Apple Support Allowed Hackers Access To User's iCloud Account
Robadob writes "Yesterday a hacker gained access to Mat Honan's (an editor at Gizmodo) Apple iCloud account, allowing the attacker to reset his iPhone, iPad, and MacBook. The attacker was also able to gain access to his Google and Twitter accounts by sending password recovery emails. At the time this was believed to be down to a brute-force attack; however, today it has come out that the hacker used social engineering to convince Apple customer support to let him bypass the security questions on the account."
But understand that it will cause massive unhappiness for the majority of cases where (for example) one's 75-year-old grandmother, who has forgotten her password and can't figure out how she phrased the answer to the security question, is about to permanently lose access to the last 5 years of her grandchildren's emails.
The trouble is that the security appropriate for someone's professional e-mail accounts and security appropriate to the occasional elderly e-mail user are so far apart that having a single policy is guaranteed to serve one of the two market segments very badly.
This is why I hate it when "security questions" are obvious things that anyone who knows me even slightly can figure out easily.
"What was the name of your first pet?" Hell you can find that with Google.
"What was the name of your Elementary School?" I sometimes talk about my childhood; people might know this.
Really, it's like they're asking for accounts to be hacked. There needs to be more preventing a password reset than weak "security questions".
Perhaps you should go back and read the article (just the summary will do): the "hacker" socially engineered an Apple support "engineer" to bypass the security questions. So he did not even need to google them.
I'm not a complete idiot... Some parts are missing.
Had the user set up two-factor authentication, his Google stuff probably would have been safe.
As for 2 factor authentication preventing this, it would have kept my google account from being deleted, and probably kept them off of my Twitter feed, but it wouldn’t have prevented my Macbook from being wiped. That, which is the worst effect of all this so far, was possible as soon as they were able to log into iCloud. Nonetheless, I’m setting it up on my Google account once I have access to it again.
As for all his devices being wiped by one single hack: relying on a single point of security makes for a single point of failure.
I'm not sure I would have chosen this route even if I was a total Apple fan joined at the hip to iCloud.
Apple support has some serious 'splaining to do. But this is likely to happen again, probably not for a while, but any time you are tied so closely to one single point of security.
And what would he have done if he was just Joe Corporate Drone?
He and Gawker’s Scott Kidder then got on the phone with contacts at Google and Twitter trying to help me put the brakes on. A friend at Twitter helped expedite the request to suspend the account, which stopped the tweeting.
Seriously? Contacts at Google and Twitter?
1) very few people have that kind of contacts.
2) didn't those two companies just violate their own security standards by helping this guy kill accounts he couldn't prove were his??
Sig Battery depleted. Reverting to safe mode.
This is why I hate it when "security questions" are obvious things that anyone who knows me even slightly can figure out easily.
"What was the name of your first pet?" Hell you can find that with Google.
If it's so easy, kindly tell me my first pet's name, my date of birth, the city I was born in, the make of the first car I drove, my first school's name, my mother's maiden name, and the answer (or even question) to my 'other' security question? Keep in mind these need to be formatted exactly as I have entered them, and not as you may have copied them from a public record.
Security questions are plenty secure, as long as you don't have a path to just avoid them entirely, as Apple so kindly provided here.
If the only way you can accept an assertion is by faith, then you are conceding that it can't be taken on its own merits
Yesterday a hacker gained access to Mat Honans...
Let me introduce you to Mr Apostrophe.
(An editor at gizmodo)
(an editor at Gizmodo)
allowing him... He was also able...
No. Use "the hacker," firstly because it's otherwise ambiguous with respect to Honan's name, secondly because the hacker's gender is unknown (yes, "he" is the gender non-specific pronoun, but this works better.)
apple iCloud account... google and twitter accounts... apple customer support
Apple, Google and Twitter (and Gizmodo, above) should all be capitalised.
down to a brute force attack, however today it has come out
A semi-colon would be preferable to a comma, but I'll admit this is a pretty minor one compared to the rest.
Seriously, what the hell? I know we all have a good joke about the editors' incompetence, but this is a new low.
systemd is Roko's Basilisk.
My bank will mail me a new temporary computer login if I ask. Yes, I have to wait for it to arrive through the post office.
Apple could have said "Okay, we'll snail-mail you a temporary password to an address we can verify against information we already have on file, such as a credit card number, product warranty registration information, etc.," or,
"Okay, you are in a hurry, we understand that. We will give you half of your temporary password over the phone and fax the other half to your nearest Apple Store or Notary Public. Bring your driver's license or passport with you. If you use a Notary, they will charge a fee which you will have to pay."
That would've at least made sure the crook would have to commit more crimes along the way, likely intimidating him. It would've also made it much more likely that the police would be able to put a face to one of the crooks.
Knowledge is how to play a game, intelligence is how to win, wisdom is knowing what game to play.
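The two-channel idea in the post above (half of a temporary password by phone, the other half in person) is stronger if the two pieces are split so that neither channel alone leaks anything, rather than literally sending the first and second halves of the string. The following is an added illustration, not code from the thread or from Apple: it generates a temporary password, XOR-splits it into two shares, and shows that one share alone is useless while both combine back to the original. All names and the sample "phone" and "fax" shares are constructed for this example.

```python
import hmac
import secrets


def generate_temp_password(nbytes: int = 12) -> bytes:
    """Random temporary credential; 12 bytes = 96 bits of entropy."""
    return secrets.token_bytes(nbytes)


def split_secret(secret: bytes) -> tuple[bytes, bytes]:
    """XOR secret sharing: share_a is uniformly random, share_b = secret XOR share_a.

    Either share on its own is statistically independent of the secret, so the
    channel that gets only the 'phone' share (or only the 'fax' share) learns nothing.
    """
    share_a = secrets.token_bytes(len(secret))
    share_b = bytes(s ^ a for s, a in zip(secret, share_a))
    return share_a, share_b


def combine_shares(share_a: bytes, share_b: bytes) -> bytes:
    """Recover the secret; requires both shares of equal length."""
    if len(share_a) != len(share_b):
        raise ValueError("shares must be the same length")
    return bytes(a ^ b for a, b in zip(share_a, share_b))


def verify_temp_password(presented: bytes, expected: bytes) -> bool:
    """Constant-time comparison so the check itself does not leak the value."""
    return hmac.compare_digest(presented, expected)


def naive_halves(secret: bytes) -> tuple[bytes, bytes]:
    """The literal 'first half / second half' split from the post, for contrast.

    Each half reveals half the password outright, so an attacker who owns one
    channel only has to brute-force the remaining half.
    """
    mid = len(secret) // 2
    return secret[:mid], secret[mid:]


def remaining_guess_bits(secret_len: int, leaked_len: int) -> int:
    """Bits an attacker still has to guess after seeing `leaked_len` bytes of the secret."""
    return 8 * (secret_len - leaked_len)


def demo() -> dict:
    secret = generate_temp_password()
    phone_share, fax_share = split_secret(secret)
    recovered = combine_shares(phone_share, fax_share)
    first_half, second_half = naive_halves(secret)
    return {
        "xor_roundtrip_ok": verify_temp_password(recovered, secret),
        # With an XOR share the attacker still faces the full 96 bits.
        "bits_left_with_one_xor_share": remaining_guess_bits(len(secret), 0),
        # With a literal half the attacker faces only 48 bits.
        "bits_left_with_one_naive_half": remaining_guess_bits(len(secret), len(first_half)),
    }


if __name__ == "__main__":
    print(demo())
```

The point for a support process is not the XOR itself but the property it gives you: the person who answers the phone and the person at the counter can each be socially engineered, and it should take both of them being fooled before the credential is useful.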
I prefer the solution at WebEx: I have a web link that opens to a page showing my current password in cleartext... others should really implement this, seeing how user-friendly it is!