
Hackers got access to Mat Honan's iCloud account by calling Apple Support - _frog
https://twitter.com/mat/status/231958263149764609
======
jacques_chester
There's a lot of verification steps that are bunk.

Full name? Home address? Available from the electoral roll in Australia. Phone
number? Look it up. Date of birth? Check with the Registrar of Births, Deaths
and Marriages. Mother's maiden name? Ditto.

Too many of these verification questions rely on shared secrets that ...
aren't secrets.

~~~
gojomo
...and it's getting worse with all the extra 'security questions' random sites
now ask. Why do I have to drop all these obscure-but-not-really-secret details
into all these databases? Are they all guarding them as well as a salted-hashed
password? Do I now have to give them all unique fake answers lest it become
another path-of-least-resistance for compromise?

~~~
suresk
They really are horrible. When I'm given a small list of questions to choose
from, they generally fall into three buckets:

- Completely non-applicable (I'm not married and don't have any kids or pets)

- Transitory and inane (I don't really have a favorite meal or movie, and if
I did, who is to say it will be the same forever?)

- Rely on information that is relatively easy to figure out (birthplace,
high school mascot, mother's maiden name, etc)

Security questions alone should never be sufficient to reset a password or
gain access to an account, and I'm not really sure they add a whole lot in
other contexts either.

~~~
mmariani
I find them horrible as well. That's why when I'm given the opportunity to
write my own questions I always do so. Then in this security theater I
hopefully am a little bit safer than most people that just pick a question
from a list.

On a side note, one of these days I got really scared when a reputable
credit card company asked me for one of these security questions. WTF?!

------
epaik
It's easy to forget that social engineering is one of the oldest and easiest
ways for a hacker to get access to a system.

~~~
mturmon
So true. Speculation in the original comment thread
(<http://news.ycombinator.com/item?id=4337938>) included MITM attacks,
keyloggers, sleeper programs left over from an earlier (known) break-in, brute
force, etc.

Most of the ideas batted around were technical in nature and somewhat
advanced.

------
celerity
This is just a good reminder to treat all cloud services out of your control
as semi-public.

------
feefie
"Wow. Okay. So I've confirmed with both the hacker and Apple how this
happened. Was via a phone call to Apple tech support."

There should be enough of a trail to track down the hacker and have him
charged, right? The call to Apple would be logged by at least the telephone
company, wouldn't it?

~~~
fuzzleonard
You subpoena the phone company for that kind of information when terrorism is
involved. This is more like having your bicycle stolen. There is not going to
be a CSI team, fingerprinting, detectives, interrogations or high-speed car
chases.

Apple's call center probably has the CLID of the caller logged, but equally
probably that person called from a prepaid cell phone.

~~~
iamdave
_There is not going to be a CSI team, fingerprinting, detectives,
interrogations or high-speed car chases._

Sure, probably not from the police. But I will put down the rest of my year's
salary that Apple will be investigating like all hell how this happened and
taking all kinds of steps to make sure this _never_ happens again. Whether or
not it actually will is a different story.

~~~
fauigerzigerk
I would expect so, but catching the guy who did this isn't necessarily part of
it.

------
Zenst
So question is now, what are Apple doing about it given the impact. Think they
said it would take a lot of forensic work to restore the iMac as well, I've got
the popcorn ready to follow this one.

~~~
taligent
The iMac is gone.

The remote wipe would be equivalent to a format so you may be able to get some
data back but most of it would be unusable. I don't think Apple can do much
about not having a backup. What Apple probably needs to do is have a popup to
remind people to back up when they switch on the Find My Mac feature. But I
doubt they can do more than that.

~~~
fuzzleonard
Even if Apple could recover the data by doing so they would be admitting their
remote wipe feature is worthless.

I rather doubt they will add a "I see you have enabled Find My Mac--you better
back up your system because we will give any random idiot who calls in access
to wipe your hard drive. Thanks for choosing Apple!" popup, though.

~~~
r00fus
Useless? No, flawed, but if the guy has backups like most folks should - he'd
have been fine.

Apple even makes it easy with Time Machine - they can't be faulted for the
wipe (I don't have this on my Mac - I just use disk+memory encryption).

Apple can be faulted for allowing the security breach.

------
tzs
Suppose a Mac has multiple drives. Say, two internal drives and an external
drive. Does remote wipe just wipe the boot drive, just the internal drives, or
all the drives?

------
thornofmight
At the very least Apple should pay to have professional forensics restore the
lost data.

~~~
gcr
Why should they treat this person any different than their other paying
customers?

The remote wipe isn't the root issue here.

~~~
thornofmight
Isn't the root issue the fact that Apple's lax security allowed the hacker to
do the remote wipe?

------
lostlogin
How?

------
drivebyacct2
I find it hilarious that Apple wants to store my File Vault decryption key and
hide it behind three security questions.

------
rogerchucker
I'm totally lost now.. look at the last line on the screenshot of Mat's Gmail
inbox. Seems like they reset the password through iforgot.apple.com since
instructions were emailed? Or was that just an attempt?

------
rogerchucker
Wait a bloody minute... if you are calling about iCloud password, wouldn't
Apple's tech support automatically suspect why the caller isn't going to
iforgot.apple.com instead? I mean it doesn't make sense if the person calling
says "Oh I badly need the iCloud password, but I don't have access to a
browser".

On the other hand, if the person said "yes yes I tried iforgot.apple.com but I
can't seem to remember any of my security answers/email address used", then
that should naturally raise suspicion in the mind of the Apple tech support
person, right??

~~~
lallysingh
Nope, lots and lots of Apple customers who aren't techs.

------
cageface
The really annoying thing about this is that it's going to be that much more
difficult now to persuade Apple support to intervene in legitimate cases now
that they've been burned this badly in public.

Hackers (in the pejorative sense of the term) and software pirates really are
the scum of the earth.

~~~
antihero
As opposed to, for instance, rapists, war criminals, and corrupt politicians?

~~~
cageface
People abusing the information networks are disproportionately damaging
because they empower those that are just looking for excuses to turn the whole
internet into one big surveillance machine.

~~~
antihero
No, they are unnecessary, if those who are in power want it to happen, they
will find a way, regardless of our actions.

