How Apple and Amazon Security Flaws Led To Mat Honan's Identity Theft
An anonymous reader writes "The story behind the hacking of Mat Honan's multiple accounts has been revealed and points to massive failures in how Amazon and Apple handle password recovery. Accounts for both sites can be easily accessed with simple to find publicly available information. If you ask me, both companies should be liable for violating privacy laws."
the 4 last digit of CC are unsecure (Score:5, Interesting)
Every industry standard I know of hides the 12 leading digits with * and shows the last 4 or 5 (yes, better would be to hide all, but the client might need to recognize the CC number for some reason). Who in their right mind would consider that secure? Apple, apparently.
Re:the 4 last digit of CC are unsecure (Score:5, Informative)
"In short, the very four digits that Amazon considers unimportant enough to display in the clear on the web are precisely the same ones that Apple considers secure enough to perform identity verification."
Every industry standard I know of hides the 12 leading digits with * and shows the last 4 or 5 (yes, better would be to hide all, but the client might need to recognize the CC number for some reason). Who in their right mind would consider that secure? Apple, apparently.
Indeed, the article itself makes this point: And it's also worth noting that one wouldn't have to call Amazon to pull this off. Your pizza guy could do the same thing, for example. If you have an AppleID, every time you call Pizza Hut, you're giving the 16-year-old on the other end of the line all he needs to take over your entire digital life.
Till receipts also commonly show this information.
Re:the 4 last digit of CC are unsecure (Score:5, Interesting)
I don't give credit card numbers to pizza boys. I give them cash. Or I pay with iDeal, a Dutch internet payment system that's actually secure, unlike all that credit card crap.
Really, rest of the world, you guys need to implement iDeal so I can use it for international payments. The only reason I have a credit card at all is because it's the only way to buy stuff online from non-Dutch sites. Steam uses iDeal. Once everybody else does too, we can finally get rid of those stupid credit cards.
Re: (Score:3, Insightful)
I don't know about iDeal, but I'm always appalled at how much trouble Americans have with securing their identity. It's not that hard:
Step 1) Have a *public* identifier for you. None of this "if you know the social security number" or "if you know all or part of a credit card number" or such nonsense.
Step 2) Have one or more *private* passcodes or other authentication schemes (really, everyone should have those rotating-passcode keychain devices like the banks give out here for use with important stuff).
Re:the 4 last digit of CC are unsecure (Score:4, Insightful)
Privacy issues for most of your post. People in general do not like the idea of a national ID system. This isn't just a US thing, either. A lot of countries try to fight this sort of system when it comes knocking.
As for personal checks, they are not used that frequently anymore. Most places I go to don't even accept them. I haven't encountered one personally in several years. They're used little more than promissory notes between people nowadays. Short of going to an ATM or bank, there's no easy way to give people cash. Personal checks still fill that role. Nothing wrong with that.
Re: (Score:2)
People in general do not like the idea of a national ID system
Just what do you consider a SSN to be?
Re: (Score:3)
Exactly. An ID number is just a unique representation of an individual - think of it as an alternative name, guaranteed to be unique. The difference is, the SSN is supposed to be "semi-secret", kind of secret, kind of not. It's your ID and password all bundled into one! Aka, idiotic. And not linked at all in a consistent, queryable manner with your contact information. Doubly idiotic. And while it functions as a kind-of password, it's semi-predictable. A triple-play of Fail.
Re: (Score:3)
In America, someone sends you a bill... how do you pay it? You write them a check.
Here, someone sends you a bill. You log on to netbanking (for example) with a password and rotating-code keyfob, go to the payments page, punch in the ID and account number information of who you're looking to pay, the bill pops up, you confirm the amount you want to pay and enter your netbanking pin... and that's that. No check ordering, no postal service, no stamps, no handwriting, no interpreting of handwriting, no fraud
Checks? What are those? (Score:4, Informative)
Not really, I live in America, I haven't written a check in 7 years.
All my bills are paid through a service known as Billpay. All the banks and credits unions have something similar.
Time to stop making fun of us backward Americans and do some real research before writing your rants about us.
And this applies to most of my co-workers also. The only Americans that rely on checks anymore are over the age of 70 and that is what they grew up with so it is kind of hard to change.
Re: (Score:3)
I use a billpay system also, but:
The billpay system has been unable to get my home mortgage billing details (I think the mortgage company would prefer that I use their own system to pay the mortgage, but I refuse to hand control of when my mortgage gets paid over to the biller)
There were some changes recently which meant that some bills stopped being available through the billpay system for
Re:Checks? What are those? (Score:4, Informative)
Then you're exceedingly unusual. A quick Google Search turns up this [jak-stik.ac.id]:
* Americans write 42.5 billion checks per year - that's one check per person every three days.
* In the United States checks are among the most popular form of payment, above credit cards.
* People write roughly 450 million "bad checks" or checks that bounce every year - that's 1.5 per person per year.
* 60 percent of all transactions not paid for with cash are paid by check.
* Consumers are 65 percent more likely to use checks than other forms of electronic payments.
* The number of checks used by Americans is increasing. In recent years check use rose 54 percent alone.
* More than 39 trillion dollars in payments are made every year with checks, compared to just 7 trillion for other forms of payment.
Mind you, I have no way to validate those numbers, but it matches my experience with the American check culture. A lot of places in America don't have options for online bill paying. You just happen to have lucked into being in a place that does. Americans typically write each other checks to send each other money as well - such as a "birthday check" from a parent or whatnot.
Re: (Score:2)
If you don't use computers then you can go to any bank and pay your bills there (essentially by doing a wire transfer), commercial banks might take a small fee for that and state-owned Sberbank is required to do this for free. I never understood the checks - you're writing a document authorizing somebody else to withdraw money from your account. Why not just do this directly?
Re: (Score:3)
First, there is no way for me to pay my rent, electric bill, water bill, and garbage bill if I did it electronically. The electric company has sent out a notice that sometime next year they will start taking payments online, but that's next year.
Second, I do not trust the security of my bank, or any bank, in the small town that I live in. A friend also banks at this bank and it only took
Re: (Score:2, Informative)
In Brazil, ALL bills share a common system. This means you can pay them anywhere: at drugstores, banks, ATMs, online, wherever. I just pay through my bank's online banking. The bank uses two-factor authentication, with an 8-digit PIN that's used exclusively to log in to the online banking plus a 6-digit token whose value changes every minute, used for every sensitive operation. Any banking operation on the account (bills, investments, withdrawals, transfers, debit/credit card usage, etc.) is immediately communi
Re: (Score:2)
Our system here in Iceland is like yours in Brazil. I just don't get how America can be so backwards in so many regards. And people there by and large don't even realize it.
Re: (Score:2)
Such systems do exist in the US, they're just not totally universal, depending on who you deal with.
But I totally can pay all my bills, rent, utilities, everything, via a unified system. It's not accessible from "anywhere" like the parent talked about, but it is accessible from ATMs everywhere and from my bank's website. I'm from Canada where the system is a bit more universal, but now that I live in the US, at least anything I actually need to deal with works through that system. Good enough. Everything at
Re:the 4 last digit of CC are unsecure (Score:4, Informative)
Re: (Score:2)
Only certain types of transfers cost money. Generally to the same banks they're free, and to pay bills and whatnot, they're also free (at least to the payer).
I pay my rent via transfer, and it doesn't cost anything (and I doubt the owners are paying the fee for me, because they charge a stupid fee for credit card payments).
International transfers are another story.
Re: (Score:3)
How exactly do you propose to implement any of this in Mat Honan's situation? Give Apple, Google, and Twitter access to Iceland's national database with contact information for everyone in the country? Make the database public? Have Apple, Google, and Twitter send you keyfobs?
How is any of this scalable in way that doesn't lead to a single point of weakness where a compromise there will compromise all your accounts at once?
Re: (Score:2)
I'm saying that you should have your own system similar to ours, and that the reason you (and your companies) are so vulnerable to identity theft is because you don't.
Re: (Score:3)
I'm saying that you should have your own system similar to ours, and that the reason you (and your companies) are so vulnerable to identity theft is because you don't.
My point is that this statement is completely untrue; implementing your country's system might be good for many reasons, but it won't really help most forms of identity theft. Where on earth do you see an opportunity to use your system to make the situation better for companies from any nation, much less for multi-national companies like Apple, Google, and Twitter that must authenticate users from countries all over the world?
Your idea stops scaling as soon as you realize you're dealing with 200+ nations' w
That is not the problem with Amazon (Score:5, Interesting)
At first I was aghast at how they could implicate Amazon for revealing the last 4 digits of your card, when they appear in every transaction receipt printed etc.
However, after reading TFA it is obvious that Amazon has a serious security flaw as well that they need to address. It seems that you can call Amazon support knowing only the name, email and billing address of a person and you can add a bogus credit card number to their file. Then you call back and tell them you can't access your account and they will let you add a new email address to reset your password, and you use the credit card number you had just added as verification of your identity!
True, Amazon showing the last 4 digits of your CCs on your account is not a problem, but giving access to your account to a person armed only with knowledge of your name, address and email is a serious flaw.
The summary and even the article don't make it that clear what the problem is with Amazon, you have to read through TFA.
Re: (Score:2)
My mortgage company has a similar jacked up login process.
Like a lot of places, they have you answer some pretty mind numbing security questions after typing in your user name and password. If you don't remember the security answer you can hit the "I forgot" button. What then happens is shocking - it takes you to a screen to reset the answers. Why in the world do you ask security questions after a user/pass auth if the same info lets you reset them?!!?
And the real kicker. When you want to make a PAYMENT th
Sallie Mae (Score:4, Interesting)
Even better, Sallie Mae calls me about my daughter's loan, and before the call is connected I have to give Sallie Mae the last four of my SSN to authenticate who I am; no way to authenticate that it's Sallie Mae calling me, but I have to authenticate that Sallie called the right number. Even better, no way to talk to a real person if I don't authenticate.
Remember I said Sallie Mae initiated the call. I could call any number of random numbers, claim to be Sallie Mae and get individuals' last four. Ridiculous.
Re:the 4 last digit of CC are unsecure (Score:4, Informative)
Re: (Score:3, Informative)
Go back to your cave fanboi, if you RTFA they tried themselves calling Apple and the last 4 digits were all they asked. Also, vendors don't normally store the CVV code, because its purpose is exactly that - let the user verify the transaction by entering it themselves. So Apple storing it and letting their CSRs view it would be quite against established CC security practices.
Benefits of free services (Score:5, Interesting)
Re:Benefits of free services (Score:4, Informative)
I would argue that the biggest benefit of using free services (like GMail) is they offer no or crap phone support! Thus making it very difficult for a hacker to social engineer their way into your account.
We were hacked several months ago, and our Amazon EC2 account was hijacked. How did they do this? We host our domain names at a local provider, and somehow they got control over that account. Then they changed the DNS for the mail to their own service. We had two-factor logins at Amazon (normal login + generated key). They tricked Amazon into believing that the key was broken, that they were the rightful owner (with control over the mail), and Amazon removed it. We still wonder how they did all this.
Apple's Failure, Not Amazon's (Score:3, Insightful)
You missed the part about Amazons password reset (Score:5, Informative)
Amazon allowed a bogus card to be added to the account because all they did was check the check-digit, rather than doing that as step one, and then doing an authorization hold/authorization release after requiring the security code from the back of the card as step 2. This would have correlated the billing address and card number in the credit card company database, which would have failed, flagging it as a bogus card.
After this, a second call to Amazon using the bogus card information plus the (already known) billing information got them a password reset, again without them issuing an authorization hold/authorization release. And THAT is where they got the last 4 digits of the (actual) non-bogus credit card number to give to Apple. Admittedly, it's possible that this would cost a web site (other than Amazon, who owns their own payment provider) a transaction fee to do, but they could always require a transaction fee billed to the card being used as identification as part of the recovery process. For example, it looks like Norton Antivirus allows the same thing (just do a quick search for the phrase "the credit card number ending in", you'll see a bunch of people wondering about charges to cards they never registered with various services).
Apple using the last 4 digits as an identity verification was screwed up, but it wasn't information the bad guys had without Amazon's help, in this case.
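The comment above draws the distinction that matters for account recovery: a card number that passes the check digit is merely well-formed, while an authorization hold asks the issuer whether that number, its security code and the billing address actually belong together. The code below is an added illustration written for this page (not Amazon's, and not from the commenter) of the two policies side by side. It assumes a hypothetical `ISSUER_RECORDS` table standing in for the issuer's authorization response, and the card numbers in it are the publicly documented Visa test numbers, not real accounts.

```python
import hmac
from dataclasses import dataclass


def luhn_valid(pan: str) -> bool:
    """Return True if the card number passes the Luhn check digit.

    This is a syntax check that catches typos; it says nothing about whether
    the card exists or who it belongs to.
    """
    digits = [int(c) for c in pan if c.isdigit()]
    if len(digits) < 13 or len(digits) > 19:
        return False
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


# Constructed stand-in for the issuer's view of the world: PAN -> (CVV, billing
# postcode). In production this answer comes back from an authorization request
# to the payment processor; the dict only models that reply for the example.
ISSUER_RECORDS = {
    "4111111111111111": ("123", "94103"),   # documented test PAN, constructed CVV/postcode
}


@dataclass
class RecoveryRequest:
    """What a caller offers the support desk as proof of card ownership."""
    pan: str
    cvv: str
    billing_postcode: str


def check_digit_only(req: RecoveryRequest) -> bool:
    """The weak policy the comment describes: any well-formed number is accepted."""
    return luhn_valid(req.pan)


def authorization_hold(req: RecoveryRequest) -> bool:
    """Hardened policy: syntax check first, then an (here simulated) issuer
    authorization that must confirm the CVV and the billing address on file."""
    if not luhn_valid(req.pan):
        return False
    record = ISSUER_RECORDS.get(req.pan)
    if record is None:
        return False                      # issuer has never seen this card
    cvv_on_file, postcode_on_file = record
    return (hmac.compare_digest(cvv_on_file, req.cvv)
            and postcode_on_file == req.billing_postcode)


if __name__ == "__main__":
    # A second documented test PAN: Luhn-valid, but unknown to the issuer.
    bogus = RecoveryRequest("4012888888881881", "000", "94103")
    print("check digit only:", check_digit_only(bogus))     # True
    print("authorization hold:", authorization_hold(bogus))  # False
```

Run as a script, the bogus-card request sails through `check_digit_only` and is refused by `authorization_hold`, which is exactly the gap the comment identifies. Note that the hardened version still cannot be the sole factor for a password reset: it proves the caller holds a card that matches the billing address, not that the caller is the account owner.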
Re: (Score:2)
The problem here is that for the average Internet user, if you have someone's Amazon email address, you pretty much automatically have access to that person's Amazon account. Not everyone has multiple email accounts, and the billing address and name can be gotten from aggregators like http://www.spokeo.com/
At that point the person can gain access to the user's Amazon account and simply go on a shopping spree at the user's expense. Getting into an iTunes account with the same email is just a bonus.
Re: (Score:2)
Are you stupid? To get access to someone's Amazon account you need their email address and billing address. To get access to someone's Apple account you need their email address, billing address, and last 4 of their CC. Both of these systems are stupidly insecure, but it is pretty goddamn obvious Amazon's is the worse.
But what is Amazon protecting?
1) The ability to order goods using my credit card to be delivered to my registered address
2) The ability to order virtual goods using my credit card (music, ebooks, gift certificates).
1) doesn't really help the fraudster. 2) might, but they're difficult to resell and Amazon probably don't care about refunding these purchases -- they're very low value
Now, what is Apple protecting?
1) Everything using that email address
2) All Apple equipment registered to the account, and all fi
Re: (Score:2)
You forgot
3) The ability to takeover your Apple account
So clearly, Amazon is worse than Apple because Amazon is Apple and more!
Re: (Score:2)
And once they have complete access to your Amazon account, they can't just change the physical shipping address why?
If you try and do that (I did last week, to order something to be delivered to work) they ask for the CCV code from the back of the credit card (if you choose to pay with an existing card).
Re: (Score:2)
Because Amazon won't allow you to without extra information the person would not be able to provide. (CCV code)
Re: (Score:3)
He may be able to add extra shipping addresses, but he won't be able to use any of the cards on the account to ship to them. Amazon requires the CCV code on all purchases made with existing cards on the account when shipping to a new address.
Re: (Score:2)
FWIW, it need not be a bogus card. You can buy a VISA gift card (paying cash and showing no ID), then on the gift card website enter the name and address of your victim. It is now a perfectly legit card in that person's name. I use VISA gift cards on Amazon all the time (in my own name). You could probably do quite a bit of identity theft or creating false personas, using such a method.
Re: (Score:2)
Every e-commerce company in the world that allows you to store your card info will display the last four digits of your card number, because what other option is there? What other unique determinant could you possibly display in order to allow people to select one card from a set?
User-defined label when entering card details.
Online banking typically does this, so even though you see (some of) your account digits while online, it's really the name you gave it that's meaningful.
Re: (Score:3)
Which is great if you only have one card per brand-name issuer and completely useless in any case where that isn't true -- and it's certainly not true for me. Whereas the chances of the last few digits of your account number matching any other account for the same customer are exceedingly small. It may still be a bad idea, but "card issuer" is certainly not a reasonable replacement.
Re: (Score:2)
A bank may offer you a credit card and a debit card. Both from the same issuer.
You might have accounts at different banks, with credit cards from each bank, but they're all from Visa
You might have a company credit card and a personal card.
Unless you register all of your cards with a particular website, how does that website know how many digits it will take to make a difference?
Re: (Score:3)
I've never heard of anyone having more than one card from the same issuer before. Usually, a bank won't offer you a second card if you already have one with them. Why do you have multiple cards from the same bank?
1) If your answer is "your valid use case is wrong, you need to re-think how you're doing things", you're doing it wrong and need to re-think how you're doing things.
2) Multiple cards from the same bank can occur pretty easily. Nearly all airline cards are issued by the major banks (Chase, Citi, etc) - even though the branding may be Southwest Air, the actual issuer is Chase. So if you have an airline/hotel/retail-branded card and a card from a major bank, chances are good that they'll be from the same iss
Re: (Score:2)
I can see the possibility of not being able to add a card over the internet for whatever reason.
Typo, or can you tell us what reasons you can think of?
not privacy, data protection (Score:4, Informative)
"The United States prefers what it calls a 'sectoral' approach to data protection legislation, which relies on a combination of legislation, regulation, and self-regulation, rather than governmental regulation alone.[10] Former U.S. President Bill Clinton and former Vice-President Al Gore explicitly recommended in their "Framework for Global Electronic Commerce" that the private sector should lead, and companies should implement self-regulation in reaction to issues brought on by Internet technology." (emphasis added)
I never could really understand how this companies-should-self-regulate idea could work, and up to this day it hasn't really proved to work. If companies are allowed to roam freely, then there's really nothing (good or bad) you can really expect from them, and even if one seems OK, they can change their policies from one second to the next and you're screwed.
Nobody in their right minds would trust all of their data exclusively and only to a company (yes, you know, that "cloud" you like so much is operated by one or more companies with data protection and privacy policies changing by the weather). If you do so, something like the original article mentions can happen anytime.
I'm not saying you shouldn't use the "cloud" (how I hate that word, oh my), but you should never trust and rely on it completely without any (or weak and borderline useless) fallback. Remember, it's your data, it's your life, protect it as you would protect anything that you own and hold precious.
Thing is, since computing and PCs have become everyone's tools and don't require in-depth tech knowledge, it's pretty easy to get average users to use and rely on such services. It's simple, they don't really know what they are getting into. And it's for this reason that it's sad to see a more knowledgeable person (i.e. the article writer) fail so terribly.
Always remember, just because so many people are hooked to it and it's easy to use, that doesn't mean it's safe and reliable. It's not.
Re: (Score:2)
This breaks the trust feeling with generation of young US crypto experts who so want to feel the US gov is not allowing weak crypto for good intentions.
Self-regulation allows the US gov to sit down and have a nice chat to
Self regulation also protects eg CIA front
Re: (Score:2)
Hmm, isn't DES actually quite strong? It resisted both differential and linear cryptanalysis. The key size is not enough today but it certainly was in 1977.
Re: (Score:2)
Every time you read the equivalent of "self-regulating" in a law, you know that lobbyists have again won a battle against citizens and democracy and that this regulation isn't worth the paper it's printed on.
Re: (Score:2)
I never could really understand how this companies-should-self-regulate could work, and up to this day it didn't really prove to work. If companies are let to roam freely, then there's really nothing (good or bad) you can really expect from them, and even if one seems OK, they can change their policies from one second to the next and you're screwed.
I think the intent is that there'd be industry standards, with their own best practices, standards body, and compliance testing. Things like movie ratings and OpenGL compliance are self-regulated.
Re: (Score:2)
I never could really understand how this companies-should-self-regulate could work, and up to this day it didn't really prove to work. If companies are let to roam freely, then there's really nothing (good or bad) you can really expect from them, and even if one seems OK, they can change their policies from one second to the next and you're screwed.
I think the intent is that there'd be industry standards, with their own best practices, standards body, and compliance testing. Things like movie ratings and OpenGL compliance are self-regulated.
But. But. But. The Free Market!!!!
Re: (Score:2)
That *is* the free market. Trust is also a market feature that comes & goes, even though government demands blind trust in its own devices. If the market decides adhering to some standard is necessary (which takes education, marketing, and precedent in some combination), then providers adhere and ideally organize. If the market decides some standard doesn't bring anything of value, it falls out of use.
The issue is that these sorts of security problems are not a deciding factor for individuals or even
Re: (Score:2)
There are really two choices, that have (over time) an exactly equal minimum error rate (= probability of being hacked, etc.) - one is to have multiple independent, dynamically changing methods of securing things; the other is to have one central authority. I repeat - from first principles in information theory - these both have the exact same optimum. Let's say, for the purposes of argument, that the optimal probability of error is 5%. The difference between the two options is the distribution of errors
Multifactor Authentication (Score:2)
This isn't a new problem... This guy was naive/careless at best for not using multifactor authentication. But hey, at least his new article is getting some traffic, not that anyone will ever take him seriously again.
a lot of mistakes here (Score:5, Insightful)
Not backing up data, able to get Amazon account data with 2 phone calls, able to get an Apple/Google/whatever password reset with just a little bit of work. They could have also stolen his CC statement from his mailbox, as well as a utility bill, and got part of the way to getting a new credit PIN or driver's license and after a bit of time a new passport. This sort of hacking is not new, just different. Once the security questions used to be the standard 3: your mum's maiden name, your city of birth, and your first pet/car/whatever; now the answers are often online or traceable via Facebook. The blame should be shared amongst everyone, including the person who did the hacking. Excuse me, I have to back up my computers.
Re: (Score:3)
Well, it's not the biggest and most effective way, but what I used to do (and still do if required) in such cases was that I picked randomly from the questions and gave totally unrelated random words as answers, which I recorded in a protected file. Unless someone could get to the file and crack it, there's no way to
Re: (Score:2)
I do similar, but a few years ago there was no choice, it was only 3 questions. ... as your Facebook email contains you FB ID, so you can also get a head start on cracking FB accounts, thanks to Facebook.
Re: (Score:2)
Of course that makes your password exactly as safe as if you had the password itself stored in a protected file, which would mean you'd theoretically never need your security question answers since you would never forget your password. Unless of course you lose the file, in which case... I really hope you keep those files in two different places.
Re: (Score:2)
I just made up a name of a pet to use.
No, it's not the name of the first girl who dumped me. Or even the tenth or twentieth.
But he's an IT Expert! (Score:5, Informative)
What an idiot.
Re: (Score:2)
Which is great, until you have a house fire, or your gear at home gets stolen.
Re: (Score:2)
It's probably related to the fact (according to a survey I read some years ago) that most accountants never balance their checkbooks. I would be willing to bet that 70+% of geeks don't backup their personal data regularly, and have less-than-ideal password policies for their own web accounts.
A very good article. Read it! (Score:5, Interesting)
This is a very good article, every /. nerd worth his honors should read it. It's pushed my paranoia levels almost up to normal again. That alone was worth the time. I've been dragging out that backup HDD for my MB Air far too long and will now change that.
I'm also going to solidly review my online presence and accounts, and how they could be linked. And fix any problems that pop up.
Bottom line: Read the article, it's a healthy wake-up call and if you're like me, you need that once in a while.
My 2 cents.
Re: (Score:2)
This is a very good article, every /. nerd worth his honors should read it. It's pushed my paranoia levels almost up to normal again. That alone was worth the time. I've been dragging out that backup HDD for my MB Air far too long and will now change that.
I'm also going to solidly review my online presence and accounts, and how they could be linked. And fix any problems that pop up.
Bottom line: Read the article, it's a healthy wake-up call and if you're like me, you need that once in a while.
My 2 cents.
Yes indeed, we may not be making the same mistakes as Mr Honan, but this should be treated as a wake-up call to review your own security policies. Mine are better than most, as I guess is the norm on Slashdot, but our time would be better spent looking for the chinks in our own online armour, rather than mocking Mr Honan for not backing up his Mac. It was stupid though.
Secure your e-mail! (Score:2)
If you're a nerd you don't need the wake up call (Score:2)
Anyone sufficiently clued up on IT would
A) Have backed up their data on a physical medium, eg USB stick
B) Would not daisy chain their accounts that would allow the hacking of one lead to the others.
This guy might consider himself an expert - personally I consider him an idiot who bought into the whole Cloud we'll-look-after-your-data-for-you-no-need-to-worry marketing hype aimed at the clueless.
In broad technical terms there is no difference between a modern cloud service and an ftp server from the 1980s
Re: (Score:2)
In broad technical terms there is no difference between a modern cloud service and an ftp server from the 1980s - if someone gets your password you're scr3wed.
One might suggest that 25 years of minimal progress on security, in the face of a considerable expansion of the internet's hostile population, is a major failing... Especially since, unlike most ftp servers of the 80's, 'cloud' services are heavily marketed toward nontechnical users.
Re: (Score:2)
I'm not sure I trust a guy who doesn't back up. So much for a so-called "tech expert".
His story is also precisely why I don't cross link accounts like that so that if you lose one, you lose them all.
Blindness (Score:2)
Moreover, if your computers aren't already cloud-connected devices, they will be soon. Apple is working hard to get all of its customers to use iCloud. Google's entire operating system is cloud-based. And Windows 8, the most cloud-centric operating system yet, will hit desktops by the tens of millions in the coming year. My experience leads me to believe that cloud-based systems need fundamentally different security measures. Password-based security mechanisms - which can be cracked,
Gmail should make 2-factor more prominent (Score:2)
Until recently, I wasn't even aware GMail offered 2-factor authentication. I think it was a little note on the login screen one day that it even existed.
I did set it up immediately, as my entire life runs through that account, but had been running for years without it.
Well, that didn't cause me any problems... (Score:4, Insightful)
From what I see here, the main problem was Apple's security protocol, with Amazon coming in a close second... All other things he could really have protected himself against, using two-factor authentication on Google and so on. But you can't protect yourself from a company finding easily obtainable information good enough to just hand over control of your account with...
As far as I'm concerned Apple should be liable for damages in this case. They have acted as a gatekeeper, portrayed a sense of security, and then been blatantly lax in security.
What does the law say about a case where I hand over say my credit card information to a merchant and they act carelessly with it, thus allowing it to be intercepted by a criminal? Say I go to a restaurant and they take my card and then let it lay around on the counter for half an hour for anyone to see, scan, steal?
So what should security questions be? (Score:2)
That's why I make up my answers per account; there's no way to find the answers unless you have access to my physical system with encrypted docs.
But let's be real, normal people won't g
Re: (Score:2)
Which is great, but in this case Apple allowed the hackers to completely bypass the normal security questions by answering a question that you can't 'make up', and in fact, that they didn't let you know was a security question.
That said, now that we know about it, there is a way of getting around it: Have a different credit card number for each site!
Though I hope Amazon's CS customer authentication and authorization procedures will get overhauled to eliminate these escalation attacks.
What's that clucking I can hear? (Score:2)
Oh look, chickens dropping out of the Cloud and coming home to roost.
Identity is a GOVERNMENT FUNCTION (Score:2)
I've said it before, and I'll say it again -- managing identity is a quintessential government function, and should be handled by the government online as well. The basic problem here is that we should have a nationwide, and possibly global, single sign on system, with our rights protected by clear and unambiguous legislative features. Nobody thinks that the issuing of drivers' licenses should be done by private enterprise (or, if they do, they're idiots.) Why do we think online identity is less importan
Re: (Score:2)
I've said it before, and I'll say it again -- managing identity is a quintessential government function, and should be handled by the government online as well.
Oh, yes. Let's let a gang of psychopaths with guns own our online lives. They would never think of creating fake identities for themselves, selling our identity to others, or simply deleting or blocking our ID and preventing us from accessing anything.
Re: (Score:2)
It's not strictly about trust though, it's about if you want a single point of failure, or compartmentalized data. My father's hotmail was hacked (most likely phished I'd guess) not too long ago and he wasn't able to get it back. So he lost his hotmail. It's been a pain in the ass, but he got everything that he uses switched over to a new email within a week or two. If the government provides all authentication, what happens if someone hacks that? Or gets your credentials some other way? You lose absolutely
I Cringe (Score:2)
I read this on emptyage, when he still thought he'd been brute-forced, and I still don't understand using the Apple email (esp. if you don't use the Apple email) — that's tied to all your gadgets — as a backup for an insecure Gmail account that you use publicly for everything (i.e., it's posted on Twitter).
Are people really this stupid?
Do they have absolutely zero sense of self-preservation?
This is such an extreme case, it reads like a hypothetical. "Suppose someone gave the keys of their house to
I smell some B.S here. (Score:5, Insightful)
He says, when talking about the hackers, that "...their ultimate goal was always to take over [his] Twitter account". Why, then, did they delete his Google Account, and then remotely erase his iPhone, iPad, and MacBook? I might get that they want to erase evidence that could be used to track them down, and to that extent, wiping the Google account, which they had apparently gotten access to, makes a modicum of sense. But unless they were using his iPhone, iPad, and MacBook as well, I'm not sure how erasing all of them was in any way helpful to them in any regard whatsoever. No... the bastards that did this to him definitely had some malicious intent involved.
I'm not saying that he wasn't hacked... nor am I saying that he wasn't hacked in this way. I'm suggesting that the allegation that the hackers were only after his Twitter account seems extremely dubious... at least to me.
Re:Why remote wipe? (Score:5, Insightful)
If your device is lost or stolen.
Re: (Score:2)
If your device is lost or stolen, data should not be permanently deleted, just locked away until the owner personally comes round to identify herself with a passport or other legal ID of some sort. You can move to permanent deletion after some time has passed without a "restore" request.
I don't see why this should be any problem at all; Apple, Google and all their competitors claim to keep backups, which is effectively the same but with a user-"controlled" restore procedure.
Re: (Score:2)
The article says that the remote wipe is reversible with a four-digit PIN made up at the time of deletion.
Which leads me to wonder why Apple couldn't just reverse it for the guy once he apprised a real human being of the situation. Given the lack of sophistication everywhere else in this scheme, I seriously doubt that the four-digit PIN is really used to encrypt your data. It must just be for authentication, so why couldn't this guy get Apple to unwipe his drive?
Re: (Score:2)
Why didn't he keep backups?
I fail to see how Apple's remote wipe capability, designed to ensure that your data doesn't fall into the wrong hands rather than the "safety" of data on the device (i.e., ease of deletion), is a problem.
If you accidentally remote wipe, or your friend pranks you because you were logged in and went to get a soda and he's a dick, or someone hacks your account and wipes your phone and computer, then you should just restore from backup.
No need to design the remote wipe system to be rever
Re: (Score:3)
Why didn't he keep backups?
Because he is an Apple fan-boy and turned off any and all technology knowledge of his decision process because of the emotional assurance he got from the Apple brand?
So by your logic, all Windows and Linux users keep backups then? That will really help me next time my parents' computer messes up, now that I know that they definitely keep backups because they don't have a Mac.
Re: (Score:3)
If your device is lost or stolen, data should not be permanently deleted, just locked away until the owner personally comes round to identify herself with a passport or other legal ID of some sort. You can move to permanent deletion after some time has passed without a "restore" request.
From an enterprise security point of view, once the device is out of your hands you want the data off it, full stop. If it isn't there then there is no chance that someone can read it. If everything on the device were properly encrypted, then you could just delete any keys and the restore would simply mean putting the keys back on.
I don't see why this should be any problem at all; Apple, Google and all their competitors claim to keep backups, which is effectively the same but with a user-"controlled" restore procedure.
That is the solution, not "not deleting". The off-device backups are your restore point either if you get a new device or that one is returned to you. As long, of course, as the b
Re: (Score:2)
If your device is lost or stolen.
Why not just encrypt the drive? Seems more secure to me -- remote wipe presumably won't work if the target machine doesn't have net access.
(Of course, the drive will be unlocked if your machine is stolen while switched on and logged in, but the solution to that is to lock the screen whenever you're not at the computer.)
Re: (Score:2)
But why irreversibly wipe it? Aren't iOS devices encrypted by default? In that case you could keep a backup of the encryption key somewhere safe and just erase it off the device.
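The two comments above that suggest deleting the keys on a wipe and putting them back on a restore (the enterprise-view reply and the "keep a backup of the encryption key" post) describe what is usually called a crypto-erase. The Go program below is an added example for this thread, not code from any of the posters or from Apple's or Google's products: device data is stored only as AES-GCM ciphertext under a per-device data-encryption key (DEK), the DEK is escrowed off-device by wrapping it under an owner-held key-encryption key (KEK), a remote wipe zeroizes the DEK in place, and a restore unwraps the escrow copy. The `Device` layout, the nonce-prefixed blob format, the function names and the sample key and data are all assumptions made for the example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
	"io"
)

// Device keeps user data only as AES-GCM ciphertext under a per-device DEK.
type Device struct {
	dek        []byte // data-encryption key; nil once wiped
	ciphertext []byte
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key) // key must be 16, 24 or 32 bytes
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// seal returns nonce||ciphertext under key, using a fresh random nonce.
func seal(key, plaintext []byte) ([]byte, error) {
	aead, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	return aead.Seal(nonce, nonce, plaintext, nil), nil
}

func unseal(key, blob []byte) ([]byte, error) {
	aead, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	n := aead.NonceSize()
	if len(blob) < n {
		return nil, fmt.Errorf("blob too short: %d bytes", len(blob))
	}
	return aead.Open(nil, blob[:n], blob[n:], nil) // fails on a wrong key or altered data
}

// Provision makes a random DEK, encrypts userData under it, and escrows the DEK under the owner's KEK.
func Provision(kek, userData []byte) (dev *Device, escrow []byte, err error) {
	dek := make([]byte, 32)
	if _, err = io.ReadFull(rand.Reader, dek); err != nil {
		return nil, nil, err
	}
	ct, err := seal(dek, userData)
	if err != nil {
		return nil, nil, err
	}
	if escrow, err = seal(kek, dek); err != nil { // hypothetical escrow format: just the wrapped DEK
		return nil, nil, err
	}
	return &Device{dek: dek, ciphertext: ct}, escrow, nil
}

func (d *Device) Read() ([]byte, error) {
	if d.dek == nil { // after a wipe nothing on the device can decrypt the data
		return nil, fmt.Errorf("device is wiped: no data-encryption key present")
	}
	return unseal(d.dek, d.ciphertext)
}

// RemoteWipe zeroizes the DEK; the ciphertext stays but is now unreadable (crypto-erase).
func (d *Device) RemoteWipe() {
	for i := range d.dek {
		d.dek[i] = 0
	}
	d.dek = nil
}

// Restore unwraps the escrowed DEK with the owner's KEK; a wrong KEK leaves the device wiped.
func (d *Device) Restore(kek, escrow []byte) error {
	dek, err := unseal(kek, escrow)
	if err != nil {
		return fmt.Errorf("restore refused: %w", err)
	}
	d.dek = dek
	return nil
}

func main() {
	kek := []byte("example-recovery-key-32-bytes-!!") // constructed sample KEK
	dev, escrow, err := Provision(kek, []byte("mail, contacts, photos"))
	if err != nil {
		panic(err)
	}
	dev.RemoteWipe()
	_, wipedErr := dev.Read()
	fmt.Println("after wipe:", wipedErr, "| restore:", dev.Restore(kek, escrow))
}
```

A wrong recovery key is rejected by the GCM authentication tag, so a failed restore leaves the device exactly as wiped as before. The caveat this design carries is the one the thread keeps circling back to: the escrow copy of the DEK is now as sensitive as the device contents, and whoever can pass the restore check can read everything, so the strength of the whole scheme rests on the identity verification in front of that restore rather than on the wipe itself.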
Re: (Score:2)
Fair enough.... are there *ANY* other remotely legitimate reasons for that?
Because if not, then *any* attempt to remote wipe a device should have an accompanying police report that can be correlated with the police report filed by the victim, and which would supplement it with all the evidence relevant to the wiping that can be obtained, including the reported IP address of the wiper, and the reported geographical location of the device at the time it was wiped.
Re: (Score:2)
There are differences. One is Google is not goading people into using its cloud with a walled ecosystem. And in Android:
"A remote wipe removes all device-based data like mail, calendar, and contacts from the device, but it may not delete data stored on the device's SD card."
Re: (Score:2)
Except for the you-must-give-RIM-your-email-password-to-get-email bit, sure. And that's ignoring all the limitations of their email system.
I really did like my BlackBerry in terms of the control provided to the subscriber -- as opposed to the retarded model on Android/iOS where the app developer decides what permissions are necessary -- but I don't see how trusting RIM is more secure than trusting Apple/Google/etc.
Re: (Score:2)
Credit cards themselves are of course woefully insecure. We need a better payment system.
Re: (Score:2)