Apple Suspends Over-the-Phone AppleID Password Resets (wired.com)
130 points by derpenxyne on Aug 8, 2012 | hide | past | favorite | 55 comments



"After Epic Hack [...]".

Sorry, not that epic. Yes, multiple steps were required but the biggest issue in security once again was the human element.

Epic would be finding the flaws in SSL/TLS that allows you to generate a valid cert for any domain (Moxie Marlinspike) or a bug in DNS that is such cause for concern that people have to upgrade their infrastructure (Dan Kaminsky) or intercepting GSM calls (Chris Paget) while making the device believe it is on a legitimate network.

This hack came down to social engineering and using flaws in two companies' verification systems. That isn't epic. People have been calling companies and people on the phone for decades and having them hand over information without proper identification/verification. The guy's stuff got remote erased, well damn, the system worked as it was supposed to work ... other than that the right person wasn't at the controls ... remote wipe worked as expected.

Yes, changes have to be made, and yes security and verification of identity has to be made more secure when there is a lot at stake, but this hack was by no means epic.


I think the description of it as epic refers to the amount and nature of the damage done, not the technical accomplishment. We expect that someone might be able to hack our online accounts, but that they could hack our online accounts and then use that to reach into our homes to nuke data off of our hard drives is different.


Remember that you have to explicitly enable this feature.

Remote wipe is NOT enabled by default.


It's too bad the feature is named 'Find My Mac' instead of 'Remote Wipe'.


Perhaps Apple need to reword their warning message[1] to scare people away from enabling it. The only indication that the user is going to enable Remote Wipe is a little "erase a lost Mac" text, which I guess most people will just ignore.

[1]: http://cl.ly/image/3u1D3F1W0m0B


I really do think these things should be separate, with separate enabled/disabled settings.

Especially on the iPhone/iPad where a lost device (i.e. behind the couch or something) is far more common than a stolen one.


I don't know. I travel a lot by train, and if I lose my iPhone there or at a random bar/party I certainly want to remote wipe it.


But if you have enabled a 4-digit pin, why worry?


Remote wipe is a feature of Find My Mac.


I know. Remote Wipe is part of Find My Mac.

And it's not enabled by default.


You know. Many others don't, and some of those that do just want the finding without the wiping.


> This hack came down to social engineering and using flaws in two companies' verification systems. That isn't epic.

Epic status is irrelevant. It was effective. It should not be. Full stop.


I think the title "Epic Hack" is justified. Not epic in terms of the skills and technologies used to pull it off, but epic in terms of the impact on the hackee. Whether you gain access to someone's apartment by rappelling from the roof, disabling the electronic alarm system, and picking the lock on the balcony door, or merely by using social engineering on the building supervisor, the result is the same.

I think that denigrating the significance of these "low sophistication" attacks is fundamentally the same error as venerating the importance of single points of technological complexity independent of the end-to-end security of a system. It makes it easier to change the response from "oh crap, we got hacked so hard!" to "well, we just got socially engineered, ANYBODY can do that, no big deal". Social engineering is going to remain firmly in the "epic hack" category for the foreseeable future, even in a future age of quantum computers, synthetic consciousness, and ubiquitous use of one-time-pad encryption.


Agreed. When Katrina came ashore, it was technically down to a category 2. Should I be less concerned? No, more.


Agreed, epic is a definite overstatement.


I think having to re-enable remote wipe on each device after a password reset would be a reasonable compromise.


Would be nice if they offered the option to remote encrypt and you can only decrypt with a visit to an Apple store. But no matter what you offer, there will always be a way to offer a little more.

Your approach does leave users open to their own hindsight: if you lost a device you might in some situations reset the password first and then think about remotely wiping the device, and in those situations you will be a bit irked. That said, it would be nice to at least have that option; options are nice as they allow the user to pick the level of control they want, more options more choice. Still, it would be nice if a device being remote wiped checked its location and went "oi, hang on, you're at home, I need to verify this first". Scary but doable.


I also find it strange this isn't the case. I changed my apple password and instantly my phone started complaining that it was wrong for iMessage and other services. Why is it still fine to remote wipe the device?


Wouldn't it be much better if video calls (or Facetime) became ubiquitous (and mandated for auth)? The mere fact that the attacker needs to show his face for getting the password reset should improve things a lot because it would make detection as well as post-facto investigation much easier.


Wired mentions Apple 46 times in the article (including twice in the title)... and Amazon 3 times. In fact, most of the public and HN outrage about this incident has been directed at Apple.

That's the downside of Apple being so close to perfect. We expect perfection from them at all times. And when they make a mistake, it seems 100x more outrageous than if it were any other company.

Don't get me wrong, they made a terrible mistake in this case, but Amazon has gotten off lightly in comparison.


The bulk of the damage was done as a result of the breach in Apple's security - all the Amazon breach did was give the attacker the last 4 digits of a card, which is not super private anyway. It isn't 100% fair - and to be clear, processes at both companies were pretty poor - but I don't think people are out to get Apple here.

And, while Apple is very good, they are nowhere near perfect - especially when it comes to online services. Apple fans playing the victim card for them is just as tiring as people jumping all over them when they slip up.


> all the Amazon breach did was give the attacker the last 4 digits of a card, which is not super private anyway.

Precisely. Go to any mall, restaurant, or shopping center in the U.S. and you're bound to find at least one discarded receipt with the last four digits of the shopper's credit card number on it, possibly with their name and/or signature.


But that's the fault of the shopper for not policing their information properly; in this case it wasn't Honan's fault that his last 4 leaked. The last 4 still shouldn't be given out over the phone, ever. Most companies have a policy of not confirming any card detail on their system over the phone in the UK.


Are you arguing that it's Amazon's fault, not Apple's, that this "hack" happened?


No, I'm arguing that Amazon is at fault for handing out card details willy-nilly, and Apple is at fault for not training their CS staff to, in the words of House, assume everybody lies.


This is crazy and creepy, but during weekends, one could possibly stalk out at malls looking for people discarding receipts. Pick it up and hurry towards them. When you accost them, mention in no unclear terms "Sir/Ma'am, with this receipt I'll be able to wipe your iDevice".

May not work any more though.


The subways I worked at in college had the full credit card number on the store duplicate that all the clerks were required to collect. We dropped a couple of drop bags full of these little receipts into the safe at the end of the day.


People expect security measures to be correlated to potential damage. Articles are focusing on Apple because they exhibited the largest gap between expected and actual security measures.

Using nearly-public information, the attacker was able to convince a human to grant access to the victim's account, and therefore to destroy the victim's data.

If the compromise of an iCloud account had merely given the attacker access to the @me.com address, I don't think Apple would be receiving nearly as much bad press. Email accounts are compromised all the time, usually with no more damage than some spam mail sent to friends.

Similarly, if the attacker had gained remote-wipe ability by some elaborate deception, customers would be more willing to cut Apple a break. Suppose Apple accepted passports as a recovery mechanism, and the attacker showed up to an Apple store in person with a forged US passport. That would sell a lot of newspapers, sure, but Apple would be blameless.


AFAIK Amazon didn't run ads pointing out how insecure their competitors were -

http://www.youtube.com/watch?v=GQb_Q8WRL_g

http://www.youtube.com/watch?NR=1&feature=endscreen&...

The downside to selling people on the idea that your platform is secure and infallible is that people will hold you up to it.


I'm sorry, I thought that you were going to link to ads where Apple touts the security of its iCloud platforms and its over-the-phone support service. Claiming to be immune to viruses that ran on Windows and claiming to be secure against social engineering are two very different things. The first poster is correct: Amazon needed less information to do things over the phone than Apple did. All Amazon wanted was your billing address and they would let you add emails to the accounts, and then who knows what you could do. Both companies are at fault here.


Don't get me wrong, I agree with your sentiment. However, I think in this case, it is about the fact that the stakes were much higher with the iCloud account.

Yes, I would be very annoyed if an account which had personal information, a history of purchases, and was linked to my credit got hacked (e.g. by social engineering). However, I would be even more annoyed if my laptop and phone got remote-wiped due to the same type of hacking.

But to be honest, I haven't been following the story that closely, so I am happy to be proven wrong on the perceived difference between the social engineering of Amazon vs Apple support.


The stakes are higher on iCloud for this user, but not someone who has their business on AWS still connected to a personal Amazon account.


The article was also about Apple's policy change. The corresponding article about Amazon's policy change (1) had 14 mentions of Amazon and 3 mentions of Apple. (1): http://www.wired.com/gadgetlab/2012/08/amazon-changes-policy...


The last 4 digits of your credit card are not really meant to be secret. They're typically printed on every receipt for anything you buy.

Your Apple cloud password, however, is supposed to be secret.


Did you read the full article? Didn't you notice how the attacker got the last 4 digits?

### Amazon actually gave the attacker full control of the Amazon account. ###

All the attacker had to do was simply call Amazon and ask to add a new credit card; the only verification was the billing address. The attacker called back in 5 mins asking to change the email account on file, which required the last 4 digits of the fake card just added. The attacker then did a password reset.

Basically, most people don't realize Amazon had a HUGE GAPING wide hole in their security. Any attacker could steal anyone's Amazon account! These are accounts that have thousands of dollars of affiliate money, AWS servers running major web sites, credit cards on file, etc.

So yes, the fact that Amazon gave the last 4 digits out isn't a big deal, you are right. These numbers are printed on receipts. However, the fact that they gave the whole account away is a big deal.


Apparently this should be easy to fix:

Your CC can only be used for validation if you made a purchase with it.


At the very least, the system needs to raise big red flags if a CC added very recently is used for validation. A system I built a few years back would alert customer service if any of the validating data was less than a month old, and wouldn't let them use it if it was less than a week old. (So yeah, if you forgot your password in the week after you changed address, you were locked out for a week. That was a business risk deemed "acceptable" by the client.)
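The two mitigations proposed in this sub-thread (a card counts for verification only if it has actually been used for a purchase, and verification data that is less than a month old triggers a review while data less than a week old is refused outright) can be expressed as a small policy check. The code below is an added illustration written for this page; it is not the commenter's system, nor Amazon's or Apple's recovery logic. The data model, the `VerificationFactor` type, the 7- and 30-day windows and the replayed timestamps are all constructed for the example; the scenario it replays is the call sequence described in the thread (a card attached minutes before the reset request, never used to buy anything).

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List

# Constructed data model: one piece of information a caller might offer
# to prove they own an account during a phone-based recovery.
@dataclass
class VerificationFactor:
    kind: str                         # e.g. "card_last4", "billing_address"
    added_at: datetime                # when this value was attached to the account
    used_for_purchase: bool = False   # only meaningful for payment cards

# Hypothetical thresholds, taken from the commenter's description above.
ALERT_WINDOW = timedelta(days=30)   # younger than this: escalate to a human reviewer
BLOCK_WINDOW = timedelta(days=7)    # younger than this: unusable for recovery


def evaluate_factor(factor: VerificationFactor, now: datetime) -> str:
    """Return 'reject', 'alert' or 'accept' for a single factor."""
    # A card that never completed a transaction proves nothing about the
    # caller: anyone can attach an arbitrary card number to an account.
    if factor.kind == "card_last4" and not factor.used_for_purchase:
        return "reject"
    age = now - factor.added_at
    if age < BLOCK_WINDOW:
        return "reject"
    if age < ALERT_WINDOW:
        return "alert"
    return "accept"


def evaluate_recovery_request(factors: List[VerificationFactor], now: datetime) -> str:
    """The most restrictive factor decides: one rejected factor blocks the reset."""
    decisions = {evaluate_factor(f, now) for f in factors}
    if "reject" in decisions:
        return "reject"
    if "alert" in decisions:
        return "alert"
    return "accept"


def replay_thread_scenario() -> Dict[str, str]:
    """Replay the sequence described in the thread with constructed timestamps."""
    now = datetime(2012, 8, 6, 12, 0, 0)  # constructed reference time
    billing_address = VerificationFactor("billing_address", now - timedelta(days=400))
    # Card attached by the first phone call, five minutes before the reset
    # request, and never used to buy anything.
    fresh_card = VerificationFactor("card_last4", now - timedelta(minutes=5))
    # Contrast: a card on file for a year with real purchase history.
    old_card = VerificationFactor("card_last4", now - timedelta(days=365),
                                  used_for_purchase=True)
    # A genuinely used card attached three weeks ago: allowed only with review.
    recent_card = VerificationFactor("card_last4", now - timedelta(days=21),
                                     used_for_purchase=True)
    return {
        "attacker_flow": evaluate_recovery_request([billing_address, fresh_card], now),
        "legitimate_flow": evaluate_recovery_request([billing_address, old_card], now),
        "recent_but_real": evaluate_recovery_request([billing_address, recent_card], now),
    }


if __name__ == "__main__":
    for name, decision in replay_thread_scenario().items():
        print(f"{name}: {decision}")
```

The point of keeping the windows as data rather than code is the trade-off the commenter names: a customer who changed address last week is locked out for a week, and the business decides whether that is acceptable.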


Anyone running anything remotely serious on AWS should have 2 factor auth enabled I hope


This is such a great point. Deceiving others to obtain certain information could have happened anywhere. The fact that Apple is recognized on such a large scale would most certainly make a situation like this get blown way out of proportion. I doubt this would make headlines to the same degree this has if it were a smaller, less-known organization. These kinds of attacks on victims like Honan happen all the time, but why do we only hear about it the most when it involves a large reputable company?


Does Apple do in-store password resets? I'm thinking with their retail presence this would be a good solution. If you want your password reset come into the store with a photo-ID and the physical credit card on your account. Doesn't get much better than that. I realize not everyone has an Apple Store nearby but many do.


"I realize not everyone has an Apple Store nearby but many do."

That could be a handy additional service to offer, but they'd still have to provide a non-in-store method for all the people who don't, so it wouldn't be any more secure.


Facetime?


You need an Apple ID for FaceTime.


Whenever you do a password reset there is a possibility that it was performed by an attacker. However much you check their identity, this will always be a risk. Therefore it makes sense for Apple to try and contact the user via several different methods: call them on the phone, send a letter etc. to inform them of the password reset. It must originate from Apple, and be out of band. Having people go to the Apple store does not achieve this.


If your solution to a technical problem is an Apple store, you have been drinking too much juice.


> In an earlier attempt on Tuesday to change an AppleID password (which is the same password used to log into iCloud and iTunes), Apple customer service offered up a different response, saying that passwords could only be changed over the phone if we were able to supply a serial number for a device linked to the AppleID in question — for example, an iPhone, iPad or MacBook computer.

Adding (or worse, substituting) a serial number helps, but seems insecure in the event of a lost/stolen phone. A device serial number, plus all the already mentioned info: name, address, last 4 characters of a credit card, are all reasonably easy to extract from a stolen phone. Would be nice if some piece of info not usually stored on a phone were required. I suppose that a lost phone is already a security breach, but any containment would be an improvement.


On many Apple devices, the only way to access the serial is to actually log into the device and open Settings or About this Mac. If the attacker's able to do that then – in the majority of cases – they likely already have access to your mail and probably many other accounts as well. At that point, it's pretty much game over for you; containment's impossible.

(Two big loopholes on the Mac side are guest accounts and the recovery partition. Both of those offer ways to get your machine's serial number which do not require the attacker to log into your account.)


The serial is engraved/printed on the case of my Macbook Pro and iPhone 4.


Ah, you're correct on the MacBook case. I didn't have any laptops nearby to confirm.

I can't find anywhere on my phone where the serial number's printed, though. The numbers on the back are not the phone's serial number.


Interestingly, Google will not get into this situation because they do not offer over-the-phone support. That is the advantage of being a free service, I guess! People do not expect customer service beyond a point.

Of course they offer two factor authentication.


Google have their own problems with YouTube's aggressive Content ID system and pulling down of public domain NASA videos on the grounds of (wtf?) copyright infringement.


I see no reason not to use a password manager (ex: keychain on macos) to keep different usernames and passwords for each account. It is very little overhead (at least with keychain).

And yes I mean different user names even if it is required to be a valid email id. If you use gmail, you can use "yourid+RandomNumberOrAnything@gmail.com" as the email address. This is additional protection against remote hackers since guessing the account name of one account doesn't get you the names of accounts on other services.

And yes ABSOLUTELY NO reason to not have 2 factor auth for your google account.


You didn't really read the article about what happened did you? It didn't really come down to the email address especially since part of it was concealed. This came down to both companies letting you do things over the phone with minimal personal information.


These are merely things that I practice that I think may be useful to some. I did read the full article, and not just this one but all the others, including Matt Cutts' post on 2FA. The companies are to blame, yes, but the "victim" is also responsible to some extent. "Only the paranoid survive." (I think that's by Andy Grove.)

Honan owned up to not backing up, for example. Would it have been an "epic hack" if he could restore up to date data because he had a time machine backup?


Please, take your time to understand what happened before blaming the victim.



