
The weakest link by far is Apple - rsobers
http://www.marco.org/2012/08/07/how-apple-and-amazon-security-flaws-led-to-my-epic-hacking
======
danso
How is Apple the weakest link in this? According to Honan's account, Amazon
was equally, if not more, weak in its verification processes:

[http://www.wired.com/gadgetlab/2012/08/apple-amazon-mat-honan-hacking/all/](http://www.wired.com/gadgetlab/2012/08/apple-amazon-mat-honan-hacking/all/)

> _First you call Amazon and tell them you are the account holder, and want to
> add a credit card number to the account. All you need is the name on the
> account, an associated e-mail address, and the billing address. Amazon then
> allows you to input a new credit card. (Wired used a bogus credit card
> number from a website that generates fake card numbers that conform with the
> industry’s published self-check algorithm.) Then you hang up._

> _Next you call back, and tell Amazon that you’ve lost access to your
> account. Upon providing a name, billing address, and the new credit card
> number you gave the company on the prior call, Amazon will allow you to add
> a new e-mail address to the account. From here, you go to the Amazon
> website, and send a password reset to the new e-mail account. This allows
> you to see all the credit cards on file for the account — not the complete
> numbers, just the last four digits. But, as we know, Apple only needs those
> last four digits. We asked Amazon to comment on its security policy, but
> didn’t have anything to share by press time._

At least to get into the Apple account, you need the credit card on file. For
Amazon, you can _send a fabricated credit card number_ and get complete access
(because you can add a new email account, to which you then send a password
reset).

Apple just seems like the worse player because Mat Honan put so much power
into the hands of iCloud. If Honan was in charge of administering enterprise
services using Amazon's EC2 services, and hackers used his account to wipe out
everything (or compromise corporate security), everyone would be calling out
Amazon.

_Edit:_ I haven't seen this fact mentioned much, but Honan's billing address
was compromised through a WHOIS lookup on his domain. This is a huge reason to
use registry protection services. It's true someone could look you up using
things like Pipl and Spokeo, but that's only if you have something in public
records, such as a mortgage (or, in some cases, leases).

Honan is in an especially tough situation because of the uniqueness of his
real name.

~~~
pja
The level of security you apply to a service ought to be proportionate to the
potential loss. Apple have failed here completely, providing a woeful level of
security for a service where the potential cost (loss of all user data) for
the end-user is very high.

Amazon on the other hand doesn't (potentially) have the power to wipe your
machines and cause havoc. If someone compromises your Amazon account, then
worst case they can order goods in your name to be sent to you & Amazon will
be out the cost of shipping and re-selling those goods, plus the cost of any
chargebacks if they mess you about refunding your credit card. In other words,
the risk here lies with Amazon, not the end-user, so they are rightly free to
set the level of security applied to Amazon accounts to whatever they feel
meets their goals.

It's not Amazon's fault that the 4 digits that the credit card companies
decided that it was ok to leave on your receipts are precisely the four digits
that Apple accepts as evidence that you own the card in question. The fault
lies with Apple for accepting data that you leave behind every time you make a
purchase with your credit card (it's printed on every credit card receipt you
leave behind at the local pizza joint IIRC) as being suitable evidence to
permit an anonymous caller access to an Apple account.

Now, if Amazon applies the same level of security to accounts with personal
data or other costs to the end-user (cloud drive, Amazon S3 or EC2 accounts
and so on) then you'd be right to lay into them. Does anyone know if that's
the case?

~~~
rjsamson
Well, if you have AWS linked to your amazon account I would imagine this could
be disastrous...

~~~
jonknee
AWS supports two factor auth among other ways to secure your account.

------
alanh
It’s getting pretty annoying that Marco is _consistently_ able to recap
yesterday’s top tech news item, _add no insight,_ and hit the top of HN.

Or am I missing something? Is there value added in this process? Or do these
concerns end up reaching a much wider audience?

~~~
debacle
We like rehashing old news to feel better about ourselves.

Put another, less inflammatory way, Hacker News tends very highly towards the
ephemeral. I would argue certainly more highly than reddit and possibly even
more highly than something like 4chan.

This creates a detrimental effect because the discussion around these news
stories is more long-lived than HN (the discussion vector) would let us
believe.

This creates something I'd call the Hacker News Timeshift - blogspam based on
yesterday's news _purely_ on the off chance that the generated blog post will
act as a vector for spurring the truncated discussion, thus generating plenty
of ancillary or almost coincidental traffic to the blogspam.

Anyone who visits the new stories page once a day will see this effect in
action for roughly 50% of the stories that were on the news page yesterday.

~~~
frou_dh
Nice observation. I buy it, but question how often authors have that specific
intent in mind vs. unaffiliated submitters and voters creating the narratives
with what they can find. Who knows? There's a chance Madonna^WMarco himself
might not be targeting the HN masses with his latest post.

Regardless, it's finally dawning on me that the never-ending stream of Apple
punditry is a fucking bore, including the "high quality" sources in the echo-
chamber such as DF and 5by5.

~~~
debacle
Hacker News, in general, is a fucking bore. The nice thing about being random
access is that you can be highly selective in both the stories that you read
and the discussions you participate in.

------
debacle
Apple's performance here is inexcusable for a software company. It displays
either a complete disregard or a complete lack of understanding of basic
security.

~~~
ajross
I think that might be too harsh. For people like us, customer service policies
aren't normally included in "basic security". Obviously they should be. But my
guess is that this kind of vulnerability exists all over the world in all
sorts of industries.

In the US, at least, regulated banks have some security requirements that
might prevent this (though I'm not sure). But outside of that my guess is that
it's routine for a customer service agent to be able to make any modification
to an account they want, without an extra authentication factor or
supervision.

So yes: blame Apple. But be wary, they can't possibly be the only ones.

~~~
equalarrow
Yes, definitely blame Apple, no doubt about it. I'm still a little shocked
that the last 4 cc digits constitute 'security'. An easy alternative - which
I think they already have - is the whole two security questions thing. I would
feel much better - as a customer - if they used those.

This type of thing is going to happen more and more and the fact that remote
wipe of all the devices happened totally negates any advantages of using cloud
services. I mean, what's the point of having everything backed up remotely if

a) the backup is not current

b) the same remote servers can wipe your devices at any time

In addition, it's possible the remote backups could be removed as well
(although not sure about that for iCloud) and in that case, you might as well
not back anything up and have a hard drive die (at least that could be
recovered I suppose).

Apple needs to jump out in front of this asap and announce a policy change in
regards to security in order to put people at ease. I'm glad this is making
waves and I think there needs to be more noise about it in order to get them
to change.

~~~
pooriaazimi
Well, if he had a backup (either remote or local) it wouldn't have mattered.
It would mean a few hours spent with Time Machine, but he wouldn't lose his
data. And a remote backup should not be "removable".

Also, don't ever expect Apple to do anything ASAP. Even if the whole world
shouts at them, they won't say anything. They take their time to (hopefully)
think this through.

~~~
bruceboughton
>> Well, If he had a backup (either remote or local) it wouldn't have
mattered.

For this specific thing, no. But this was a fairly blatant act by the hacker.
What if they silently read your iCloud mail, or used the Find my iPhone
functionality to stalk you?

~~~
pooriaazimi
They couldn't _silently_ do anything. They won't give you passwords, they give
you the ability to reset it. If the hacker were to reset it, the reporter
would notice (as he wouldn't be able to use his account anymore). And I think
Find my iPhone would cease working if the password saved by the app does not
match what's stored in the cloud (i.e. hacker's bogus password).

In the case of cookie sniffing, Google shines. They show you the IP addresses of
people who have used your account recently. If you (or they) spot a stalker,
you can reset the password. I don't know how effective that could be with 3G,
but at least

\---

That said, it's no secret that Apple's password system is absolute garbage. I
had to reset it 5 times last month because someone was trying to get to my
iCloud account (probably brute-force). Apple would de-activate my account and
would require me to re-enter security questions and choose a "new" password
that I haven't used in the past year. And every time I had to spend an hour
typing the new password in my various devices. AND I WOULDN'T RECEIVE MAILS IN
THE MEANTIME. Just ridiculous.

------
crazygringo
This whole saga proves it's too hard for companies to implement effective
security policies on their own.

What's needed right away is a "badge of security approval" from an independent
third party, which verifies not just the technological side, but the customer-
service side too. Including things like:

- password policies (e.g. not limiting to 16 characters)

- hashing and salting passwords

- standards for security questions (these are usually so horribly written)

- standards for identity verification if you've forgotten password AND
security question answers (most sites will not be big enough to bother with
this, so you just lose your account, but Facebook/Apple/Google/etc. need to
have a common model, so inconsistencies between companies can't be exploited)

- policies for sending out password-reset emails, adding/changing e-mail
addresses, with appropriate user notification

- waiting periods between changing emails and passwords, so you can't just go
and change everything about an account all at once

- special unique privileges to initiate operations that can delete large
amounts of data (like a special second password, or extra security questions,
for deleting your account, remote wipe, etc.)

These are just vague ideas off the top of my head, not an actual proposal. But
we really need a set of "best practices", and a way of identifying that
companies are actually following those best practices.

A secure "lock" icon in the browser bar is no longer enough.
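The waiting-period, change-notification and "special second password for destructive operations" ideas from the list above, modelled as a small policy engine. This is an added example, not code from the thread or from any of the companies discussed; the function names, the 48-hour cool-down and the replayed scenario are all assumptions.

```python
# Added example (not from the thread): a toy account policy that notifies the
# previous address on e-mail/password changes, starts a waiting period after
# any sensitive change, and gates remote wipe behind a separate passphrase.
# All names, durations and the scenario data are assumptions.
from __future__ import annotations
from dataclasses import dataclass, field
from datetime import datetime, timedelta
import hashlib
import hmac
import os

COOLDOWN = timedelta(hours=48)   # assumed waiting period after a sensitive change
PBKDF2_ROUNDS = 50_000


class PolicyViolation(Exception):
    """Raised when an operation is refused by the account policy."""


def hash_secret(secret: str, salt: bytes | None = None) -> tuple[bytes, bytes]:
    """Salted PBKDF2-SHA256; returns (salt, digest)."""
    salt = salt if salt is not None else os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", secret.encode(), salt, PBKDF2_ROUNDS)


def verify_secret(secret: str, stored: tuple[bytes, bytes]) -> bool:
    salt, digest = stored
    return hmac.compare_digest(hash_secret(secret, salt)[1], digest)


@dataclass
class Account:
    email: str
    password: tuple[bytes, bytes]
    wipe_passphrase: tuple[bytes, bytes]   # separate credential for remote wipe
    cooldown_until: datetime | None = None
    notifications: list[tuple[str, str]] = field(default_factory=list)  # (recipient, text)
    audit: list[str] = field(default_factory=list)

    def in_cooldown(self, now: datetime) -> bool:
        return self.cooldown_until is not None and now < self.cooldown_until

    def sensitive_change(self, now: datetime, recipients: list[str], text: str) -> None:
        # Every sensitive change notifies the listed addresses and (re)starts the
        # waiting period, so nobody can change everything about the account at once.
        for recipient in dict.fromkeys(recipients):
            self.notifications.append((recipient, text))
        self.cooldown_until = now + COOLDOWN
        self.audit.append(f"{now.isoformat()} {text}")


def create_account(email: str, password: str, wipe_passphrase: str) -> Account:
    return Account(email, hash_secret(password), hash_secret(wipe_passphrase))


def change_email(acct: Account, new_email: str, now: datetime) -> None:
    old = acct.email
    acct.email = new_email
    # The *old* address is told too, so the real owner learns of a hijack.
    acct.sensitive_change(now, [old, new_email], f"email changed {old} -> {new_email}")


def reset_password(acct: Account, new_password: str, now: datetime) -> None:
    acct.password = hash_secret(new_password)
    acct.sensitive_change(now, [acct.email], "password reset via account recovery")


def remote_wipe(acct: Account, passphrase: str, now: datetime) -> str:
    """Destructive operation: refused during a cool-down or without the wipe passphrase."""
    if acct.in_cooldown(now):
        raise PolicyViolation(f"remote wipe refused: account in cool-down until {acct.cooldown_until}")
    if not verify_secret(passphrase, acct.wipe_passphrase):
        raise PolicyViolation("remote wipe refused: wrong wipe passphrase")
    acct.audit.append(f"{now.isoformat()} remote wipe executed")
    return "wiped"


def hijack_scenario() -> dict:
    """Replays the sequence discussed in the thread (recovery reset, e-mail swap,
    wipe attempt minutes later) against this policy. Constructed data."""
    t0 = datetime(2012, 8, 3, 17, 0)
    acct = create_account("owner@example.com", "correct horse", "wipe-only phrase")
    # Assume the recovery process was defeated, as the thread describes ...
    reset_password(acct, "attacker-pw", t0)
    change_email(acct, "attacker@example.net", t0 + timedelta(minutes=5))
    result = {"wiped": False, "refusal": None}
    try:
        remote_wipe(acct, "attacker-guess", t0 + timedelta(minutes=10))
        result["wiped"] = True
    except PolicyViolation as exc:
        result["refusal"] = str(exc)
    # ... but the owner's old address was notified and has the cool-down to react.
    result["owner_notified"] = [t for r, t in acct.notifications if r == "owner@example.com"]
    # After the waiting period, only someone holding the wipe passphrase can wipe.
    later = acct.cooldown_until + timedelta(minutes=1)
    result["owner_wipe_later"] = remote_wipe(acct, "wipe-only phrase", later)
    return result


if __name__ == "__main__":
    print(hijack_scenario())
```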

~~~
danweber
I think "Security questions" need to be completely destroyed and the earth
salted. Then we have a long talk about them before bringing them back in a
very careful, limited format.

Bank Of America is horrible in this. First off, if someone else tries to log
in using your username 3 times, it locks you out of your account. You need
access to your email to get back in.

But it demands you re-create three security questions after that. I chose a
simple username so other people stumble across it a lot. So I have to go
through this process frequently, and there is nothing I can do to stop it.

How securely are they storing this PII? Probably not at all. I try to give the
exact same questions and answers every time to limit what BoA knows about me,
but someone compromising my BoA account might be able to learn that
information and use it to cascade attacks into other services. (They display
my secret questions and their answers to me in plaintext.)

~~~
jeltz
There is no reason for banks to have any security questions at all, or even
passwords. They can mail security tokens to all their customers and rely on
the postal office validating the identity of the customer. And if the security
token breaks or is lost they can just mail a new one.

This is what all or virtually all Swedish banks do.

Only websites where the users need instant access or you have a low profit per
user cannot afford security tokens. Banks are obviously not included here.

~~~
makomk
No, they can't rely on the post office. The workers there aren't paid that
well, after all, and some of them would probably be quite happy to take money
on the side to make a few security tokens disappear into the hands of a
fraudster.

~~~
wonderzombie
They already send credit and debit cards in the mail. Is this substantively
different? Do we have widespread problems of postal workers stealing credit or
debit cards? What's in place to prevent that, and why couldn't the banks use
similar measures with an OTP device?

------
shawnc
I don't know where else to bring this up, and had no idea how to discuss it
when it happened. So I'll do it here, in this excellent thread of Security
discussion.

Dropbox doesn't send an email notification, or anything of the sort, when
adding a computer to your Dropbox account.

I discovered this, when one day I realized some of my files in Dropbox were
deleted. Specifically my 1Password file.

I logged in to check things out, and discovered that there was a weird
computer added to my account. I promptly changed my password to dropbox, did a
recovery of my 1password file, changed the master password of that, then went
through and changed passwords of my most important information stored in
1password.

The fault lay with me, in that my dropbox account was still using my temp
'testing this service out' password I'd used when I first signed up. Stupid
me. My 1password master password was already very strong so I wasn't highly
concerned.

What ticked me off was that there was absolutely no notification or
verification process when adding a computer to your Dropbox account! I wrote
Dropbox, and their only response, after MANY days, was 'make sure your
password is strong'.

~~~
rogerbinns
On the security page you can turn on email notifications for system additions:
<https://www.dropbox.com/account#security>

On your account page you can enable RSS feeds. The home page then has a link
to the feed, which I have in Google Reader. It includes all file changes, as
well as machine additions and removals.

~~~
shawnc
The email notifications for System additions most certainly didn't exist when
I wrote Dropbox about it. I did however, know about RSS but didn't choose to
use that as a notification system (and wasn't aware it notified about machine
additions or other system stuff).

Thanks :)

------
brudgers
Leaving aside Apple's choices regarding the degree of security employed to
protect their customers, this would be a non-story but for the fact that Apple
decided to treat Honan's Macbook as if it were an iPhone.

Email accounts get hijacked, phones lose data, and impersonation happens on
Twitter. A blog post about one of these or all in combination may make the
front page of HN, but unless the writing is compelling (and in this story none
of it is), it will not persist there.

This story is a story because the Macbook was wiped remotely. That's what's
scary. Losing data on a phone or iPad will never potentially entail the loss
of years of work. They are second and third devices, and intended primarily
for consumption not creation.

It's our computers which hold our work (and as this story shows, moving it to
"the cloud" may not offer significantly greater protection). An architect
doesn't store her design on her iPhone, nor a developer her code, nor an
entrepreneur his company's books. Our computers tend to hold important parts
of our lives. They are the tools we use to create and retain our work.

Apple forgetting that for the sake of a consistent sales sheet across product
lines is really the heart of this story's traction.

Remote wiping at the flick of a switch is a bug, not a feature in the consumer
world.

------
smoody
four digits are worthless. somebody was able to get the last four digits of my
social security number (how many times have we given that info to customer
service reps thinking it's "safe?") and used the digits to open a credit
account on BillMeLater (yes, they did not require the full social security
number to open an account). they then started buying stuff (nike shoes -- why
doesn't that surprise me?).

the _only_ reason i discovered this is because they didn't have my real email
address and BillMeLater called me to tell me they needed me to update my email
address. so, we also know that they don't even require email address
authentication. now all of my credit reports are locked. i recommend everyone
do the same.

sorry to hijack the discussion, but wanted to provide another "4 digits suck"
example.

~~~
kwamenum86
Why doesn't it surprise you?

~~~
jlgreco
People go to stupid lengths to get them. They are a luxury good that is just
cheap enough that a lot of people can realistically desire them, but just
expensive enough that people will do stupid things to get them, instead of
just paying for them.

------
vibrunazo
> It’s appalling that they will give control of your iCloud account to anyone
> who knows your name and address, which are very easy for anyone to find, and
> the last four digits of your credit card, which are usually considered safe
> to display on websites and receipts.

Not trying to defend anyone. But has this been reproduced enough to
confidently say they'll give control to "anyone"? Or was it just an employee
mistake not following the policies in place? It would be a mistake on their
part either way, but I'm just trying to understand what the mistake was.

~~~
knowtheory
If you read the Wired article by the fellow who was hacked
([http://www.wired.com/gadgetlab/2012/08/apple-amazon-mat-honan-hacking/all/](http://www.wired.com/gadgetlab/2012/08/apple-amazon-mat-honan-hacking/all/)),
yes, Apple does this as a matter of policy, and even after
Apple assured the author that this was not policy, Wired went and tested the
method on two separate occasions and was able to gain access to other folks'
iCloud accounts.

Quote:

_On Monday, Wired tried to verify the hackers’ access technique by performing
it on a different account. We were successful. This means, ultimately, all you
need in addition to someone’s e-mail address are those two easily acquired
pieces of information: a billing address and the last four digits of a credit
card on file. Here’s the story of how the hackers got them._

------
tav
Even if Apple fix the account recovery process, the fact that any flaw in
iCloud security could easily lead to all attached devices getting remotely
wiped is extremely scary. All of your work gone in moments!

Don't get me wrong, remote wipes are useful. But they should be protected by
some kind of a "Remote Wipe Authorization Passphrase" that the user must set
up. Otherwise we are all simply at the mercy of the next access control
vulnerability in iCloud.

~~~
danso
I disagree. The onus is entirely on the user to back up his/her data.

Don't use remote wipe unless you have a backup solution. I mean seriously, the
very concept of remote wiping, whether intended or not, should make you buy an
external hard drive and activate Time Machine. Because a remote wipe could
happen in a database-server glitch on Apple's part, which would presumably
bypass a passphrase mechanism. So why leave your data to chance?

But the other reason to not have a passphrase...what is the purpose of having
a remote wipe? Because you are paranoid that not only someone will steal your
laptop, but that they'll steal the data. Depending on your work situation,
time could be the main factor here. What happens if you forget your
passphrase...because really, how often are you going to be using that
passphrase? Then you've given your robber minutes/hours to access your data.

Just to be clear, the verification process is still incredibly flawed on
Apple's part, and the remote-wipe problem should not have happened in the
first place. But enabling any kind of remote-wipe-power without thinking
through the backup process is Honan's fault, as he admits in his article.

~~~
tjoff
I don't agree. You should have backups regardless, and the odds of your laptop
drive just giving up, or it falling to the floor or getting stolen, should, in any
universe, be way higher (regardless of usage) than a "database-server
glitch" on Apple's part.

Yes, you should backup but for way more important reasons than enabling remote
wiping.

~~~
danso
No argument there...but I'm just saying, remote wipe does what it does. Is
there any consumer out there who enables it without realizing that it indeed
allows the destruction of your device's data from "the cloud"? I assume that
the average consumer is sufficiently paranoid about these kinds of
technologies going awry...a database-server glitch is improbable, but don't
you think the average consumer assumes otherwise?

~~~
makomk
Apparently remote wipe is enabled by a little innocent-sounding checkbox
labelled "Enable Find My Mac", so consumers have almost certainly enabled it
without realising that it allows their data to be wiped by a poorly-secured
cloud system.

------
bilbo0s
Quick question for HN'ers... does anyone actually feel safe using cloud
services for personal data storage?

In the interest of full disclosure... I can barely muster trust enough for
gmail. Actually, I don't trust gmail, which is why I don't use it for anything
important or personal. I certainly would not put my child's photos onto a
cloud service and expect them to be safe. And from what I understand, these
people put, not only their data on iCloud, but their ACTUAL DEVICES are
administrable from iCloud. That seems insane to me. It seems that this is the
inevitable result of any such system.

I guess I am just a bit surprised at the surprise being expressed here. USB
drives are not THAT horrible are they? They seem, to me, far more reliable
backup methods.

~~~
rwallace
You need to have your stuff backed up to the cloud (in case your house burns
down) _and_ to a USB drive (in case your account is compromised). Neither is
adequate by itself.

~~~
reinhardt
I hear the "if your house burns down" line often and I can't tell if it's
meant literally in this context. I'd think that at least for most regular
folks, if their house and everything in it was turned to ashes, the last thing
they'd cry over would be their, say, iTunes collection or mostly useless email
archives hoarded over the last ten years.

~~~
wonderzombie
It's more likely they'd be upset over losing photos of their child growing up,
for instance. Or if they've digitized, say, financial records.

I mean, yeah, obviously the primary concern would be "oh my god my house burnt
down." But if you can minimize the repercussions by putting digital stuff
which is important to you offsite, maybe that's something to be _relieved_
about.

------
smackfu
It's also interesting that for Amex cards, that part of the card number is
very structured. The middle two of the last four are almost always 00 or 01
since it is just incremented for reissued cards.

------
robomartin
Nothing is 100% guaranteed secure. Let's start there.

As far as password recovery, I would like to see something more "physical", if
you will. For example, Apple charges a small random amount to the CC on file
and you have to come back and give them the amount.

A fingerprint scanner on every iPhone could be interesting.

I think the reality is that nearly all but the most safety conscious/paranoid
hackers reuse easy-to-remember passwords across a multiplicity of sites. Some
might have two or three passwords to fence-off, say, financially related
logins from non-financial stuff. Still, the vast majority of Internet users
are probably in the first group with a simple password across every single
login they have. That's the problem. And, with such tools as Facebook logins
you also have a situation where discovering one login gets you in to all manner
of sites.

How do you protect Mom, Dad and Uncle Fester from this? You are not going to
turn them into computer scientists or security experts. No, they are not going
to create and remember fifteen different thirty-two character passwords with a
mixture of alphanumerics and symbols. That's just not going to happen.

Not sure what the solution might be at this point. The Internet, due to the
nature of its organic evolution does not have an underlying security construct
that is, for lack of a better word, bulletproof.

------
griffindy
I can't think of a time when I didn't see the last four digits of my credit
card on a receipt. This is a totally boneheaded move on Apple's part.

~~~
hartez
Sadly, I can :)

Just a few years ago I looked at my receipt from a local Dairy Queen and it
had all _but_ the last four digits printed on it. I complained to the guy
behind the counter, who didn't see the problem.

I assume most new POS systems nowadays don't even have the option to print
anything but the last four, but there are still some out there in the wild
which do. Which is why I still shred all my receipts.

~~~
lmm
It really shouldn't be a problem. In my teenage years I could memorize a
16-digit number from seeing it once; I can't be the only one. If credit card
security depends on keeping the big number printed on the front secret then
it's doomed to failure.

~~~
devcpp
Did anyone ever show you his credit card "okay but just once"? I doubt so. The
big number is indeed supposed to remain as secret as possible to avoid
trouble.

~~~
jlgreco
Ever use a credit card? You are almost always handing them over to other
people; often times they even leave the room with it for several minutes.

~~~
desas
In the UK at least you should never have to hand it over. You insert them into
the chip and pin device yourself. A lot of places will do this for you but
only in plain sight.

~~~
jlgreco
Well, in the US it is common to hand your card to servers after your meal who
will then carry it off to the register (wherever that may be, usually not
visible) and bring it back to you with a receipt.

The UK may have a better protocol, but that doesn't change the fact that for a
significant population, the number on the card is really anything but private.
Certainly Apple should know this, being based in the US...

This is usually ok since credit card companies have the whole fraud thing
figured out for the most part. It only becomes "not ok" when companies like
Apple make them into something that absolutely _needs_ to be secret.

------
chris123
RE: "At the bare minimum, for this level of recovery that bypasses security
questions, they should require confirmation of the entire credit-card number
and verification code."

That's still a fail because your wallet probably contains credit cards,
which have your name and credit card number, obviously. And driver's licenses
in the US, as far as I know, include an address. So it's all there. You're
screwed.

What is necessary is 2-factor authentication, which is what a lot of us have
been saying for a long time (I wrote this blog post in 2009, after another
Twitter-related hacking: "Why The Twitter Breach Is Bullish for Two-Factor
Authentication": [http://chrisco.wordpress.com/2009/07/16/why-the-twitter-breach-is-bullish-for-two-factor-authentication/](http://chrisco.wordpress.com/2009/07/16/why-the-twitter-breach-is-bullish-for-two-factor-authentication/)).
If not 2-factor, at least don't make
recovery possible with things so easily obtained, such as information from
items typically contained in a person's wallet.

~~~
ams6110
My thought is that they should additionally charge a fee for this, using a
card that passed name, zip code, and CVC checks. Now you have a higher bar to
fake your way over, and in addition whatever laws were broken by the
perpetrator, he would have credit card fraud as well, and that's something
that prosecutors, courts and juries can understand a lot more easily.

------
dfc
Why is this at the top of HN? Just because it's from marco? There is nothing
new in the article. Can a moderator please change the title to the actual title
of the post "Apple and Amazon Security Flaws Led to Mat Honan’s Hacking"? The
current title is just linkbait for people that thought it was a general
discussion about apple's weaknesses from marco.

------
kaffeinecoma
Does "remote wipe" also wipe attached drives, or just the system disk? It
would really suck to also lose your Time Machine backups that way. I alternate
my TM backups between several disks, leaving one of them off-site in case of
catastrophe, but I'd still lose a good chunk of data if remote wipe targets
attached volumes.

------
tomp
Instead of a remote wipe, what they should do is a remote encryption. Generate
a pair of public/private keys, use the public one to encrypt the data, and
destroy the private one after a month or so. Encrypted data is
indistinguishable from random data, but at the same time, the user can get it
back.

~~~
tjoff
_When you perform a remote hard drive wipe on Find my Mac, the system asks you
to create a four-digit PIN so that the process can be reversed. But here’s the
thing: If someone else performs that wipe — someone who gained access to your
iCloud account through malicious means — there’s no way for you to enter that
PIN._

From: [http://www.wired.com/gadgetlab/2012/08/apple-amazon-mat-honan-hacking/all/](http://www.wired.com/gadgetlab/2012/08/apple-amazon-mat-honan-hacking/all/)

But ultimately, if the attacker has the ability to remote wipe/encrypt your
device he/she is probably in control of any keys required to undo it.

~~~
tomp
The way I would do it, if I were Apple, I would keep the keys myself and
require the customer to go to the store, personally, with their
wiped/encrypted device, and present some proper form of ID, for the sales rep
to undo the wipe.

------
Zenst
I have one question as I'm not aware of any - has anybody had their BlackBerry
hacked and remotely wiped?

What proportion of share price is affected by security, as that is all a
company really cares about.

Now maybe the whole credit card system that we have is at fault - one number
to rule them all to pay for things. Maybe if we had a system where we could
give each transaction a unique number that was unique to each vendor you
used. Then if that number is leaked it would be clear where it leaked from and
only affect the people who leaked it. Until then there are disposable credit
cards.

If Apple only accepted Apple credit cards and if Amazon only accepted Amazon
credit cards, then this would not have happened. Can see what the outcome of
this will be and people will still complain.

------
ashray
AFAIK almost every bank in India has now been ordered by the government to use
2 factor authentication. What's more, a specific bank I use has also included
an interesting approach against phishing attacks.

You are basically assigned an access phrase and access image. They ask you to
look at these two things and know what they are. Then, when you visit the site
you enter ONLY your username. Once you click submit you're shown your access
phrase and access image. If this were a phishing site, there is a high chance
that your access phrase and image wouldn't match so you'd know to GTFO.

This is followed with a 2 factor authentication. Pretty solid IMHO :)

~~~
sigkill
Bank of America has been doing this for over 3 years. It's called SiteKey.

But iirc certain banks in India have an alphabet board behind the card with
letter-number pairs, right? Something like A-14 B-65 and so on. Then they just
ask you to enter 3 random boxes.

------
PsyGeek
The title of this article is completely misleading. It really is astonishing
how the author is primarily targeting Apple to be at fault here. While
protecting customer information is a top priority for reputable companies such
as Apple, you cannot equate one non-diligent AppleCare employee to the entire
organization. Clearly, the AppleCare employee that was easily socially-
engineered did not follow standard operating procedures. For the record, the
"hackers" who destroyed Honan's digital life should be prosecuted. It's sad
that Honan is letting these young punks get away with their malicious and
unethical acts.

~~~
eropple
"Astonishing how the author is primarily targeting Apple"? Do you even know
who Marco _is_? He's constantly accused of being an Apple fanboy. If anything
he's biased _for_ Apple.

The idea that "one non-diligent AppleCare employee" did this is reality-
averse. Wired managed to duplicate what happened to Mat after-the-fact using
other people's details. Even if you were correct, "one non-diligent AppleCare
employee" should not be _able_ to do what this employee did (apparently in
accordance with policy, FWIW). A company that cared about security would not
allow it.

So you can put down that water you're carrying (boy, does it look heavy!) any
time you'd like.

------
antidaily
Obviously. And yet, you have to admire the sneakiness of the hacker to even
think of something so simple. If nothing else, this whole fiasco called
attention to a terrible system that's probably already been changed by Apple.

~~~
sp332
It's not "creative" to think of this. Sarah Palin's email was "hacked" by
someone who looked up her security questions in Google.

~~~
danso
And Paris Hilton's phone was hacked because her security question was the name
of her dog.

------
mikesun
What if Apple provided some sort of 2-factor auth that you had to verify with the
phone rep? Like they'll send you an email or sms and you verify the code back
to the rep?

------
PanMan
I think this will result in Apple selling less apps: People will set a way
better password on their Apple account, and since you need the same password
to buy $1 apps (every time!) as you do for remote wipe, people will buy less
apps. They should probably have several levels: one simple PIN code for less
intrusive stuff, and a lot of checks for the remote wipe (or expensive
purchases).

------
kmfrk
I don't know how this whole affair reflects on Apple as a company, but this
seems like Apple's best opportunity to let users know whether it should be
taken seriously as a cloud service and specifically e-mail provider.

------
rmc
The EU has data protection law which means companies that store personal data
are legally obliged to protect it. I wonder if Apple are in breach of the law
here? Will someone affected make a complaint?

------
ma2xd
The last four digits are the ones on almost any receipt from a payment done
with credit card which is not censored. And all the other info is in the
phonebook or other places on the net.

------
chris_wot
Oh wonderful. Replace one set of weaknesses with something much, much worse -
allowing any customer service rep access to your entire credit card (including
CCV)!

I do like his second idea though.

------
Zenst
Weakest link is having a chain of events that prevent you from doing a backup.
Two phrases that spring to mind "back don't fudge up" and "trust nobody".

Remember time beats all security.

------
livemyjourney
Name, Address and last 4 digits of your credit card... Seems like one would be
screwed if you lost your wallet with your DL in it.

