and how recently any existing security questions were created (if any). Some avenues allow (or allowed) a single security question (either prefab or custom), but lately they are asking three questions among unique groups of rather unsuitable options, with no ability to create your own. That is mostly when this is done directly on iOS.

Apple needs to standardize the process, because it can be very different depending on the origin.

Source: I am a Red Zone Specialist.
Creating a new Apple ID in iTunes on a Mac gives a blank text field for a custom security question.

Creating a new Apple ID on an iPad gives a blank text field for a custom security question.

Creating a new Apple ID on an iPhone gives a blank text field for a custom security question.

Apple USED TO give a selection of security questions.


Source: empirical testing.
     
testudo
Forum Regular
Join Date: Aug 2001
Aug 8, 2012, 10:52 AM
 
Originally Posted by Spheric Harlot View Post
This shows NOTHING about security questions.
As per the MacNN summary above:
The security questions were actually bypassed in this case. They weren't even asked.
I never said they were bypassed. I said it also showed the stupidity of most security questions, because they're so stupid a little knowledge or investigation into someone can garner answers, esp. using "social media". As the above article even states, "the customer's data was compromised by a person who had acquired personal information about the customer." In this case it was part of a card number. In other cases, it's just knowing the person (for example, this is how Sarah Palin's email was hacked, the questions were stupid).

I also never said Apple was at fault because of the security questions. In fact, never mentioned Apple at all.

But why let little things like a grander discussion ruin your pre-conceived notions, right.

Although in this whole series, Apple's security was the biggest issue. And that was mostly because the bone-head didn't insist on the answer to the security question.
     
Spheric Harlot
Clinically Insane
Join Date: Nov 1999
Location: 888500128, C3, 2nd soft.
Aug 8, 2012, 01:42 PM
 
Originally Posted by testudo View Post
Originally Posted by Spheric Harlot View Post
This shows NOTHING about security questions.
As per the MacNN summary above:
The security questions were actually bypassed in this case. They weren't even asked.
I never said they were bypassed. I said it also showed the stupidity of most security questions, because they're so stupid a little knowledge or investigation into someone can garner answers, esp. using "social media".
It doesn’t show the stupidity of most security questions, because security questions weren’t involved here.
     
   
Thread Tools
 
Forum Links
Forum Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts
BB code is On
Smilies are On
[IMG] code is On
HTML code is Off
Top
Privacy Policy
All times are GMT -4. The time now is 09:12 AM.
All contents of these forums © 1995-2017 MacNN. All rights reserved.
Branding + Design: www.gesamtbild.com
vBulletin v.3.8.8 © 2000-2017, Jelsoft Enterprises Ltd.,