The weakest link by far is Apple (marco.org)
421 points by rsobers on Aug 7, 2012 | 166 comments

How is Apple the weakest link in this? According to Honan's account, Amazon was equally, if not more, weak in its verification processes:

> First you call Amazon and tell them you are the account holder, and want to add a credit card number to the account. All you need is the name on the account, an associated e-mail address, and the billing address. Amazon then allows you to input a new credit card. (Wired used a bogus credit card number from a website that generates fake card numbers that conform with the industry’s published self-check algorithm.) Then you hang up.

> Next you call back, and tell Amazon that you’ve lost access to your account. Upon providing a name, billing address, and the new credit card number you gave the company on the prior call, Amazon will allow you to add a new e-mail address to the account. From here, you go to the Amazon website, and send a password reset to the new e-mail account. This allows you to see all the credit cards on file for the account — not the complete numbers, just the last four digits. But, as we know, Apple only needs those last four digits. We asked Amazon to comment on its security policy, but didn’t have anything to share by press time.

At least to get into the Apple account, you need the credit card on file. For Amazon, you can send a fabricated credit card number and get complete access (because you can add a new email account, to which you send a password reset to).

Apple just seems like the worse player because Mat Honan put so much power into the hands of iCloud. If Honan was in charge of administering enterprise services using Amazon's EC2 services, and hackers used his account to wipe out everything (or compromise corporate security), everyone would be calling out Amazon.

Edit: I haven't seen this fact mentioned much, but Honan's billing address was compromised through a WHOIS lookup on his domain. This is a huge reason to use registry protection services. It's true someone could look you up using things like Pipl and Spokeo, but that's only if you have something in public records, such as a mortgage (or, in some cases, leases).

Honan is in an especially tough situation because of the uniqueness of his real name.

The level of security you apply to a service ought to be proportionate to the potential loss. Apple have failed here completely, providing a woeful level of security for a service where the potential cost (loss of all user data) for the end-user is very high.

Amazon on the other hand doesn't (potentially) have the power to wipe your machines and cause havoc. If someone compromises your Amazon account, then worst case they can order goods in your name to be sent to you & Amazon will be out the cost of shipping and re-selling those goods, plus the cost of any chargebacks if they mess you about refunding your credit card. In other words, the risk here lies with Amazon, not the end-user, so they are rightly free to set the level of security applied to Amazon accounts to whatever they feel meets their goals.

It's not Amazon's fault that the 4 digits that the credit card companies decided that it was ok to leave on your receipts are precisely the four digits that Apple accepts as evidence that you own the card in question. The fault lies with Apple for accepting data that you leave behind every time you make a purchase with your credit card (it's printed on every credit card receipt you leave behind at the local pizza joint IIRC) as being suitable evidence to permit an anonymous caller access to an Apple account.

Now, if Amazon applies the same level of security to accounts with personal data or other costs to the end-user (cloud drive, Amazon S3 or EC2 accounts and so on) then you'd be right to lay into them. Does anyone know if that's the case?

You make a good argument. I was going to say that in Apple's defense, there's some expectation that a user who enables remote-wipe knows what he/she is getting into and has some responsibility to have a backup solution. But that point is mostly moot since Apple also hosts personal email/data accounts, which would be compromised by this hack. Amazon does to a lesser extent...there's data, but not terribly actionable data. Whereas if Apple is your email account used to retrieve passwords...well, then you're in Honan's terrible position.

AFAIK, though, I use the same credentials to get into my Amazon consumer account as I do my Amazon EC2 and S3 account and into my affiliate account (and Kindle, etc.). Does the security level elevate as soon as I've been flagged as a developer-user who isn't just buying books/CDs? If there is, I've seen no sign of it.

Isn't remote wipe enabled by default in iCloud?

I think it comes along for the ride with "Find my <Apple Device>" which would for most users seem to be a fairly innocuous feature. I don't think the possibility of total data loss if they lost control of their iCloud account would occur to most people.

It is an option you need to approve on the Mac; the iPhone automatically backs itself up, so it is a non-issue unless your computer or Mac is not backed up too.

Apparently - and I don't have any way of confirming this myself - if you enable automatic backups to iCloud your iPhone refuses to automatically back itself up to your computer anymore. So all your eggs are basically in one iCloud-shaped basket.

Unless you've synced your iPhone to a Mac which gets remote wiped along with the iPhone itself. Then you've got problems.

Well, if you have AWS linked to your amazon account I would imagine this could be disastrous...

AWS supports two factor auth among other ways to secure your account.

I remember reading somewhere how Amazon actively optimizes security vs user experience. I.e. as far as possible they try not to make the user login or enter a password unless absolutely necessary.

You could have a stale login from months ago and still access some parts of your account, but you need to enter your password before you purchase or access some sensitive information.

Why would they have to send the stuff to you?

Amazon make you re-enter all your credit card details every time you want to ship to a new address.

If I have to rely on keeping the billing address a secret, that's pretty messed up. I'm self employed, which over here means that I have to register as a company with the chamber of commerce. Chamber of commerce records are public and include the address of my business (which is my home address).

And obviously most people share their address with various online retailers and friends/family, etc. This is not something I expect to have to keep secret to securely use amazon.com.

(ps. I'm not an iCloud user. But I am a frequent amazon.com user, so I've sent them an e-mail voicing my concerns -- I hope they fix their policies).

I don't know where you are, but in the US, almost everybody has at least one residential address in public records somewhere.

In addition to the points outlined in the article, Apple is also at fault for issuing a temporary password when the caller failed to answer security questions correctly:

From Honan's post:

"In response, Apple issued a temporary password. It did this despite the caller’s inability to answer security questions I had set up. And it did this after the hacker supplied only two pieces of information that anyone with an internet connection and a phone can discover."

Sounds like Apple support needs some lessons on social engineering prevention.

I actually had a similar issue recently where I forgot my PayPal password and I didn't know the answers to my security questions. PayPal then sent me a pin through snail mail to the address they had on file. IMO, this bit of inconvenience is worth the added security.

It's called "human error". And it happens. A lot. I don't know how much training Apple provides to its customer service reps (does Apple even run their own CS or is it farmed out?); but nothing can prevent "human error".

Nothing can prevent human error. But systems can be set up in such a way that limits the risk of that human error causing failure. If the agent has to actually enter the answers before being able to issue a temporary password, then (assuming the author is correct) this particular problem wouldn't have happened.

"Human error" doesn't explain continuing the process after failing the security questions, unless by human error you mean merely that "someone did it."

It's not human error. Their policy allowed for password resets given these 2 bits of information. Wired retried it and verified that it was indeed the case.

There's this joke about hiring the cheapest security guard to watch over your most prized possession. I'm not only talking about the wages being paid to the Apple CSR, but also of their technical ability to know the value of the data they possess.

Sure, if I was a facebook db admin I'd be semantically satiated with the data, but that doesn't mean it isn't important.

You're right, but that is essentially Marco's point. My view is that Amazon did the same thing (let hackers add an email account, to which it sent the password reset), and required slightly less information to do so.

"I haven't seen this fact mentioned much, but Honan's billing address was compromised through a WHOIS lookup on his domain. This is a huge reason to use registry protection services. It's true someone could look you up using things like Pipl and Spokeo, but that's only if you have something in public records, such as a mortgage (or, in some cases, leases)."

There used to be books that they put on everyone's doorsteps that had everyone's name, address and phone number in them. Society managed. Addresses should not be considered private information, nor should birthdays, mother's maiden name, etc.

The entire "account recovery" concept just reeks of ad-hoc solutions piled on top of ad-hoc solutions. They're designed primarily so that legit customers who can't get into their accounts suffer as little inconvenience as possible, and they try to toss some security in on the side.

My favorite is bank accounts:

'Tell us your account number, as well the amount of a recent transaction on the account'.

Oh, so you gave me a personal check? Great, let me go deposit it, so that's a transaction that I know about. And I already have your account number (and routing information) from the check itself.

This isn't just to be able to drain all funds from the checking account (for which the numbers on the check alone are sufficient) but to reset the passwords on the account, which usually gives you access to any linked accounts as well.

My bank is a lot more careful than this. I actually called them a few days ago to get a password, and they asked:

* SSN?

* Full name?

* How long have you been with the bank?

* How many accounts do you have?

* Do you have a business account?

* How many business accounts?

* What's the name of the business?

* Have you set up auto-debit?

* Have you set up electronic-debit?

* To what companies?

* What was your last charge on your credit card?

* Do you have any monthly transfers set up?

* For what amounts?

* Do you have any loans?

* Do you own any investment funds?

* Which?

* Have you reset the password before?

* <My security question>?

* How many two-factor auth thingies do you have?

* Serial number on your two-factor auth thingy?

* Model of the above?

Those are the questions I recall. So at least not every bank is careless enough to only require you to name a recent transaction.

I've had this recently.

The banks seem to have worked out that they have access to a reasonable amount of information that they can use it in this way.

The answers weren't easily guessable and there was a threshold so you didn't need to get everything right which allows them to make the questions a little trickier.

The system wasn't perfect - if you broke into my house and got my papers you could probably get past it - but it was a million times better than asking where I went to school.

What bank? Seriously, I will consider switching.

Including business accounts and brokerage accounts (which are often handled separately with different security processes), I've had numerous accounts with many different providers, and never had anything close to that level of security.

Yeah, but at least it's a bit more trackable - they know they gave you a check.

And yet they were so happy that someone off of craigslist was willing to accept a check.

(private browsing, throwaway email, tor, check cashing place, etc.)

Looks like the social-engineering form of privilege escalation.

I always imagined "social engineering" as using some sleazy tactics that rely on exploiting emotions of the people with access, e.g. calling the lonely clerk at the phone a "sweetie" and commenting on her beauty/softness of her voice, or giving some gambling tips/bonus to the gambling junkie clerk, or so.

This, on the other hand, was simply following procedure. No social "engineering" here.

"Oh, shoot, I have so many credit cards... is it this one? This one? This one?"

Seeming clueless when doing malicious things is unquestionably a form of social engineering.

Seriously? Imagine the following...

Say I'm a naive person and say I go for dinner and pay via credit card. Since there's not much information on there, I throw the receipt away. On the receipt (at least those I get here) is my last name, as well as the 4 last digits of my CC number. Now assume my last name was sufficiently rare in the area for a potential attacker to make sure that this was actually my receipt. Also assume, that I'm an Apple nerd with an iCloud account (which I'm not).

Some potential hacker finds my receipt, puts 1 and 1 together and calls Apple and gains complete access using nothing but a receipt with 4 digits and a name on it.

Is the restaurant to be held responsible for it because they printed those 4 digits on the receipt? Hell no! Is Apple responsible for giving access to my account to a complete stranger possessing nothing but a CC receipt? Yes.

In this case, Apple is after all responsible for the data loss and their security measures are clearly questionable. One should never use a security key which is obtainable by everybody and his grandma. The last 4 digits of your CC number are not private because the card companies decided that it's secure enough to show them.

There's a difference between a restaurant using a standard machine which prints those details because they may be useful (so customers can later go back and check which card they put it on) and Amazon giving those away without any reason at all.

Don't get me wrong, 95% of the fault rests with Apple, but Amazon should review their processes. There is simply no reason for them to be handing these details out, particularly without valid confirmation of the person's identity - if they need to confirm the card details the customer can give the four digits and the customer service representative can confirm them.

One of the basic rules of security, don't do anything that's not necessary and this is entirely unnecessary.

> but that's only if you have something in public records, such as a mortgage (or, in some cases, leases).

Or a driver's license, or a voter registration form....

Amazon's process is becoming more flawed as it grows. Originally for protecting against unauthorized purchases (balancing the write off of fraudulent purchases vs losing customers because of excessive security), it no longer works when the same account is used for their cloud services.

Excuse me while I delete all of my files from Amazon's Cloud Drive...

Exactly. Amazon has very good protections against someone ordering things with your credit card to their address, and that used to be their primary exposure. Not so much anymore.

Use a different account for cloud services (which most companies would already do) and use two factor auth. Easy breezy.

I consider my home address public – and companies such as Amazon should too and therefore never use such public information to verify etc. users. The same goes for birthdays, credit card numbers, well, simply everything that others could know.

> How is Apple the weakest link in this?

Because for privacy, card processors and POS systems only expose the last four digits of a credit card. Using last-4 as a secret is a security hole. Apple processes cards too. They should have known better.

> This is a huge reason to use registry protection services

In this case it's a bit of a red herring given that his private address is right there on his personal website -- the whois is just an extra, completely unnecessary, step. Hide behind a whois protection service, but anyone motivated can get your address easily.

A personal address is not a secret bit of information. Pretending that it is brings nothing but an illusion of security. The same goes for many other laughably easy to acquire bits of information about someone -- what primary school you went to, one's mother's maiden name, etc: These are things that we've never treated as secret, and it's only the laziest of hackers that it discourages.

Not to mention countries like Germany, where you are required by law to make your address public. Honestly, I've always viewed whois protection as a huge scam. Those who really want your address can get it with trivial ease, and those who don't want it won't seek it anyway.

> I've always viewed whois protection as a huge scam

Private registrations allow you to anonymously register a domain. That's still a useful service for a lot of people.

It’s getting pretty annoying that Marco is consistently able to recap yesterday’s top tech news item, add no insight, and hit the top of HN.

Or am I missing something? Is there value added in this process? Or do these concerns end up reaching a much wider audience?

We like rehashing old news to feel better about ourselves.

Put another, less inflammatory way, Hacker News tends very highly towards the ephemeral. I would argue certainly more highly than reddit and possibly even more highly than something like 4chan.

This creates a detrimental effect because the discussion around these news stories is more long-lived than HN (the discussion vector) would let us believe.

This creates something I'd call the Hacker News Timeshift - blogspam based on yesterday's news purely on the off chance that the generated blog post will act as a vector for spurring the truncated discussion, thus generating plenty of ancillary or almost coincidental traffic to the blogspam.

Anyone who visits the new stories page once a day will see this effect in action for roughly 50% of the stories that were on the news page yesterday.

Nice observation. I buy it, but question how often authors have that specific intent in mind vs. unaffiliated submitters and voters creating the narratives with what they can find. Who knows? There's a chance Madonna^WMarco himself might not be targeting the HN masses with his latest post.

Regardless, it's finally dawning on me that the never-ending stream of Apple punditry is a fucking bore, including the "high quality" sources in the echo-chamber such as DF and 5by5.

Hacker News, in general, is a fucking bore. The nice thing about being random access is that you can be highly selective in both the stories that you read and the discussions you participate in.

I'm happy to keep seeing this as a top-ranked story if it puts quick pressure on Apple and encourages more people to think about account security.

It's not annoying (to me) since I happen to like Marco. But I do notice a pattern. (a) story happens (b) it makes HN (c) marco makes a one or two sentence comment on it (d) his comment makes HN.

Similar to the way Daring Fireball blogs about Apple stories, except he doesn't make HN as much.

People like to hear about Apple stuff. People like to hear about security stuff. And Marco has name recognition, so maybe people who wouldn't otherwise take a second look come by, upvote, and comment.

I totally agree with you. No added value at all and that applies to most of his posts.

Apple's performance here is inexcusable for a software company. It displays either a complete disregard or a complete lack of understanding of basic security.

I think that in particular it shows that they don't have their own internal security team trying to find a way in.

If you run a system on the scale of iCloud, and you don't crack it yourself, you can bet someone else will save you the trouble.

I think you are confused.

iCloud was NOT hacked. There was simply a mistake made by a customer service rep as acknowledged by Apple.

Except that Wired claims to have replicated the "mistake" at least twice (on top of the original attack). So that's a systematic error, and dedicated self-attack team ("tiger team") could have found that, and the hole could have been closed.

For support organizations, hackers and social engineers are still edge cases. The primary use case is dealing with paying yet indignantly impatient non-technical users. These people treat identity verification as stalling, thinking you're trying to get them off the line so you don't have to deal with their problem.

Munich is why you don't have a one-size-fits-all approach.

If I can't figure out how to turn on my shiny, new Mac, there is zero need for any verification. If I'm asking for a password reset, they should know for sure who I am by the end.

I had to remove an authentication from my Blizzard account once. They required me to do all the normal verification stuff (secret questions, password, etc), send an ID and confirm the process via a contact point I already had on the account. It took 24 hours. And they did it right.

It is always interesting to see what my iPad decided I was trying to say. I wish the edit window was a bit longer. I don't check back immediately.

For the record, "Munich" == "Which" in iPad-ese.

I think that might be too harsh. For people like us, customer service policies aren't normally included in "basic security". Obviously they should be. But my guess is that this kind of vulnerability exists all over the world in all sorts of industries.

In the US, at least, regulated banks have some security requirements that might prevent this (though I'm not sure). But outside of that my guess is that it's routine for a customer service agent to be able to make any modification to an account they want, without an extra authentication factor or supervision.

So yes: blame Apple. But be wary, they can't possibly be the only ones.

Yes, definitely blame Apple, no doubt about it. I'm still a little shocked that the last 4 cc digits constitutes 'security'. An easy alternative - which I think they already have - is the whole two security questions thing. I would feel much better - as a customer - if they used those.

This type of thing is going to happen more and more and the fact that remote wipe of all the devices happened totally negates any advantages of using cloud services. I mean, what's the point of having everything backed up remotely if

a) the backup is not current

b) the same remote servers can wipe your devices at any time

In addition, it's possible the remote backups could be removed as well (although not sure about that for iCloud) and in that case, you might as well not back anything up and have a hard drive die (at least that could be recovered I suppose).

Apple needs to jump out in front of this asap and announce a policy change in regards to security in order to put people at ease. I'm glad this is making waves and I think there needs to be more noise about it in order to get them to change.

Well, If he had a backup (either remote or local) it wouldn't have mattered. It would mean a few hours spent with Time Machine, but he wouldn't lose his data. And a remote backup should not be "removable".

Also, don't ever expect Apple to do anything ASAP. Even if the whole world shouts at them, they won't say anything. They take their time to (hopefully) think this through.

>> Well, If he had a backup (either remote or local) it wouldn't have mattered.

For this specific thing, no. But this was a fairly blatant act by the hacker. What if they silently read your iCloud mail, or used the Find my iPhone functionality to stalk you.

They couldn't silently do anything. They won't give you passwords, they give you the ability to reset it. If the hacker were to reset it, the reporter would notice (as he wouldn't be able to use his account anymore). And I think Find my iPhone would cease working if the password saved by the app does not match what's stored in the cloud (i.e. hacker's bogus password).

In case of cookie sniffing, Google shines. They show you the IP addresses of people who have used your account recently. If you (or they) spot a stalker, you can reset the password. I don't know how effective that could be with 3G, but at least

That said, it's no secret that Apple's password system is absolute garbage. I had to reset it 5 times last month because someone was trying to get to my iCloud account (probably brute-force). Apple would de-activate my account and would require me to re-enter security questions and choose a "new" password that I haven't used in the past year. And every time I had to spend an hour typing the new password in my various devices. AND I WOULDN'T RECEIVE MAILS IN THE MEANTIME. Just ridiculous.

The security questions business is hard, too.

Many sites use things which are public information (mother's maiden name) but even question's like "Where were you on this important date?" or "what was your first car?" start to look pretty silly in the age of Facebook. Worse, a dropbox-loving facebooker who's checking his gmail account from his iPhone probably has enough information in many of those places to compromise the other accounts.

You should never give legit answers to these security questions. I just paste in the output of pwgen -s 32 1. This may make your account harder to "recover" but it also makes it harder to steal.

Yes, this is exactly what I do. I have interesting results sometimes;

  Bank: I'll just need you to confirm your mother's maiden...um...um
  Me: Yes, it's a long string of random characters, want me to read it?
  Bank: No, that's ok, thanks.

For a compromise, you can add the correct answer but with a quirk. (that is easier, unless you forget the quirk)

like, put the first name in "Mother's maiden name", or the middle name, or swap their position

And you are right to treat it as a password.

I've had plenty of banks ask me to call back later because I didn't meet all of their screening vectors for identity verification simply because I didn't have a certain piece of information available at the time.

Frustrating? Yes. But good security can't be transparent to the user.

Amazon was a great example of this for me. I was trying to get a phone I had purchased through them replaced, and they asked me what my "display name" was.

Now I had completely blanked on what that was.. was it my username? Was it my full name? Was it the beginning part of my email? gah, I'm on break outside a cafe and thought I could get this settled quick..

So the person on the phone, in quite a polite and understandable way, gave me a number to call back directly when I could remember it as I had passed all other verification steps. Had a moment of clarity and called back 2 seconds later and got on with it. They overnighted me a brand new phone.

I rate that interaction a 10/10. 9/10 if we can imagine a world of omniscient amazon that knows when I've received broken items..

Frustrating? Yes. But good security can't be transparent to the user.

Nearly always security is the opposite of convenience. Once people realise that you can be "more secure" or "more convenient" we'll all be better off. This implies to be "more secure" you must be "less convenient". It's always a trade off.

In the US, at least, regulated banks have some security requirements that might prevent this (though I'm not sure). But outside of that my guess is that it's routine for a customer service agent to be able to make any modification to an account they want, without an extra authentication factor or supervision.

The EU has data protection law, which means companies that store personal data are legally required to ensure it's safe. I wonder if Apple are in breach of the law here?

I'm not a lawyer, but technically the hacker didn't "hack" the computer systems. So I'd wager that you can't slap a data protection law. But on the other hand, they definitely are legally liable for even a social-engineered attack. Maybe they'll get hit with negligence?

EU Data protection law is not about "data in the computer sense" but personal information. It's not related to computers per se at all. If someone can just ring up and ask for personal information, that would be against the law. If customers' personal details are written up on walls in their public offices, that would probably be illegal as well.

<flippant>But par for the course for a consumer entertainment products company</flippant>

In my blinkered world, Google and Facebook seem to be the companies to beat in the area of security for consumer services. 2-factor auth, proactive account security such as geographic checks etc.

I can see how Apple's corporate mindset would find it painful to sacrifice user experience for security. Google, not so much.

As an aside, it's about time Microsoft offered 2-factor auth for their accounts.

This whole saga proves it's too hard for companies to implement effective security policies on their own.

What's needed right away is a "badge of security approval" from an independent third party, which verifies not just the technological side, but the customer-service side too. Including things like:

- password policies (e.g. not limiting to 16 characters)

- hashing and salting passwords

- standards for security questions (these are usually so horribly written)

- standards for identity verification if you've forgotten password AND security question answers (most sites will not be big enough to bother with this, so you just lose your account, but Facebook/Apple/Google/etc. need to have a common model, so inconsistencies between companies can't be exploited)

- policies for sending out password-reset emails, adding/changing e-mail addresses, with appropriate user notification

- waiting periods between changing emails and passwords, so you can't just go and change everything about an account all at once

- special unique privileges to initiate operations that can delete large amounts of data (like a special second password, or extra security questions, for deleting your account, remote wipe, etc.)

These are just vague ideas off the top of my head, not an actual proposal. But we really need a set of "best practices", and a way of identifying that companies are actually following those best practices.

A secure "lock" icon in the browser bar is no longer enough.

I think "Security questions" need to be completely destroyed and the earth salted. Then we have a long talk about them before bringing them back in a very careful, limited format.

Bank Of America is horrible in this. First off, if someone else tries to log in using your username 3 times, it locks you out of your account. You need access to your email to get back in.

But it demands you re-create three security questions after that. I chose a simple username so other people stumble across it a lot. So I have to go through this process frequently, and there is nothing I can do to stop it.

How securely are they storing this PII? Probably not at all. I try to give the exact same questions and answers every time to limit what BoA knows about me, but someone compromising my BoA account might be able to learn that information and use it to cascade attacks into other services. (They display my secret questions and their answers to me in plaintext.)
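Two points in this thread fit one small example: the earlier advice to answer security questions with random strings (the pwgen suggestion) and the complaint just above that a bank displays stored answers in plaintext. The code below is an added example, not from any bank or commenter; the function names, the normalisation rules and the PBKDF2 iteration count are assumptions. It stores answers the way a password should be stored (normalised, salted, hashed, compared in constant time), so a leaked record cannot be displayed or replayed against another service, and it shows that a random high-entropy answer works through the same path.

```python
"""Added example: storing security-question answers like passwords.

Answers are normalised (case, accents, punctuation, whitespace) so a
legitimate user is not rejected over "O'Brien" vs "obrien", then hashed with
a per-answer salt. The stored record never contains the answer. Function
names, normalisation rules and the work factor are assumptions for this example.
"""
import hashlib
import hmac
import secrets
import string
import unicodedata

ITERATIONS = 100_000  # assumed PBKDF2 work factor


def normalize_answer(answer: str) -> str:
    """Fold case, strip accents and punctuation, collapse whitespace."""
    decomposed = unicodedata.normalize("NFKD", answer)
    no_accents = "".join(ch for ch in decomposed if not unicodedata.combining(ch))
    kept = "".join(ch for ch in no_accents.casefold() if ch not in string.punctuation)
    return " ".join(kept.split())


def enroll_answer(answer: str) -> dict:
    """Return a storable record: salt and hash only, no plaintext."""
    salt = secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac(
        "sha256", normalize_answer(answer).encode("utf-8"), salt, ITERATIONS
    )
    return {"salt": salt.hex(), "hash": digest.hex()}


def verify_answer(record: dict, candidate: str) -> bool:
    """Recompute the hash for the candidate and compare in constant time."""
    salt = bytes.fromhex(record["salt"])
    digest = hashlib.pbkdf2_hmac(
        "sha256", normalize_answer(candidate).encode("utf-8"), salt, ITERATIONS
    )
    return hmac.compare_digest(digest.hex(), record["hash"])


def random_answer(nbytes: int = 24) -> str:
    """A high-entropy 'answer', in the spirit of pasting pwgen output into the form."""
    return secrets.token_urlsafe(nbytes)


def demo() -> dict:
    """Constructed enrolment and verification scenarios."""
    rec = enroll_answer("O'Brien ")       # what the user typed, with a trailing space
    rnd = random_answer()
    rec_rnd = enroll_answer(rnd)
    return {
        "plaintext_absent": "brien" not in repr(rec).lower(),
        "variant_accepted": verify_answer(rec, "obrien"),
        "wrong_rejected": verify_answer(rec, "o brian"),
        "random_accepted": verify_answer(rec_rnd, rnd),
        "random_length_ok": len(rnd) >= 32,
    }


if __name__ == "__main__":
    print(demo())
```

Normalising before hashing is the trade-off worth noting: it makes the stored answer slightly easier to guess (fewer distinct forms) in exchange for far fewer lockouts of genuine users, which is why an answer that is already random, as suggested earlier in the thread, loses nothing from it.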

There is no reason for banks to have any security questions at all, or even passwords. They can mail security tokens to all their customers and rely on the post office validating the identity of the customer. And if the security token breaks or is lost they can just mail a new one.

This is what all or virtually all Swedish banks do.

Only websites where the users need instant access or you have a low profit per user cannot afford security tokens. Banks are obviously not included here.

My bank (a credit union actually) requires you to come in to a branch office during normal business hours if you need to get your password or ATM PIN number changed, or if you've tried the wrong password too many times and locked your account.

They also use two-factor auth on logins from new computers (or when you've cleared your cookies).

No, they can't rely on the post office. The workers there aren't paid that well, after all, and some of them would probably be quite happy to take money on the side to make a few security tokens disappear into the hands of a fraudster.

They already send credit and debit cards in the mail. Is this substantively different? Do we have widespread problems of postal workers stealing credit or debit cards? What's in place to prevent that, and why couldn't the banks use similar measures with an OTP device?

Security questions are pretty useless for protecting access as well. They're typically information that is easily available to a lot of people you wouldn't want to have access to your account.

Which is why I type random data I wouldn't remember and don't write that stuff down either whenever I'm asked to provide an answer to a "security question". They're the worst idea someone could think of to implement a security scheme. I am appalled at the fact that most (all ??) of the big names on the internet use them. Even Google, who should know BETTER what with all the first class software engineers they have.

I don't mind the ones where you can set your own questions but things like maiden names and first schools are asking for trouble.

The comedian Lucy Porter does a nice sketch about setting your own security question, claiming that one of hers was "Are you really going out dressed like that?" to which the answer was "You're not my real dad, you can't tell me what to wear."

Be careful with that strategy, as sometimes sites will force you to provide answers to security questions to access your account. Probably better to treat each question as its own password, despite the hassle.
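The BoA comment above (answers shown back in plaintext) and the advice to treat each question as its own password point at the same storage decision. Below is an added example, not code from the thread or from any bank, of how a server can keep security-question answers only as salted PBKDF2 hashes, normalising the answer first so the user is not penalised for capitalisation or punctuation, and comparing in constant time. The iteration count, the normalisation rules and the class name are assumptions.

```python
"""
Security-question answers stored as per-question secrets (added example, not
from the thread). Answers are normalised, salted and run through PBKDF2 so a
database compromise does not reveal them; comparison is constant-time.
Iteration count and normalisation rules are assumptions.
"""
import hashlib
import hmac
import os
import re
import unicodedata
from typing import Dict, List, Optional, Tuple

ITERATIONS = 200_000                       # assumed; tune to your hardware
_NON_ALNUM = re.compile(r"[^0-9a-z]+")


def normalise(answer: str) -> str:
    """Casefold, strip accents and drop punctuation/whitespace so that
    "St. Mary's" and "st marys" compare equal."""
    nfkd = unicodedata.normalize("NFKD", answer)
    ascii_only = nfkd.encode("ascii", "ignore").decode()
    return _NON_ALNUM.sub("", ascii_only.casefold())


def hash_answer(answer: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Return (salt, digest); a fresh random salt is drawn when none is given."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", normalise(answer).encode(), salt, ITERATIONS)
    return salt, digest


def verify_answer(answer: str, salt: bytes, stored: bytes) -> bool:
    _, digest = hash_answer(answer, salt)
    return hmac.compare_digest(digest, stored)


class SecurityQuestions:
    """Server-side store: questions in the clear, answers only as salt + hash,
    so nothing here can be displayed back to anyone in plaintext."""

    def __init__(self) -> None:
        self._store: Dict[str, Tuple[bytes, bytes]] = {}

    def enrol(self, question: str, answer: str) -> None:
        self._store[question] = hash_answer(answer)

    def questions(self) -> List[str]:
        return list(self._store)

    def check(self, question: str, answer: str) -> bool:
        if question not in self._store:
            return False
        salt, stored = self._store[question]
        return verify_answer(answer, salt, stored)

    def check_all(self, answers: Dict[str, str]) -> bool:
        """Require every enrolled question to be answered correctly; evaluate
        all of them so timing does not reveal which one was wrong."""
        results = [self.check(q, answers.get(q, "")) for q in self._store]
        return bool(results) and all(results)


if __name__ == "__main__":
    sq = SecurityQuestions()
    sq.enrol("First school?", "St. Mary's Primary")     # constructed sample
    print(sq.check("First school?", "st marys primary"))
```

Normalising before hashing is the one design choice worth pausing on: it slightly shrinks the answer space, but an answer that must be typed exactly as it was enrolled years earlier gets reset through support far more often, and it is the support path that this whole thread is about.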

As far as best practices wrt. security, I've been a long-time fan of the OWASP ASVS checklist: http://code.google.com/p/owasp-asvs/wiki/Verification

Both Apple and Amazon are in violation of V2.9: "Verify that users can safely change their credentials using a mechanism that is at least as resistant to attack as the primary authentication mechanism."

Clearly the secondary authentication controls are weaker than the primary authentication controls.

It would be so awesome if all the common web app providers published ASVS compliance reports. Never gonna happen though.

How would they be any better than current "effective security" badges? People see "Verified by VeriSign" and "TRUSTe" all the time, I don't think they'd treat a new one any better.

What's needed right away is a "badge of security approval" from an independent third party, which verifies not just the technological side, but the customer-service side too.

That sounds so good, and the appeal of this kind of problematic scheme is what makes security such a hard problem, one that we likely won't see easily solved.

Aside from the usefulness or not of the stuff on your checklist, any "badge of security approval" is basically outsourced security. And that won't work because any wholesale security provider must provide one-size-fits-all security, and one-size-fits-all fails because it must either be so secure no one could break it, and so be far too unwieldy for most uses, or it must be fairly flimsy and so fail exactly when the use case becomes critical (and of course trusting any third party expands your perimeter of trust in a fashion that you might not be aware of).

The physical locks and strong boxes we have are scaled according to what we're facing and still need real human beings to keep an idea of whether they are really secure. I live in a good neighborhood. I've lived in bad neighborhoods. It's part of becoming an adult. The lock on my gate is flimsy but it's enough. But I watch to see if the neighborhood is going downhill, if there's some factor which would make me a target. It's a paltry measure but it actually has worked pretty well. My security level can't be carte blanche guaranteed by anyone. Even if I hire a security service, I'm not ultimately leaving everything to them.

Outsourced security won't work in the sense of entirely outsourced security. The information age can't really get away from the "rings of trust" situation where the most highly trusted entities cannot really, and should not, be trusted to give away their trustedness on a wholesale basis. Some people can and should rely on outsourced security but the biggest targets should not and cannot.

And it is all a matter of levels. Average consumers can trust the browser bar (more than a lot of things) because they aren't special targets. That's OK.

If I'm going to trust some expert to certify that other websites are following specific best practices, I'd prefer the expert simply implement those best practices, and I'd log into everywhere else by their OpenID.

I don't know where else to bring this up, and had no idea how to discuss it when it happened. So I'll do it here, in this excellent thread of security discussion.

Dropbox doesn't send an email notification, or anything of the sort, when adding a computer to your Dropbox account.

I discovered this, when one day I realized some of my files in Dropbox were deleted. Specifically my 1Password file.

I logged in to check things out, and discovered that there was a weird computer added to my account. I promptly changed my password to dropbox, did a recover of my 1password file, changed the master password of that, then went through and changed passwords of my most important information stored in 1password.

The fault lay with me, in that my Dropbox account was still using my temp 'testing this service out' password I'd used when I first signed up. Stupid me. My 1Password master password was already very strong so I wasn't highly concerned.

What ticked me off, was that there was absolutely no notification or verification process when adding a computer to your Dropbox account! I wrote Dropbox, and their only response, after MANY days, was 'make sure your password is strong'.

On the security page you can turn on email notifications for system additions: https://www.dropbox.com/account#security

On your account page you can enable RSS feeds. The home page then has a link to the feed, which I have in Google Reader. It includes all file changes, as well as machine additions and removals.

The email notifications for System additions most certainly didn't exist when I wrote Dropbox about it. I did however, know about RSS but didn't choose to use that as a notification system (and wasn't aware it notified about machine additions or other system stuff).

Thanks :)

Thanks for this, as well.

I had perhaps a dozen or so old entries on there. Now, I don't know if there are actually any serious security implications here, especially since most of those instances are genuinely defunct. However there's no sense in leaving them around if I'm not using them anymore. Maybe it's worth checking out and pruning? I don't know.

FYI: They added these notifications recently.

Leaving aside Apple's choices regarding the degree of security employed to protect their customers, this would be a non-story but for the fact that Apple decided to treat Honan's Macbook as if it were an iPhone.

Email accounts get hijacked, phones lose data, and impersonation happens on Twitter. A blog post about one of these or all in combination may make the front page of HN, but unless the writing is compelling (and in this story none of it is), it will not persist there.

This story is a story because the Macbook was wiped remotely. That's what's scary. Losing data on a phone or iPad will never potentially entail the loss of years of work. They are second and third devices, and intended primarily for consumption not creation.

It's our computers which hold our work (and as this story shows, moving it to "the cloud" may not offer significantly greater protection). An architect doesn't store her design on her iPhone, nor a developer her code, nor an entrepreneur his company's books. Our computers tend to hold important parts of our lives. They are the tools we use to create and retain our work.

Apple forgetting that for the sake of a consistent sales sheet across product lines is really the heart of this story's traction.

Remote wiping at the flick of a switch is a bug, not a feature in the consumer world.

Four digits are worthless. Somebody was able to get the last four digits of my social security number (how many times have we given that info to customer service reps thinking it's "safe?") and used the digits to open a credit account on BillMeLater (yes, they did not require the full social security number to open an account). They then started buying stuff (Nike shoes -- why doesn't that surprise me?).

The only reason I discovered this is because they didn't have my real email address and BillMeLater called me to tell me they needed me to update my email address. So, we also know that they don't even require email address authentication. Now all of my credit reports are locked. I recommend everyone do the same.

Sorry to hijack the discussion, but wanted to provide another "4 digits suck" example.

I'd like to know more. How did BillMeLater know your phone #? Did PayPal/BillMeLater absolve you of all charges, considering they basically bill anyone someone else points to?

Many of our financial systems rely on trust alone. For example, anyone you give a personal check to can drain your checking account. All they need is your account # and routing #, that are on the check.

Why doesn't it surprise you?

People go to stupid lengths to get them. They are a luxury good that is just cheap enough that a lot of people can realistically desire them, but just expensive enough that people will do stupid things to get them, instead of just paying for them.

I'm not surprised. Nikes are totally badass sneakers.

Another place four digits are used is paper receipts of credit card payments, for example - http://salesreceiptstore.com/fake_store_receipts/fake_credit...

> It’s appalling that they will give control of your iCloud account to anyone who knows your name and address, which are very easy for anyone to find, and the last four digits of your credit card, which are usually considered safe to display on websites and receipts.

Not trying to defend anyone. But has this been reproduced enough to confidently say they'll give control to "anyone"? Or was it just an employee mistake not following the policies in place? It would be a mistake on their part either way, but I'm just trying to understand what the mistake was.

If you read the Wired article by the fellow who was hacked (http://www.wired.com/gadgetlab/2012/08/apple-amazon-mat-hona... ), yes, Apple does this as a matter of policy, and even after Apple assured the author that this was not policy, Wired went and tested the method on two separate occasions and was able to gain access to other folks' iCloud accounts.


On Monday, Wired tried to verify the hackers’ access technique by performing it on a different account. We were successful. This means, ultimately, all you need in addition to someone’s e-mail address are those two easily acquired pieces of information: a billing address and the last four digits of a credit card on file. Here’s the story of how the hackers got them.

In the Wired article, they mention that they were able to reproduce it. It seems that is their policy, and in my opinion, that policy is the mistake. There should be no easy way to end-run user defined security like this - Mat could have the most secure account in the world, doing everything right, and this still would have gotten him hacked. That is a problem, and a big one.

> Or was it just an employee mistake not following the policies in place?

The employee should not be given the ability to not follow the policy.

Policy? There should be no policy of resetting passwords. Instead there should be a procedure where you as customer support fill in the data, answer(s) to security question(s) and then you can press the button. And then a temporary password is generated and set in place. If you have policies - do that, don't do that - you are already screwed. Like Apple is right now.

Even if Apple fixes the account recovery process, the fact that any flaw in iCloud security could easily lead to all attached devices getting remotely wiped is extremely scary. All of your work gone in moments!

Don't get me wrong, remote wipes are useful. But they should be protected by some kind of a "Remote Wipe Authorization Passphrase" that the user must set up. Otherwise we are all simply at the mercy of the next access control vulnerability in iCloud.

I disagree. The onus is entirely on the user to backup his/her data.

Don't use remote wipe unless you have a backup solution. I mean seriously, the very concept of remote wiping, whether intended or not, should make you buy an external hard drive and activate Time Machine. Because a remote wipe could happen in a database-server glitch on Apple's part, which would presumably bypass a passphrase mechanism. So why leave your data to chance?

But the other reason to not have a passphrase...what is the purpose of having a remote wipe? Because you are paranoid that not only someone will steal your laptop, but that they'll steal the data. Depending on your work situation, time could be the main factor here. What happens if you forget your passphrase...because really, how often are you going to be using that passphrase? Then you've given your robber minutes/hours to access your data.

Just to be clear, the verification process is still incredibly flawed on Apple's part, and the remote-wipe problem should not have happened in the first place. But enabling any kind of remote-wipe-power without thinking through the backup process is Honan's fault, as he admits in his article.

As long as you keep your data on your own machine, it is your responsibility to back it up. In the cloud, it's different though. The average user now expects the service provider to be responsible for keeping their cat pictures secure, warm and cozy.

And in the same way that users don't accept that hitting a delete button deletes their content - there are tons of complaints on such issues - they won't accept that remote wipe effectively rids them of all their cat pictures.

I see where you're going and every tech person should definitely keep a backup. Then again every tech person should be aware of how the cloud can fail and how putting your life into the cloud can fail you. However, the above is sadly true for Mr. John User, who has no idea what the cloud actually is; he just wants his things synchronized between his devices. The act of paying for a service raises expectations, and data integrity as well as permanency is probably part of those expectations.

I don't agree. You should have backups regardless, and the odds of your laptop drive just giving up or it falling to the floor or getting stolen should, in any universe, be way more probable (regardless of usage) than a "database-server glitch" on Apple's part.

Yes, you should backup but for way more important reasons than enabling remote wiping.

No argument there...but I'm just saying, remote wipe does what it does. Is there any consumer out there who enables it without realizing that it indeed allows the destruction of your device's data from "the cloud"? I assume that the average consumer is sufficiently paranoid about these kinds of technologies going awry...a database-server glitch is improbable, but don't you think the average consumer assumes otherwise?

Apparently remote wipe is enabled by a little innocent-sounding checkbox labelled "Enable Find My Mac", so consumers have almost certainly enabled it without realising that it allows their data to be wiped by a poorly-secured cloud system.

> All of your work gone in moments!

Your work should never be dependent on a single device staying functional.

Quick question for HN'ers... does anyone actually feel safe using cloud services for personal data storage?

In the interest of full disclosure... I can barely muster trust enough for gmail. Actually, I don't trust gmail, which is why I don't use it for anything important or personal. I certainly would not put my child's photos onto a cloud service and expect them to be safe. And from what I understand, these people put, not only their data on iCloud, but their ACTUAL DEVICES are administrable from iCloud. That seems insane to me. It seems that this is the inevitable result of any such system.

I guess I am just a bit surprised at the surprise being expressed here. USB drives are not THAT horrible are they? They seem, to me, far more reliable backup methods.

The "funny" thing here is that the guy didn't host his photos on the cloud, he hosted them on his Mac. It was a command to the cloud to remote wipe his Mac that caused his photos to disappear. If he had hosted them on the cloud somewhere, they would have likely been backed up at some point.

I use GMail. The convenience is worth the risk, and I think Google have a pretty good understanding of security - much better than Apple has shown here, for instance. Remote wiping sounds like a step too far, but I back up to an external hard drive, so a remote wipe wouldn't be disastrous.

Just me, but I've had a lot of external hard drives fail, and zero files lost on Dropbox, Google Drive, and iCloud over the years. So... YMMV

I choose to just double up on cloud services as a "backup"

Seems like Tahoe-LAFS deserves mention here. I haven't gotten around to trying it myself, but as I understand, it stores encrypted shards of your data on multiple cloud providers, so your data can't be compromised and no one provider can cause it to be lost.

EDITED to add link: https://tahoe-lafs.org/trac/tahoe-lafs

Tarsnap? Yes.

... That's about it.

I use gmail, but I don't trust it, and have been looking for an excuse to get away from it for a while.

I use Backblaze for desktop backup and Rsync.net for important data. I have reasonable confidence in these two services, as my data is encrypted at rest, and I have at least some control over the keys.

I'm not very comfortable with other cloud services.

>does anyone actually feel safe using cloud services for personal data storage?

For me, it's a balancing act. I find it hard to manage backups. I don't want to run a RAID setup at home. I really like the convenience of Dropbox and S3.

What do you trust for email? I sleep a lot better knowing it's Google and Time Warner or Comcast. Colocation? I wonder how hard it is to talk a colo facility into access to an arbitrary rack.

You need to have your stuff backed up to the cloud (in case your house burns down) and to a USB drive (in case your account is compromised). Neither is adequate by itself.

I hear the "if your house burns down" line often and I can't tell if it's meant literally in this context. I'd think that at least for most regular folks, if their house and everything in it was turned to ashes, the last thing they'd cry over would be their, say, iTunes collection or mostly useless email archives hoarded over the last ten years.

It's more likely they'd be upset over losing photos of their child growing up, for instance. Or if they've digitized, say, financial records.

I mean, yeah, obviously the primary concern would be "oh my god my house burnt down." But if you can minimize the repercussions by putting digital stuff which is important to you offsite, maybe that's something to be relieved about.

It's one of several things that could happen (fire, flood, burglary, other natural disasters depending on where you live etc., lots of ways to lose all data at a location).

But yes, I mean it literally. Insurance may pay to replace your house. But a portfolio of a few years of work, the text of your half-finished novel, photographs of your children growing up, the final e-mails you exchanged with your uncle who died of cancer? No insurance money will ever replace those.

I use Mozy for full backup and Google Drive + Picasa for photos and videos. Hopefully both of them wouldn't fail me at once.

I do store some sensitive stuff on Dropbox, but inside an encrypted disk image (I'm on a Mac).

Tarsnap and Spideroak, that's about it right now.

It's also interesting that for Amex cards, that part of the card number is very structured. The middle two of the last four are almost always 00 or 01 since it is just incremented for reissued cards.

Nothing is 100% guaranteed secure. Let's start there.

As far as password recovery, I would like to see something more "physical", if you will. For example, Apple charges a small random amount to the CC on file and you have to come back and give them the amount.

A fingerprint scanner on every iPhone could be interesting.

I think the reality is that nearly all but the most safety conscious/paranoid hackers reuse easy-to-remember passwords across a multiplicity of sites. Some might have two or three passwords to fence off, say, financially related logins from non-financial stuff. Still, the vast majority of Internet users are probably in the first group with a simple password across every single login they have. That's the problem. And, with such tools as Facebook logins you also have a situation where discovering one login gets you in to all manner of sites.

How do you protect Mom, Dad and Uncle Fester from this? You are not going to turn them into computer scientists or security experts. No, they are not going to create and remember fifteen different thirty-two character passwords with a mixture of alphanumerics and symbols. That's just not going to happen.

Not sure what the solution might be at this point. The Internet, due to the nature of its organic evolution does not have an underlying security construct that is, for lack of a better word, bulletproof.

I can't think of a time when I didn't see the last four digits of my credit card on a receipt. This is a totally boneheaded move on Apple's part.

Sadly, I can :)

Just a few years ago I looked at my receipt from a local Dairy Queen and it had all but the last four digits printed on it. I complained to the guy behind the counter, who didn't see the problem.

I assume most new POS systems nowadays don't even have the option to print anything but the last four, but there are still some out there in the wild which do. Which is why I still shred all my receipts.

It really shouldn't be a problem. In my teenage years I could memorize a 16-digit number from seeing it once; I can't be the only one. If credit card security depends on keeping the big number printed on the front secret then it's doomed to failure.

In this case it's not as much about keeping it secret (since anyone who sees/handles it might have the number memorized or recorded) as it is reducing the attack surface. If the full number is on a discarded receipt (or on any combination of two receipts) along with my signature, anyone with access to my trash now has a big chunk of the info they need for identity theft.

I'm not saying that obfuscating the first 12 digits on a receipt solves the problem; just that it's a very minor adjustment that makes things more difficult for the attacker. But some organizations are still failing at even these most rudimentary steps.
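The receipt discussion above (full number printed on a Dairy Queen receipt, versus only the last four as is standard) comes down to a small display-side function. The code below is an added example written for this page, not code from the thread or from any POS vendor: a masking routine that keeps only the last four digits while preserving the card's own grouping, the public Luhn check-digit test used only to reject malformed input before a receipt is printed, and the weak "everything but the last four" form beside it so the two can be compared. The card numbers in the test are standard constructed test values, not real cards; the function names are assumptions.

```python
"""
Receipt-side PAN masking (added example, not from the thread). Keeps only the
last four digits, validates the Luhn check digit before printing, and shows
the weak all-but-last-four form for comparison. Sample numbers are
constructed test values.
"""
import re

_DIGITS = re.compile(r"\D")


def luhn_valid(pan: str) -> bool:
    """Standard Luhn check digit (ISO/IEC 7812). Catches typos, nothing more;
    passing it says nothing about whether the card exists."""
    digits = [int(c) for c in _DIGITS.sub("", pan)]
    if len(digits) < 12:
        return False
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:                  # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str, keep: int = 4, mask_char: str = "*") -> str:
    """Replace all but the last `keep` digits, preserving the spaces or dashes
    the input used so the masked form still reads like a card number.
    Raises ValueError on malformed input so a bad value never reaches paper."""
    digits = _DIGITS.sub("", pan)
    if not 12 <= len(digits) <= 19:
        raise ValueError("PAN must be 12 to 19 digits")
    to_mask = len(digits) - keep
    out = []
    for ch in pan:
        if ch.isdigit():
            if to_mask > 0:
                out.append(mask_char)
                to_mask -= 1
            else:
                out.append(ch)
        elif ch in " -":
            out.append(ch)
        # any other character is dropped rather than echoed onto the receipt
    return "".join(out)


def exposed_digits(masked: str) -> int:
    """How many card digits a masked string still reveals."""
    return sum(c.isdigit() for c in masked)


def receipt_line(merchant: str, amount_cents: int, pan: str) -> str:
    """Hardened form: validate, then print only the last four."""
    if not luhn_valid(pan):
        raise ValueError("card number fails checksum")
    return f"{merchant:<16} ${amount_cents / 100:>8.2f}  {mask_pan(pan)}"


def weak_receipt_line(merchant: str, amount_cents: int, pan: str) -> str:
    """The mistake described in the thread: masks the last four and prints
    the rest, leaving 12 of 16 digits on a piece of paper headed for the bin."""
    digits = _DIGITS.sub("", pan)
    return f"{merchant:<16} ${amount_cents / 100:>8.2f}  {digits[:-4]}****"


if __name__ == "__main__":
    sample = "4111 1111 1111 1111"       # constructed test number
    print(receipt_line("Dairy Queen", 425, sample))
    print(weak_receipt_line("Dairy Queen", 425, sample))
```

Masking at the point of display is the cheap part; the same four digits still end up on every receipt, statement and order page, which is exactly why the thread's point stands that they cannot double as an authentication secret.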

I would actually love to be assigned a secure credit card. Remove the number on the front, and remove the magstripe (the countries I visit all use chip-and-pin now)

Compared to the other things we're talking about, fraud on credit cards is largely a solved problem. (Yes, there are issues, and I'm sure people actively working on the problem don't consider it solved.) Credit card fraud puts the consumer out $50 at most.

But someone got the bright idea to attach other things to your credit card information, like your entire MacBook.

We need to burn down the entire concept of "security questions" and start over from scratch.

Did anyone ever show you his credit card "okay but just once"? I doubt it. The big number is indeed supposed to remain as secret as possible to avoid trouble.

Ever use a credit card? You are almost always handing them over to other people; oftentimes they even leave the room with it for several minutes.

In the UK at least you should never have to hand it over. You insert them into the chip and pin device yourself. A lot of places will do this for you but only in plain sight.

Well, in the US it is common to hand your card to servers after your meal who will then carry it off to the register (wherever that may be, usually not visible) and bring it back to you with a receipt.

The UK may have a better protocol, but that doesn't change the fact that for a significant population, the number on the card is really anything but private. Certainly Apple should know this, being based in the US...

This is usually ok since credit card companies have the whole fraud thing figured out for the most part. It only becomes "not ok" when companies like Apple make them into something that absolutely needs to be secret.

RE: "At the bare minimum, for this level of recovery that bypasses security questions, they should require confirmation of the entire credit-card number and verification code."

That's still a fail because your wallet probably contains credit cards, which have your name and credit card number, obviously. And driver's licenses in the US, as far as I know, include an address. So it's all there. You're screwed.

What is necessary is 2-factor authentication, which is what a lot of us have been saying for a long time (I wrote this blog post in 2009, after another Twitter-related hacking: "Why The Twitter Breach Is Bullish for Two-Factor Authentication": http://chrisco.wordpress.com/2009/07/16/why-the-twitter-brea...). If not 2-factor, at least don't make recovery possible with things so easily obtained, such as information from items typically contained in a person's wallet.

My thought is that they should additionally charge a fee for this, using a card that passed name, zip code, and CVC checks. Now you have a higher bar to fake your way over, and in addition whatever laws were broken by the perpetrator, he would have credit card fraud as well, and that's something that prosecutors, courts and juries can understand a lot more easily.

Why is this at the top of HN? Just because it's from Marco? There is nothing new in the article. Can a moderator please change the title to the actual title of the post "Apple and Amazon Security Flaws Led to Mat Honan's Hacking"? The current title is just linkbait for people that thought it was a general discussion about Apple's weaknesses from Marco.

Does "remote wipe" also wipe attached drives, or just the system disk? It would really suck to also lose your Time Machine backups that way. I alternate my TM backups between several disks, leaving one of them off-site in case of catastrophe, but I'd still lose a good chunk of data if remote wipe targets attached volumes.

Instead of a remote wipe, what they should do is a remote encryption. Generate a pair of public/private keys, use the public one to encrypt the data, and destroy the private one after a month or so. Encrypted data is indistinguishable from random data, but at the same time, the user can get it back.

When you perform a remote hard drive wipe on Find my Mac, the system asks you to create a four-digit PIN so that the process can be reversed. But here’s the thing: If someone else performs that wipe — someone who gained access to your iCloud account through malicious means — there’s no way for you to enter that PIN.

From: http://www.wired.com/gadgetlab/2012/08/apple-amazon-mat-hona...

But ultimately, if the attacker has the ability to remote wipe/encrypt your device he/she is probably in control of any keys required to undo it.

The way I would do it, if I were Apple, I would keep the keys myself and require the customer to go to the store, personally, with their wiped/encrypted device, and present some proper form of ID, for the sales rep to undo the wipe.

I have one question as I'm not aware of any - has anybody had their BlackBerry hacked and remotely wiped?

What proportion of share price is affected by security, as that is all a company really cares about?

Now maybe the whole credit card system that we have is at fault - one number to rule them all to pay for things. Maybe if we had a system where we could give each transaction a unique number that was unique to each vendor you used. Then if that number is leaked it would be clear where it leaked from and only affect the people who leaked it. Until then there are disposable credit cards.

If Apple only accepted Apple credit cards and if Amazon only accepted Amazon credit cards, then this would not have happened. Can see what the outcome of this will be and people will still complain.

AFAIK almost every bank in India has now been ordered by the government to use 2 factor authentication. What's more, a specific bank I use has also included an interesting approach against phishing attacks.

You are basically assigned an access phrase and access image. They ask you to look at these two things and know what they are. Then, when you visit the site you enter ONLY your username. Once you click submit you're shown your access phrase and access image. If this were a phishing site, there is a high chance that your access phrase and image wouldn't match so you'd know to GTFO.

This is followed with a 2 factor authentication. Pretty solid IMHO :)

Bank of America has been doing this for over 3 years. It's called SiteKey.

But iirc certain banks in India have an alphabet board behind the card with letter-number pairs, right? Something like A-14 B-65 and so on. Then they just ask you to enter 3 random boxes.

The title of this article is completely misleading. It really is astonishing how the author is primarily targeting Apple to be at fault here. While protecting customer information is a top priority for reputable companies such as Apple, you cannot equate one non-diligent AppleCare employee to the entire organization. Clearly, the AppleCare employee that was easily socially engineered did not follow standard operating procedures. For the record, the "hackers" who destroyed Honan's digital life should be prosecuted. It's sad that Honan is letting these young punks get away with their malicious and unethical acts.

"Astonishing how the author is primarily targeting Apple"? Do you even know who Marco is? He's constantly accused of being an Apple fanboy. If anything he's biased for Apple.

The idea that "one non-diligent AppleCare employee" did this is reality-averse. Wired managed to duplicate what happened to Mat after-the-fact using other people's details. Even if you were correct, "one non-diligent AppleCare employee" should not be able to do what this employee did (apparently in accordance with policy, FWIW). A company that cared about security would not allow it.

So you can put down that water you're carrying (boy, does it look heavy!) any time you'd like.

Obviously. And yet, you have to admire the sneakiness of the hacker to even think of something so simple. If nothing else, this whole fiasco called attention to a terrible system that's probably already been changed by Apple.

It's not "creative" to think of this. Sarah Palin's email was "hacked" by someone who looked up her security questions in Google.

And Paris Hilton's phone was hacked because her security question was the name of her dog.


That's what the last three paragraphs of the post are: suggestions for solutions to the problem.

What if Apple provided some sort of 2-factor auth that you had to verify with the phone rep? Like they'll send you an email or sms and you verify the code back to the rep?

I think this will result in Apple selling fewer apps: People will set a way better password on their Apple account, and since you need the same password to buy $1 apps (every time!) as you do for remote wipe, people will buy fewer apps. They should probably have several levels: one simple PIN code for less intrusive stuff, and a lot of checks for the remote wipe (or expensive purchases).

I don't know how this whole affair reflects on Apple as a company, but this seems like Apple's best opportunity to let users know whether it should be taken seriously as a cloud service and specifically as an e-mail provider.

The EU has data protection law which means companies that store personal data are legally obliged to protect it. I wonder if Apple are in breach of the law here? Will someone affected make a complaint?

The last four digits are the ones that are not censored on almost any receipt from a payment made with a credit card. And all the other info is in the phonebook or other places on the net.

Oh wonderful. Replace one set of weaknesses with something much, much worse - allowing any customer service rep access to your entire credit card (including CCV)!

I do like his second idea though.

Weakest link is having a chain of events that prevents you from doing a backup. Two phrases that spring to mind: "back don't fudge up" and "trust nobody".

Remember time beats all security.

Name, address and last 4 digits of your credit card... Seems like one would be screwed if you lost your wallet with your DL in it.
