Posted on 09/03/2014 11:51:20 PM PDT by Swordmaker
After the nude celebrity pictures leak, two Guardian Australia journalists try to break into each other’s iCloud accounts
Accessing someone’s Apple account requires only three things: their email address, their date of birth, and the answers to two out of three security questions. This is assuming they don’t have two-step verification enabled.
If you have all these, you’re able to reset their Apple ID password to one that only you know and then access their iTunes and iCloud accounts. You don’t require access to their email. Once you have access to their Apple ID, you can access recent photos and back-ups if they have these features enabled.
While we don’t know the exact method people used to access celebrities’ accounts, Apple did release a statement which appears to confirm that a method similar to that described above was used.
The main issue with this setup is that if you’re a celebrity, or are someone who has been using social media for a long time and revealed various details about your life, then the answers to the security questions could be available online. Here are a few of the 21 security questions you can choose:
The Guardian has seen forum threads where people have allegedly used the methods above to access people’s iCloud back-ups to obtain photos.
To see how difficult it is to crack someone’s account, we’re going to try and access each other’s accounts and see how far we get.
(Excerpt) Read more at theguardian.com ...
“The application, which costs between $79.99 and $400 depending on the version, can also be used to retrieve backups from Windows Live (now OneDrive) and to unlock access to BlackBerry, BlackBerry 10 and iOS backups.”
I don’t know what you’ve been reading, but I have no problem with that. It is the Apple Troll who insists that Apple is superior to these others and did everything they could to prevent access. The facts, celeb pics on the internet, indicate that hey did not.
“In other words - the EXACT same methods that prey on idiots that are totally effective on ANY and ALL services - regardless of platform, computer, or software company.”
Exactly, so how then is Apple superior. My bank didn’t ask me if I wanted to use two-factor authentication. Did yours?
“Actually, with the two-factor system, the attacker would also have to have in his possession one of the target’s designated secure devices capable of receiving a text message to receive the unlocking PIN number. That’s a totally higher level of difficulty to overcome than just acquiring the password and security question answers. Not impossible, but extremely difficult.”
A system which Apple felt was optional because they’re the final word in security. Sure, tell me another one.
I thought that I read that it was a brute force hack using the hundred or so most favorite passwords...
I wonder if the NSA has this much trouble hacking into the cloud?
Timmi said that, “Apple will broaden its use of an enhanced security system known as “two-factor authentication,” which requires a user, or a hacker, to have two of three things to access an account: a password, a separate four-digit one-time code, or a long access key given to the user when they signed up for the service.”
Tim Cook Says Apple to Add Security Alerts for iCloud Users
http://online.wsj.com/articles/tim-cook-says-apple-to-add-security-alerts-for-icloud-users-1409880977
What a novel idea. Who would have thought of such a thing but the smartest company on the planet? Man, Apple rocks.
Oh SHILBUTT, Leonard! I have SIX banks with cash in them.
None of those banks uses two-factor authentication for online access to accounts. Not one. They all use user name and password. Most will confirm you're ID with a security question from a list of three generic questions far simpler than Apple's choices if you use a different computer. What does your bank use?
“None of those banks uses two-factor authentication for online access to accounts. Not one.”
Then you need to change banks big boy. You claim two-factor authentication is more secure than the default security Apple provides, then trust your bank accounts to the same insecure system Apple uses? I do not believe you.
I don’t believe you. . . I gave you a list, which includes two of the largest banks in the United States. They don’t even offer it as an option. Little boy.
My J.P. Morgan/Chase online (biggest bank in the U.S.?) account doesn’t use two-factor authentication. I know “LogMeIn” & “WoW” (World of Warcraft) do have 2-factor available.
“I don’t believe you. . . I gave you a list, which includes two of the largest banks in the United States. They don’t even offer it as an option. Little boy.”
You’re a digital security expert and a classically trained economist and you keep your money in a bank that’s less secure than your music collection? You’re a piece a work big guy.
When I Google the banks that you and Tommy listed, they say that they do use 2FA. Maybe you both need to call your banks customer service department.
YOU, Leonard, are still operating under the misapprehension that Apple's iCloud was compromised by password divination. It was not. Current analysis of the leaked picture set show they came from multiple services, were collected by a team effort, and investigations into that team effort have found they collected them over years by social engineering, phishing, befriending the targets, research, and thereby massaging the security questions of the targets' accounts on multiple services.
As for your nasty, drippingly snide comment about me, you were shown my list of major national and local financial institutions that don't even offer Two-Factor authentication. Two of them among the largest and most secure in the country. Drago reported on his bank, also not offering Two-factor authentication. But YOU, in your arrogance, criticize so you can continue to rag on Apple who does offer the option, yet you have not named a single bank that does. You, sir, are the "piece of work," troll.
In fact, Leonard, for the most part, Leonard, if you want Two-Factor protection in the real world, it is necessary to join a third-party service, such as Lifelock (tm), that provides a quasi-two-factor notification service that will notify you when certain events occur to your accounts or trigger notifications in your credit files.
My passwords are difficult. My banks WILL call if they observe unusual activity in my accounts. If my accounts are compromised by fraudulent activity, I merely have to notify the bank with a declaration of fraud, and the money is replaced. I'm satisfied with those protection, Leonard.
You have been telling everyone how effective 2FA is and that Apple, being a pro-choice company, didn’t want to burden the general population with their advanced security features. You, however, being a crack security expert, have activated Apple’s advanced security features on iCloud so that no one will steal your “Best of Menudo” album.
And then, without any prompting, you posted bank names and claimed that you were a customer even though you claimed that none of them had the secure features that Apple provided to protect your “Backstreet Boys Golden Hits”. How smart is that?
Google your banks, big boy, and then call customer service, because while you claim none of them use 2FA, most of them would call you a liar. Maybe you have to activate it yourself, just like you did to protect your “NSYNC Gold” collection.
Do you have a link for that? JP Morgan Chase only uses a form of user "multi-factor" authentication once...when you first sign up for the online or mobile app service. After that it is username/password only for access. See: https://mobilebanking.chase.com/Public/Docs/Faq?nodeId=1&itemId=2 and https://www.chase.com/content/dam/chasecom/en/personal-banking/documents/Guide_OnlineBanking.pdf
Most all banks/credit unions also use browser ID & IP/location checking for extra security. If you change browsers or hardware device or log in from a new network/IP# you will be asked your "security questions" for verification. This is not classic "2-factor" authentication though, which usually involves an addition e-mail exchange, SMS text exchange, or an app like Google Authenticator...or even a keychain hardware device similar to a "YubiKey": http://www.yubico.com/products/yubikey-hardware/
Look Loonard, I don’t need to Google the banks to find out how to contact customer support. . . I have them in my address book on my phone. I have checked all my banks’ account settings. It is NOT offered.
You, sir, are being a snide, insulting rude ass. As usual.
“You, sir, are being a snide, insulting rude ass.”
I appear to all bloviating self-deluded sociopaths as a snide, insulting rude ass. Another badge of honor my friend.
The fact is that some of the banks on your list claim to use 2FA. No one else around here checks your authoritative assertions but I do. Your argument is with Google and your banks.
I love these arguments.
I happen to be a T5 and it has nothing to do with anybody.
Two Factor Auth (2FA)
https://twofactorauth.org/
I assume that Tommy believes that nothing qualifies as 2FA unless it is precisely the form used by Apple. I’ll leave the definition of “classic” 2FA to you. Basic 2FA is simply something you know and something you have. While banks are under represented, that does not mean that they are not secure.
While Tommy was all 2FA for his music collection, he wasn’t interested in it for his bank.
“My passwords are difficult. My banks WILL call if they observe unusual activity in my accounts. If my accounts are compromised by fraudulent activity, I merely have to notify the bank with a declaration of fraud, and the money is replaced. I’m satisfied with those protection, Leonard.”
http://www.freerepublic.com/focus/chat/3200299/posts?page=53#53
I do not trust Tommy with Apple facts. He prefers authoritative half-truths as I have documented in the past. In matters of financial security I would never suggest that anyone trust his “facts”.
I apologize if I misstated the level of security provided to you by Chase. If your bank does not provide a level of security that you are not comfortable with, than you would be well advised to move your money.
|If your bank does not provide a level of security that you are not comfortable with, than you would be well advised to move your money.
Should read: If your bank does NOT provide a level of security that you ARE comfortable with, then you would be well advised to move your money.
Disclaimer: Opinions posted on Free Republic are those of the individual posters and do not necessarily represent the opinion of Free Republic or its management. All materials posted herein are protected by copyright law and the exemption for fair use of copyrighted works.