How to Avoid a Mat Honan Style Mac & iCloud Hack


Wired journalist Mat Honan (photo via Wired)

UPDATE: For those interested, we’ve done some investigation into what exactly happens during a remote wipe of a Mac via iCloud. You can read our findings here.

By now, the news of Wired journalist Mat Honan’s “Epic Hacking” has hit the mainstream news. Late last week, in a matter of minutes, Mr. Honan lost control of his Gmail, Twitter, Amazon, and Apple accounts to a brutal hack and saw his personal data on computers and devices in his possession wiped away in front of his eyes.

Hacking is something we’ve come to expect in our digitally connected world. It seems that not a week goes by without news of some celebrity, business, or government being hacked and personal data becoming compromised.

Below is a summary of what happened to Mr. Honan’s digital life, followed by tips on how to prevent the same thing from happening to you. If you don’t need the background, feel free to skip directly to that section.

The Hack

Step 1: Hackers targeted Mr. Honan due to his unique Twitter handle: @mat. From the information in his public Twitter profile, they found his personal website, which listed Mr. Honan’s Gmail address.

Step 2: Now in possession of Mr. Honan’s Gmail address, the hackers went to Gmail’s account recovery page. In the absence of Google’s 2-Step Verification security setup (explained below), Google offered to send a password recovery link to Mr. Honan’s alternate email address. To help users remember what their alternate email address is, Google displays it partially obscured. In Mr. Honan’s case (m****n@me.com), it was enough for the hackers to guess the address.

Now the hackers knew that Mr. Honan had an iCloud account, but they needed access to it in order to take over his Gmail and then Twitter accounts. According to Mr. Honan, and verified by TMO (although by the time we called, Apple was already under pressure from the negative media coverage of this incident and was reluctant to give out any information at all), Apple only requires a billing address and the last four digits of the credit card on file in order to gain access to an iCloud account.

Step 3: In Mr. Honan’s case, the billing address was obtained by performing a “WHOIS” (pronounced “who is”) lookup on his website domain. Domain registrations are required to list the registrant’s contact information (although you can use a privacy service to keep your personal details out of the listing, as discussed below). Mr. Honan registered his domain with his billing address and did not use a privacy service, so that address was freely available to anyone with an internet connection.

Of course, as Mr. Honan points out in his Wired article, White Pages listings or other address lookup tools can easily provide the billing address of anyone who uses their publicly listed physical address as their billing address.

Step 4: Now the hackers needed the last four digits of Mr. Honan’s credit card. Assuming that Mr. Honan had an Amazon account, the hackers called the company and identified themselves as Mr. Honan by using the items they had already obtained: Mr. Honan’s name, email address, and billing address. They told the representative that they wanted to add a credit card to the account.

Using any credit card number that passes the credit card industry’s checksum (the Luhn check: the number is well-formed and can be entered into a company’s database without returning an error, even though nothing can actually be charged to it), the hackers successfully added a new credit card number to Mr. Honan’s Amazon account that only they knew. In Mr. Honan’s case, it’s not clear whether the hackers used a stolen credit card number or one of the credit card number generators that can be found online.

Step 5: Now that the hackers had a full credit card number on file with Amazon, they called back a minute later and spoke to a different representative. They told the Amazon representative that they had lost access to their account. Now armed with a name, email address, billing address, and full credit card number on file, the hackers were able to add their own email address to Mr. Honan’s Amazon account and send a password reset email to that new address.

Step 6: The hackers now had complete access to Mr. Honan’s Amazon account. This still didn’t give them access to his entire valid credit card number, but it did give them the last four digits, which is exactly what they needed to persuade Apple to give them access to his iCloud account.

The hackers called AppleCare, identified themselves as Mr. Honan and provided his iCloud email address, billing address, and the last four digits of the credit card. Apple in turn gave them access to Mr. Honan’s iCloud account and from there the dominos fell: they reset his Gmail password, reset his Twitter password, and now had complete control over his digital life.

Step 7: With complete access to Mr. Honan’s accounts, one of the hackers decided to go a step further and use iCloud’s “Find My iPhone/Mac” to remotely wipe Mr. Honan’s iPhone, iPad, and MacBook. The last wipe was particularly devastating, as it destroyed the only copies of many photographs Mr. Honan possessed of his young daughter and deceased relatives.

The reality is that any consumer, business, or government is vulnerable to hacking. There is no such thing as a totally secure system and we accept this slightly increased risk as a trade off for the benefits of digital commerce and communication. However, several factors combined to make Mr. Honan’s experience especially crippling. Some of these factors are the fault of companies like Amazon and Apple, others rest on Mr. Honan’s shoulders.

As consumers, we can’t directly control the policies of online companies, or the actions of those companies’ employees. We can, however, take steps to correct the mistakes that Mr. Honan made so that we don’t one day find ourselves in his shoes.

How to Protect Yourself

Limit Public Access to Your Personal Information


Mr. Honan is a journalist, and so he needs to have a greater public profile than most individuals. However, be mindful of personal information that you provide online. Mr. Honan’s Twitter account linked to his personal webpage that contained his personal email and street address.

Some individuals, due either to the demands of their career or their personal preference, need to have all of their online and physical details linked (a Twitter account that links to a Facebook account that contains a birthday and phone number, for example). For maximum security, keep all this information separate, if possible, and don’t post a physical address, telephone number, or birthdate unless it’s necessary.


Use the Maximum Level of Security Offered By Your Online Services


Google launched its optional 2-step verification process in early 2011, and many other online services, particularly those offered by financial institutions, have followed suit with similar security measures.

In short, 2-step verification adds a second layer of protection to your account. In addition to your password, Google sends a code to your cell phone that must also be entered in order to log in. The code is unique and changes with each log in, so knowing your password is not enough unless the hackers also have access to your cell phone.

Despite the increased security that 2-step verification offers, it does make logging in to Google slightly more inconvenient and, as a result, many users choose not to turn it on, as was the case with Mr. Honan. Had he activated 2-step verification, the hackers would have been stuck early on in the process and would have either given up or been forced to pursue an alternate route.


Use a Domain Privacy Service


While this won’t apply to everyone, those with website domains registered in their own names should use a Domain Privacy Service. This service, offered through your domain registrar or third party, acts as a representative for the WHOIS listing, providing their contact information instead of yours.

These services are not bulletproof — a formal request, cease and desist letter, or court order can require the service to release your true contact information — but they provide a screen that can stop individuals with nefarious intent from easily getting your address and phone number.


Don’t Link Important Accounts Together


Some accounts allow (or require) a “secondary” email address in order to provide password recovery. Mr. Honan ran into trouble because his iCloud email address was linked to his Gmail address. With free email addresses available from a number of services, creating a separate, secure email address solely for the purpose of password recovery can limit a hacker’s ability to gain more information about you.


Use Strong Passwords


In Mr. Honan’s case, his password wasn’t needed as the hackers simply used other means to gain access to his accounts. Secure passwords are still important, however, and short, simple passwords should be changed to something harder to crack.

Long passwords with random alphanumeric characters and symbols are the most secure, but often difficult to remember. Password generators, such as those built into software like 1Password or Apple’s Keychain Password Assistant, can create secure passwords that are easier to remember by performing such tricks as replacing letters in common words with similar-looking numbers, such as “W3LC0ME.”

Another trick is to use a common password that is easy to remember, but surround it with a large number of repeating characters. For example: “aaaaaTMO!!!!!” The “TMO” is easy to remember, and it is surrounded by five “a” characters on one side and five “!” characters on the other. Even though those characters repeat, from the perspective of a brute force attack, each additional character significantly increases the amount of time it takes to crack the password.

And, regardless of how you choose to improve your password, make sure to change it at least every six months. Doing so will limit your risk in the event that you inadvertently give out your password or in the event that your online service is itself hacked and user passwords are exposed.


Don’t Use Find My iPhone/Mac


The “Find My iDevice” feature of iCloud has many advantages, including the ability to help recover a lost or stolen phone. It also offers a security feature that allows you to wipe your iPhone, iPad, or Mac if you think it’s been stolen. Unfortunately, if someone other than yourself has access to your iCloud account, they can wipe your devices with just a few clicks of the mouse.

Individuals who travel frequently, are prone to lose things, or carry extremely sensitive information on their Mac might consider leaving the Find My Device feature turned on. For many other users, it has the potential to cause more problems than it solves should your account ever become hacked.

As a compromise, mentioned by Mr. Honan, users might consider leaving “Find My iPhone” turned on, but disabling the feature for their Mac. Phones and tablets are more likely to become lost or stolen than laptops and desktops.

If you don’t want to use Find My Mac, but still have sensitive data on your computer that you don’t want to become exposed should the machine be lost or stolen, consider using a method of whole disk encryption, such as FileVault 2, PGP, or TrueCrypt. This will prevent all but the most advanced hackers from accessing the data stored on your drive (although it is still only as secure as the password you use).


Back Up Your Data


Perhaps the most tragic part of Mr. Honan’s experience was the loss of his digital photographs when his MacBook was remotely wiped. Had he had a sufficient backup, all would not have been lost.

Backing up your digital files is the single most important thing that every computer user should do. Files that exist in only one location may as well not exist at all, as any number of events — a hack, a drive failure, power surge, flood, fire, or theft — can cause the immediate, and permanent, loss of those files.

Users should back up their important and irreplaceable data via at least two methods: a local backup to a hard drive or optical media, and a remote backup to an online backup service or via physical media stored in a different location.

While data recovery is sometimes possible, it is extremely expensive and far from a guarantee that all your data will be restored. Therefore, and it is impossible to stress this too much: everyone should have at least three copies of their critical data (original, onsite backup, offsite backup).


Use Different Credit Cards for Different Services


Mr. Honan used the same credit card for his Apple and Amazon accounts. This allowed the hackers, once they had control of his Amazon account, to access his Apple account by providing the last four digits of the card.

While this is not possible for everyone, and we certainly don’t advise applying for a bunch of new credit cards, if you do have multiple cards, consider using separate cards for major online services, such as Amazon, Apple, and Netflix. This will prevent hackers who manage to hack into one of your accounts from using that information to gain access to your other accounts.


Use Different Email Prefixes for Your Various Accounts


The hackers in Mr. Honan’s case were able to guess his iCloud account because its email prefix was the same as his Gmail email prefix. While it is appealing to have the same prefix across all of your accounts, it also increases your exposure to hackers. “Perhaps he uses the same ‘xxx’ prefix to log into his bank account?” a malicious hacker might suppose.

So, if possible, be sure to use different log-in and email prefixes across your various online accounts. It may not have completely prevented the hack had Mr. Honan’s iCloud email address had a different prefix, but it certainly would have made it more difficult.


What You Can’t Control


Mr. Honan’s situation was not entirely caused by his own lapses in proper security, of course. Ineffective policies at Apple, Amazon, and Google all contributed to the end result.

As users, we can “vote with our wallets” in an effort to persuade these companies to change their policies to prevent the kind of social engineering that occurred in Mr. Honan’s case, but we have no direct control over the way these companies establish their policies or how employees implement them. All the security in the world on the part of the user won’t help if a careless or disgruntled employee bends or breaks the rules.

And that is the reality that a digital society faces. We must acknowledge that all the benefits of electronic banking, communication, and commerce come with a price. Nothing that we allow to connect to or be transmitted by a worldwide network can ever be completely secure.

Thankfully, if we all take the time to improve our digital security and protect our irreplaceable data, our chances of being hacked decrease and the damage caused if we are hacked can be mitigated.


37 Comments

ilikeimac

Maybe I just read too fast, but did any of the suggestions protect against the Amazon hack (steps 4 and 5)? This seems like the crux of the “hack”, although there are other ways to get the last 4 digits of a credit card number, and Apple certainly isn’t off the hook.

I’ve perused Amazon’s account settings and I don’t see an option for “two factor authentication” or “security questions” and even if they had something like that, it seems like this workaround would still reset them.

geoduck

One of the most important articles on TMO in a long while. Very well done.

You should think of security as an onion. There is no one thing that will make your system secure. But different e-mail accounts, different passwords, a good antivirus, a good firewall, not linking accounts, different CC accounts on file (or no card on file, enter the number each time you purchase), all will harden your system. A dedicated attacker will get in. All you can do is make it so slow and inconvenient that they go away and hit somewhere else that’s easier. Most of the time the bad guys will take the path of least resistance.

ilikeimac

Even if you delete your credit card info from your Amazon account, the last four digits of a credit card number are still visible in your order history.

jfbiii

I thought there was a tasty bit of schadenfreude in the fact that Gizmodo’s Twitter was victimized in part due to an Apple policy.

ilikeimac

@jfbiii Ha ha, yes!

snaab4

Some banks, Citibank in particular, offer virtual credit card numbers.  You can create a different, unique, virtual number for each and every instance you use a credit card number online, all linked to the same bankcard account.  Every Amazon purchase is with a different number, and you also have a different number for your iTunes store/AppleID.  Additionally, you can set expiration and $$ limits on these virtual numbers, to greatly reduce the risk of their use.  I’m not sure why all banks don’t offer this service to their credit card customers.

ilikeimac

@snaab4 Agreed, virtual credit card numbers should be more widely available. A friend who uses them did run into trouble though when a pizza delivery person insisted on seeing the card used to place the online order, and of course the number didn’t match, so beware, early adopters.

I’d like to know what Amazon is doing about their vulnerability. As far as I can see they don’t have any tweets or press releases on it. It just seems ludicrous that knowing someone’s email and home address is enough to hijack their account.

Glenn Connery

Maybe I just read too fast, but did any of the suggestions protect against the Amazon hack (steps 4 and 5)?

Yes actually.  The article suggests using a different credit card for Apple and Amazon accounts.  Not a bad idea actually given the security issues both seem to have.

It wouldn’t stop you from using the Amazon hack just to break into Amazon of course.  But you couldn’t leverage it to break into an iCloud or iTunes account.

Glenn Connery

Great article.  Like to see followups.

1) Keep pressure on Apple and Amazon to fix their broken practices.  Apple should require whole credit card number not just last 4 digits to verify account ownership.  Amazon shouldn’t trust new/unused credit cards to verify account ownership.

2) All of the web-based email services should be offering 2-factor authentication.  Again, mention periodically to keep the pressure on.  Right now only Google really does, though what Yahoo has is w-a-y better than hotmail/live/outlook.com.

3) Please write an article on how Remote Wipe works on the Mac.  Is it reversible (even on Flash drives)?  Whats the PIN for?  Why doesn’t Apple offer a way to stop it via a secret code or PIN you establish on the computer itself and not via website etc?  What could Apple do better?

Seems like more follow up is possible.  Accounts that are used for password recovery of other services should be kept separate from the ones you use for blog comments and such?  Such accounts should definitely use two factor authentication?  Any more?

snaab4

  ilikeimac said on August 7th, 2012 at 2:07 PM:
@snaab4 Agreed, virtual credit card numbers should be more widely available. A friend who uses them did run into trouble though when a pizza delivery person insisted on seeing the card used to place the online order, and of course the number didn’t match, so beware, early adopters.

Yes, you’ve pointed out one instance that doesn’t work with Virtual Credit Card numbers.  They don’t work everywhere, but they work great for completely online transactions.

As for Amazon, Wired has posted a follow-up:  Wired

ilikeimac

The article suggests using a different credit card for Apple and Amazon

That protects against step 6 (getting into iCloud using CC info), but I was asking about steps 4 and 5. I’ve seen no mention of any way to stop this, or of Amazon making any changes to stop it.

Amazon shouldn’t trust new/unused credit cards to verify account ownership

That would be a good start.

ilikeimac

As for Amazon, Wired has posted a follow-up: Wired

Awesome info, thanks.

Neil Anderson

“Another trick is to use a common password that is easy to remember, but surround it with a large number of repeating characters.”

Apple won’t let you use more than two of the same character in a row.

geoduck

Apple won’t let you use more than two of the same character in a row.

What!?!?!?!?!?!?!?!?
Well@*&!?#@%&ThemAllThen;
F0rexample LOL

webjprgm

2) All of the web-based email services should be offering 2-factor authentication. Again, mention periodically to keep the pressure on. Right now only Google really does, though what Yahoo has is w-a-y better than hotmail/live/outlook.com.

No, please.  That’s a big pain.  Just pressure them to get rid of the stupid password reset security hole that exists in almost every internet-based account in existence.

Besides, how does 2-factor auth prevent the password reset issue?  I don’t see any info on it in Google’s help documents.  I can only guess that it means they’d do the password reset via text messaging the person’s cell phone instead of via a more easily hacked email account.  But again, it’s not the two-factor-ness that makes this better, it’s that the reset policy is a bit more secure.

ilikeimac

Apple won’t let you use more than two of the same character in a row.

Lame. Some people are working on getting rid of password-based authentication as a whole, and I look forward to seeing what they come up with, but as long as we’re stuck with it, I wish more web sites would steer people towards longer passwords instead of more complex passwords. XKCD did a great job of bringing attention to this. http://xkcd.com/936/

Bob

Can anyone help me understand why ANY website allows hundreds, thousands or millions of signon attempts for the same user Id

ilikeimac

Can anyone help me understand why ANY website allows hundreds, thousands or millions of signon attempts for the same user Id

Because some of the attempts are legitimate. If you lock out the account you lock out the legitimate users, and your site becomes a ghost town. If you black list IPs your blacklist becomes enormous quickly, and since the IPs in question are often unwitting drones in a botnet, or IPs shared by entire offices, you are once again blocking some legitimate users. If you block IPs on a per-account basis, you’ve squared the size of your blacklist storage requirements.

I do like what Facebook is doing now in making a per-account whitelist and requiring extra authentication the first time an account logs in from a new machine.

Bob

Because some of the attempts are legitimate. If you lock out the account you lock out the legitimate users, and your site becomes a ghost town. If you black list IPs your blacklist becomes enormous quickly, and since the IPs in question are often unwitting drones in a botnet, or IPs shared by entire offices, you are once again blocking some legitimate users. If you block IPs on a per-account basis, you’ve squared the size of your blacklist storage requirements.

I do like what Facebook is doing now in making a per-account whitelist and requiring extra authentication the first time an account logs in from a new machine.

What you say makes sense up to the first 100 failed attempts in a 24 hour period from the same IP address. Being technical I know it is easy to implement a blockage for a high number of attempts in a short time period. If ANY account gets 100 attempts in less than one minute or 5 even, that is an attack.
Why does this seem so obvious to me and not to webmasters worldwide? Anyone trying a hundred different passwords needs to be blocked.
I suppose you could counter with “Then hackers will force known accounts to be ‘disabled’ for a day just for fun.” I think we would all take that instead of a break in.
The Captcha match is also a technique to stop brute force attacks. It or something similar should be universal.
Maybe we users need a “movement” where we refuse to register on a site without a human readable challenge in place, or a frequency limit. Best practices corporately include disabling after 3 attempts. 100 should be plenty.

Your thoughts?

ilikeimac

Then hackers will force known accounts to be “disabled” for a day just for fun. I think we would all take that instead of a break in.

I disagree. Automated attacks have no concept of “fun” and would continuously attack because that’s all they do, and serious attackers aren’t that petty, but may well continuously lock out accounts on principle, knowing that site administrators will eventually have to loosen their policy or deal with throngs of angry locked out users. (BTW, the technical name for an attack that seeks to prevent legitimate activity is a “Denial Of Service” or DoS attack.)

The Captcha match is also a technique to stop brute force attacks. It or something similar should be universal.

True, captchas are highly effective; they aren’t perfect, but they put a huge dent in the rate at which brute force attacks can be attempted. Many users hate them though, so again, it’s a tradeoff between user friendliness and security.

I am not a defeatist, and I think the tactics you’ve described have merit and in fact are used effectively on many sites, but they have to be constantly monitored and tuned by vigilant administrators in order to balance security and user friendliness, and to respond to ever-changing attacks.

P.S. We’ve strayed a bit off-topic here, so lest we forget, the so-called “hacking” of Mat’s accounts had nothing to do with brute forcing a password and therefore does not support the argument that sites need better counter-measures against password guessing.
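An added example, not part of the article or of any comment above, showing how the two positions in this exchange can be reconciled in code: failed logins are counted per account and per source address in a sliding window (Bob’s “refuse after N attempts” rule), a limit triggers only a temporary block whose length doubles on each repeat rather than a permanent lockout, and a device that has already completed a successful login bypasses the account-level block (the known-device idea ilikeimac credits to Facebook), so a guessing run cannot deny service to the legitimate user. Class name, limits and the sample addresses are constructed for illustration.

```python
import time
from collections import defaultdict, deque

# Added example, not code from the original article or any commenter.
# Limits, names and addresses below are constructed for illustration.


class LoginThrottle:
    def __init__(self, max_per_account=10, max_per_ip=100, window=60,
                 base_block=300, max_block=86400, clock=time.time):
        self.max_per_account = max_per_account
        self.max_per_ip = max_per_ip
        self.window = window          # seconds over which failures are counted
        self.base_block = base_block  # first block length; doubles per repeat
        self.max_block = max_block    # cap on escalation
        self.clock = clock            # injectable so tests are deterministic
        self.fails = {"account": defaultdict(deque), "ip": defaultdict(deque)}
        self.strikes = {"account": defaultdict(int), "ip": defaultdict(int)}
        self.blocked_until = {"account": {}, "ip": {}}
        self.known_devices = defaultdict(set)  # account -> enrolled device tokens

    def check(self, account, ip, device_token=None) -> str:
        """Decide before the password is even compared.
        Returns 'allow', 'blocked_ip' or 'blocked_account'."""
        now = self.clock()
        if self.blocked_until["ip"].get(ip, 0) > now:
            return "blocked_ip"
        if device_token is not None and device_token in self.known_devices[account]:
            return "allow"  # trusted device: a guessing run elsewhere cannot lock it out
        if self.blocked_until["account"].get(account, 0) > now:
            return "blocked_account"
        return "allow"

    def record(self, account, ip, success, device_token=None):
        """Call after the password check. Success clears the account's
        counters and enrols the device; failure counts against account and IP."""
        now = self.clock()
        if success:
            self.fails["account"][account].clear()
            self.strikes["account"][account] = 0
            if device_token is not None:
                self.known_devices[account].add(device_token)
            return
        for kind, key, limit in (("account", account, self.max_per_account),
                                 ("ip", ip, self.max_per_ip)):
            recent = self.fails[kind][key]
            recent.append(now)
            while recent and recent[0] <= now - self.window:
                recent.popleft()  # drop failures that fell out of the window
            if len(recent) >= limit:
                self.strikes[kind][key] += 1
                length = min(self.base_block * 2 ** (self.strikes[kind][key] - 1),
                             self.max_block)
                self.blocked_until[kind][key] = now + length
                recent.clear()


def simulate() -> dict:
    """Constructed scenario: the real user has logged in from device 'laptop';
    an attacker at 198.51.100.7 then tries 40 passwords, one per second."""
    clock = [1_000_000.0]
    throttle = LoginThrottle(max_per_account=5, max_per_ip=50, window=60,
                             base_block=300, clock=lambda: clock[0])
    throttle.record("mat", "203.0.113.5", True, device_token="laptop")
    attacker_ip = "198.51.100.7"
    guesses_checked = 0
    for _ in range(40):
        clock[0] += 1
        if throttle.check("mat", attacker_ip) == "allow":
            guesses_checked += 1  # only these reach the password comparison
            throttle.record("mat", attacker_ip, False)
    result = {
        "guesses_that_reached_password_check": guesses_checked,
        "attacker_now": throttle.check("mat", attacker_ip),
        "user_known_device": throttle.check("mat", "203.0.113.5", "laptop"),
        "user_new_device": throttle.check("mat", "203.0.113.5", "phone"),
    }
    clock[0] += 301  # the first 300-second block has expired
    result["attacker_after_block"] = throttle.check("mat", attacker_ip)
    return result


if __name__ == "__main__":
    print(simulate())
```

The unknown-device case is the cost ilikeimac describes: during a block the real user on a new phone is held off for the block's length, which is why the block is short and temporary rather than a lockout.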

Lancashire-Witch

Two things amaze me.

One. How incredibly easy it seems to be for a hacker to wreak havoc in someone’s digital life.  No knowledge of programming or operating systems is required. No nefarious software bought off a Russian website. No expertise in encryption, firewalls or breaking passwords. Didn’t need to launch Terminal or Automator!...  Just a logical approach to problem solving (+ being acquainted with well publicised user features in popular cloud apps). In other words the perpetrator just needs the ability to figure out how to peel a geoduck onion - and then do it.

Two. How woefully unprotected Mat Honan’s MacBook was. No mention of Time Machine, Carbon Copy Cloner, SuperDuper, Dropbox - nothing.
Hasn’t he listened to anything Dave or John has said on the MacGeekGab over the last few years?  If it’s any consolation, Mat, you would have lost it all one day. It was only a matter of time.

Finally, hat off to Jim. Great article.

Timmyboy

Unlike Mat I regularly back up to a permanently connected external drive using Time Machine. If my Mac was remotely wiped would that external drive be wiped as well? If so the safety net I think is in place has a very big hole in it!

Very thought provoking article

Bob

I disagree. Automated attacks have no concept of “fun” and would continuously attack because that’s all they do, and serious attackers aren’t that petty, but may well continuously lock out accounts on principle, knowing that site administrators will eventually have to loosen their policy… snip…

Good points. There will always be a battle. And I know a DoS is not what this is about, I just thought to ask this group my puzzle. Maybe what I am saying is no site should allow a password DoS to even begin. Given a choice of being disabled for 24 hours or hacked by a DoS I believe serious people would take the disablement every time. I cannot imagine a web site declaring that it is losing clients because they constantly get disabled after 100 tries a day. The pressure for change has to be placed on the web site, so if there existed any new site telling me the top 1,000 web sites and whether they disable after 100 failed attempts per day I would be able to check the sites I register with and decide how to handle dealing with security.
And I know that even if the top 1,000 sites closed off that hole, another one would appear, but to do nothing about a simple DoS on a password seems lame to me. It seems defeatist. (Off Topic: The Captcha is helping digitize many old books http://www.google.com/recaptcha/learnmore   I found that fascinatingly creative and I am jealous of the brain that thought of it)

daemon

... Ya know, the easiest answer to preventing this from happening is to just not use Apple iCloud.

Bob

Ya know, the easiest answer to preventing this from happening is to just not use Apple iCloud.

... but it is so nice...

ilikeimac

Three things:

1.

Given a choice of being disabled for 24 hours or hacked by a DoS I believe serious people would take the disablement every time.

You keep missing one point: a 24-hour block (or 1-hour, or 1-month) might as well be a permanent block, because a serious brute force attack will still be going when the block expires, and will instantly re-block the account. How much “blocking” are you willing to put up with in the name of security? One day a month, five, 15? I’m not saying this strategy is categorically foolish or ineffective, I’m just saying it’s tricky and may not be the best approach for every site.

2. This article has nothing to do with a password being brute forced, and therefore…

3. Why are you so keen on this point? Do you have evidence that brute force attacks are succeeding en masse? Are you bitter about some account of yours that was compromised, or just bitter about having to use “strong” passwords? There are good reasons to use a strong password besides brute force attacks against a web form, namely an offline attack against a password hash stolen from a web site.

Bob

You keep missing one point: a 24-hour block (or 1-hour, or 1-month) might as well be a permanent block, because a serious brute force attack will still be going when the block expires, and will instantly re-block the account. How much “blocking” are you willing to put up with in the name of security? One day a month, five, 15? I’m not saying this strategy is categorically foolish or ineffective, I’m just saying it’s tricky and may not be the best approach for every site.

2. This article has nothing to do with a password being brute forced, and therefore…

3. Why are you so keen on this point? Do you have evidence that brute force attacks are succeeding en masse? Are you bitter about some account of yours that was compromised, or just bitter about having to use “strong” passwords? There are good reasons to use a strong password besides brute force attacks against a web form, namely an offline attack against a password hash stolen from a web site.

No to all. Sorry to appear to be going on about it, I thought this was a conversation. A two-way one where I could learn something that interested me. I guess you thought I was debating, since I used poor wording. Forget about it! And thanks for the clarifications. I will look elsewhere.

ilikeimac

I thought this was a conversation.

Agreed. I hate debates. I love conversations. The questions I’m asking are sincere, even the 3rd point, which is also meant as good-natured ribbing. If it seems too pointed that’s because I feel you’re repeating the same point without actually responding to my feedback.

snaab4

Ok, on a new related thread, what I’d like to see Apple do now is loosen up their clamp on AppleIDs. What I mean is that I’ve had an AppleID since mac.com email was a free service BEFORE mac dot com. This one AppleID is my primary apple e-mail/iCloud address (with 5 aliases) and ALSO my iTunes account ID. I would like to keep this ID for iCloud mail and unlink/change the ID for iTunes (linked to years of iTunes Store downloads), but Apple won’t allow that. The only thing that’s offered is to create a new iCloud account, and then have to inform everyone of a new e-mail address. It would be nice if Apple would now consider allowing this unlinking the other way around. Just sayin’

vpndev

It ought to be (relatively) easy to lock an account. That’s because people lost things, or they’re stolen, and they probably don’t have recovery detail with them. Probably 24-hour lock is OK.

But it should be quite hard to do a password-reset.

Apple has clearly failed on this one. Serious fail.

Bob

I feel you’re repeating the same point without actually responding to my feedback.

I had replied “No to all” your questions. I am an older IT professional, coding for 40+ years. When I read news reports of brute force password hacking I always wonder why any site would permit high rates and volumes of attempts on a single User ID. That’s it. Curiosity. And amazement really. I think younger, web savvy designers make these decisions and being “free and open” is more important to them than “rational, logical, realistic”. To an older person it is not realistic to allow such obvious attempts at breaking in, they should be limited and then refused after x attempts in one day. Certainly if the rate in seconds per attempt is say less than 5 seconds… that is an obvious automated attack.
So I started a conversation and so far no one reading has a concrete reason why allowing brute force attacks is good for any reason. The account may not have to be disabled for long, just refuse attempts for 5 minutes even and the brute force ends. Maybe it resumes quickly, maybe not, either way the legitimate user may not get in anyway due to traffic.  And blacklisting an IP address of an attacker seems obvious but I guess they can be spoofed as well.
So, I am ‘keen’ on the issue because it is handled so counter intuitively when they are such easy solutions like Captcha. “Counter intuitive” always captures my interest. Like, it would be counter intuitive to have the major net switches detect a high volume of attempts to the same site from the same site with a high percentage of the packets seemingly similar and stop the attack before it begins. But that would be deep packet inspection and a large task in CPU cycles…. but it would eliminate one headache. So maybe we just need faster switches with more cycles to weed out abusive traffic. If every log in attempt for every site had a common hash tag like #loginattempt in the first packets then the switches could readily know which packets are part of a brute force log in attempt and stop them. Same with DoS streams… there must be a pattern to them.
Yes, I know brute force is rare. Yes, I know DoS is rare. But either can be stopped. We’ve been to Mars and the moon, we could stop this crap if we had the desire. Just like if Microsoft had the desire, it could stop viruses. Possible but very unlikely.
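The trade-off the two commenters are arguing (Bob's "refuse attempts after x failures" versus ilikeimac's "the attacker instantly re-blocks the account") can be simulated. This is an added example, not code from the original thread; the thresholds, the username, the addresses and the one-guess-per-second attacker are all constructed for illustration.

```python
"""Simulate two failed-login limiters under a sustained single-source guessing attack."""
from collections import defaultdict

MAX_FAILS, LOCK_SECONDS = 5, 60   # assumed thresholds, not any vendor's real values


class Limiter:
    """MAX_FAILS failures on a key refuse that key for LOCK_SECONDS; subclasses pick the key."""

    def __init__(self):
        self.fails = defaultdict(int)
        self.locked_until = defaultdict(float)

    def key(self, user, src):
        raise NotImplementedError

    def allowed(self, user, src, now):
        return now >= self.locked_until[self.key(user, src)]

    def record_failure(self, user, src, now):
        k = self.key(user, src)
        self.fails[k] += 1
        if self.fails[k] >= MAX_FAILS:
            self.fails[k] = 0
            self.locked_until[k] = now + LOCK_SECONDS


class AccountLockout(Limiter):
    """Keyed on the username (Bob's proposal): the attacker's failures lock the victim out too."""
    def key(self, user, src):
        return user


class SourceThrottle(Limiter):
    """Keyed on the requesting address: the attacker's traffic is refused, the real user's is not.
    Only helps while the attacker is confined to few addresses (the spoofing caveat Bob raises)."""
    def key(self, user, src):
        return src


def simulate(policy, user_login_at=300, duration=600):
    """Constructed scenario: 198.51.100.7 sends one wrong guess per second against 'mat' for
    `duration` seconds; the real user logs in once from 203.0.113.9 with the correct password.
    Returns (user_got_in, attacker_guesses_that_reached_password_checking)."""
    user_got_in, attacker_guesses = False, 0
    for now in range(duration):
        if now == user_login_at:   # correct password, so no failure is recorded for the user
            user_got_in = policy.allowed("mat", "203.0.113.9", now)
        if policy.allowed("mat", "198.51.100.7", now):
            attacker_guesses += 1
            policy.record_failure("mat", "198.51.100.7", now)
    return user_got_in, attacker_guesses
```

Both policies let the attacker through for the same 5 guesses per 64-second cycle, but only the account-keyed one locks the legitimate user out for 60 of every 64 seconds; a real deployment combines both keys with CAPTCHA or back-off rather than choosing one.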

ilikeimac

Thanks for the reply Bob. Here’s hoping it’s as easy and obvious as you say.

Solomon Waldbaum

Hopefully this story and all of the press about it will get more people to backup their data and protect themselves better. Most of the ways to protect yourself have to be manually done and a lot of people either don’t know or don’t know how. Some social media networks and e-mail servers have options to use SSL or TLS encryption whenever viewing the sites. These options have to be manually selected on each site (Facebook, Twitter, LinkedIn, Yahoo, etc.). Here are instructions on how to protect yourself:
http://www.cyberstreams.com/posts/2012/august/how-to-make-e-mail,-web-browsing,-facebook,-twitter,-and-linkedin-more-secure
Great article!

Khürt Williams

So how will Amazon allow the real Mat Honan to add a legitimate credit card to his account?

Apple will no longer allow Apple ID resets over the phone.  So it seems I can only do that via the Apple ID site.  Of course if someone has access to one of my alternate email accounts they can still reset that account.

How many regular consumers will be willing to create email accounts for each and every online account they use?

Khürt Williams

I’m not sure why all banks don’t offer this service to their credit card customers.

Because the consumer thinks it’s inconvenient to use.

Khürt Williams

Great article. Like to see followups.

1) Keep pressure on Apple and Amazon to fix their broken practices. Apple should require whole credit card number not just last 4 digits to verify account ownership. Amazon shouldn’t trust new/unused credit cards to verify account ownership.

2) All of the web-based email services should be offering 2-factor authentication. Again, mention periodically to keep the pressure on. Right now only Google really does, though what Yahoo has is w-a-y better than hotmail/live/outlook.com.

3) Please write an article on how Remote Wipe works on the Mac. Is it reversible (even on Flash drives)? What’s the PIN for? Why doesn’t Apple offer a way to stop it via a secret code or PIN you establish on the computer itself and not via website etc? What could Apple do better?

Seems like more follow up is possible. Accounts that are used for password recovery of other services should be kept separate from the ones you use for blog comments and such? Such accounts should definitely use two factor authentication? Any more?

I’ll address these one at a time.

1. Requiring the user to provide a full CC number means the low paying customer support rep now has your full CC number.  If Amazon doesn’t trust new CC numbers how will I add a new CC to my account when I switch banks and have already cancelled the old card account?  How will a new Amazon.com customer establish an account?

2. Google two-factor authentication breaks non-browser apps. Yes, the user can generate application specific codes for use with these apps but try explaining how that works (or trouble-shooting problems) to the average consumer.

3. If Apple offered a way to prevent remote-wipe then enterprise customers would be screaming bloody murder.  I’ve just fired John Smith who has access to company email and other systems and may have company documents on his personal iPad/iPhone. Corporate IT sends a remote-wipe after John is sacked but John blocks it with his remote code.  Corporate IT fails internal audit.

Convenience is the enemy of security.  Security is the enemy of productivity.

Khürt Williams

Yes actually. The article suggests using a different credit card for Apple and Amazon accounts. Not a bad idea actually given the security issues both seem to have.

I only have so many credit cards and email accounts.  At some point I’ll have online accounts where the accounts used overlap. So ... using different credit card and email accounts isn’t really a general remedy.
