Apple tech support 'socially engineered' in hack of journalist's iCloud account


Comments

  • Reply 101 of 121
    So, here we are and Monday is half over. Where's the Wired update that was promised? Surely this should be their highest priority.
  • Reply 102 of 121
    mj web Posts: 918 member

    Apple Care mixed up my ID too this weekend, though it was no hack... It was a crack in Apple's database! Tech asks my phone # so he can get back if we're disconnected and I ask "Don't you have that on record?" And he says yeah, your name is Joe S and the # is blah blah blah. And I said WTF? I gave you my name, it certainly isn't Joe S and that's not my #! The tech replies, "Oh, well, our database got screwed up... Give me the proper info and I'll update it."

    To which I repeat, WTF?

  • Reply 103 of 121
    zoolook Posts: 657 member

    Quote:
    Originally Posted by EricTheHalfBee View Post
    So, here we are and Monday is half over. Where's the Wired update that was promised? Surely this should be their highest priority.

    Maybe, with them being a magazine with real journalists and a reputation to care about, they don't want to just shove out a story without fact-checking beforehand. You know, that thing that separates journalism from blogging.

  • Reply 104 of 121
    vandil Posts: 187 member

    This is one of the reasons why I don't use iCloud. Once you trust your data to someone else, and give them remote access to your physical devices, they are not secure any more.

    Trust your data and syncing to the only fully secure method: managing it yourself. It's not that hard to have bookmarks set up on your devices. It's not hard to pass information between devices. Moving pictures you just took to a computer is solved by a cord and Image Capture. Oh the horror of manual connections!

  • Reply 105 of 121
    mazda 3s wrote: »
    Why does everyone keep saying he works for Gizmodo? He USED to work for Gizmodo, he now works for WIRED. I find WIRED to be much higher quality than Gizmodo and tends to attract good writers.
    Not everyone that was attached to Gizmodo in the past is trash, so get the stick out of your ass.

    Some stains you can never remove from your pants. In Gizmodo's case, they're brown ones.
  • Reply 106 of 121
    boeyc15 Posts: 986 member
    vandil wrote: »
    This is one of the reasons why I don't use iCloud. Once you trust your data to someone else, and give them remote access to your physical devices, they are not secure any more.

    Trust your data and syncing to the only fully secure method: managing it yourself.  It's not that hard to have bookmarks set up on your devices.  It's not hard to pass information between devices.  Moving pictures you just took to a computer is solved by a cord and Image Capture. Oh the horror of manual connections!

    Touché
  • Reply 107 of 121

    Quote:
    Originally Posted by Zoolook View Post
    Maybe, with them being a magazine with real journalists and a reputation to care about, they don't want to just shove out a story without fact-checking beforehand. You know, that thing that separates journalism from blogging.

    Or maybe there isn't any real story here at all. At least not one the Apple haters are hoping for.

  • Reply 108 of 121
    gatorguy Posts: 24,608 member

    Wired has put up a story with the timelines, Apple's response generally confirming the story, and a Wired test confirming the way it worked, and still worked. Worth a read.

    http://www.wired.com/gadgetlab/2012/08/apple-amazon-mat-honan-hacking/

  • Reply 109 of 121
    muppetry Posts: 3,331 member
    gatorguy wrote: »
    Wired has put up a story with the timelines, Apple's response generally confirming the story, and a Wired test confirming the way it worked, and still worked. Worth a read.
    http://www.wired.com/gadgetlab/2012/08/apple-amazon-mat-honan-hacking/

    That's very interesting reading, and, if it's accurate, they need to make some security enhancements.
  • Reply 110 of 121


    I'm not sure why this is an Apple problem.

    First they go to Google to see his alternate e-mail address (even with blocked-out characters, the fact it ends in @me gave them enough). They used Whois to get the billing address for his personal website. Then they go to Amazon and add a credit card to his account (how Amazon could let you add a credit card without first confirming who you are is beyond me). Then they call Amazon back and provide the new credit card number as verification to change the account e-mail, and once they reset the password with the new e-mail they can see all the CCs he has on file (only the last 4).

    After all that work they finally go to Apple with the information they need to reset his account (billing address, e-mail and last 4 of the CC on file).

    And all the news stories are yapping about how Apple has some huge flaw in their security.

  • Reply 111 of 121
    muppetry Posts: 3,331 member
    I'm not sure why this is an Apple problem.

    First they go to Google to see his alternate e-mail address (even with blocked-out characters, the fact it ends in @me gave them enough). They used Whois to get the billing address for his personal website. Then they go to Amazon and add a credit card to his account (how Amazon could let you add a credit card without first confirming who you are is beyond me). Then they call Amazon back and provide the new credit card number as verification to change the account e-mail, and once they reset the password with the new e-mail they can see all the CCs he has on file (only the last 4).

    After all that work they finally go to Apple with information they need to reset his account (billing address, e-mail and last 4 of the CC on file).

    And all the news stories are yapping about how Apple has some huge flaw in their security.

    I think it's a problem because there are plenty of ways to get a billing address and credit card number - the whole thing, not just the last four digits. Neither are especially private - that's the point of having secret questions and passwords. So even though this indicates flaws in Amazon and Google security too, it still shows a major weakness in Apple's security.
  • Reply 112 of 121

    Quote:
    Originally Posted by muppetry View Post
    I think it's a problem because there are plenty of ways to get a billing address and credit card number - the whole thing, not just the last four digits. Neither are especially private - that's the point of having secret questions and passwords. So even though this indicates flaws in Amazon and Google security too, it still shows a major weakness in Apple's security.

    Can you tell us what my billing address is? Any 4 digits of any of my CC cards? Well, if you snooped through my mail at my house you could get that information. But you'd still need an e-mail to attach it to, and it's not that easy to get all 3 of those for one person.

    If someone has such easy access to an entire CC and your billing address, then having an Apple account (or GMail or Yahoo or.....) getting compromised is the least of your worries. You should be worried about identity theft and someone else opening up bank accounts and CC's in your name and going to town.

    Plus this guy is stupid. He's a tech writer and made so many mistakes. Like using his @me address for his Gmail alternate contact. Or using the same CC on multiple online stores (Apple and Amazon at least). Not using an alternate contact e-mail for his website instead of his main e-mail. Not using a different e-mail on his online stores (they never would have been able to get into Amazon in the first place if he didn't use the same e-mail for Amazon).

  • Reply 113 of 121
    muppetry Posts: 3,331 member
    muppetry wrote: »
    I think it's a problem because there are plenty of ways to get a billing address and credit card number - the whole thing, not just the last four digits. Neither are especially private - that's the point of having secret questions and passwords. So even though this indicates flaws in Amazon and Google security too, it still shows a major weakness in Apple's security.

    Can you tell us what my billing address is? Any 4 digits of any of my CC cards? Well, if you snooped through my mail at my house you could get that information. But you'd still need an e-mail to attach it to, and it's not that easy to get all 3 of those for one person.

    If someone has such easy access to an entire CC and your billing address, then having an Apple account (or GMail or Yahoo or.....) getting compromised is the least of your worries. You should be worried about identity theft and someone else opening up bank accounts and CC's in your name and going to town.

    Plus this guy is stupid. He's a tech writer and made so many mistakes. Like using his @me address for his Gmail alternate contact. Or using the same CC on multiple online stores (Apple and Amazon at least). Not using an alternate contact e-mail for his website instead of his main e-mail. Not using a different e-mail on his online stores (they never would have been able to get into Amazon in the first place if he didn't use the same e-mail for Amazon).

    Obviously I can't since I don't even know who you are, but I'll bet there are others you might not trust who can. Anytime you order something by phone you give out that combination, and possibly your email address too.

    But my point was broader than any specific case; most people's billing address is publicly available (i.e. their home address), and their credit card numbers, while not advertised, are not a closely kept secret such as a password would be. It seems very unwise not to require any secret information or key to be able to unlock an account.
  • Reply 114 of 121
    jragosta Posts: 10,473 member
    Can you tell us what my billing address is? Any 4 digits of any of my CC cards? Well, if you snooped through my mail at my house you could get that information. But you'd still need an e-mail to attach it to, and it's not that easy to get all 3 of those for one person.

    If someone has such easy access to an entire CC and your billing address, then having an Apple account (or GMail or Yahoo or.....) getting compromised is the least of your worries. You should be worried about identity theft and someone else opening up bank accounts and CC's in your name and going to town.

    Plus this guy is stupid. He's a tech writer and made so many mistakes. Like using his @me address for his Gmail alternate contact. Or using the same CC on multiple online stores (Apple and Amazon at least). Not using an alternate contact e-mail for his website instead of his main e-mail. Not using a different e-mail on his online stores (they never would have been able to get into Amazon in the first place if he didn't use the same e-mail for Amazon).

    I agree, although there are some flaws here.

    1. It's interesting that Amazon is the one who gave out identifying information (4 digits of his credit card number) yet Apple is the one who is indicted in almost every press report on the problem.

    2. If this isn't a put up, have they contacted law enforcement authorities? It sounds like there's enough evidence here to put someone in jail - yet they've never made any attempt to report it (at least not that they've mentioned publicly). Makes you wonder.

    3. I agree that the last 4 digits of your credit card plus your billing address is not a high level of security and Apple should probably have higher standards. OTOH, if they go too far the other direction, then everyone would be complaining that Apple has your full credit card number accessible to the call center person for verification. There is no exact answer and someone's going to be unhappy no matter what vendors do. The real answer is that this person should have set up security questions and should have backed up his information.

    4. I just hope we don't get to requiring even more stupid security questions. I hate it when I get a list of questions and I can't remember any of them. "what is the name of your first girlfriend's pet turtle?" "What was your favorite color when you were three?" "What was your favorite ice cream when you were in kindergarten?" Who the heck remembers garbage like that?
  • Reply 115 of 121
    muppetry Posts: 3,331 member
    jragosta wrote: »
    Can you tell us what my billing address is? Any 4 digits of any of my CC cards? Well, if you snooped through my mail at my house you could get that information. But you'd still need an e-mail to attach it to, and it's not that easy to get all 3 of those for one person.

    If someone has such easy access to an entire CC and your billing address, then having an Apple account (or GMail or Yahoo or.....) getting compromised is the least of your worries. You should be worried about identity theft and someone else opening up bank accounts and CC's in your name and going to town.

    Plus this guy is stupid. He's a tech writer and made so many mistakes. Like using his @me address for his Gmail alternate contact. Or using the same CC on multiple online stores (Apple and Amazon at least). Not using an alternate contact e-mail for his website instead of his main e-mail. Not using a different e-mail on his online stores (they never would have been able to get into Amazon in the first place if he didn't use the same e-mail for Amazon).

    I agree, although there are some flaws here.

    1. It's interesting that Amazon is the one who gave out identifying information (4 digits of his credit card number) yet Apple is the one who is indicted in almost every press report on the problem.

    2. If this isn't a put up, have they contacted law enforcement authorities? It sounds like there's enough evidence here to put someone in jail - yet they've never made any attempt to report it (at least not that they've mentioned publicly). Makes you wonder.

    3. I agree that the last 4 digits of your credit card plus your billing address is not a high level of security and Apple should probably have higher standards. OTOH, if they go too far the other direction, then everyone would be complaining that Apple has your full credit card number accessible to the call center person for verification. There is no exact answer and someone's going to be unhappy no matter what vendors do. The real answer is that this person should have set up security questions and should have backed up his information.

    4. I just hope we don't get to requiring even more stupid security questions. I hate it when I get a list of questions and I can't remember any of them. "what is the name of your first girlfriend's pet turtle?" "What was your favorite color when you were three?" "What was your favorite ice cream when you were in kindergarten?" Who the heck remembers garbage like that?

    Even the entire card number would not be good security. There has to be something that you don't ever give out in other contexts - a password or a secret question. They're not that hard to deal with.
  • Reply 116 of 121

    Quote:
    Originally Posted by muppetry View Post
    Obviously I can't since I don't even know who you are, but I'll bet there are others you might not trust who can. Anytime you order something by phone you give out that combination, and possibly your email address too.

    But my point was broader than any specific case; most people's billing address is publicly available (i.e. their home address), and their credit card numbers, while not advertised, are not a closely kept secret such as a password would be. It seems very unwise not to require any secret information or key to be able to unlock an account.

    To battle that I use common sense. I have a different card for Apple and Amazon (curiously, the only two retailers I actually leave this data with). For all other purchases I have a pre-paid credit card that I keep only as much money on as I plan to spend (I load it up just before a planned purchase). I use this at gas stations, restaurants and other likely places to get "skimmed" by a staff member collecting CC data. I also use it for online purchases at retailers I'm not familiar with.

    I also use different e-mails for Apple and Amazon, and I have a "throwaway" e-mail when dealing with all the smaller stores. None of the techniques these people used would have worked on me, since I keep things separate. This guy used the same e-mail and CC on both Amazon and Apple, which made it easy to "link" his accounts once one was compromised.

    Apple could add more items to their security questions, but as mentioned customers would get mad at having to jump through more hoops to create an account (or get customer support). I think people should be better educated on using accounts, credit cards and e-mails online. It's funny how people will create fake e-mails so they can post in an online forum, yet can't be bothered to create a separate e-mail for banking or other online transactions.

  • Reply 117 of 121
    muppetry Posts: 3,331 member
    muppetry wrote: »
    Obviously I can't since I don't even know who you are, but I'll bet there are others you might not trust who can. Anytime you order something by phone you give out that combination, and possibly your email address too.

    But my point was broader than any specific case; most people's billing address is publicly available (i.e. their home address), and their credit card numbers, while not advertised, are not a closely kept secret such as a password would be. It seems very unwise not to require any secret information or key to be able to unlock an account.

    To battle that I use common sense. I have a different card for Apple and Amazon (curiously, the only two retailers I actually leave this data with). For all other purchases I have a pre-paid credit card that I keep only as much money on as I plan to spend (I load it up just before a planned purchase). I use this at gas stations, restaurants and other likely places to get "skimmed" by a staff member collecting CC data. I also use it for online purchases at retailers I'm not familiar with.

    I also use different e-mails for Apple and Amazon, and I have a "throwaway" e-mail when dealing with all the smaller stores. None of the techniques these people used would have worked on me, since I keep things separate. This guy used the same e-mail and CC on both Amazon and Apple, which made it easy to "link" his accounts once one was compromised.

    Apple could add more items to their security questions, but as mentioned customers would get mad at having to jump through more hoops to create an account (or get customer support). I think people should be better educated on using accounts, credit cards and e-mails online. It's funny how people will create fake e-mails so they can post in an online forum, yet can't be bothered to create a separate e-mail for banking or other online transactions.

    Those are all good ideas, and good practices, but to require all customers to have multiple credit cards and multiple emails for different accounts, just to stay secure, seems much more inconvenient than putting in place a simple, yet robust authentication system. That's how banks and other financial institutions work - they would be crucified if they used CC, email and address. I guess I'm just a bit baffled by your resistance to that solution.
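The authentication argument running from Reply 111 to Reply 117 (account recovery should hinge on something the customer never hands out elsewhere, not on a billing address plus the last four card digits) can be stated precisely as a recovery policy. The following is an added Python model written for this page, not code from the thread, from Apple, Amazon or Wired; the factor names, the `Account` class, the policy switch and the sample account data are all constructed for illustration. It rates each identity factor by how hard it is for someone other than the owner to learn, and contrasts the weak policy the thread describes (address plus last four digits suffice) with the corrected one (at least one secret-strength factor must match, and no number of public matches substitutes for it). Every decision also yields an audit line, since repeated failed recovery attempts against one account are the signal a help-desk team would want to alert on.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field
from enum import IntEnum


class Strength(IntEnum):
    """How hard a factor is for someone other than the account owner to learn."""
    PUBLIC = 0       # billing address, e-mail: WHOIS records, receipts, mail in the letterbox
    SEMI_PUBLIC = 1  # last four card digits: printed on every receipt, visible to other merchants
    SECRET = 2       # password, security answer, recovery code: never given out in another context


# Hypothetical factor names used by this model; a real help-desk tool would define its own.
FACTOR_STRENGTH = {
    "email": Strength.PUBLIC,
    "billing_address": Strength.PUBLIC,
    "card_last4": Strength.SEMI_PUBLIC,
    "security_answer": Strength.SECRET,
    "recovery_code": Strength.SECRET,
}


def _kdf(value: str, salt: bytes) -> bytes:
    # Secret factors are stored only as salted PBKDF2 hashes, never in clear text.
    return hashlib.pbkdf2_hmac("sha256", value.strip().lower().encode(), salt, 50_000)


@dataclass
class Account:
    email: str
    billing_address: str
    card_last4: str
    salt: bytes
    secret_hashes: dict  # factor name -> salted hash

    @classmethod
    def create(cls, email, billing_address, card_last4, security_answer, recovery_code):
        salt = secrets.token_bytes(16)
        return cls(email, billing_address, card_last4, salt, {
            "security_answer": _kdf(security_answer, salt),
            "recovery_code": _kdf(recovery_code, salt),
        })

    def factor_matches(self, name: str, claimed: str) -> bool:
        if name in self.secret_hashes:
            # Constant-time comparison so timing does not leak which answer is close
            return hmac.compare_digest(self.secret_hashes[name], _kdf(claimed, self.salt))
        stored = getattr(self, name, None)
        return stored is not None and stored.strip().lower() == claimed.strip().lower()


@dataclass
class Decision:
    allowed: bool
    reason: str
    matched: list = field(default_factory=list)
    audit: str = ""


def evaluate_recovery(account: Account, claims: dict, require_secret: bool = True) -> Decision:
    """Decide whether a caller's claims are enough to reset the account.

    require_secret=False models the weak policy: the strongest matched factor
    only has to reach SEMI_PUBLIC, so address + last four digits unlock the account.
    require_secret=True is the corrected policy: some SECRET-strength factor must
    match, and a wrong secret denies the request even if everything else matched.
    """
    matched = [n for n, v in claims.items() if n in FACTOR_STRENGTH and account.factor_matches(n, v)]
    wrong = [n for n in claims if n in FACTOR_STRENGTH and n not in matched]
    best = max((FACTOR_STRENGTH[n] for n in matched), default=None)
    needed = Strength.SECRET if require_secret else Strength.SEMI_PUBLIC

    if any(FACTOR_STRENGTH[n] == Strength.SECRET for n in wrong):
        allowed, reason = False, "secret factor mismatch"
    elif best is None or best < needed:
        have = best.name if best is not None else "none"
        allowed, reason = False, f"strongest matched factor is {have}, policy needs {needed.name}"
    else:
        allowed, reason = True, f"verified with {best.name}-strength factor"

    # One line per attempt for the detection side: bursts of allowed=False on one account stand out.
    audit = f"recovery_attempt account={account.email} matched={matched} wrong={wrong} allowed={allowed}"
    return Decision(allowed, reason, matched, audit)


if __name__ == "__main__":
    # Constructed sample account; none of these values are real.
    acct = Account.create("owner@example.com", "1 Example Street", "1234", "Rover", "ABCD-EFGH")
    public_only = {"billing_address": "1 Example Street", "card_last4": "1234"}
    print(evaluate_recovery(acct, public_only, require_secret=False).reason)  # weak policy lets it through
    print(evaluate_recovery(acct, public_only).reason)                        # corrected policy refuses
    print(evaluate_recovery(acct, {**public_only, "security_answer": "rover"}).audit)
```

The point the model makes concrete is muppetry's: the strength of a recovery flow is the strength of its weakest sufficient combination, and under the weak policy that combination contains nothing the owner keeps private. Raising `needed` to `SECRET` changes the outcome without any of the multiple-card, multiple-e-mail hygiene the thread debates.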
  • Reply 118 of 121
    I wouldn't touch iCloud with a ten foot pole -
    Do we even have a clue who actually runs it - owns it?

    I'd rather use Rack Space - an entity that has a real face - address - and phone number.

    Ever Since iCal became a worthless way to live - of missed birthdays - missing past events -
    I've given up on Apple's childish attempts at anything iCloud based solely to keep the airway alive by 3rd party kickbacks vs hard core real data on a device that doesn't need a connection to some entity.

    Everything would be just fine - had I stuck with Yahoo Calendar -
    in ten years - it has always worked -
    Has always sent an alert of the event.

    Still no calendar from Apple - Stuck at iCal 4.0.4
    A search on iPad at App Store led to hundreds of others - not one from Apple.

    I went Apple 6-7 years ago with everything -
    the childish acts of software are still there -
    even down to the names of files.

    There's no Professional business I know that uses Apple vs Rim for solid Apps.
  • Reply 119 of 121
    jll Posts: 2,713 member

    Quote:
    Originally Posted by Philscbx View Post
    I wouldn't touch iCloud with a ten foot pole -
    Do we even have a clue who actually runs it - owns it?

    Apple!

    And what do you mean by "Still no calendar from Apple - Stuck at iCal 4.0.4. A search on iPad at App Store led to hundreds of others - not one from Apple."?

  • Reply 120 of 121


    Did I knowingly allow Apple to transfer my private information or was it transferred by default?

    Kind of like saying to your neighbor "Your door was unlocked so I just walked in". OSX 10.8 was defaulted to "just walk in". Communities can not survive on low ethical, moral standards such as that. There must be a basic set of community standards, that everyone knows, or there will be more "you allowed" comments because you didn't read all the fine print and turn off all the defaults. A situation made more difficult because of automated install processes.

    Such substandard behavior will grind free enterprise to a halt with reams of convoluted contracts.

    More appalling was what it took to correct the "default". Apple wasn't doing what you would do for your neighbor if you had inadvertently wronged them. There was no obvious, famously Apple-clean way to reverse the process.

    Ethics, morals and self responsibility are no longer taught in state run mandatory attendance public education. Apple's and responses like yours are good indication of the results.
