Printed from http://www.macnn.com

Apple responds to Honan iCloud hacking incident

updated 11:06 am EDT, Tue August 7, 2012

'Internal policies were not followed'

Apple has issued an official response to reports about Wired writer Mat Honan having his iCloud account broken into via AppleCare. "Apple takes customer privacy seriously and requires multiple forms of verification before resetting an Apple ID password," the company tells Wired. "In this particular case, the customer's data was compromised by a person who had acquired personal information about the customer. In addition, we found that our own internal policies were not followed completely. We are reviewing all of our processes for resetting account passwords to ensure our customers' data is protected."

Wired adds, though, that on Monday it successfully tried the same scheme on a different iCloud account. "This means, ultimately, all you need in addition to someone's e-mail address are those two easily acquired pieces of information: a billing address and the last four digits of a credit card on file," the magazine explains. The person who cracked Honan's account did so by simply calling AppleCare and convincing a staffer to bypass security questions and ultimately reset Honan's iCloud login.

Honan notes that the hacker destroyed a tremendous amount of his digital existence, although he takes some of the blame. "First my Google account was taken over, then deleted. Next my Twitter account was compromised, and used as a platform to broadcast racist and homophobic messages. And worst of all, my AppleID account was broken into, and my hackers used it to remotely erase all of the data on my iPhone, iPad, and MacBook.

"In many ways, this was all my fault. My accounts were daisy-chained together. Getting into Amazon let my hackers get into my Apple ID account, which helped them get into Gmail, which gave them access to Twitter. Had I used two-factor authentication for my Google account, it's possible that none of this would have happened, because their ultimate goal was always to take over my Twitter account and wreak havoc." He also notes that because he hadn't been regularly backing up his MacBook, he lost a year of photos -- including all the photos of his daughter -- as well as documents and emails that weren't saved anywhere else.

Honan points out that Amazon is also partly at fault, since it was that site that let the hacker see a partial credit card number of Honan's that was then used to trick Apple. Other people have stepped forward as well, claiming to have been victimized in a similar way.
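The chain Honan describes (Amazon exposing a partial card number, that number plus a billing address and e-mail resetting the Apple ID, the Apple mailbox opening Gmail, Gmail opening Twitter) is a dependency graph over account-recovery flows, and the right question for a defender is which link to break. The following is an added example written for this page, not code from Wired, Honan or Apple. It models each account by the evidence its reset flow accepts and what control of it hands an attacker, then iterates to a fixpoint from a small set of public facts. The Apple ID requirement (e-mail, billing address, last four card digits) is what Wired reports above; how the Amazon account itself fell and that the Apple mailbox was Gmail's recovery address are assumptions made for illustration, as are the factor names.

```python
"""Account-recovery daisy chain as a fixpoint over attacker knowledge.

Example code for this page (not from Wired, Honan or Apple). Each account
lists the evidence its recovery flow accepts as proof of ownership and what
taking it over yields. Starting from public facts, we repeatedly take over
every account whose requirements are met until nothing more falls.
"""
from __future__ import annotations

from dataclasses import dataclass


@dataclass(frozen=True)
class Account:
    name: str
    requires: frozenset[str]  # evidence the reset flow accepts
    yields: frozenset[str]    # what control of the account gives the attacker


def takeover_order(accounts: list[Account], initial: set[str]) -> list[str]:
    """Return the accounts that fall, in order, given the attacker's starting knowledge."""
    known = set(initial)
    fallen: list[str] = []
    changed = True
    while changed:
        changed = False
        for acct in accounts:
            if acct.name in fallen:
                continue
            if acct.requires <= known:      # every required piece of evidence is held
                fallen.append(acct.name)
                known |= acct.yields        # the compromised account extends what we know
                changed = True
    return fallen


def with_extra_factor(accounts: list[Account], name: str, factor: str) -> list[Account]:
    """Copy of the chain in which `name` additionally demands `factor` (e.g. a second factor)."""
    return [
        Account(a.name, a.requires | {factor}, a.yields) if a.name == name else a
        for a in accounts
    ]


# Constructed sample: what an attacker can learn about almost anyone.
PUBLIC_FACTS = {"email_address", "billing_address", "full_name"}

# Constructed chain following the article's narrative.
HONAN_CHAIN = [
    # Assumption: the page does not detail how Amazon fell, only that it
    # exposed the last four digits of a card on file.
    Account("amazon",
            frozenset({"email_address", "billing_address", "full_name"}),
            frozenset({"card_last4"})),
    # Per Wired: e-mail + billing address + last four digits reset the Apple ID.
    Account("apple_id",
            frozenset({"email_address", "billing_address", "card_last4"}),
            frozenset({"apple_mailbox"})),
    # Assumption: the Apple mailbox was the Gmail account's recovery address.
    Account("gmail",
            frozenset({"apple_mailbox"}),
            frozenset({"gmail_mailbox"})),
    # Twitter resets via the Gmail address; nothing further is needed past it.
    Account("twitter",
            frozenset({"gmail_mailbox"}),
            frozenset()),
]


def main() -> None:
    print("baseline        :", takeover_order(HONAN_CHAIN, PUBLIC_FACTS))
    # Honan's own remedy: a second factor on Google stops the chain at Gmail.
    gmail_2fa = with_extra_factor(HONAN_CHAIN, "gmail", "phone_otp")
    print("gmail 2FA       :", takeover_order(gmail_2fa, PUBLIC_FACTS))
    # Apple insisting on a custom security answer stops it one link earlier.
    apple_kba = with_extra_factor(HONAN_CHAIN, "apple_id", "security_answer")
    print("apple_id answer :", takeover_order(apple_kba, PUBLIC_FACTS))


if __name__ == "__main__":
    main()
```

Running it shows all four accounts falling from public facts alone, and that either a second factor on Gmail or an enforced custom answer at Apple leaves Twitter unreachable; the model makes the article's point that the weakest recovery flow, not the strongest password, sets the security of everything chained behind it.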

by MacNN Staff


Comments

  1. hayesk

    Professional Poster

    Joined: 09-17-99

    Honan says it's partially his fault, but really, no, it isn't.

    You can get the last four digits from someone's credit card anywhere. As pointed out, Amazon, or a store, restaurant. Just think, anyone who works in IT for an online store can mine the orders for name, billing address, last four digits of credit card, and an email that ends in mac, me, or icloud.com. They can then call Apple and have the password reset.

    Apple should have stuck to their guns and required answers to the security questions, but it's clear that at least some of their employees do not. Let's hope this point is hammered into their staff's heads over the next few days.

  1. Grendelmon

    Dedicated MacNNer

    Joined: 12-26-07

    Originally Posted by hayesk

    Honan says it's partially his fault, but really, no, it isn't.
    You can get the last four digits from someone's credit card anywhere. As pointed out, Amazon, or a store, restaurant. Just think, anyone who works in IT for an online store can mine the orders for name, billing address, last four digits of credit card, and an email that ends in mac, me, or icloud.com. They can then call Apple and have the password reset.
    Apple should have stuck to their guns and required answers to the security questions, but it's clear that at least some of their employees do not. Let's hope this point is hammered into their staff's heads over the next few days.



    More than anything, Apple needs to CEASE using the last four digits of your credit card as a form of verification. Ridiculous, honestly.

  1. testudo

    Forum Regular

    Joined: 08-06-01

    This also shows the stupidity of the normal 'safety' questions, most of which are pre-selected and of stupid nature that can be figured out via facebook or the like. "Best friend in school". "Street you lived on" "First pet's name" or "First car". Heck, most of those allow anyone you know to hack you. Just let me come up with my own, like "What did you have for dinner on the night of April 30th, 1986?" Easy for me, hard for others!

  1. ebeyer

    Fresh-Faced Recruit

    Joined: 06-09-04

    I have a technical question for this group.

    Find my iPhone is used to nuke a laptop remotely. Is this data erased securely, with lots of 1s and 0s written over the hard drive? Is it possible that some of this precious data might still be recovered?

    If so, yay for this guy, but I question if a remote wipe ought not then be made more secure so that it can't be recovered by thieves, spies or other bad actors.
    EB

  1. anonspec

    Fresh-Faced Recruit

    Joined: 03-10-11

    Testudo nails it. The security questions need to be improved. Account credentials are the number one sticking point at Personal Setup.

    Answers to these questions need to be highly personalized, immediately recallable fact-based things, but for questions that the customer can decide. Favorite color or favorite food will change over time and the typical customer we assist in Setup will never remember what they wrote... not to mention letter case originally used.

    There are a number of good solutions, like Google's 2-step verification (which I wish Apple would implement - they certainly have the devices and infrastructure in place), but it's going to take a lot of personal education of consumers. We have to drill Backup into their heads, along with the myriad of accounts and credentials to remember. It's easy for the typical audience here, but not so easy for our many technophobic customers.

    I just take it one customer at a time and do what I can in the available time.

  1. testudo

    Forum Regular

    Joined: 08-06-01

    Originally Posted by ebeyer

    I have a technical question for this group.
    Find my iPhone is used to nuke a laptop remotely. Is this data erased securely, with lots of 1s and 0s written over the hard drive? Is it possible that some of this precious data might still be recovered?
    If so, yay for this guy, but I question if a remote wipe ought not then be made more secure so that it can't be recovered by thieves, spies or other bad actors.
    EB



    Well, if you used FileVault 2, you're screwed. Don't know about the other, but if someone wants your computer to steal data, they're going to be smart enough to know to pull the drive or boot into FireWire disk mode.

    Maybe that's why Apple wants to make it harder for people to change out the hard drive. It's all about security!!!

  1. blahblahbber

    Banned

    Joined: 02-01-05

    Looks like everyone is right on this thread.... Apple screwed up BIG TIME.... Imagine, losing all your data on all devices, all over redundant info they call "privacy"... Stupid, stale, old, smelly fruit company.

  1. Spheric Harlot

    Clinically Insane

    Joined: 11-07-99

    Originally Posted by testudo

    This also shows the stupidity of the normal 'safety' questions, most of which are pre-selected and of stupid nature that can be figured out via facebook or the like. "Best friend in school". "Street you lived on" "First pet's name" or "First car". Heck, most of those allow anyone you know to hack you. Just let me come up with my own, like "What did you have for dinner on the night of April 30th, 1986?" Easy for me, hard for others!



    This shows NOTHING about security questions.

    As per the MacNN summary above:

    The security questions were actually bypassed in this case. They weren't even asked.

  1. blahblahbber

    Banned

    Joined: 02-01-05

    Originally Posted by Spheric Harlot


    This shows NOTHING about security questions.
    As per the MacNN summary above:
    The security questions were actually bypassed in this case. They weren't even asked.

    Neither Testudo nor anyone else needs to know that the security questions were bypassed. Most already know they can easily be bypassed because if you know how the Apple privacy questions go, they are simple, common, and researchable. To have a cloud system that syncs to all your devices, the security protocols need to be changed effectively.

    Harlot, lots of companies think they can get away with common security, but they don't change until duki hits the fan.... or they implement a half-butt solution until they really figure it out, which is totally unacceptable when it comes to security and data at stake. Accept it or not. Excuse my PG rating response

  1. Spheric Harlot

    Clinically Insane

    Joined: 11-07-99

    Originally Posted by blahblahbber

    Testudo nor anyone needs to know that the security questions were bypassed. Most already know they can easily be bypassed because if you know how the Apple privacy questions go, they are simple, common, and researchable.



    I know how the Apple privacy questions go. You, apparently, do not.

    The Apple privacy question, when you set up a new Apple ID, is an empty text box prompting you to enter a specific question, followed by its answer in the next text box.

    There is no pre-fabricated selection to be made. It is completely up to you.

    My apologies for once again having to show you up as a person who has absolutely no idea of which you speak.


    Aside:
    Since you and testudo appear to share your ignorance, and testudo has already pretty much admitted that you're just a sock-puppet, isn't it time you gave up the charade? You're pretty much on your own here, and it's little use pretending that two clueless trolls might be more convincing than one....

  1. anonspec

    Fresh-Faced Recruit

    Joined: 03-10-11

    Originally Posted by Spheric Harlot


    I know how the Apple privacy questions go. You, apparently, do not.
    The Apple privacy question, when you set up a new Apple ID, is an empty text box prompting you to enter a specific question, followed by its answer in the next text box.
    There is no pre-fabricated selection to be made. It is completely up to you.



    It depends how and where the Apple ID is set up, and how recently any existing security questions were created (if any). Some avenues allow (or allowed) a single security question (either prefab or custom), but lately they are asking three questions among unique groups of rather unsuitable options, with no ability to create your own. That is mostly when this is done directly on iOS.

    Apple needs to standardize the process, because it can be very different depending on the origin.

    Source: I am a Red Zone Specialist.

  1. blahblahbber

    Banned

    Joined: 02-01-05

    Originally Posted by Spheric Harlot


    I know how the Apple privacy questions go. You, apparently, do not.
    The Apple privacy question, when you set up a new Apple ID, is an empty text box prompting you to enter a specific question, followed by its answer in the next text box.
    There is no pre-fabricated selection to be made. It is completely up to you.
    My apologies for once again having to show you up as a person who has absolutely no idea of which you speak.
    Aside:
    Since you and testudo appear to share your ignorance, and testudo has already pretty much admitted that you're just a sock-puppet, isn't it time you gave up the charade? You're pretty much on your own here, and it's little use pretending that two clueless trolls might be more convincing than one....

    How does it feel to sit on the shocker? Knew you'd like that... Again, know what you are talking about before you claim your stake. You're silly; you keep showing your limitations the more you type.

  1. Spheric Harlot

    Clinically Insane

    Joined: 11-07-99

    Originally Posted by anonspec

    Originally Posted by Spheric Harlot
    I know how the Apple privacy questions go. You, apparently, do not.
    The Apple privacy question, when you set up a new Apple ID, is an empty text box prompting you to enter a specific question, followed by its answer in the next text box.
    There is no pre-fabricated selection to be made. It is completely up to you.



    It depends how and where the Apple ID is set up, and how recently any existing security questions were created (if any). Some avenues allow (or allowed) a single security question (either prefab or custom), but lately they are asking three questions among unique groups of rather unsuitable options, with no ability to create your own. That is mostly when this is done directly on iOS.

    Apple needs to standardize the process, because it can be very different depending on the origin.

    Source: I am a Red Zone Specialist.

    Creating a new Apple ID in iTunes on a Mac gives a blank text field for a custom security question.

    Creating a new Apple ID on an iPad gives a blank text field for a custom security question.

    Creating a new Apple ID on an iPhone gives a blank text field for a custom security question.

    Apple USED TO give a selection of security questions.


    Source: empirical testing.

  1. testudo

    Forum Regular

    Joined: 08-06-01

    Originally Posted by Spheric Harlot


    This shows NOTHING about security questions.
    As per the MacNN summary above:
    The security questions were actually bypassed in this case. They weren't even asked.



    I never said they were bypassed. I said it also showed the stupidity of most security questions, because they're so stupid a little knowledge or investigation into someone can garner answers, esp. using "social media". As the above article even states, "the customer's data was compromised by a person who had acquired personal information about the customer.". In this case it was part of a card number. In other cases, it's just knowing the person (for example, this is how Sarah Palin's email was hacked, the questions were stupid).

    I also never said Apple was at fault because of the security questions. In fact, never mentioned apple at all.

    But why let little things like a grander discussion ruin your pre-conceived notions, right.

    Although in this whole series, Apple's security was the biggest issue. And that was mostly because the bone-head didn't insist on the answer to the security question.

  1. Spheric Harlot

    Clinically Insane

    Joined: 11-07-99

    Originally Posted by testudo

    Originally Posted by Spheric Harlot
    This shows NOTHING about security questions.
    As per the MacNN summary above:
    The security questions were actually bypassed in this case. They weren't even asked.



    I never said they were bypassed. I said it also showed the stupidity of most security questions, because they're so stupid a little knowledge or investigation into someone can garner answers, esp. using "social media".

    It doesn’t show the stupidity of most security questions, because security questions weren’t involved here.
