Apple Suspends Over-the-Phone AppleID Password Resets - derpenxyne
http://www.wired.com/gadgetlab/2012/08/apple-icloud-password-freeze/

======
X-Istence
"After Epic Hack [...]".

Sorry, not that epic. Yes, multiple steps were required but the biggest issue
in security once again was the human element.

Epic would be finding the flaws in SSL/TLS that allow you to generate a valid
cert for any domain (Moxie Marlinspike), or a bug in DNS that is such cause for
concern that people have to upgrade their infrastructure (Dan Kaminsky), or
intercepting GSM calls (Chris Paget) while making the device believe it is on
a legitimate network.

This hack came down to social engineering and using flaws in two companies'
verification systems. That isn't epic. People have been calling companies and
people on the phone for decades and having them hand over information without
proper identification/verification. The guy's stuff got remotely erased, well
damn, the system worked as it was supposed to work ... other than that the
right person wasn't at the controls ... remote wipe worked as expected.

Yes, changes have to be made, and yes, security and verification of identity
have to be made more secure when there is a lot at stake, but this hack was by
no means epic.

~~~
notJim
I think the description of it as epic refers to the amount and nature of the
damage done, not the technical accomplishment. We expect that someone might be
able to hack our online accounts, but that they could hack our online accounts
and then use that to reach into our homes to nuke data off of our hard drives
is different.

~~~
taligent
Remember that you have to explicitly enable this feature.

Remote wipe is NOT enabled by default.

~~~
kevingadd
It's too bad the feature is named 'Find My Mac' instead of 'Remote Wipe'.

~~~
codeka
I really do think these things should be separate, with separate
enabled/disabled settings.

Especially on the iPhone/iPad where a lost device (i.e. behind the couch or
something) is far more common than a stolen one.

~~~
ralfd
I don't know. I travel a lot per train and losing my iPhone there or at a
random bar/party I certainly want to remote wipe it.

~~~
sigkill
But if you have enabled a 4-digit pin, why worry?

------
craz
I think having to re-enable remote wipe on each device after a password reset
would be a reasonable compromise.

~~~
Zenst
Would be nice if they offered the option to remote encrypt and you can only
decrypt with a visit to an Apple store. But no matter what you offer, there
will always be a way to offer a little more.

Your approach does leave users open to their own hindsight, and if you lost a
device you might in some situations reset the password first and then think
about remotely wiping the device, and in those situations you will be a bit
irked. That said, it would be nice to at least have that option; options are
nice as they allow the user to pick the level of control they want, more
options more choice. Still be nice if a device being remote wiped checked its
location and went - oi hang on, you're at home, I need to verify this first.
Scary but doable.

------
nileshtrivedi
Wouldn't it be much better if video calls (or Facetime) became ubiquitous (and
mandated for auth)? The mere fact that the attacker needs to show his face for
getting the password reset should improve things a lot because it would make
detection as well as post-facto investigation much easier.

------
vm
Wired mentions Apple 46 times in the article (including twice in the title)...
and Amazon 3 times. In fact, most of the public and HN outrage about this
incident has been directed at Apple.

That's the downside of Apple being so close to perfect. We expect perfection
from them at all times. And when they make a mistake, it seems 100x more
outrageous than if it were any other company.

Don't get me wrong, they made a terrible mistake in this case, but Amazon has
gotten off lightly in comparison.

~~~
suresk
The bulk of the damage was done as a result of the breach in Apple's security
- all the Amazon breach did was give the attacker the last 4 digits of a card,
which is not super private anyway. It isn't 100% fair - and to be clear,
processes at both companies were pretty poor - but I don't think people are
out to get Apple here.

And, while Apple is very good, they are nowhere near perfect - especially when
it comes to online services. Apple fans playing the victim card for them is
just as tiring as people jumping all over them when they slip up.

~~~
Kerrick
> all the Amazon breach did was give the attacker the last 4 digits of a card,
> which is not super private anyway.

Precisely. Go to any mall, restaurant, or shopping center in the U.S. and
you're bound to find at least one discarded receipt with the last four digits
of the shopper's credit card number on it, possibly with their name and/or
signature.

~~~
nicholassmith
But that's the fault of the shopper for not policing their information
properly; in this case it wasn't Honan's fault that his last 4 leaked. The
last 4 still shouldn't be given out over the phone, _ever_. Most companies
in the UK have a policy of not confirming any card detail on their system over
the phone.

~~~
Goronmon
Are you arguing that it's Amazon's fault, not Apple's, that this "hack"
happened?

~~~
nicholassmith
No, I'm arguing that Amazon is at fault for handing out card details willy
nilly, and Apple is at fault for not training their CS staff to, in the words
of House, assume everybody lies.

------
jsz0
Does Apple do in-store password resets? I'm thinking with their retail
presence this would be a good solution. If you want your password reset come
into the store with a photo-ID and the physical credit card on your account.
Doesn't get much better than that. I realize not everyone has an Apple Store
nearby but many do.

~~~
majormajor
"I realize not everyone has an Apple Store nearby but many do."

That could be a handy additional service to offer, but they'd still have to
provide a non-in-store method for all the people who don't, so it wouldn't be
any more secure.

~~~
Kadrith
Facetime?

~~~
minikites
You need an Apple ID for FaceTime.

------
willfulwizard
> In an earlier attempt on Tuesday to change an AppleID password (which is the
> same password used to log into iCloud and iTunes), Apple customer service
> offered up a different response, saying that passwords could only be changed
> over the phone if we were able to supply a serial number for a device linked
> to the AppleID in question — for example, an iPhone, iPad or MacBook
> computer.

Adding (or worse, substituting) a serial number helps, but seems insecure in
the event of a lost/stolen phone. A device serial number, plus all the already
mentioned info: name, address, last 4 characters of a credit card, are all
reasonably easy to extract from a stolen phone. Would be nice if some piece of
info not usually stored on a phone were required. I suppose that a lost phone
is already a security breach, but any containment would be an improvement.

~~~
ryannielsen
On many Apple devices, the only way to access the serial is to actually log
into the device and open Settings or About this Mac. If the attacker's able to
do that then – in the majority of cases – they likely already have access to
your mail and probably many other accounts as well. At that point, it's pretty
much game over for you; containment's impossible.

(Two big loopholes on the Mac side are guest accounts and the recovery
partition. Both of those offer ways to get your machine's serial number which
do not require the attacker to log into your account.)

~~~
lloeki
The serial is engraved/printed on the case of my Macbook Pro and iPhone 4.

~~~
ryannielsen
Ah, you're correct on the MacBook case. I didn't have any laptops nearby to
confirm.

I can't find anywhere on my phone where the serial number's printed, though.
The numbers on the back are not the phone's serial number.

------
yalogin
Interestingly, Google will not get into this situation because they do not
offer over-the-phone support. That is the advantage of being a free service, I
guess! People do not expect customer service beyond a point.

Of course they offer two factor authentication.

~~~
sigkill
Google have their own problems with Youtube's aggressive Content ID system and
pulling down of public domain NASA videos on the grounds of (wtf?) copyright
infringement.

------
aufreak3
I see no reason not to use a password manager (ex: keychain on macos) to keep
different usernames and passwords for each account. It is very little overhead
(at least with keychain).

And yes I mean different user names even if it is required to be a valid email
id. If you use gmail, you can use "yourid+RandomNumberOrAnything@gmail.com" as
the email address. This is additional protection against remote hackers since
guessing the account name of one account doesn't get you the names of accounts
on other services.

And yes ABSOLUTELY NO reason to not have 2 factor auth for your google
account.

~~~
shadesandcolour
You didn't really read the article about what happened did you? It didn't
really come down to the email address especially since part of it was
concealed. This came down to both companies letting you do things over the
phone with minimal personal information.

~~~
aufreak3
These are merely things that I practice that I think may be useful to some. I
did read the full article, and not just this one but all the others, including
Matt Cutts' post on 2FA. The companies are to blame, yes, but the "victim" is
also responsible to some extent. "Only the paranoid survive." (I think that's
by Andy Grove).

Honan owned up to not backing up, for example. Would it have been an "epic
hack" if he could have restored up-to-date data because he had a Time Machine
backup?

