Apple Support Allowed Hackers Access To User's iCloud Account 266
Robadob writes "Yesterday a hacker gained access to Mat Honan's (An editor at Gizmodo) Apple iCloud account allowing the attacker to reset his iPhone, iPad, and Macbook. The attacker was also able to gain access to Google and Twitter accounts by sending password recovery emails. At the time this was believed to be down to a brute-force attack, however today it has come out that the hacker used social engineering to convince Apple customer support to allow him to bypass the security questions on the account."
Easy to demand more security (Score:5, Insightful)
But understand that it will cause massive unhappiness for the majority of cases where(for example) one's 75 year-old grandmother, who has forgotten her password and can't figure out how she phrased the answer to the security question, is about to permanently lose access to the last 5 years of her grand-children's emails.
The trouble is that the security appropriate for someone's professional e-mail accounts and security appropriate to the occasional elderly e-mail user are so far apart that having a single policy is guaranteed to serve one of the two market segments very badly.
Weak security questions (Score:4, Insightful)
This is why I hate it when "security questions" are obvious things that anyone who knows me even slightly can figure out easily.
"What was the name of your first pet?" Hell you can find that with Google.
"What was the name of your Elementary School?" I sometimes talk about my childhood; people might know this.
Really, it's like they're asking for accounts to be hacked. There needs to be more preventing a password reset than weak "security questions".
Too much stuff in one place. (Score:5, Insightful)
Had the user set up Two Factor authentication, his Google stuff probably would have been safe"
As for 2 factor authentication preventing this, it would have kept my google account from being deleted, and probably kept them off of my Twitter feed, but it wouldn’t have prevented my Macbook from being wiped. That, which is the worst effect of all this so far, was possible as soon as they were able to log into iCloud. Nonetheless, I’m setting it up on my Google account once I have access to it again.
As for all his devices being wiped by one single hack, relying on a single point of security, makes for a single point of failure.
I'm not sure I would have chosen this route even if I was a total Apple fan joined at the hip to iCloud.
Apple support has some serious 'splaining to do. But this is likely to happen again, probably not for a while, but any time you are tied so closely
to one single point of security.
And what would he have done if he was just Joe Corporate Drone?
He and Gawker’s Scott Kidder then got on the phone with contacts at Google and Twitter trying to help me put the brakes on. A friend at Twitter helped expedite the request to suspend the account, which stopped the tweeting.
Seriously? contacts at Google and Twitter?
1) very few people have that kind of contacts.
2) didn't those two companies just violate their own security standards by helping this guy kill accounts he couldn't prove were his??
Re:Why believe the hacker? (Score:5, Insightful)
That's a password with somewhere around ~20 bits of entropy. Let's be generous to weak passwords and consider one with 16 bits of entropy, meaning that a dictionary attack has to make (around half of) 60000 attempts to crack it.
If you've got the hashed password, this is trivial to do. But if you're trying to break a remote login and the computer on the other side lets you make 60000 attempts, then there are far bigger issues at work than a weak password.
Re:Yeah but.... (Score:5, Insightful)
This is really unrelated to any specific company. It *is* an excellent lesson in relying only on online backups.
Re:My answers.. (Score:5, Insightful)
Quick, now, without cut and paste could you please enter those again?
No.
Though not.
Fail.
Re:They Know Best (Score:5, Insightful)
The absolute problem is that no matter how many authentication factors you add, recovery will always be the weakest link.
People will always lose their tokens, and they will always need a way of getting access to their account.. and that way is usually someone making minimum wage with 3 weeks of training.
Personally I wish there was a way to opt out of recovery. Basically a "I accept the risk, if I ever lose my token and forget my recovery questions / password.. I'm shit out of luck" option. This option would have to make it literally impossible for a support person to greant access to the account.. because if they technically can, someone will social engineer one to do so...
Such resets SHOULD be possible, but HARD (Score:5, Insightful)
My bank will mail me a new temporary computer login if I ask. Yes, I have to wait for it to arrive through the post office.
Apple could have said "Okay, we'll snail-mail you a temporary password to an address we can verify against information we already have on file, such as a credit card number, product-warranty-registraiton-information, etc.," or,
"Okay, you are in a hurry, we understand that. We will give you half of your temporary password over the phone and fax the other half to your nearest Apple Store or Notary Public. Bring your drivers' license or passport with you. If you use a Notary, they will charge a fee which you will have to pay."
That would've at least made sure the crook would have to commit more crimes along the way, likely intimidating him. It would've also made it much more likely that the police would be able to put a face to one of the crooks.
Re:Easy to demand more security (Score:4, Insightful)
Yeah, because people blaming others for their own mistakes was invented in 1963.
Re:Yeah but.... (Score:4, Insightful)
It's also a lesson in not putting all your eggs in one basket.
That one _is_ apple specific. Tight integration has it's price. If someone gets into my email, I won't lose access to every damn piece of technology I own. I actually find it pretty damn impressive how much damage they managed to pull off.
Re:Is it too hard to read the summary? (Score:3, Insightful)
In addition. the walled garden approach means a single point of failure (in this case, social engineering) will cost you everything. Apple should have recognised that and provided better internal security.
Re:Such resets SHOULD be possible, but HARD (Score:5, Insightful)
"Okay, you are in a hurry, we understand that. We will give you half of your temporary password over the phone and fax the other half to your nearest Apple Store or Notary Public. Bring your drivers' license or passport with you. If you use a Notary, they will charge a fee which you will have to pay."
"Listen I'm in Istanbul (or where ever), I've just been robbed. They took everything, including my wallet!!! I don't know if there is an Apple Store around here. Please help me mitigate the damage before they get access to my emails and my bank accounts through my iPad (I was in the middle of using my iPad so the screen wasn't locked). "
Now, I'm not saying this is the script they used, most likely not. I'm sure the hacker used a much better one, probably one that's based on the hard-earned experience and real world testing of thousands of other hackers and scam artists that came before him.
I'm just saying that it takes excellent ongoing training to make sure none of your staff gets bamboozled by this kind of scenario. Hard coded corporate rules and security manuals are all well and good for 99% of the scenarios that come up during the normal course of business hours. But what happens if someone tells you a very plausible story and tells you they could very well die if you don't give them access to their account. Most likely that scenario is not listed in your security manual, and the manual prevents you from disclosing their account information, but it's not the first time, nor the last time, that a customer service representative will ignore the poorly written manual that came from above, and use their own personal judgement to make a quick decision on the spot for the perceived welfare of the caller.
Re:They Know Best (Score:5, Insightful)
I'd prefer Microsoft and Apple not evolve towards banks, actually. In fact, I'd rather my bank evolve towards Blizzard Entertainment and offer me some real security.
It never ceases to amaze me that my Diablo III loot is better protected than my salary.
Re:Yeah but.... (Score:4, Insightful)
Uhm... no? Gmail has no function in it to remotely wipe an android phone.