There's a lot of verification steps that are bunk.
Full name? Home address? Available from the electoral roll in Australia. Phone number? Look it up. Date of birth? Check with the Registrar of Births, Deaths and Marriages. Mother's maiden name? Ditto.
Too many of these verification questions rely on shared secrets that ... aren't secrets.
...and it's getting worse with all the extra 'security questions' random sites now ask. Why do I have to drop all these obscure-but-not-really-secret details into all these databases? Are they all guarding them as well as a salted-hashed password? Do I now have to give them all unique fake answers lest it become another path-of-least-resistance for compromise?
They really are horrible. When I'm given a small list of questions to choose from, they generally fall into three buckets:
- Completely non-applicable (I'm not married and don't have any kids or pets)
- Transitory and inane (I don't really have a favorite meal or movie, and if I did, who is to say it will be the same forever?)
- Rely on information that is relatively easy to figure out (birthplace, high school mascot, mother's maiden name, etc)
Security questions alone should never be sufficient to reset a password or gain access to an account, and I'm not really sure they add a whole lot in other contexts either.
I find them horrible as well. That's why when I'm given the opportunity to write my own questions I always do so. Then in this security theater I hopefully am a little bit safer than most people that just pick a question from a list.
On a side note, one of these days I got really scared when a reputable credit card company asked me for one of these security questions. WTF?!
My bank does something that at first I thought was weird but I get it a bit more now: they ask me to confirm a specific purchase on a specific date. Or who a payment of X amount was to.
At first I thought it was completely pointless, someone gets my bank statement then I'm done, but they only ask about the purchases since my last statement. Not saying that Apple should be asking 'what app did you buy on the 1st August?', but a small confirmation outside of the data you provide would probably be useful.
So true. Speculation in the original comment thread (http://news.ycombinator.com/item?id=4337938) included MITM attacks, keyloggers, sleeper programs left over from an earlier (known) breakin, brute force, etc.
Most of the ideas batted around were technical in nature and somewhat advanced.
And also easy to forget that the level of verification required by most alternative authentication schemes is significantly weaker than the original login mechanism.
"Wow. Okay. So I've confirmed with both the hacker and Apple how this happened. Was via a phone call to Apple tech support."
There should be enough of a trail to track down the hacker and have him charged, right? The call to Apple would be logged by at least the telephone company, wouldn't it?
You subpoena the phone company for that kind of information when terrorism is involved. This is more like having your bicycle stolen. There is not going to be a CSI team, fingerprinting, detectives, interrogations or high-speed car chases.
Apple's call center probably has the CLID of the caller logged, but equally probably that person called from a prepaid cell phone.
There is not going to be a CSI team, fingerprinting, detectives, interrogations or high-speed car chases.
Sure, probably not from the police. But I will put down the rest of my year's salary that Apple will be investigating like all hell how this happened and taking all kinds of steps to make sure this never happens again. Whether or not it actually will is a different story.
In my country police put out unlocked "bait bikes", walk away, and then arrest anyone who takes it. Then they show the footage on the news. Sometimes the plain clothes police officer hasn't even left the camera frame and someone is already on the bike riding off. If they'll spend resources doing that (which I think is good) then they should spend resources catching someone that maliciously destroyed a year's worth of laptop data. If he was a developer and his code was on that laptop, at $150 per hour, 8 hours a day, 5 days a week, for 52 weeks the financial cost is much more than a bike. Sure the victim should have a backup, but an eggshell skull is no defense.
So the question is now, what are Apple doing about it given the impact. Think they said it would take a lot of forensic work to restore the iMac as well, I've got the popcorn ready to follow this one.
The remote wipe would be equivalent to a format so you may be able to get some data back but most of it would be unusable. I don't think Apple can do much about not having a backup. What Apple probably needs to do is have a popup to remind people to backup when they switch on the Find My Mac feature. But I doubt they can do more than that.
Even if Apple could recover the data by doing so they would be admitting their remote wipe feature is worthless.
I rather doubt they will add a "I see you have enabled Find My Mac--you better back up your system because we will give any random idiot who calls in access to wipe your hard drive. Thanks for choosing Apple!" popup, though.
On the iPhone, the file system is always encrypted, and the encryption keys are stored on the device, themselves being encrypted with your PIN/passphrase. To perform a remote wipe, it only needs to zero out this single block containing the FS keys, making the whole FS unrecoverable since the keys are gone.
I wonder if the same thing happens on FileVault 2. In that case, Apple's only choice would be to rent some serious GPU time at NSA or something...
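The crypto-erase scheme described in the comment above, as an added toy model (not Apple's code, and not how iOS implements it): a random filesystem key is wrapped under a passcode-derived key and kept in one small key block, and a "remote wipe" zeroes only that block while the encrypted image stays untouched. The HMAC-based stream cipher and the `Device` class are constructed here for illustration only.

```python
import hashlib
import hmac
import secrets

def xor_stream(key: bytes, nonce: bytes, data: bytes) -> bytes:
    # Counter-mode XOR with an HMAC-SHA256 keystream (stand-in for AES; symmetric).
    out = bytearray()
    for i in range(0, len(data), 32):
        ks = hmac.new(key, nonce + (i // 32).to_bytes(4, "big"), hashlib.sha256).digest()
        out.extend(a ^ b for a, b in zip(data[i:i + 32], ks))
    return bytes(out)

def kek_from_passcode(passcode: str, salt: bytes) -> bytes:
    # Slow KDF so a short PIN cannot be brute-forced cheaply off-device.
    return hashlib.pbkdf2_hmac("sha256", passcode.encode(), salt, 200_000)

class Device:
    """Toy model: random filesystem key, wrapped under the passcode-derived key and
    kept in ONE small 'effaceable' key block; the rest of storage holds ciphertext."""
    def __init__(self, passcode: str):
        fs_key = secrets.token_bytes(32)
        salt = secrets.token_bytes(16)
        kek = kek_from_passcode(passcode, salt)
        wrapped = xor_stream(kek, b"wrap", fs_key)
        tag = hmac.new(kek, salt + wrapped, hashlib.sha256).digest()
        self.key_block = salt + wrapped + tag   # 80 bytes: the only thing a wipe touches
        self.storage = b""                      # encrypted filesystem image

    def unlock(self, passcode: str):
        """Unwrap the filesystem key; None on wrong passcode or erased key block."""
        salt, wrapped, tag = self.key_block[:16], self.key_block[16:48], self.key_block[48:]
        kek = kek_from_passcode(passcode, salt)
        if not hmac.compare_digest(hmac.new(kek, salt + wrapped, hashlib.sha256).digest(), tag):
            return None
        return xor_stream(kek, b"wrap", wrapped)

    def write(self, passcode: str, plaintext: bytes) -> None:
        fs_key = self.unlock(passcode)
        if fs_key is None:
            raise PermissionError("device locked")
        # Fixed nonce is acceptable only because this model writes the image once.
        self.storage = xor_stream(fs_key, b"fs", plaintext)

    def read(self, passcode: str):
        fs_key = self.unlock(passcode)
        return None if fs_key is None else xor_stream(fs_key, b"fs", self.storage)

    def remote_wipe(self) -> None:
        # Crypto-erase: zero the key block only; storage stays byte-for-byte intact.
        self.key_block = bytes(len(self.key_block))
```

After `remote_wipe()` even the correct passcode cannot unwrap the filesystem key, so the untouched ciphertext in `storage` is no more recoverable than random bytes.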
Suppose a Mac has multiple drives. Say, two internal drives and an external drive. Does remote wipe just wipe the boot drive, just the internal drives, or all the drives?
I'm totally lost now.. look at the last line on the screenshot of Mat's Gmail inbox. Seems like they reset the password through iforgot.apple.com since instructions were emailed? Or was that just an attempt?
Wait a bloody minute... if you are calling about iCloud password, wouldn't Apple's tech support automatically suspect why the caller isn't going to iforgot.apple.com instead? I mean it doesn't make sense if the person calling says "Oh I badly need the iCloud password, but I don't have access to a browser".
On the other hand, if the person said "yes yes I tried iforgot.apple.com but I can't seem to remember any of my security answers/email address used", then that should naturally raise suspicion in the mind of the Apple tech support person, right??
The really annoying thing about this is that it's going to be that much more difficult now to persuade Apple support to intervene in legitimate cases now that they've been burned this badly in public.
Hackers (in the pejorative sense of the term) and software pirates really are the scum of the earth.
People abusing the information networks are disproportionately damaging because they empower those that are just looking for excuses to turn the whole internet into one big surveillance machine.