Simple hack bypasses iOS passcode entry limit, opens door to brute force hacks [u]

13»

Comments

  • Reply 41 of 50
    SpamSandwichSpamSandwich Posts: 30,834member
    gatorguy said:
    Question for everyone here.

    Has any AI member ever had anyone other than a  nosy boyfriend-girlfriend/spouse/ child try to break into their iPhone? Ever?

    It seems like such an unlikely scenario where anyone is going to try to break into your phone that all this hand-wringing I see here coupled with inconvincing yourself with all these long creative passcodes doesn't seem worth it. A simple 6 digit passcode is all that almost anyone needs IMHO. 
    Being someone who was directly affected by the Equifax hack and experienced the shock of discovering some m—f—er was attempting to get a loan in my name, the issue of devastating data breaches and a nearly unlimited supply of bad actors out there made me acutely aware of the importance of good security. I upped the complexity of my password, instituted 2-factor authentication on everything and took other strong measures to protect my most critical information. The worst time to suddenly become concerned is AFTER a problem has reared it’s ugly head.
    edited June 2018
  • Reply 42 of 50
    SoliSoli Posts: 8,678member
    gatorguy said:
    Question for everyone here.

    Has any AI member ever had anyone other than a  nosy boyfriend-girlfriend/spouse/ child try to break into their iPhone? Ever?

    It seems like such an unlikely scenario where anyone is going to try to break into your phone that all this hand-wringing I see here coupled with inconvincing yourself with all these long creative passcodes doesn't seem worth it. A simple 6 digit passcode is all that almost anyone needs IMHO. 
    Being someone who was directly affected by the Equifax hack and experienced the shock of discovering some m—f—er was attempting to get a loan in my name, the issue of critical data breaches and a nearly unlimited supply of bad actors out there made me acutely aware of the importance of good security. I upped the complexity of my password and took strong measures to protect my information afterward. The worst time to suddenly become concerned is AFTER a problem has reared it’s ugly head.
    Did you lock your credit on all 4 major bureaus, too?
  • Reply 43 of 50
    GeorgeBMacGeorgeBMac Posts: 4,125member
    Soli said:
    Soli said:
    gatorguy said:
    Question for everyone here.

    Has any AI member ever had anyone other than a  nosy boyfriend-girlfriend/spouse/ child try to break into their iPhone? Ever?

    It seems like such an unlikely scenario where anyone is going to try to break into your phone that all this hand-wringing I see here and in convincing yourselfal or your better half with all these long creative passcodes doesn't seem worth it. A simple four digit passcode or 6 digit passcode is all that you need IMHO. 
    I've never had my house broken into before but I do lock up when I leave the house. Nor do I advertise on social media when I'm leaving, and then only post pictures of my trip after I've gotten back. Additionally, I've never my identity stolen, but I also take the time to make stealing my identity too much trouble for attackers looking for an easy win.

    Would I have been safe had I never locked my doors, publicly posted when I'd be out of my house, and never locked down my credit or periodically monitored access to my accoun? Maybe, but I'm not going to take that risk.
    While I agree with the general point of your post, to be confident that your "identity" (meaning your personal identifying information) has never been stolen (because you protect it) is likely misguided and incorrect.

    That is:  while I don't doubt that you protect it well, much of it is simply not under your control.
    That's true, which is why I mentioned being "too much trouble for attackers looking for an easy win."

    I've used the analogy (possibly in this thread) that the best any of us can hope for is to not be the slowest and weakest of the herd. I also mentioned that if you're a celebrity (i.e.: someone that could be targeted directly) then your chances of being hacked or having your identity stolen increase considerably even if you have additional security measures. I even used the example that I shred all documents why any personal data before throwing them away, but if I was a celebrity I'd be burning them because my confetti shredder should still technically be used to put those papers back together again.

    But just because you can't guarantee absolute protection doesn't mean you shouldn't protect yourself. I implore all people to use a password manager, with unique and complex passcodes. After that's set up, I then implore people to start changing email linked to a website to include an alias (if the option is allowed) to make it harder for someone to guess, then change usernames (where allowed) to a unique or random string of characters, and finally recovery answers to something random (not actual answers that can looked up).
    You missed my point completely:
    While your protection of your personal information is worthwhile and well advised, your personal information is not under your control.   It exists on countless databases and servers over which you have zero control.  Often you don't even know they exist -- but the hackers do... 

    These days, for the most part, hackers don't hack individuals directly.   Instead they hack the big databases (like Equifax of Target)  and scoop up names, addresses, birthdates, SSN's, passwords, security questions, financial information of millions of people at once.  Then they sell it to the highest bidder.   It's a very cost efficient business.   It costs the hackers very little and it costs the hacked very little.   The only ones who suffer are the individuals whose personal info is floating around out in the dark web -- and they typically don't even know it until it gets used....
  • Reply 44 of 50
    SoliSoli Posts: 8,678member
    Soli said:
    Soli said:
    gatorguy said:
    Question for everyone here.

    Has any AI member ever had anyone other than a  nosy boyfriend-girlfriend/spouse/ child try to break into their iPhone? Ever?

    It seems like such an unlikely scenario where anyone is going to try to break into your phone that all this hand-wringing I see here and in convincing yourselfal or your better half with all these long creative passcodes doesn't seem worth it. A simple four digit passcode or 6 digit passcode is all that you need IMHO. 
    I've never had my house broken into before but I do lock up when I leave the house. Nor do I advertise on social media when I'm leaving, and then only post pictures of my trip after I've gotten back. Additionally, I've never my identity stolen, but I also take the time to make stealing my identity too much trouble for attackers looking for an easy win.

    Would I have been safe had I never locked my doors, publicly posted when I'd be out of my house, and never locked down my credit or periodically monitored access to my accoun? Maybe, but I'm not going to take that risk.
    While I agree with the general point of your post, to be confident that your "identity" (meaning your personal identifying information) has never been stolen (because you protect it) is likely misguided and incorrect.

    That is:  while I don't doubt that you protect it well, much of it is simply not under your control.
    That's true, which is why I mentioned being "too much trouble for attackers looking for an easy win."

    I've used the analogy (possibly in this thread) that the best any of us can hope for is to not be the slowest and weakest of the herd. I also mentioned that if you're a celebrity (i.e.: someone that could be targeted directly) then your chances of being hacked or having your identity stolen increase considerably even if you have additional security measures. I even used the example that I shred all documents why any personal data before throwing them away, but if I was a celebrity I'd be burning them because my confetti shredder should still technically be used to put those papers back together again.

    But just because you can't guarantee absolute protection doesn't mean you shouldn't protect yourself. I implore all people to use a password manager, with unique and complex passcodes. After that's set up, I then implore people to start changing email linked to a website to include an alias (if the option is allowed) to make it harder for someone to guess, then change usernames (where allowed) to a unique or random string of characters, and finally recovery answers to something random (not actual answers that can looked up).
    You missed my point completely:
    While your protection of your personal information is worthwhile and well advised, your personal information is not under your control.   It exists on countless databases and servers over which you have zero control.  Often you don't even know they exist -- but the hackers do... 

    These days, for the most part, hackers don't hack individuals directly.   Instead they hack the big databases (like Equifax of Target)  and scoop up names, addresses, birthdates, SSN's, passwords, security questions, financial information of millions of people at once.  Then they sell it to the highest bidder.   It's a very cost efficient business.   It costs the hackers very little and it costs the hacked very little.   The only ones who suffer are the individuals whose personal info is floating around out in the dark web -- and they typically don't even know it until it gets used....
    Then I'm still not getting your point. Are you saying that you should do nothing to protect yourself because of this notion that all your data is out there somewhere already?

    Frankly I'm absolutely lost on your comments about a "6-digit PIN."
    edited June 2018
  • Reply 45 of 50
    GeorgeBMacGeorgeBMac Posts: 4,125member
    gatorguy said:
    Question for everyone here.

    Has any AI member ever had anyone other than a  nosy boyfriend-girlfriend/spouse/ child try to break into their iPhone? Ever?

    It seems like such an unlikely scenario where anyone is going to try to break into your phone that all this hand-wringing I see here coupled with inconvincing yourself with all these long creative passcodes doesn't seem worth it. A simple 6 digit passcode is all that almost anyone needs IMHO. 
    Being someone who was directly affected by the Equifax hack and experienced the shock of discovering some m—f—er was attempting to get a loan in my name, the issue of devastating data breaches and a nearly unlimited supply of bad actors out there made me acutely aware of the importance of good security. I upped the complexity of my password, instituted 2-factor authentication on everything and took other strong measures to protect my most critical information. The worst time to suddenly become concerned is AFTER a problem has reared it’s ugly head.
    While I agree with you, I hope that you also realize that there is no precaution that you can take that will prevent another Equifax type hack of your personal information.

    In fact, let me ask:   How much more could they get from your phone than they have already gotten from Equifax and sold out on the dark web?
    edited June 2018
  • Reply 46 of 50
    SoliSoli Posts: 8,678member
    gatorguy said:
    Question for everyone here.

    Has any AI member ever had anyone other than a  nosy boyfriend-girlfriend/spouse/ child try to break into their iPhone? Ever?

    It seems like such an unlikely scenario where anyone is going to try to break into your phone that all this hand-wringing I see here coupled with inconvincing yourself with all these long creative passcodes doesn't seem worth it. A simple 6 digit passcode is all that almost anyone needs IMHO. 
    Being someone who was directly affected by the Equifax hack and experienced the shock of discovering some m—f—er was attempting to get a loan in my name, the issue of devastating data breaches and a nearly unlimited supply of bad actors out there made me acutely aware of the importance of good security. I upped the complexity of my password, instituted 2-factor authentication on everything and took other strong measures to protect my most critical information. The worst time to suddenly become concerned is AFTER a problem has reared it’s ugly head.
    While I agree with you, I hope that you also realize that there is no precaution that you can take that will prevent another Equifax type hack of your personal information.
    And yet there are proactive measures you can take to protect yourself if and when "another Equifax type hack" presents itself.

    In fact, let me ask:   How much more could they get from your phone than they have already gotten from Equifax and sold out on the dark web?
    Is that a serious question? Do you think that Equifax had my logins for all my stocks and security holdings? Do you think that Equifax has a copy of my bitcoin paper wallets? Those thieves have my TaxID, some addresses, various account types, and limits (which they could use to paint a very good picture of me being a good target for identity theft compared to the majority of people in the US), but that's where it stops because anything after that becomes a pain for them compared to the majority of people in the US.

    If you're not freezing your credit across the 4 major bureaus (especially after the Equifax breach), if you're not getting a free credit report from each major bureau (ideally spaced out every 3 months—this is easy to put into a repeating Calendar event), if you're not actively watching all the transactions that occur from your accounts (which is very easy today with digital notifications), and if you haven't created an account with strong, unique password for at least ssa.gov then you haven't been paying attention.

    I wouldn't say that you deserve to get your identity stolen—no one does!—but you sure don't warrant much sympathy with your comments that show your lack of diligence in self-preservation.


    Steve and Mark are camping when a bear suddenly comes out and growls.  Steve starts putting on his tennis shoes.
    Mark says, “What are you doing? You can’t outrun a bear!”
    Steve says, “I don’t have to outrun the bear—I just have to outrun you!”
    edited June 2018
  • Reply 47 of 50
    GeorgeBMacGeorgeBMac Posts: 4,125member
    Soli said:
    Soli said:
    Soli said:
    gatorguy said:
    Question for everyone here.

    Has any AI member ever had anyone other than a  nosy boyfriend-girlfriend/spouse/ child try to break into their iPhone? Ever?

    It seems like such an unlikely scenario where anyone is going to try to break into your phone that all this hand-wringing I see here and in convincing yourselfal or your better half with all these long creative passcodes doesn't seem worth it. A simple four digit passcode or 6 digit passcode is all that you need IMHO. 
    I've never had my house broken into before but I do lock up when I leave the house. Nor do I advertise on social media when I'm leaving, and then only post pictures of my trip after I've gotten back. Additionally, I've never my identity stolen, but I also take the time to make stealing my identity too much trouble for attackers looking for an easy win.

    Would I have been safe had I never locked my doors, publicly posted when I'd be out of my house, and never locked down my credit or periodically monitored access to my accoun? Maybe, but I'm not going to take that risk.
    While I agree with the general point of your post, to be confident that your "identity" (meaning your personal identifying information) has never been stolen (because you protect it) is likely misguided and incorrect.

    That is:  while I don't doubt that you protect it well, much of it is simply not under your control.
    That's true, which is why I mentioned being "too much trouble for attackers looking for an easy win."

    I've used the analogy (possibly in this thread) that the best any of us can hope for is to not be the slowest and weakest of the herd. I also mentioned that if you're a celebrity (i.e.: someone that could be targeted directly) then your chances of being hacked or having your identity stolen increase considerably even if you have additional security measures. I even used the example that I shred all documents why any personal data before throwing them away, but if I was a celebrity I'd be burning them because my confetti shredder should still technically be used to put those papers back together again.

    But just because you can't guarantee absolute protection doesn't mean you shouldn't protect yourself. I implore all people to use a password manager, with unique and complex passcodes. After that's set up, I then implore people to start changing email linked to a website to include an alias (if the option is allowed) to make it harder for someone to guess, then change usernames (where allowed) to a unique or random string of characters, and finally recovery answers to something random (not actual answers that can looked up).
    You missed my point completely:
    While your protection of your personal information is worthwhile and well advised, your personal information is not under your control.   It exists on countless databases and servers over which you have zero control.  Often you don't even know they exist -- but the hackers do... 

    These days, for the most part, hackers don't hack individuals directly.   Instead they hack the big databases (like Equifax of Target)  and scoop up names, addresses, birthdates, SSN's, passwords, security questions, financial information of millions of people at once.  Then they sell it to the highest bidder.   It's a very cost efficient business.   It costs the hackers very little and it costs the hacked very little.   The only ones who suffer are the individuals whose personal info is floating around out in the dark web -- and they typically don't even know it until it gets used....
    Then I'm still not getting your point. Are you saying that you should do nothing to protect yourself because of this notion that all your data is out there somewhere already?

    Frankly I'm absolutely lost on your comments about a "6-digit PIN."
    LOL...    Since I never mentioned a 6-digit PIN it's no wonder you're lost.

    As for getting my point:   You probably need to reread my post(s):
    Am I saying you should do nothing to protect yourself because of the "notion" that your data out there already?  
    First, I congratulated you on taking excellent security precautions and said they were worthwhile.  Those weren't empty words -- I meant them.   However, I also cautioned you to not think that they are sufficient because, the "notion" that your private, personal data is "out there somewhere" is not just a notion.   For many tens of millions (probably hundreds of millions) it IS already "out there" -- stolen from large databases that you have no knowledge or control over.

    My personal data has been stolen 3 times that I know of from:
    -- Kiplinger
    -- Target
    -- Equifax
    In none of those cases was there anything I could have done to prevent it.  (ALthough I did stop dealing with the first two of those...)

    My basic message was that of Lord Aragorn to Frodo:   "You SHOULD be scared because I know what hunts you"
  • Reply 48 of 50
    SoliSoli Posts: 8,678member
    Soli said:
    Soli said:
    Soli said:
    gatorguy said:
    Question for everyone here.

    Has any AI member ever had anyone other than a  nosy boyfriend-girlfriend/spouse/ child try to break into their iPhone? Ever?

    It seems like such an unlikely scenario where anyone is going to try to break into your phone that all this hand-wringing I see here and in convincing yourselfal or your better half with all these long creative passcodes doesn't seem worth it. A simple four digit passcode or 6 digit passcode is all that you need IMHO. 
    I've never had my house broken into before but I do lock up when I leave the house. Nor do I advertise on social media when I'm leaving, and then only post pictures of my trip after I've gotten back. Additionally, I've never my identity stolen, but I also take the time to make stealing my identity too much trouble for attackers looking for an easy win.

    Would I have been safe had I never locked my doors, publicly posted when I'd be out of my house, and never locked down my credit or periodically monitored access to my accoun? Maybe, but I'm not going to take that risk.
    While I agree with the general point of your post, to be confident that your "identity" (meaning your personal identifying information) has never been stolen (because you protect it) is likely misguided and incorrect.

    That is:  while I don't doubt that you protect it well, much of it is simply not under your control.
    That's true, which is why I mentioned being "too much trouble for attackers looking for an easy win."

    I've used the analogy (possibly in this thread) that the best any of us can hope for is to not be the slowest and weakest of the herd. I also mentioned that if you're a celebrity (i.e.: someone that could be targeted directly) then your chances of being hacked or having your identity stolen increase considerably even if you have additional security measures. I even used the example that I shred all documents why any personal data before throwing them away, but if I was a celebrity I'd be burning them because my confetti shredder should still technically be used to put those papers back together again.

    But just because you can't guarantee absolute protection doesn't mean you shouldn't protect yourself. I implore all people to use a password manager, with unique and complex passcodes. After that's set up, I then implore people to start changing email linked to a website to include an alias (if the option is allowed) to make it harder for someone to guess, then change usernames (where allowed) to a unique or random string of characters, and finally recovery answers to something random (not actual answers that can looked up).
    You missed my point completely:
    While your protection of your personal information is worthwhile and well advised, your personal information is not under your control.   It exists on countless databases and servers over which you have zero control.  Often you don't even know they exist -- but the hackers do... 

    These days, for the most part, hackers don't hack individuals directly.   Instead they hack the big databases (like Equifax of Target)  and scoop up names, addresses, birthdates, SSN's, passwords, security questions, financial information of millions of people at once.  Then they sell it to the highest bidder.   It's a very cost efficient business.   It costs the hackers very little and it costs the hacked very little.   The only ones who suffer are the individuals whose personal info is floating around out in the dark web -- and they typically don't even know it until it gets used....
    Then I'm still not getting your point. Are you saying that you should do nothing to protect yourself because of this notion that all your data is out there somewhere already?

    Frankly I'm absolutely lost on your comments about a "6-digit PIN."
    LOL...    Since I never mentioned a 6-digit PIN it's no wonder you're lost.
    Doh! Mea culpa. That one's on me.

    As for getting my point:   You probably need to reread my post(s):
    Am I saying you should do nothing to protect yourself because of the "notion" that your data out there already?   
    First, I congratulated you on taking excellent security precautions and said they were worthwhile.  Those weren't empty words -- I meant them.   However, I also cautioned you to not think that they are sufficient because, the "notion" that your private, personal data is "out there somewhere" is not just a notion.   For many tens of millions (probably hundreds of millions) it IS already "out there" -- stolen from large databases that you have no knowledge or control over.

    My personal data has been stolen 3 times that I know of from:
    -- Kiplinger 
    -- Target
    -- Equifax
    In none of those cases was there anything I could have done to prevent it.  (ALthough I did stop dealing with the first two of those...)

    My basic message was that of Lord Aragorn to Frodo:   "You SHOULD be scared because I know what hunts you"
    I've stated on this forum many times that one should always assume that your data is compromised and compromisable, hence the precautions I take to hopefully be too much trouble. When the Equifax story first broke people checked to see if they were part of the group whose data was stolen and were glad to see there's was not, but I said that they should just assume that it was because Equifax could both be lying and unaware by how much they've been compromised.

    I've always stated that a highly targeted attack is almost assured destruction. Kind of like there's safety in numbers, but if you're being targeted your odds decrease dramatically regardless of the environment. Even the safest activity in the world can become deadly if there's, say, an assassin that is setting you up to be killed by that activity. Ooh! That gives me an idea for a plot line.
    edited June 2018
  • Reply 49 of 50
    GeorgeBMacGeorgeBMac Posts: 4,125member
    Soli said:
    Soli said:
    Soli said:
    Soli said:
    gatorguy said:
    Question for everyone here.

    Has any AI member ever had anyone other than a  nosy boyfriend-girlfriend/spouse/ child try to break into their iPhone? Ever?

    It seems like such an unlikely scenario where anyone is going to try to break into your phone that all this hand-wringing I see here and in convincing yourselfal or your better half with all these long creative passcodes doesn't seem worth it. A simple four digit passcode or 6 digit passcode is all that you need IMHO. 
    I've never had my house broken into before but I do lock up when I leave the house. Nor do I advertise on social media when I'm leaving, and then only post pictures of my trip after I've gotten back. Additionally, I've never my identity stolen, but I also take the time to make stealing my identity too much trouble for attackers looking for an easy win.

    Would I have been safe had I never locked my doors, publicly posted when I'd be out of my house, and never locked down my credit or periodically monitored access to my accoun? Maybe, but I'm not going to take that risk.
    While I agree with the general point of your post, to be confident that your "identity" (meaning your personal identifying information) has never been stolen (because you protect it) is likely misguided and incorrect.

    That is:  while I don't doubt that you protect it well, much of it is simply not under your control.
    That's true, which is why I mentioned being "too much trouble for attackers looking for an easy win."

    I've used the analogy (possibly in this thread) that the best any of us can hope for is to not be the slowest and weakest of the herd. I also mentioned that if you're a celebrity (i.e.: someone that could be targeted directly) then your chances of being hacked or having your identity stolen increase considerably even if you have additional security measures. I even used the example that I shred all documents why any personal data before throwing them away, but if I was a celebrity I'd be burning them because my confetti shredder should still technically be used to put those papers back together again.

    But just because you can't guarantee absolute protection doesn't mean you shouldn't protect yourself. I implore all people to use a password manager, with unique and complex passcodes. After that's set up, I then implore people to start changing email linked to a website to include an alias (if the option is allowed) to make it harder for someone to guess, then change usernames (where allowed) to a unique or random string of characters, and finally recovery answers to something random (not actual answers that can looked up).
    You missed my point completely:
    While your protection of your personal information is worthwhile and well advised, your personal information is not under your control.   It exists on countless databases and servers over which you have zero control.  Often you don't even know they exist -- but the hackers do... 

    These days, for the most part, hackers don't hack individuals directly.   Instead they hack the big databases (like Equifax of Target)  and scoop up names, addresses, birthdates, SSN's, passwords, security questions, financial information of millions of people at once.  Then they sell it to the highest bidder.   It's a very cost efficient business.   It costs the hackers very little and it costs the hacked very little.   The only ones who suffer are the individuals whose personal info is floating around out in the dark web -- and they typically don't even know it until it gets used....
    Then I'm still not getting your point. Are you saying that you should do nothing to protect yourself because of this notion that all your data is out there somewhere already?

    Frankly I'm absolutely lost on your comments about a "6-digit PIN."
    LOL...    Since I never mentioned a 6-digit PIN it's no wonder you're lost.
    Doh! Mea culpa. That one's on me.

    As for getting my point:   You probably need to reread my post(s):
    Am I saying you should do nothing to protect yourself because of the "notion" that your data out there already?   
    First, I congratulated you on taking excellent security precautions and said they were worthwhile.  Those weren't empty words -- I meant them.   However, I also cautioned you to not think that they are sufficient because, the "notion" that your private, personal data is "out there somewhere" is not just a notion.   For many tens of millions (probably hundreds of millions) it IS already "out there" -- stolen from large databases that you have no knowledge or control over.

    My personal data has been stolen 3 times that I know of from:
    -- Kiplinger 
    -- Target
    -- Equifax
    In none of those cases was there anything I could have done to prevent it.  (ALthough I did stop dealing with the first two of those...)

    My basic message was that of Lord Aragorn to Frodo:   "You SHOULD be scared because I know what hunts you"
    I've stated on this forum many times that one should always assume that your data is compromised and compromisable, hence the precautions I take to hopefully be too much trouble. When the Equifax story first broke people checked to see if they were part of the group whose data was stolen and were glad to see there's was not, but I said that they should just assume that it was because Equifax could both be lying and unaware by how much they've been compromised.

    I've always stated that a highly targeted attack is almost assured destruction. Kind of like there's safety in numbers, but if you're being targeted your odds decrease dramatically regardless of the environment. Even the safest activity in the world can become deadly if there's, say, an assassin that is setting you up to be killed by that activity. Ooh! That gives me an idea for a plot line.
    There's [a False sense of] Safety in Numbers...
    We tend to believe that we live in an orderly society where we are relatively safe from crime and that criminals are identified, hunted down and removed from doing any further harm.

    But, in the Equifax type mass hacks, nothing could be further from the truth:  The Equifaxes and Targets of the word collect our personal information without our knowledge or consent for their own fun and profit -- but then suffer almost no consequences if it is stolen.   As a result, they devote material resources to collecting it but minimal resources to protecting it.

    It's almost like a bank who takes our deposits but then leaves their doors and their vault open at night for anybody to walk in and take.

    While I totally agree with you that we have to do what we can to minimize the danger, our government and legal systems need to step in and punish those who put our personal data at risk for being stolen.  They could start with hefty fines on those irresponsible corporations who let that happen - but jail time for a few executives would work better.
Sign In or Register to comment.