
Name Game
Premium
join:2002-07-07
Grand Rapids, MI
kudos:7
reply to antdude

Re: Secret Security Questions Are a Joke

This is what really happened in Mat's own words, and I think it is stupid that all these other writers out there on the net and their blogs just post crap they think is important...but not really relevant...working on the heels of the tragedy he faced.

At 4:33 p.m., according to Apple's tech support records, someone called AppleCare claiming to be me. Apple says the caller reported that he couldn't get into his .Me e-mail, which, of course, was my .Me e-mail.

In response, Apple issued a temporary password. It did this despite the caller’s inability to answer security questions I had set up. And it did this after the hacker supplied only two pieces of information that anyone with an internet connection and a phone can discover.

I spent an hour and a half talking to AppleCare. One of the reasons it took me so long to get anything resolved with Apple during my initial phone call was because I couldn’t answer the security questions it had on file for me. It turned out there’s a good reason for that. Perhaps an hour or so into the call, the Apple representative on the line said “Mr. Herman, I….”

“Wait. What did you call me?”

“Mr. Herman?”

“My name is Honan.”

Apple had been looking at the wrong account all along. Because of that, I couldn’t answer my security questions. And because of that, it asked me an alternate set of questions that it said would let tech support let me into my .Me account: a billing address and the last four digits of my credit card. (Of course, when I gave them those, it was no use, because tech support had misheard my last name.)

It turns out, a billing address and the last four digits of a credit card number are the only two pieces of information anyone needs to get into your iCloud account. Once supplied, Apple will issue a temporary password, and that password grants access to iCloud.

Apple tech support confirmed to me twice over the weekend that all you need to access someone’s AppleID is the associated e-mail address, a credit card number, the billing address, and the last four digits of a credit card on file. I was very clear about this. During my second tech support call to AppleCare, the representative confirmed this to me. “That’s really all you have to have to verify something with us,” he said.

We talked to Apple directly about its security policy, and company spokesperson Natalie Kerris told Wired, “Apple takes customer privacy seriously and requires multiple forms of verification before resetting an Apple ID password. In this particular case, the customer’s data was compromised by a person who had acquired personal information about the customer. In addition, we found that our own internal policies were not followed completely. We are reviewing all of our processes for resetting account passwords to ensure our customers’ data is protected.”

On Monday, Wired tried to verify the hackers’ access technique by performing it on a different account. We were successful. This means, ultimately, all you need in addition to someone’s e-mail address are those two easily acquired pieces of information: a billing address and the last four digits of a credit card on file. Here’s the story of how the hackers got them.

»www.wired.com/gadgetlab/2012/08/···ing/all/
--
Gladiator Security Forum
»www.gladiator-antivirus.com/


JALevinworth

@embarqhsd.net

said by Name Game:

This is what really happened in Mat's own words, and I think it is stupid that all these other writers out there on the net and their blogs just post crap they think is important...but not really relevant...working on the heels of the tragedy he faced.

The article antdude posted preferences that even though Apple failed to ask the security questions, even if they had, security questions are a weak link too.

A security discussion based on that notion is not valid to you?

This thread isn't about Matt, but Matt's situation, although it is a bit of hyperbole to call it a "tragedy", had many lessons that can be learned from, both institutionally and personally. The system is broken, and all discussions related to the system should be had, not stifled, whether related to Matt specifically and directly or not. You don't have to agree, just saying.

-Jim


Name Game
Premium
join:2002-07-07
Grand Rapids, MI
kudos:7

2 edits

If they were asked, the perpetrator could not have answered them...it would have ended there...they were not weak...what gave you that opinion? Do you know the questions he had?

Apple is still the problem...not the questions...Apple does not have a clue how to secure accounts or how to implement security.

»news.cnet.com/8301-13579_3-57424···estions/

»support.apple.com/kb/HT5312?viewlocale=en_US

»discussions.apple.com/thread/405···tstart=0
56 min ago...
»discussions.apple.com/message/19···19221027

--
Gladiator Security Forum
»www.gladiator-antivirus.com/


JALevinworth

@embarqhsd.net

said by Name Game:

If they were asked, the perpetrator could not have answered them...it would have ended there...they were not weak...what gave you that opinion? Do you know the questions he had?

I never said the questions Apple didn't ask could or couldn't have been answered. I am not talking about Apple at all.

Again, this thread isn't about Apple and Matt; this thread is a discussion about how weak security questions are, not Matt's nor Apple's. Check the title (I am honestly questioning whether you made a wrong turn into this thread from the Apple/Matt one).


Name Game
Premium
join:2002-07-07
Grand Rapids, MI
kudos:7

1 edit

1 recommendation

The questions are secure enough...they are not a wasted security step...if anything you should be calling them second, third and even in some cases fourth passwords. Is that what you wanted to hear?

And this is about Apple, since they just bypassed that whole process and gave up the farm for Mat. I call blogs and postings like the one the OP found nothing but copycat blogs.

Apple, like Microsoft when they started, cared bugger all for security, and so now at this midnight hour they start to put safeguards in place and it is too late...it is not working, it is confusing their users and the owners of their products...and there are more problems, with even the owners getting locked out of their own accounts as they play the catch-up game that Apple is playing. I read the title...it is the same stupid title used by the person who blogged the stuff and has nothing to do with antdude.
It is a weak title this week for the info at the link.

_________________________________________________

Interesting to note one of the other people at the link antdude posted claimed..

by Cinder6 (894572) on Thursday August 09, @12:05PM (#40932671)
Hell I did it with Blizzard for what, $30 and I got a plush toy.

This has always bothered me. My Blizzard and SWTOR accounts have much stronger authentication (from a user perspective; not sure about the underlying technical security measures) schemes than my bank account. My bank only allows a maximum of 14 characters in a password and severely limits you on what special characters you can use. They also have no form of secondary authentication, such as Blizzard's Battle.net Authenticator. Finally, their security questions are a joke, all along the lines of those mentioned in TFS--"What is your mother's maiden name" and the like.

and Blizzard was just hacked...so it is never safe out there...no matter what steps a user takes...

»Blizzard Says Battle.Net Has Been Hacked
--
Gladiator Security Forum
»www.gladiator-antivirus.com/


JALevinworth

@embarqhsd.net

said by Name Game:

The questions are secure enough...they are not a wasted security step...if anything you should be calling them second, third and even in some cases fourth passwords. Is that what you wanted to hear?

Once again, I'm totally at a loss where you're coming from concerning my words and now my thoughts. But ok, I'll play along..... No, that's not what I wanted to hear. I guess if I wanted to hear anything it would have been something acknowledging that you didn't realize you weren't in the Apple/Matt thread and therefore didn't realize you were crapping antdude's thread and a decent conversation on the general topic of password questions that was in progress. I say that only because you asked.

said by Name Game:

And this is about Apple, since they just bypassed that whole process and gave up the farm for Mat. I call blogs and postings like the one the OP found nothing but copycat blogs.
[snip]
I read the title...it is the same stupid title used by the person who blogged the stuff and has nothing to do with antdude.
It is a weak title this week for the info at the link.

*Sigh* - I am editing out what I would have said to minimize my reply here in respect to the thread, the OP, and the other posters.

Honestly, Name Game, your replies to me confused me not only here but previously (even sans edits). They attribute words and thoughts to me, and I don't understand how you got them. I even questioned whether you had me confused with someone else. Adding to that, the additional postings you added are a follow-up to the Apple/Matt thing (Google 2-step) and not about the topic here, but seemed to me to be intended for that topic's thread. My only explanation was thinking you were making an honest mistake. I understand now your intent is clearly to be here.

I hope you'll allow the conversation about how password questions in general are weak to continue at this point.

-Jim


Name Game
Premium
join:2002-07-07
Grand Rapids, MI
kudos:7

Don't be silly...you can talk about what you wish...I posted about what was found in the link...don't know if you read all the comments in that link...but I will tell you...the person who started that discussion at that link, then associating it even remotely with Mat, made the same mistakes others have by not reading his own account of exactly what really happened, and has no understanding of Apple's security questions. Mat has even made that clear on his Twitter. What they have read is other bloggers' accounts of what they think happened.
»twitter.com/mat

The link contained this statement "But even if Apple had required the hackers to answer the questions, it's very likely that the hackers would have been able to find the right answers."
To that I say bullshit again.

The rest of the stuff you just posted...I have no idea what you are talking about...but it seems you do...so have a great day
--
Gladiator Security Forum
»www.gladiator-antivirus.com/



Name Game
Premium
join:2002-07-07
Grand Rapids, MI
kudos:7
reply to JALevinworth

BTW, this is the actual full article that the blogger cut and pasted without the link, posted at the Slashdot forum thingie...

»www.theatlantic.com/technology/a···/260835/

Rosen's article was not only about Mat...she tried to spin it into something that had nothing to do with the event.
--
Gladiator Security Forum
»www.gladiator-antivirus.com/