Depending on how valuable the data is to you, it might be easier to just pay off a CSR, and then fake a phone call where you pretend to convince that CSR that you are that person. The person will get fired, but probably won't go to jail unless they can prove collusion. And then they can either find a new job, or depending on which country the person is living in, they can live nicely off of the money for a while.
I'm not sure how to solve this problem, except by having highly paid and specially trained CSRs that do the account resetting, or by never allowing resetting ever, and if you forget your password and your security questions, you're SOL.
I have to admit this only makes me more leery of putting anything on cloud storage, although my own personal data is pretty useless to anyone, which is my only saving grace. Others who are more important might need to think twice about relying on these types of services.
This should make every iCloud user reeeeeaally nervous.
Very few, if any, defenses against social engineering, other than (A) Not allowing it, or (B) Requiring a Notarized-registered-letter of identification to start the process.
I'm a fan of using Notaries for password resets. Particularly to my email account, as it's the most valuable thing I own. Double-notarize in the event of two-factor resets. Make it a HUGE burden. Lock me out of email for a week or two if required, but don't give anyone access to my email.
When Facebook was still granting new users access by checking that their email matched a school's domain, I was able to make accounts at multiple schools by sending a forged email (claiming to originate from the school domain) to Facebook support saying something like: "I never received the confirmation email. Will you please activate my account at email@example.com?"
And it worked 90% of the time.
I wonder how many websites nowadays would be susceptible to a targeted and personalized forged email to customer service (especially since emails are frequently used to prove account ownership).
The long times it takes for them to even answer a mail (if at all) would probably give a heads-up to anything fishy going on in your account. Secondly, unless your account is actually worth the wait, they would probably try to attack an easier target instead of Google or Facebook.
I think neither of these is the solution. If you can't talk to a human you'll never get help if you're locked out. If human support is available, there is always a chance they'll hand over your account to some scammer. Two-factor authentication means you'll be screwed if your second medium is unavailable or hijacked.
Maybe the only way to protect yourself is having independent (offline?) backups that only you can control. Sadly, that's not an option regarding a lot of walled-garden services such as Facebook or iCloud.
"Sir, we are just going to need to send an SMS to your phone number"
"Ok which number is that.. "
"it is the 065 488 48.."
"..that is my old work phone, which I no longer have access to"
Works all the time. The tip with social engineering is to ask for a little at a time. You don't call up and say "I don't have my phone, email, password, and nor do I know my mother's maiden name.. please let me into my account"
You take it all a step at a time and give it a narrative, just like a real user in the predicament would (and I have been in the predicament and called Apple). Works almost every time.
Makes you wonder if offering accessible customer service, at scale, eventually it's not even the guy on the phone that's the problem. The policy person cries uncle.
Social engineering will always work.
I had the misfortune to lock myself out of my bank account once or twice and the process for unlocking it was so dreadful (a 30 minute interrogation with questions like "when and where did I make my last ATM transaction") that since then I keep the required sensitive info in a GPG encrypted file so that I never have to call them again. Other equally frustrated but less tech savvy customers are probably doing the same with post-it notes. Is this an improvement?
Security at the bank seems discretionary at best.
No, it is a cost benefit decision. Do you know they don't check the signature on cheques or credit card transactions? Heck I bet if you mail in a change of address they will go ahead and do it, possibly sending something to your old address.
The reality is that fraud is at low levels compared to legitimate transactions. Putting in lots of extra hoops just makes the legitimate transactions harder, and chances are it won't affect those trying to commit fraud since they have a wide variety of things to try while tellers don't (eg fake id in this case).
In this specific case, anyone coming into the branch is on security cameras inside and out. TV shows, the Internet and technology make it increasingly easier to match up the footage with real people. And the bank doesn't bear the full costs of any investigation since they are passed off to the police/FBI.
If you ran the bank would you add a dollar in expenses and one minute per transaction that has a 10% chance of catching fraud, and fraud occurs one in every 25,000 transactions? Would you have the same measures in every branch across the country or have their expense and severity proportional to the amount of fraud that does actually happen at any location?
Despite what we see in films and TV shows, bank robbery is a pitiful way to not make money:
1) Cost benefit analysis and discretionary security is not mutually exclusive. It's cost benefit analysis ergo discretionary security.
2) Crime pays. You just have to be sophisticated and powerful enough to not be indicted. (TARP?)
The interesting thing about your comment is when you apply your logic towards combating terrorism. The cumulative harm of prevention of terrorism outweighs the damage and death caused by the terrorism itself. The 'cost-benefit analysis' must take into account the 'positive' externalities for those who advocate those policies.
For 2) white collar crime certainly has shorter prison sentences in the US. It is a little harder to apportion blame as directly as with a bank robber. The general cause of problems has been the US government bailing out creditors. Because of that creditors have been laxer in their standards, had lower oversight and a greater tolerance for risk. This is virtually US government policy and has been going on since the 1984 rescue of the creditors of Continental Illinois. Ultimately fixing this involves fixing the US government and the corruption of Congress - see Lawrence Lessig's talk about how they operate around money - and smaller things like regulatory capture.
The response to 9/11 has been to massively amplify the original effects, giving a huge return on investment to Al-Qaeda. In the positive column has been some of the security theatre - the appearance of improved security will be reassuring to some people. But everything else has been negative - the government expenditures, making new enemies in Iraq and Afghanistan, the loss of freedom for Americans, the massive invasive spying on Americans, the use of "terrorism" as an excuse for inexcusable things, the loss of American prestige (Guantanamo Bay isn't good PR), the additional friction on American life in both time and money (try taking a flight) and the list goes on.
I don't want to belittle 9/11, but the same number of people die each and every single month on American roads. It happened that same month, and every month since.
IMHO it would be a far better remembrance to the victims if we said "fuck you" to the perpetrators and lived free and open lives despite them, rather than the crippling effects that did happen.
Very few are murders. Murders and accidents are not the same thing and not equally bad.
One difference: if you don't do anything about accidents, the rate stays the same. If you don't do anything about murder and just let it happen, the rate goes up as more people realize they can get away with it and serial killers or terrorists get more bold.
Yes. Without the strict checks by your bank, none of their customers would be secure. With their checks in place, some, including you, are now secure.
They removed the copy on their website that claimed that "Macs don't get PC Viruses". They disabled automatic execution of Java Applets in response to Flashback. The introduction of Gatekeeper and the App Store model shows their intention for reducing the vectors average users can install random software (which reduces rogue installations like Flashback). ASLR is fully implemented in Lion now, and the inclusion of FileVault 2 suggests they are aware of and trying to mitigate offline attacks.
Regardless of whether you think this is enough, it does show that they are doing something. For every couple steps forward in closing a security issue, issues such as this article show that more could be done. Security is hard, no OS or company will ever be Perfectly Secure(tm). Apple is not "doing nothing". Claiming that they aren't is an uneducated answer, claiming that they could do more and be more transparent about it is a more valid argument.
Almost everything is sandboxed and there are no known viruses out there (for devices that haven't been jailbroken).
Jailbreaks are still possible (like you said nothing is perfectly secure), but have been slowed down to a point where hackers wait for a big OS release, before they decide to burn the exploits.
Improve Apple ID Security
- To help ensure the security of your Apple ID, choose three security questions and answers.
Just random because I don't have challenge responses on record, or immediate low-hanging fruit in response to this breach?
My solution at the moment is to remove every password from iCloud. There are some nice scripts online - just did that and blogged about it on http://en.blog.guylhem.net/post/28778777551/icloud-remove-ke...
It's obvious it can't be trusted until 2-way auth is implemented. Hell - if I manage to forget my password and lose my cellphone and home phone numbers, I WANT my iCloud data to be gone for good!
It's easily solved, banks and other institutions have been doing it for years.
The solution is trivial, too: Require physical ID.
In order to open a bank account you have to either show up in person, or provide equivalent proof (e.g. PostIdent).
Why should it be different with cloud-services whose stated goal is to silo all your life's data? Why are they excused on lax security?
The less information the other person (hacker/user) has to offer, the more time it should take to reset. In the meantime Apple should be notifying all the contact information on file about what's going on and offer a way to stop it.
Almost ten years ago, I asked an old friend (that got rich doing security for online gambling companies) about verifying identity with VISA cards.
He told me that the Russian mob would open a new account in e.g. the English countryside. When the security people called the (non-mobile) phone number, then someone answered and verified that it was their VISA card and yes, they wanted to open an account.
Edit: If my point isn't clear -- it is that the present capabilities of the criminal networks are probably much superior these days. (Addition: I assume he knew where the criminals came from because of police reports.)
Still pretty good for now, though.
Edit: anyone know what the cost is per query for these services? I assume it's not free, thus likely not feasible for services that don't stand a good chance of providing enough revenue to offset the cost.
The solution exists, it's in use now and it is mind boggling that for hundreds of dollars in apps, my FileVault password, my payment details and of course a remote wipe facility for my hardware it isn't even an option.
There are lots of ways to mitigate this, but they would drive up costs considerably.
I mean, there's a reasonable limit of what companies may want to check, but once those proofs can be faked, it's not their responsibility to fix the issue anymore.
(PS. some countries have more restrictions than others too - for example in Poland you need two IDs with a photo to get any kind of mobile plan on a contract - that leaves plenty of ways to verify your identity)
When I go to the store and buy beer, they want to see my license. They always make me take it out, which means the clerk can feel it, and the "feel" will often give away a fake to someone who has handled thousands of legit IDs. Next, they look at the pic on the ID and then look at me to make sure they at least kinda match. Nobody is really holding them up for a side-by-side, but you at least kind of have to look like the guy on the ID, which immediately limits the pool of people who could be faking my identity. Then, assuming it feels right and looks like me, they scan the ID and verify a record of that ID card with the state, which simply confirms that the state issued such an ID.
Between those three things, the system is actually pretty secure. But when you ask someone to scan in and email a copy of the front of their license as proof of ID, all three of those "checks" are eliminated.
Here's a professor spoofing high-end fingerprint scanners with gelatin and a printer: http://vast.uccs.edu/~tboult/tmp/fingerprint-boult-koaa-medi...
(sorry for the sensationalism at the beginning)
But that doesn't prove that requiring a physical ID is a safer method, just that there is a better workaround.
Easy. CSR has exactly the same screen as you do. With the same security questions as you have. In this case it seems, those questions were never asked. You design a CSR frontend where they must themselves answer those questions before proceeding. You may pay off that CSR, but she/he does not know the answers to those questions so she/he cannot do a thing.
If you forgot the answers to those questions, an alert is escalated, which needs two CSRs together + their supervisor to unlock your account + you must make a FaceTime call + the whole process gets documented carefully.
What did I miss?
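The "same screen as the user" frontend proposed above, together with the earlier suggestion that the less a caller can prove, the longer the reset should take and the more contacts on file should be warned, as an added example (it is not Apple's or any vendor's code). It assumes a simple in-memory account store, stores security answers only as salted PBKDF2 hashes so the CSR relays what the caller says but never sees the stored answers, escalates any failed check to a quorum of two distinct CSRs plus a supervisor, and applies an assumed 24-hour hold per unverified answer. All account data is constructed for the example.

```python
"""Recovery workflow where the CSR relays the caller's answers but never sees
the stored ones, failed checks escalate to dual control, and the wait grows
with the amount of information the caller could not provide.

Added illustration; not Apple's or any vendor's code. The account store,
answer normalisation, 24 h-per-missing-answer hold and the approval quorum
(two distinct CSRs plus one supervisor) are assumptions for the example."""
import hashlib
import hmac
import secrets
import unicodedata
from dataclasses import dataclass, field


def normalize(answer: str) -> str:
    # Case- and whitespace-insensitive so "Main St" and " main ST " compare equal.
    return " ".join(unicodedata.normalize("NFKC", answer).casefold().split())


def hash_answer(answer: str, salt: bytes) -> bytes:
    # Stored server-side instead of the plaintext answer, so a bribed CSR
    # cannot read the answers off the screen.
    return hashlib.pbkdf2_hmac("sha256", normalize(answer).encode(), salt, 50_000)


@dataclass
class Account:
    email: str
    contact_points: list = field(default_factory=list)
    salt: bytes = field(default_factory=lambda: secrets.token_bytes(16))
    answer_hashes: dict = field(default_factory=dict)  # question -> hash

    def set_answers(self, answers: dict) -> None:
        self.answer_hashes = {q: hash_answer(a, self.salt) for q, a in answers.items()}


@dataclass
class RecoveryCase:
    account: Account
    csr_id: str
    state: str = "open"          # open -> verified | escalated
    verified: int = 0
    approvals: set = field(default_factory=set)   # (approver_id, role)
    audit: list = field(default_factory=list)


def log(case: RecoveryCase, event: str, **detail) -> None:
    case.audit.append({"event": event, "csr": case.csr_id, **detail})


def check_answers(case: RecoveryCase, caller_answers: dict) -> str:
    """CSR types what the caller says; only the verdict is returned."""
    acct = case.account
    hits = 0
    for question, expected in acct.answer_hashes.items():
        given = hash_answer(caller_answers.get(question, ""), acct.salt)
        if hmac.compare_digest(given, expected):
            hits += 1
    case.verified = hits
    log(case, "answers_checked", verified=hits, total=len(acct.answer_hashes))
    if hits == len(acct.answer_hashes):
        case.state = "verified"
    else:
        case.state = "escalated"
        for contact in acct.contact_points:      # every contact on file hears about it
            log(case, "notified", contact=contact)
    return case.state


def hold_hours(case: RecoveryCase) -> int:
    """Less verified information means a longer delay before the reset lands."""
    missing = len(case.account.answer_hashes) - case.verified
    return 24 * missing


def approve(case: RecoveryCase, approver_id: str, role: str) -> None:
    if case.state != "escalated":
        raise ValueError("approvals only apply to escalated cases")
    case.approvals.add((approver_id, role))
    log(case, "approved", approver=approver_id, role=role)


def can_reset(case: RecoveryCase) -> bool:
    if case.state == "verified":
        return True
    if case.state != "escalated":
        return False
    csrs = {who for who, role in case.approvals if role == "csr"} | {case.csr_id}
    supervisors = {who for who, role in case.approvals if role == "supervisor"}
    return len(csrs) >= 2 and len(supervisors) >= 1


if __name__ == "__main__":
    # Constructed sample account and two calls: one legitimate, one that only knows public data.
    acct = Account("user@example.com", ["user@example.com", "+1-555-0100"])
    acct.set_answers({"first car": "spaceship", "first teacher": "Mrs Quux"})
    good = RecoveryCase(acct, "csr-1")
    print(check_answers(good, {"first car": " SPACESHIP ", "first teacher": "mrs quux"}), hold_hours(good))
    bad = RecoveryCase(acct, "csr-1")
    print(check_answers(bad, {"first car": "honda civic"}), hold_hours(bad), can_reset(bad))
```

The point of hashing the answers is the one the comment makes: a paid-off CSR can open a case but cannot pull the answers off the screen, and a case they open does not count as its own second approval, so the quorum really is two people plus a supervisor. The audit list is the "documented carefully" part and would be a write-once log in a real deployment.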
1) You have the device with you
2) You are the same person as the picture of the owner
Would set a reasonably high bar to cross.
Although it's extremely inconvenient to wait 1 full day to get back in, forgetting a password should be a rare circumstance.
Checking a physical ID would be a somewhat effective barrier. Checking an emailed or faxed image of an ID? Useless.
ID is not a panacea, especially in this case. Apple is probably best to roll out some form of multi-factor auth.
Apple will double down in security now, especially regarding iCloud, but even doing so there is a chance that this will happen again. Same for Microsoft, Sony and, yes, Google.
There's no magic solution other than being careful. And even with that security is always an illusion. Your door lock is easily opened, no matter how much money you put in it, the only thing preventing you from being robbed is that there are more houses in your neighbourhood and that some of those could seem like an easier target.
It requires the existence of customer service in the first place. Good luck trying to call Google.
There is no "magic" solution, there are just solutions. But to suggest it's all the same... That's just lazy.
Apple is more vulnerable, because they do do customer support. Sony was more vulnerable, because they just didn't give a shit, and didn't bother to do anything to secure it.
Microsoft and Google still have a zero incident record. After all this time. They even went beyond their own responsibility many times, getting police involved because they suspected targeted (political) malware.
And no, in the world of formal discrete systems (computers) there are provably correct, and provably incorrect solutions. For example: DRM can always be hacked, but we can secure ourselves from the middlemen.
Any analogy with a "door" deserves only ridicule.
In the last case, the top links are to Microsoft's FAQ pages.
Not having any customer support worth a damn is a different kind of policy failure. (For example.)
Most people who get hacked hardly ever report it, they just want their account(s) back.
The backup email address on my Gmail account is that same .mac email address. At 4:52 PM, they sent a Gmail password recovery email to the .mac account.
Here Gmail was only as strong as the weakest password recovery email service it was linked to. I consider this a failure on Google's part.
The imap/pop thing is still a legitimate concern. App-specific passwords let those continue working, but they have security issues of their own.
I'm not suggesting that doing nothing is the same as doing something. I'm just saying that no matter how secure and prepared Apple had been, this could have happened anyway.
Zero incident record, in any case, seems very unrealistic. I don't know any particular case first hand but then again I'm sure this is not the first time this happens with an iCloud account either. Mat is a public person and has commented his case publicly and that's why we are openly talking about it here.
When I claimed certain high target technological companies have a zero incident grade, I'm talking about the fact the companies were never themselves the weak link.
If this guy's account was hacked because he tattoos his password on his forehead, Apple too would be in the clear. But here, not the user, but the company screwed up.
There are many, many companies which do not have incidents, or take full responsibility when they do. The type of incidents we complain about often indicate just gross negligence. (And this is gross negligence by Apple.)
You are repeating the claim that there is no watertight security. This claim is wrong. Software can be provably secure. Authentication can be provably secure, just like any type of content protection is provably insecure.
Now, you are also making the claim that we are talking about this because of the affected user's popularity.
Maybe that's why you are talking about it. But most of us are actually surprised because of the gross negligence. iCloud has no authentication, one can just call up, and take over the account. As we now know.
And if this was any other company, I doubt anyone would argue against this obvious and pretty much indisputable fact. But this isn't Sony, this is Apple, and they can never do anything wrong, right? Even though, statistically, just like any other company, they might not excel in every way. Maybe this is just one area where they just screwed up?
They'll learn from it, hopefully. But let's not pretend it didn't happen, or that it isn't as big a fuckup as it actually is, back here in reality.
But back to my point: social engineering doesn't require voice. You can do it via email just as easily.
(I am a Google Apps for Business user and have had to contact Google Apps support a few times … the process has never been really pleasant.)
One thing I do know, though, is that like you said, security is likely going to get tightened across the board, and that means that it's going to get a lot more inconvenient for all of us. I guess that's a good thing, but it will definitely impact the usability of these services.
If it means that all vendors will tie their services to a two-factor authentication scheme linked to our phone, well that might just stop me from using the services altogether.
None of these will be 100% effective, but it will make things more difficult for attackers and not too uncomfortable for users.
All they needed for verification was my home address.
I am also pretty leery of putting anything online.
In fact that entire blog post is pretty on point.
What about people protecting $500?
Anyway, to answer your initial point, two factor authentication helps with this problem, as you have to still have the security token to authenticate. And if the "Something you have" gets stolen, then you need a manager to work through it to get you set up again, and all resets are heavily monitored and audited.
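The "something you have" token the comment above relies on is, for most consumer services, a time-based one-time password. Below is an added example of that mechanism (not the code of Apple, Google, or any library mentioned here) in the Python standard library: RFC 4226 HOTP, RFC 6238 TOTP on top of it, a verifier that accepts one step of clock skew, and a replay check based on the last counter the server has already honoured. The 30-second step and six digits are the usual defaults; the `last_counter` replay rule is this example's own design, and the account name and issuer in the provisioning URI are placeholders.

```python
"""Time-based one-time passwords (RFC 6238 on top of RFC 4226 HOTP) with only
the Python standard library: enrolment secret, code generation, and a verifier
that tolerates one step of clock skew and refuses replayed codes.

Added example; not the code of any vendor or library mentioned on the page.
The 30-second step, six digits and one-step skew window are the usual
defaults; the replay check via last_counter is this example's own design."""
import base64
import hashlib
import hmac
import secrets
import struct
import time
import urllib.parse

STEP_SECONDS = 30
DIGITS = 6


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226: HMAC-SHA1 over the big-endian counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, at=None, step: int = STEP_SECONDS) -> str:
    """RFC 6238: HOTP with the counter set to the number of steps since the epoch."""
    at = time.time() if at is None else at
    return hotp(secret, int(at // step))


def verify_totp(secret: bytes, code: str, at=None, window: int = 1,
                step: int = STEP_SECONDS, last_counter=None):
    """Return the counter the code matched, or None.

    window: how many steps of skew either side of 'now' to accept.
    last_counter: highest counter already consumed for this user; anything at
    or below it is rejected so a code seen once cannot be replayed."""
    at = time.time() if at is None else at
    now = int(at // step)
    for counter in range(now - window, now + window + 1):
        if last_counter is not None and counter <= last_counter:
            continue
        if hmac.compare_digest(hotp(secret, counter), code):
            return counter
    return None


def new_secret(nbytes: int = 20) -> bytes:
    """Per-user enrolment secret; shown to the user once as a QR code and stored server-side."""
    return secrets.token_bytes(nbytes)


def provisioning_uri(secret: bytes, account: str, issuer: str) -> str:
    """otpauth:// URI in the form authenticator apps expect (base32 secret, no padding)."""
    b32 = base64.b32encode(secret).decode().rstrip("=")
    label = urllib.parse.quote(f"{issuer}:{account}")
    return (f"otpauth://totp/{label}?secret={b32}&issuer={urllib.parse.quote(issuer)}"
            f"&digits={DIGITS}&period={STEP_SECONDS}")


if __name__ == "__main__":
    # RFC 6238 reference secret, used here only to show the numbers line up.
    demo_secret = b"12345678901234567890"
    print(totp(demo_secret, at=59))                      # RFC 6238 vector at T=59
    print(verify_totp(demo_secret, totp(demo_secret), window=1))
    print(provisioning_uri(new_secret(), "user@example.com", "ExampleService"))
```

The server stores the counter returned by `verify_totp` as the user's new `last_counter`; that is what stops a phished or shoulder-surfed code from being used a second time inside the same skew window. The skew window is the usual trade-off the comment alludes to: wide enough that a phone with a slightly wrong clock still works, narrow enough that a captured code expires within a minute or so.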
But what if your website is secured behind an Amazon EC2 or Linode CSR? Aren't Instagram and Netflix run at least in part on EC2? I have no clue what the security schemes are for either of those service providers, but if they allow CSRs to change passwords, then it's the same thing. If the CSRs can be paid off, or fooled over a phone call, then it might be cheaper to just do that if they want to inflict potentially millions of dollars worth of damage to a rival.
Having the security of your entire business behind a single CSR or a cell phone is the equivalent of millions of dollars worth of Cisco firewalls being outdone by a $20 wifi-router plugged into the internal network.
So, let's get this straight...a hacker "decides" to hack the account of a semi-high profile tech guy and then after committing several serious crimes like fraud that could land him in jail for an extended period of time repeatedly contacts the person he hacked when he must know that Apple will surely pursue this matter?
I smell a rat...
The fact that a hacker would repeatedly contact its victim and that Gizmodo has reasons for not being particularly fond of Apple (after the lost iPhone incident) was not something I had thought of at first, but did strike me as odd.
You say that post "got you thinking." Got you thinking what?
APPLE SHALL USE REASONABLE SKILL AND DUE CARE IN PROVIDING THE SERVICE. THE FOLLOWING LIMITATIONS DO NOT APPLY IN RESPECT OF LOSS RESULTING FROM (A) APPLE'S FAILURE TO USE REASONABLE SKILL AND DUE CARE; (B) APPLE'S GROSS NEGLIGENCE, WILFUL MISCONDUCT OR FRAUD; OR (C) DEATH OR PERSONAL INJURY. [Blanket disclaimer of liability in all other cases follows.]
I'd be curious if there is any good precedent on product liability for cloud services.
A lot of terms are flat out bluffing to scare off folk like you.
This is why it is always a good investment to ask your lawyer.
This reminds me of facebook and how all its employees were stalking people using the god password.
They can and should follow bank protocol. Require an ID, make every action reversible (like being able to undo a wipe) and have both employee and requester on tape, with IDs.
Your average iCloud user is not necessarily going to want to a) prove their identity initially or b) do so again to get support.
I think you are better off taking the approach of "don't put something in the cloud if you can't afford to lose/expose it." Yeah, that pretty much limits its usefulness, at least for now. So it is.
Having every underpaid store clerk able to reset the account of every customer is just dangerously stupid.
Just not having a reset feature is even better.
Wait what? Sorry to get off topic but when did this happen?
Including being able to read private messages of their friends, families, ex-girlfriends, etc
This wasn't just true when Facebook was a university startup, but even when they were already the largest social network in the US.
BUT: you'd be hosed if you ever needed recovery, you wouldn't be able to use full-disk encryption, and there's likely other bits of the OS that would break in subtle and interesting ways without it there. Tread _very_ carefully.
Isn't this not an option in relatively recent Macs, which have the recovery functionality baked into the EFI firmware and not as a partition on the disk?
Newer Macs have that functionality out of the box, and a bunch from 2010 and early 2011 that did not originally ship with the recovery firmware ended up getting it later via update: http://support.apple.com/kb/HT4904
apaulin:~/ $ diskutil list [13:38:41]
#: TYPE NAME SIZE IDENTIFIER
0: GUID_partition_scheme *121.3 GB disk0
1: EFI 209.7 MB disk0s1
2: Apple_HFS Macintosh HD 120.5 GB disk0s2
3: Apple_Boot Recovery HD 650.0 MB disk0s3
I frequently want to quickly purchase a song on my iPhone. I also frequently tell my friends my password so they can do the same. How many of you have typed your Apple ID password on your Apple TV with others watching? I wouldn't really ask my friends to exit the room to type in a super secure and long password with many character groups (one that should be required for remote wipe functionality).
How many users keep their password secure knowing the main place they enter it is on their iOS device? For the many every day Apple users I know, they set their passwords to something easy so they don't have to hit their keyboard too many times when entering them.
If Apple can separate the two authentication functions as they do with OS X and FileVault it would go a long way to preventing these types of rare but high impact events. Another suggestion would be to separate the remote wipe into two phases, erasing the keys and cleaning up the data. The initialization vectors (seed) do present a bit of a problem but I think the FileVault solution is more than adequate. If the encryption keys and the key escrow system are cleared remotely, that would leave me comfortable that my data is still secure. If we really trust our crypto algorithms, then erasing data and removing the encryption keys should really be no different. Users that do not have iOS data protection and OS X FileVault turned on cannot be considered any level of secure anyway. And even with that data protection turned on, there are still many issues due to each app needing to implement security properly. It would be really great to see Apple improve their App Store to really audit the security of each application more than they do today.
Most of the work lies with Apple but it is a hard problem that will take time. I think Apple is going in the right direction by centralizing on iCloud rather than the PC as the central hub. This will give them a lot more flexibility and agility to move quicker and deliver secure results to the masses.
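The two-phase wipe proposed above is cryptographic erasure: if every copy of the data-encryption key (the user's wrapped copy and the escrowed one) is destroyed, the ciphertext left on the device is as good as erased, and the slow overwrite can follow later. Below is an added example of that design (not Apple's FileVault or iCloud code). It assumes a passphrase-wrapped data key plus a second wrapping under an escrow key; the cipher is a toy HMAC-SHA256 keystream with an encrypt-then-MAC tag standing in for the AES modes a real product would use, and every file and key in it is constructed for the example.

```python
"""Two-phase remote wipe as cryptographic erasure: phase 1 destroys every
wrapped copy of the data-encryption key (the user's and the escrow's), after
which the ciphertext on disk is unreadable; phase 2 overwrites the ciphertext
at leisure.

Added example; not Apple's FileVault or iCloud code. The cipher is a toy
HMAC-SHA256 keystream standing in for the AES modes a real product would use,
and 'escrow' is simply a second wrapping of the same key."""
import hashlib
import hmac
import secrets


def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    # Counter-mode PRF output; a fresh nonce per message keeps streams unique,
    # which is the "initialization vector" concern the comment raises.
    out = bytearray()
    block = 0
    while len(out) < length:
        out += hmac.new(key, nonce + block.to_bytes(8, "big"), hashlib.sha256).digest()
        block += 1
    return bytes(out[:length])


def seal(key: bytes, plaintext: bytes) -> tuple:
    """Encrypt-then-MAC; returns (nonce, ciphertext, tag)."""
    nonce = secrets.token_bytes(16)
    ct = bytes(p ^ k for p, k in zip(plaintext, keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return nonce, ct, tag


def open_(key: bytes, sealed: tuple) -> bytes:
    nonce, ct, tag = sealed
    if not hmac.compare_digest(hmac.new(key, nonce + ct, hashlib.sha256).digest(), tag):
        raise ValueError("wrong key or tampered data")
    return bytes(c ^ k for c, k in zip(ct, keystream(key, nonce, len(ct))))


def derive_kek(passphrase: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", passphrase.encode(), salt, 50_000)


class Volume:
    def __init__(self, passphrase: str, escrow_key: bytes):
        self.salt = secrets.token_bytes(16)
        dek = secrets.token_bytes(32)
        # The DEK exists only wrapped: once under the passphrase, once for escrow.
        self.key_slots = {
            "user": seal(derive_kek(passphrase, self.salt), dek),
            "escrow": seal(escrow_key, dek),
        }
        self.files = {}  # path -> sealed blob under the DEK

    def _dek(self, slot: str, key: bytes) -> bytes:
        if slot not in self.key_slots:
            raise KeyError("data key has been erased")
        return open_(key, self.key_slots[slot])

    def write(self, path: str, data: bytes, passphrase: str) -> None:
        dek = self._dek("user", derive_kek(passphrase, self.salt))
        self.files[path] = seal(dek, data)

    def read(self, path: str, passphrase: str) -> bytes:
        return open_(self._dek("user", derive_kek(passphrase, self.salt)), self.files[path])

    def read_via_escrow(self, path: str, escrow_key: bytes) -> bytes:
        return open_(self._dek("escrow", escrow_key), self.files[path])

    def wipe_phase1(self) -> None:
        """Fast, tiny write: drop every key slot. Data is now ciphertext without a key."""
        self.key_slots.clear()

    def wipe_phase2(self) -> None:
        """Slow part: overwrite and then drop the ciphertext itself."""
        for path, (nonce, ct, tag) in list(self.files.items()):
            self.files[path] = (nonce, b"\x00" * len(ct), tag)
            del self.files[path]

    def ciphertext_bytes(self, path: str) -> bytes:
        return self.files[path][1]


if __name__ == "__main__":
    escrow = secrets.token_bytes(32)
    vol = Volume("correct horse battery", escrow)
    vol.write("notes.txt", b"constructed secret data", "correct horse battery")
    print(vol.read("notes.txt", "correct horse battery"))
    vol.wipe_phase1()
    try:
        vol.read_via_escrow("notes.txt", escrow)
    except KeyError as err:
        print("after phase 1:", err)
    vol.wipe_phase2()
    print("files left:", vol.files)
```

Phase 1 is what makes a remote wipe fast and, more importantly, what makes the data unrecoverable even if the device is later pulled from the network before phase 2 finishes: both key slots are gone, so neither the passphrase nor the escrow key opens anything. It also shows the comment's condition in practice: the scheme only works for data that was encrypted in the first place; a file written outside the volume is untouched by phase 1.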
In the end, a company has to constantly weigh the cost of strong protections versus the risk, and what this exposure will cost them in terms of customer goodwill as well as any civil penalties that may arise.
If the former it's not Apple's fault. If the latter; that's inexcusable.
Usually they'll ask a few (2~3 is normal) questions like your full name, date of birth, address with zipcode, email address, etc. Notice the problem with these? All of them, I mean, ALL, are PUBLIC INFORMATION THAT ANYONE WHO KNOWS SOMETHING ABOUT YOU WILL HAVE.
This is almost as silly as credit cards, where you are supposed to give the card number, card holder's name (not required most of the time), expiry date, and the 3-digit PIN. Anyone who touches your card will have that information, once and forever. Yes, ANYONE, that includes your grocery store cashiers, your favorite bar tenders, your mobile phone billing representatives, etc. The list could go on very, very long.
And I'm totally amazed that both systems persist as a fallback plan in this digital world with countless attacking vectors.
The trouble with cloud systems is that all the losses fall on the end user who has no influence over the security systems put in place to protect their data. (Except with Google where you can at least choose to use 2-factor authentication.)
The fact that 'identity theft' is a commonly used name for bank fraud is another example. When some bank opens an account for person Y, there should be zero consequences for person X (regardless of any fraud committed by Y), but the banking system isn't quite set up that way.
Keep in mind though; you can answer anything you want. Use a 1Password generated string for each and store the answers redundantly. That's what I did.
What was the first car you owned?
Who was your first teacher?
What was the first album you owned?
Where was your first job?
In which city were you first kissed?
Which of the cars you’ve owned has been your favorite?
Who was your favourite teacher?
What was the first concert you attended?
Where was your favourite job?
Who was your best childhood friend?
Which of the cars you’ve owned has been your least favorite?
Who was your least favourite teacher?
Where was your least favourite job?
In which city did your mother and father meet?
Where were you on January 1, 2000?
Those questions are terrible.
Answering with a random string is the only sensible solution. But it is just as mindbogglingly bad. Because then you could just as well write down the password - and bam, you'd never lose it (well, if you did lose it you would have lost the answers to these questions as well so either way you are screwed).
What was your first car? "spaceship" is a perfectly acceptable response, and it's not discoverable by public means.
It does however mean you need to know what you would have typed in for each of the questions.
Even if someone had properly identified themselves as Mat Honan, neither of these should be permitted.
I think the screenshot is from after he regained control of the Gmail account.
This would mean that the attacker would have to commit mail fraud, which (a) is quite difficult; and (b) carries heavy penalties in law.
A better solution is require a notarized physical mail in the event of password changes for high-security accounts. Everything else just goes to your email account.
I helped a friend set up an account with some provider the other day and one of the security questions was the classic choice of mother's maiden name, favourite colour or favourite number. All of which are hardly secure as they can be obtained or educated-guessed a lot easier than most, but that's another discussion. He wanted his favourite football player's name, so I told him pick mother's maiden name and use your favourite football player's name. He knows this, and even somebody who knew his mother's maiden name would still fail on that security check.
What could Apple do? And they will do something I suspect. Well they could add voice recognition to their support call system and/or add preregistered calling numbers only (excluding device phone numbers already to cover losing said device) like your office phone. But they will step up to the plate and hopefully turn this around, any good tech company will do that (even if it is going oops and we added password salts now - they evolve).
The whole aspect about all this that concerned me was how you can have what you perceive as a cloud backup that can then be taken away as well as your copy of the data. That is a lesson for the user more than Apple though. But it will be reassuring to find out they have a backup system and maybe also concerning. That is an individual's perception of thought for them to ascertain for themselves, everybody is different.
I might also add that the chap who initially got hacked and subsequently also had his twitter accounts hacked said in a tweet that he is leaving the hacked tweets in the same way he does not go about removing scars on his body. Shows an insightful mindset and in many ways shows that pride was not a part of this and in that we would probably not have read about this had he been burdened by pride. Respect has to be noted there for him stepping up and going, this happened before he found out how it had been done and without knowing it was not an act of his own doing.
In the middle of a 'major crisis' this guy finds time to type up a story, on a computer? He can still access work machines to submit? And then the hacker is kind enough to tell him what happened? And oddly, there is no mention of involving the police or the FBI?
This episode is either an inside job or a complete fabrication. My prediction is it will fall apart within the week, rather like Gizmodo's exclusive story based on the purchase of stolen prototype equipment.
The guy who hacked Honan is certainly guilty of the misdemeanor (which could wind you up in jail) and depending on what he erased and how they want to interpret his motives, he could be guilty of the same felony.
I don't think this is Apple versus non-Apple. I think this is everything-in-the-cloud versus everything-local.