Calgarypuck Forums - The Unofficial Calgary Flames Fan Community

Old 08-08-2012, 10:41 AM   #1
Top Shelf
Powerplay Quarterback
 
Join Date: Sep 2005
How Apple and Amazon Security Flaws Led to My Epic Hacking

A long read, but very worthwhile, especially with all the techy geeks on here

http://www.wired.com/gadgetlab/2012/...honan-hacking/

Quote:
In the space of one hour, my entire digital life was destroyed. First my Google account was taken over, then deleted. Next my Twitter account was compromised, and used as a platform to broadcast racist and homophobic messages. And worst of all, my AppleID account was broken into, and my hackers used it to remotely erase all of the data on my iPhone, iPad, and MacBook.
Old 08-08-2012, 11:03 AM   #2
Bobblehead
Franchise Player
 
Join Date: Jul 2005
Location: in your blind spot.

This whole story has gone viral. Amazon has changed their procedures, and while Apple said they won't change, apparently internally they have done something.

Just for the sake of it, I turned on 2-step authentication for my Google account last night. If it becomes onerous I can turn it off again.
__________________
"The problem with any ideology is that it gives the answer before you look at the evidence."
—Bill Clinton
"The greatest obstacle to discovery is not ignorance--it is the illusion of knowledge."
—Daniel J. Boorstin, historian, former Librarian of Congress
"But the Senator, while insisting he was not intoxicated, could not explain his nudity"
—WKRP in Cincinnati
Old 08-08-2012, 11:12 AM   #3
FlameOn
Franchise Player
 
Join Date: Oct 2010
Location: Calgary

2-step authentication isn't too bad for a little peace of mind. It's kind of cool too: with the app, your phone just becomes an RSA fob that you can use to confirm things. Might be a bit of a hassle, but better than having everything remotely wiped like the Wired reporter.
Old 08-08-2012, 11:15 AM   #4
ComixZone
Franchise Player
 
Join Date: Feb 2008

I've been using 2-step authentication for some time now. After Kotaku was hacked, then the PSN being compromised...I'll take every precaution I can in protecting my information/passwords/etc.
Old 08-08-2012, 11:39 AM   #5
sclitheroe
#1 Goaltender
 
Join Date: Sep 2005

Quote:
Had I been regularly backing up the data on my MacBook, I wouldn’t have had to worry about losing more than a year’s worth of photos, covering the entire lifespan of my daughter, or documents and e-mails that I had stored in no other location.
And he writes for Wired. I'm not sure if this says more about how big a moron he is, or how far Wired has fallen.
__________________
-Scott
Old 08-08-2012, 11:53 AM   #6
Russic
Dances with Wolves
 
Join Date: Jun 2006
Location: Section 304

If you're reading this and you have photos of your kids in 1 single place, please fix that.
Old 08-08-2012, 11:56 AM   #7
FanIn80
GOAT!
 
Join Date: Jun 2006

Quote:
Originally Posted by Bobblehead View Post
This whole story has gone viral. Amazon has changed their procedures, and while Apple said they won't change, apparently internally they have done something.

Just for the sake of it, I turned on 2-step authentication for my Google account last night. If it becomes onerous I can turn it off again.
Quote:
“We’ve temporarily suspended the ability to reset Apple ID passwords over the phone,” Apple spokesperson Natalie Kerris told Wired via email. “We’re asking customers who need to reset their password to continue to use our online iForgot system (iforgot.apple.com).

“This system can reset a password in one of two ways – either have a password reset sent to an alternate email address already on record or challenge the customer to answer security questions they had previously set up. When we resume over-the-phone password resets, customers will be required to provide even stronger identify verification to reset their password.
http://www.wired.com/gadgetlab/2012/...ssword-resets/
Old 08-08-2012, 11:59 AM   #8
chemgear
Franchise Player
 
Join Date: Feb 2010

Heh, Xbox Live has had that problem for a while now mainly thanks to FIFA 12.
Old 08-08-2012, 12:13 PM   #9
OldDutch
#1 Goaltender
 
Join Date: Oct 2009
Location: North of the River, South of the Bluff

Quote:
Originally Posted by sclitheroe View Post
And he writes for Wired. I'm not sure if this says more about how big a moron he is, or how far Wired has fallen.
Couldn't agree more. 500GB external hard drives can be had for $50. I have a NAS ($400), backing up online for $100/year. So you have a large range of solutions that can cover this issue.

People are cheap and/or lazy though, that is something that will never change.
Old 08-08-2012, 01:22 PM   #10
photon
The new goggles also do nothing.
 
Join Date: Oct 2001
Location: Calgary

Been using the 2 step verification for Gmail for a while (before they had the authenticator app, wish I would have known that before when I only had Internet and no SMS/Phone coverage), I think it's very important for your primary email (i.e. the one for online banking, etc).

For the OP, it always seemed like even the "what's your address, what's your birth date" type verification questions were a very poor way to do that sort of thing.

Eventually it'll just be "what's your public crypto-key".
__________________
Uncertainty is an uncomfortable position.
But certainty is an absurd one.
Old 08-08-2012, 01:27 PM   #11
Bobblehead
Franchise Player
 
Join Date: Jul 2005
Location: in your blind spot.

Quote:
Originally Posted by FanIn80 View Post
Yeah, that is as of today. Yesterday it was someone internal who had not done something correctly.
Quote:
We talked to Apple directly about its security policy, and company spokesperson Natalie Kerris told Wired, “Apple takes customer privacy seriously and requires multiple forms of verification before resetting an Apple ID password. In this particular case, the customer’s data was compromised by a person who had acquired personal information about the customer. In addition, we found that our own internal policies were not followed completely. We are reviewing all of our processes for resetting account passwords to ensure our customers’ data is protected.”

On Monday, Wired tried to verify the hackers’ access technique by performing it on a different account. We were successful.
Last night some Apple employees were saying they were no longer able to do password resets, but nothing official had been released.

It looks like now the air is being cleared a bit, which is good.

Anything to clear up this scenario:
Quote:
If you have an AppleID, every time you call Pizza Hut, you’re giving the 16-year-old on the other end of the line all he needs to take over your entire digital life.

And so, with my name, address, and the last four digits of my credit card number in hand, Phobia called AppleCare, and my digital life was laid waste.
__________________
"The problem with any ideology is that it gives the answer before you look at the evidence."
—Bill Clinton
"The greatest obstacle to discovery is not ignorance--it is the illusion of knowledge."
—Daniel J. Boorstin, historian, former Librarian of Congress
"But the Senator, while insisting he was not intoxicated, could not explain his nudity"
—WKRP in Cincinnati
Old 08-08-2012, 05:02 PM   #12
Regular_John
First Line Centre
 
Join Date: Feb 2010
Location: Calgary

Quote:
Originally Posted by Russic View Post
If you're reading this and you have photos of your kids in 1 single place, please fix that.
I assure you, I have photos of your kids in more than one place.