Slashdot Mirror


Apple Support Allowed Hackers Access To User's iCloud Account

Robadob writes "Yesterday a hacker gained access to Mat Honan's (an editor at Gizmodo) Apple iCloud account, allowing the attacker to reset his iPhone, iPad, and MacBook. The attacker was also able to gain access to Google and Twitter accounts by sending password recovery emails. At the time this was believed to be down to a brute-force attack; however, today it has come out that the hacker used social engineering to convince Apple customer support to allow him to bypass the security questions on the account."

50 of 266 comments

  1. Easy to demand more security by west · · Score: 5, Insightful

    But understand that it will cause massive unhappiness for the majority of cases where (for example) one's 75-year-old grandmother, who has forgotten her password and can't figure out how she phrased the answer to the security question, is about to permanently lose access to the last 5 years of her grandchildren's emails.

    The trouble is that the security appropriate for someone's professional e-mail accounts and security appropriate to the occasional elderly e-mail user are so far apart that having a single policy is guaranteed to serve one of the two market segments very badly.

    1. Re:Easy to demand more security by tomhath · · Score: 3, Informative

      True, but Gramma wouldn't link all her devices like that. One account compromised shouldn't get you remote root access to every other device.

    2. Re:Easy to demand more security by ilsaloving · · Score: 5, Informative

      Actually, it's entirely possible she could, because Apple's iCloud makes it that easy.

    3. Re:Easy to demand more security by TheRaven64 · · Score: 2

      So you post a password reset code to her house. Or you charge her $1 on the credit card that she used to pay for the phone for the reset. Or you send it to another email address that she entered when she created it.

      --
      I am TheRaven on Soylent News

    4. Re:Easy to demand more security by fm6 · · Score: 3, Insightful

      Yeah, because people blaming others for their own mistakes was invented in 1963.

    5. Re:Easy to demand more security by cshbell · · Score: 5, Interesting

      But understand that it will cause massive unhappiness for the majority of cases where (for example) one's 75-year-old grandmother, who has forgotten her password and can't figure out how she phrased the answer to the security question, is about to permanently lose access to the last 5 years of her grandchildren's emails.

      This is a problem that bites both ends. Consider this real-world scenario that happened to me last week:

      I work for a senior care organization. One of our residents, a cheerful 92-year-old woman, uses her AT&T email frequently to communicate with family and friends; she's fairly savvy, actually. However, she is starting to suffer from cognitive problems, which have caused her to forget her password. When we tried to reset her password and walked through security questions, she's also having trouble remembering the answers to those questions. We called AT&T and explained the situation, but they understandably (and rightfully) treated our request as a hostile attempt to access the account and would not help us.

      She's the legitimate owner of her account -- how can she be helped? This may seem like an extreme situation, but these problems will only increase as we all continue our digital lives and begin to age.

      Password and account verification is a difficult problem to solve. If there's a silver bullet, I haven't heard of it yet.

    6. Re:Easy to demand more security by west · · Score: 4, Interesting

      Funny, I just read a story about how HSBC had basically locked a young woman's college fund (~$10K) away until she personally visits their offices in Great Britain along with appropriate documentation. (They closed the branches in her country...) It will cost her half the money (and a week's wages) to go and collect it.

      So, not *everybody* is happy with a bank making absolutely sure that they don't give it to the wrong people :-).

    7. Re:Easy to demand more security by Havenwar · · Score: 2

      I'd say a modified version of it covers MOST scenarios. I mean they already use location-based patterning to discover illicit use of your credit card... If you've made purchases in NY on a Wednesday morning, it's unlikely you're suddenly trying to empty your accounts in Singapore a few hours later. These people have use-logs already, so it would be trivial to throw up an automated red flag if a password reset request comes from a strange place.

      As for covering the rest of the cases, well... the red flag has been thrown up. Now the rep is alerted, and will be much more cautious in how the conversation proceeds. Questions can be asked about usage, about contents perhaps as far as privacy allows it, about many behavioural things... Is it a service they pay for? Get part of their credit card number for verification. You don't need all of it, so no security risk, just ask for the third group of four digits for instance. Or the exact name on the card. Or something. Or if you have their information, do a callback. Call them on an alternate number.

      It's really not hard dealing with the "other 50%" as you frame it if a red flag has already been raised. The important thing is that social engineering is specifically designed so that no red flags should pop up. The moment one does the social engineer has an uphill battle against an alert and security-minded employee... of course ideally this should ALWAYS be the case, but there is no patch for human stupidity. A red flag system would deal with that.
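The location-based red flag described above, written out as an added example in Python (this is not code from the thread or from any poster). Recent use-log entries are compared against the reset request; a request from a country the account has never used, or one that implies impossible travel since the last activity, returns flags for the support representative to escalate on. The airliner-speed threshold and the sample events are assumptions constructed for the demo.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from math import asin, cos, radians, sin, sqrt

EARTH_RADIUS_KM = 6371.0
# Fastest plausible legitimate travel (roughly airliner speed); an assumption.
MAX_PLAUSIBLE_KMH = 900.0


@dataclass
class Event:
    """One entry in the account's use-log, or the reset request itself."""
    when: datetime
    country: str
    lat: float
    lon: float


def haversine_km(a: Event, b: Event) -> float:
    """Great-circle distance between two events, in kilometres."""
    lat1, lon1, lat2, lon2 = map(radians, (a.lat, a.lon, b.lat, b.lon))
    h = sin((lat2 - lat1) / 2) ** 2 + cos(lat1) * cos(lat2) * sin((lon2 - lon1) / 2) ** 2
    return 2 * EARTH_RADIUS_KM * asin(sqrt(h))


def reset_risk(history: list[Event], request: Event,
               lookback: timedelta = timedelta(days=30)) -> list[str]:
    """Return the red flags a support rep should see for a reset request.

    An empty list means the request fits the account's recent pattern; any
    flag means the rep should escalate verification (callback, partial card
    number, mailed code) instead of simply bypassing the security questions.
    """
    flags: list[str] = []
    recent = [e for e in history if e.when <= request.when and request.when - e.when <= lookback]
    if not recent:
        # No baseline at all is itself a reason for extra care.
        flags.append("no recent activity to compare against")
        return flags
    if request.country not in {e.country for e in recent}:
        flags.append(f"country {request.country} not seen in the last {lookback.days} days")
    last = max(recent, key=lambda e: e.when)
    hours = (request.when - last.when).total_seconds() / 3600
    distance = haversine_km(last, request)
    if hours > 0 and distance / hours > MAX_PLAUSIBLE_KMH:
        flags.append(f"impossible travel: {distance:.0f} km in {hours:.1f} h "
                     f"since last activity from {last.country}")
    return flags


# Constructed sample data, not a real use-log: logins from New York on a
# Wednesday morning, then a reset request from Singapore five hours later.
NY_LOGINS = [
    Event(datetime(2012, 8, 1, 8, 15), "US", 40.7128, -74.0060),
    Event(datetime(2012, 8, 1, 9, 40), "US", 40.7128, -74.0060),
]
SINGAPORE_RESET = Event(datetime(2012, 8, 1, 14, 40), "SG", 1.3521, 103.8198)
# A benign request from Newark, NJ three hours after the last New York login.
NEWARK_RESET = Event(datetime(2012, 8, 1, 12, 40), "US", 40.7357, -74.1724)

if __name__ == "__main__":
    for name, req in (("Singapore", SINGAPORE_RESET), ("Newark", NEWARK_RESET)):
        print(name, reset_risk(NY_LOGINS, req) or ["no red flags"])
```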

  2. Weak security questions by ZorinLynx · · Score: 4, Insightful

    This is why I hate it when "security questions" are obvious things that anyone who knows me even slightly can figure out easily.

    "What was the name of your first pet?" Hell you can find that with Google.

    "What was the name of your Elementary School?" I sometimes talk about my childhood; people might know this.

    Really, it's like they're asking for accounts to be hacked. There needs to be more preventing a password reset than weak "security questions".

    1. Re:Weak security questions by sabri · · Score: 5, Informative

      This is why I hate it when "security questions" are obvious things that anyone who knows me even slightly can figure out easily.

      "What was the name of your first pet?" Hell you can find that with Google.

      "What was the name of your Elementary School?" I sometimes talk about my childhood; people might know this.

      Really, it's like they're asking for accounts to be hacked. There needs to be more preventing a password reset than weak "security questions".

      Perhaps you should go back and read the article (just the summary will do): the "hacker" socially engineered an Apple support "engineer" to bypass the security questions. So he did not even need to google them.

      --
      I'm not a complete idiot... Some parts are missing.

    2. Re:Weak security questions by FrostDust · · Score: 2

      What, do you think they verify if your answer is factually correct?

      A person could find out what school you went to, while no one but you is going to know you put in "The Napoleonic Wars" as the acceptable response.

    3. Re:Weak security questions by tkprit · · Score: 2

      True that, but some sites let you define questions. "Street your best friend lived on when she was twelve plus last name of her then-crush." My sister can't guess these. (Ofc her memory's shot to shit from opiates but w/e).

    4. Re:Weak security questions by Telvin_3d · · Score: 2

      So far the quote "They got in via Apple tech support and some clever social engineering that let them bypass security questions." is the only bit of information. It's hard to say what is covered under "clever social engineering" or "bypass" without more details. Did the hacker just do an incredible job of fast talking or is this a case where "clever social engineering" means they dug up security question answers that the author (and tech support) figured were un-discoverable?

    5. Re:Weak security questions by ccguy · · Score: 2

      This is why I hate it when "security questions" are obvious things that anyone who knows me even slightly can figure out easily.

      I'm more pissed by the fact that the questions *can't be changed* and everyone asks the same ones. Seriously, how is it possible that both my bank and a torrent site make me tell them the name of the first school?

      Questions must be user defined (a fucking string) instead of coming from a list of the same 5 or 6 questions that everyone asks.

      Plus some of them just don't apply worldwide. The 'maiden name' of a mother may be something not trivial in the US, but in many countries the wife never changes her last name and in fact it's passed along to children.

      I'm currently writing (in a physical notebook) the fake answers I provide to each site to those questions, since I just don't feel like telling anyone information that can easily be used to gain access to important stuff.

    6. Re:Weak security questions by Macrat · · Score: 2

      And this report is coming from someone associated with Gizmodo.

      This whole report could be staged.

    7. Re:Weak security questions by MacGyver2210 · · Score: 5, Informative

      This is why I hate it when "security questions" are obvious things that anyone who knows me even slightly can figure out easily.

      "What was the name of your first pet?" Hell you can find that with Google.

      If it's so easy, kindly tell me my first pet's name, my date of birth, the city I was born in, the make of the first car I drove, my first school's name, my mother's maiden name, and the answer (or even question) to my 'other' security question? Keep in mind these need to be formatted exactly as I have entered them, and not as you may have copied them from a public record.

      Security questions are plenty secure, as long as you don't have a path to just avoid them entirely, as Apple so kindly provided here.

      --
      If the only way you can accept an assertion is by faith, then you are conceding that it can't be taken on its own merits

    8. Re:Weak security questions by Shetan · · Score: 2

      Why do you have to answer the questions with the correct answers? As long as you remember how you answered them, it doesn't matter if the answers are actually correct. Your first pet could be George W. Bush. Your elementary school could be Starfleet Academy.

    9. Re:Weak security questions by Lisias · · Score: 2

      It's hard to say what is covered under "clever social engineering" or "bypass" without more details

      But you can make an educated guess. 99% of the time, the victim of the scam claims the intellectual superiority of the scam to disguise the intellectual inferiority of themselves.

      Paint the perpetrator as a genius, and perhaps people will not figure out how actually stupid you were.

      --
      Lisias@Earth.SolarSystem.OrionArm.MilkyWay.Local.Virgo.Universe.org

    10. Re:Weak security questions by Kalriath · · Score: 2

      I did that on my online banking once, and then they changed their banking systems to randomly challenge you with those questions when attempting a transaction. I ended up locked out of my accounts in no time flat.

      --
      For a site about things like basic rights, Slashdot users sure do like to censor "dissent".

  3. Is it too hard to read the summary? by MrEricSir · · Score: 4, Funny

    Reading the article is hard, I know. But come on, at LEAST read to the end of the summary.

    --
    There's no -1 for "I don't get it."

    1. Re:Is it too hard to read the summary? by Fnord666 · · Score: 2

      I actually did (well, yesterday). I seem to remember him saying the only thing that would have survived the attack was his Google account ... if he'd enabled 2 factor. Of course, if his phone was wiped, he still would have been in trouble.

      With Google's two factor authentication you also have the option of printing a set of verification codes for when you do not have or have lost access to your phone.

      --
      'The tyrant will always find pretext for his tyranny.' - Aesop's Fables

    2. Re:Is it too hard to read the summary? by ozmanjusri · · Score: 2, Insightful

      In addition, the walled garden approach means a single point of failure (in this case, social engineering) will cost you everything. Apple should have recognised that and provided better internal security.

      --
      "I've got more toys than Teruhisa Kitahara."

  4. Would Apple be liable for the damages? by sabri · · Score: 2

    Now here is the question: would Apple be liable for the damages? Of course, they will have an EULA waiving all liabilities, but in a case like this where it is clearly Apple's failure to adhere to their own security framework, one could argue that Apple would be liable for all damages, plus a bit extra for all the inconvenience. Not to mention the bad press...

    --
    I'm not a complete idiot... Some parts are missing.

    1. Re:Would Apple be liable for the damages? by arbiter1 · · Score: 2

      I think that even though they waive all liabilities in the EULA, when they don't adhere to their own policy that removes the waiver of liabilities on their end and allows them to be sued. Kinda like if a site did that in their EULA but stored all PW and CC info as plain text. Since they didn't do anything to protect data, they shouldn't be allowed to say you waive liability when they get hacked.

  5. Too much stuff in one place. by icebike · · Score: 5, Insightful

    Had the user set up Two Factor authentication, his Google stuff probably would have been safe

    As for 2 factor authentication preventing this, it would have kept my google account from being deleted, and probably kept them off of my Twitter feed, but it wouldn’t have prevented my Macbook from being wiped. That, which is the worst effect of all this so far, was possible as soon as they were able to log into iCloud. Nonetheless, I’m setting it up on my Google account once I have access to it again.

    As for all his devices being wiped by one single hack, relying on a single point of security makes for a single point of failure.
    I'm not sure I would have chosen this route even if I was a total Apple fan joined at the hip to iCloud.

    Apple support has some serious 'splaining to do. But this is likely to happen again, probably not for a while, but any time you are tied so closely to one single point of security.

    And what would he have done if he was just Joe Corporate Drone?

    He and Gawker’s Scott Kidder then got on the phone with contacts at Google and Twitter trying to help me put the brakes on. A friend at Twitter helped expedite the request to suspend the account, which stopped the tweeting.

    Seriously? contacts at Google and Twitter?
    1) very few people have those kinds of contacts.
    2) didn't those two companies just violate their own security standards by helping this guy kill accounts he couldn't prove were his??

    --
    Sig Battery depleted. Reverting to safe mode.

  6. My answers.. by Ryanrule · · Score: 2

    Mothers maiden name: sdfioufjhisej8()U*(yu980H(u*&a&*(ay

    First pets name: sfjgksrl8kjdgjoijOIU*(U*&^&Tiuhkjlmkjniuhi8hiuh

    City born in: KJNBJKNJKN(&*(&*Y*(njklKNLNLKJ8IJOkijYJ Nkj nTFe44esijaiojT^&*%*&*T(&

    1. Re:My answers.. by icebike · · Score: 4, Insightful

      Quick, now, without cut and paste could you please enter those again?

      No.

      Thought not.
      Fail.

      --
      Sig Battery depleted. Reverting to safe mode.

    2. Re:My answers.. by icebike · · Score: 3, Funny

      Sure, just read that string over the phone to a tech support operator in India some time, moron.

      --
      Sig Battery depleted. Reverting to safe mode.

    3. Re:My answers.. by gmhowell · · Score: 4, Funny

      Mothers maiden name: sdfioufjhisej8()U*(yu980H(u*&a&*(ay

      First pets name: sfjgksrl8kjdgjoijOIU*(U*&^&Tiuhkjlmkjniuhi8hiuh

      City born in: KJNBJKNJKN(&*(&*Y*(njklKNLNLKJ8IJOkijYJ Nkj nTFe44esijaiojT^&*%*&*T(&

      I see you are Welsh.

      --
      Jesus was all right but his disciples were thick and ordinary. -John Lennon

  7. Re:Why believe the hacker? by Entropius · · Score: 4, Insightful

    That's a password with somewhere around ~20 bits of entropy. Let's be generous to weak passwords and consider one with 16 bits of entropy, meaning that a dictionary attack has to make (around half of) 60000 attempts to crack it.

    If you've got the hashed password, this is trivial to do. But if you're trying to break a remote login and the computer on the other side lets you make 60000 attempts, then there are far bigger issues at work than a weak password.

  8. Re:Yeah but.... by Nerdfest · · Score: 4, Insightful

    This is really unrelated to any specific company. It *is* an excellent lesson in relying only on online backups.

  9. Re:Careful with this one... by icebike · · Score: 2

    The poster says he was contacted by someone who says he is the hacker. Nothing was confirmed about AppleCare involvement, though it is a possibility - especially if the hacker knows his victim.

    Wrong. Read all the way to the end of the article: Apple already fessed up.

    Update Three: I know how it was done now. Confirmed with both the hacker and Apple. It wasn’t password related. They got in via Apple tech support and some clever social engineering that let them bypass security questions.

    --
    Sig Battery depleted. Reverting to safe mode.

  10. Re:Can happen in many different scenarios by flimflammer · · Score: 2

    Did she try suing the bank? I can't imagine what judge would seriously allow the bank to get away with that if it were through no fault of her own.

  11. Re:Why believe the hacker? by 93+Escort+Wagon · · Score: 2, Interesting

    Because if you RTFA, Apple confirmed that this occurred. Probably via the notes in the call log.

    I did RTFA. Everything we're currently aware of comes from this guy's point of view. I'm not saying it's incorrect - but it's usually smart to wait for corroboration before drawing conclusions on anything.

    --
    #DeleteChrome

  12. Re:They Know Best by Anrego · · Score: 4, Insightful

    The absolute problem is that no matter how many authentication factors you add, recovery will always be the weakest link.

    People will always lose their tokens, and they will always need a way of getting access to their account.. and that way is usually someone making minimum wage with 3 weeks of training.

    Personally I wish there was a way to opt out of recovery. Basically a "I accept the risk, if I ever lose my token and forget my recovery questions / password.. I'm shit out of luck" option. This option would have to make it literally impossible for a support person to grant access to the account.. because if they technically can, someone will social engineer one to do so...

  13. Oh for the love of... EDITORS, please EDIT! by wonkey_monkey · · Score: 5, Informative

    Yesterday a hacker gained access to Mat Honans...

    Let me introduce you to Mr Apostrophe.

    (An editor at gizmodo)

    (an editor at Gizmodo)

    allowing him... He was also able...

    No. Use "the hacker," firstly because it's otherwise ambiguous with respect to Honan's name, secondly because the hacker's gender is unknown (yes, "he" is the gender non-specific pronoun, but this works better.)

    apple iCloud account... google and twitter accounts... apple customer support

    Apple, Google and Twitter (and Gizmodo, above) should all be capitalised.

    down to a brute force attack, however today it has come out

    A semi-colon would be preferable to a comma, but I'll admit this is a pretty minor one compared to the rest.

    Seriously, what the hell? I know we all have a good joke about the editors' incompetence, but this is a new low.

    --
    systemd is Roko's Basilisk.

    1. Re:Oh for the love of... EDITORS, please EDIT! by gmhowell · · Score: 3, Funny

      I may not be one of the editors, but I find myself making some of the same mistakes the editor made.

      Which is fine, since your job title probably doesn't include the word 'editor'.

      --
      Jesus was all right but his disciples were thick and ordinary. -John Lennon

  14. Such resets SHOULD be possible, but HARD by davidwr · · Score: 5, Insightful

    My bank will mail me a new temporary computer login if I ask. Yes, I have to wait for it to arrive through the post office.

    Apple could have said "Okay, we'll snail-mail you a temporary password to an address we can verify against information we already have on file, such as a credit card number, product-warranty-registration information, etc.," or,

    "Okay, you are in a hurry, we understand that. We will give you half of your temporary password over the phone and fax the other half to your nearest Apple Store or Notary Public. Bring your drivers' license or passport with you. If you use a Notary, they will charge a fee which you will have to pay."

    That would've at least made sure the crook would have to commit more crimes along the way, likely intimidating him. It would've also made it much more likely that the police would be able to put a face to one of the crooks.

    --
    Knowledge is how to play a game, intelligence is how to win, wisdom is knowing what game to play.

    1. Re:Such resets SHOULD be possible, but HARD by stephanruby · · Score: 4, Insightful

      "Okay, you are in a hurry, we understand that. We will give you half of your temporary password over the phone and fax the other half to your nearest Apple Store or Notary Public. Bring your drivers' license or passport with you. If you use a Notary, they will charge a fee which you will have to pay."

      "Listen I'm in Istanbul (or where ever), I've just been robbed. They took everything, including my wallet!!! I don't know if there is an Apple Store around here. Please help me mitigate the damage before they get access to my emails and my bank accounts through my iPad (I was in the middle of using my iPad so the screen wasn't locked). "

      Now, I'm not saying this is the script they used, most likely not. I'm sure the hacker used a much better one, probably one that's based on the hard-earned experience and real world testing of thousands of other hackers and scam artists that came before him.

      I'm just saying that it takes excellent ongoing training to make sure none of your staff gets bamboozled by this kind of scenario. Hard coded corporate rules and security manuals are all well and good for 99% of the scenarios that come up during the normal course of business hours. But what happens if someone tells you a very plausible story and tells you they could very well die if you don't give them access to their account. Most likely that scenario is not listed in your security manual, and the manual prevents you from disclosing their account information, but it's not the first time, nor the last time, that a customer service representative will ignore the poorly written manual that came from above, and use their own personal judgement to make a quick decision on the spot for the perceived welfare of the caller.

  15. Apple's revenge by WingCmdr · · Score: 2

    Take that gizmodo!

  16. Re:They Know Best by GNious · · Score: 5, Funny

    I prefer the solution at webex - I have a weblink, that opens to a page showing my current password in cleartext.... ...others should really implement this, seeing how userfriendly it is!

  17. Re:Careful with this one... by icebike · · Score: 2

    Seriously?

    After calling out Tim Cook personally, getting Gawker Media involved, Gizmodo also carrying the story written by a different editor, Cnet carrying the story, and Mat posting under his own name, you are still going with the denial angle?

    --
    Sig Battery depleted. Reverting to safe mode.

  18. Re:They Know Best by Anrego · · Score: 3, Informative

    Sure, but getting the data wasn't a goal here. In fact, they appear to have specifically wiped out the data. It's the accounts that are valuable, not what is in them.

  19. Re:Yeah but.... by Anrego · · Score: 3, Insightful

    It's also a lesson in not putting all your eggs in one basket.

    That one _is_ Apple specific. Tight integration has its price. If someone gets into my email, I won't lose access to every damn piece of technology I own. I actually find it pretty damn impressive how much damage they managed to pull off.

  20. Re:They Know Best by drinkypoo · · Score: 2

    XBox live was getting hit by this a couple of years ago too

    You know how Xbox Live "solved" the problem? You have security questions. And if you can't remember them, and paid with paypal, they tell you they "can't" terminate your membership, and will therefore steal your money. Well, they don't admit that it's stealing, of course. They will let you sign up for Xbox Live with just your Xbox, but you can't terminate it from there, and you have to use Internet Explorer to access their site. Then they will keep trying to charge your paypal account for months (sending you email about how your Xbox Live account may be suspended soon every so often) before they will finally cancel your membership.

    --
    "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"

  21. ...and a correction about Mat's employment. by cshbell · · Score: 3, Interesting

    (an editor at Gizmodo)

    And furthermore, Mat Honan works for Wired, not Gizmodo.

  22. Re:They Know Best by Kalriath · · Score: 4, Insightful

    I'd prefer Microsoft and Apple not evolve towards banks, actually. In fact, I'd rather my bank evolve towards Blizzard Entertainment and offer me some real security.

    It never ceases to amaze me that my Diablo III loot is better protected than my salary.

    --
    For a site about things like basic rights, Slashdot users sure do like to censor "dissent".

  23. Re:They Know Best by Anrego · · Score: 2

    Totally.

    I can't even find a bank that will offer me two factor authentication here in Atlantic Canada. RBC will do it for _corporate_ customers.. which is even more maddening because it means they have the infrastructure in place, they just won't let us peons down here use it..

    Paypal offers better security than my bank. If I'd said that not too long ago people would look at me funny.. kinda sad!

  24. Re:Yeah but.... by Havenwar · · Score: 3, Insightful

    Uhm... no? Gmail has no function in it to remotely wipe an android phone.