NUDE SELFIE CLOUD PERV menace: Apple 2FA? Sweet FA, more like

Apple’s two-factor authentication doesn't actually protect iCloud backups or photo streams, contrary to what many iPhone and iPad fondlers might wish to believe. Scores of (mostly female) celebrities, including Oscar winner Jennifer Lawrence, had their iCloud hacked before miscreants siphoned off private nude snaps which …

Silver badge
Joke

Ah but they didn't used Password

....no no no...they used Oscars

1
3
Bronze badge
FAIL

Re: Ah but they didn't used Password

Or any good sense.

Seriously? Storing nude photos of yourself on a server/computer...for which you have absolutely NO CONTROL...is probably the dumbest thing anyone could do.

Why on earth should anyone feel sorry for them. Stupid is as stupid does folks.

7
1
Silver badge

Re: Ah but they didn't used Password

No, they simply believed what Apple et al told them about iCloud etc.

"The cloud is the safest place for your data"

They didn't tell them that Cloud services are like storing your private stuff in a cloakroom shared by everyone in the world.

6
1

Re: So apple WERE hacked then

but in true Apple spin, they use lots of long words to disguise that, enough to fool the target Apple audience into believing all cloud services are at risk, and only Apple got hacked, because that's what everyone that matters uses.

How easy it is to fool a fool....

3
0
Anonymous Coward

Re: So apple WERE hacked then

Seem to recall similar events where naked photos were stolen off of peoples local computers. So it makes little difference where you put the nudie pics.

0
2

Re: Ah but they didn't used Password

The cloud is safe because of the measures in place. Users have to follow the instructions given to take advantage of the safety measures. Users also have to know that if a so-called friend were to use your mobile device, your photos can be easily copied out. Then your friend can post it by declaring they hacked into iCloud instead of admitting to stealing data from a friend. As an IT person since the early eighties, I don't put important stuff in remote servers. Think about it: those servers are set up by someone, and obviously those people can have unfettered access to anything in the servers. You trust them? Snowden?

1
0

Re: So apple WERE hacked then

Lol, nope they didn't say that, and the fool called out fool.

Secondly they said that they didn't get hacked, but the users. Well that is true, or half true depending on your point of view.

0
0

Re: Ah but they didn't used Password

Did they even know their data on their iPhone was synchronized with iCloud and what it meant? Was that a deliberate action, or a side-effect of a default choice imposed by Apple?

3
0

Re: Ah but they didn't used Password

But do you actually think they didn't know that? 99 times out of 100 those photos have been created by studio/agent publicity and the 'leak' has been arranged.

0
0

An important point not mentioned in the article: The main reason for enabling 2 step authentication is that it disables the security questions, so your account can no longer be compromised that way. Once it is enabled you can only reset your account credentials using a recovery code generated when you turn on 2 step auth. You need to keep this safe, because if you forget your password and don't have the recovery code all your iTunes purchases are gone, forever

4
0
Silver badge

Re: "if you forget your password [..] all your iTunes purchases are gone, forever

Well that's everything settled then, right?

I mean, what could possibly go wrong?

8
3
Bronze badge

Re: "if you forget your password [..] all your iTunes purchases are gone, forever

That's why they go to the trouble of giving you a thumping great recovery key. If a user is too stupid to remember his password, and he's too dumb to print out his recovery key and put it in a safe place, he deserves a lot more than losing his iTunes purchases.

3
5

Two factor auth is a good thing - Apple's is not

Apple's implementation of two factor auth is shockingly shit. And I say that as a fully-fledged fanboi, currently using 6 apple products and having recently been through the nightmare of AppleID.

While traveling earlier in the year someone tried to access my account from overseas (Apple would never tell me where, but Russia, China or Nigeria seem likely) and Apple therefore disabled my password. No problem, I thought, I have two factor auth and as a ten year plus customer I can prove who I am. The trouble is nobody cares about that proof - If you don't have that reset code your AppleID is toast forever. No matter whether you can establish that you live at the address they have for that account or have the credit card in your possession linked to the account or anything else. Because they have the ability to disable your password, it is really three factor auth - you need the password, the device and the reset code.

Other things I learned:

. You cannot reuse any email associated with any former AppleID with a new one

. You lose the ability to update apps from the old account, but not the apps themselves

. Music is fine as long as you had updated to non-drm versions

. Not sure about movies or TV shows as I don't download them from iTunes

. Audiobooks were OK

. After getting another appleID your devices are now still locked to the old one (using find my iPhone, iPad, etc) and it's another fucking nightmare to get Apple to unlock them. You have to send them receipts for all devices (including work owned) and then badger them for weeks

. Apple support do not know what to do after that - you have to install each device as new (not from backup) attach to new AppleID and then reconfigure everything manually.

. Apple support is useless during this entire process

. The apple store is even less useful

The whole process really made me question my commitment to a single vendor, but Google are even worse than Apple in this regard (and less responsive, if that is possible) and Windows is so shockingly crap at this point it's not even an option.

11
5
Silver badge
Paris Hilton

Re: Two factor auth is a good thing - Apple's is not

Why not just go to a genius bar where you get served?

3
7
Silver badge
Facepalm

Re: Two factor auth is a good thing - Apple's is not

I can't believe that (it's so crap), if Apple have gone to the trouble of getting your address, credit card, and phone number then they might as well put them to some use - if all else fails they could send you a postcard with a code, charge a small random amount to the credit card and get you to confirm the value before refunding it, and/or ring your landline and get a robot to speak a code down it.

2
0

Re: "if you forget your password [..] all your iTunes purchases are gone, forever

Yeah, users huh? Pah. They come here, throwing their money at me and then expect me to do stuff for them too... Outrageous! How very dare they...

8
1
Anonymous Coward

Re: Two factor auth is a good thing - Apple's is not

Why not just go to a genius bar where you get served?

Because those, err, "geniuses" have no better access to the backend system than you have via phone, they just queue less - they too are enthusiastically uninterested in client loyalty or the intelligent use of all that data they gather on you.

To put it bluntly, Apple's client recovery processes suck. If that single Sign-on goes wrong, you're screwed proper.

If you want to have a "lite" version of that suckiness, try moving country or living in more than one country. Apple's store will only accept a credit card from the country your store is set to (ditto for value vouchers that you would like to give someone) - there is no way AT ALL to give Apple any money from another country than the one your iTunes account is set to. You are thus forced to choose between risking your investment in Apps (and let's not forget, that includes all you have on OSX which can be quite a large amount) or, at a minimum, accepting that they will no longer upgrade, or somehow keeping a credit card alive in the country you just left. It's as if they've never heard of the fact that quite a lot of people who can afford their gear move around - almost like the MPAA who divided the world into regions so you were forced to choose between sponsoring the child molesting drug peddling terrorists of this world (I'm paraphrasing here slightly) by buying a pirated but otherwise good quality copy of a movie or the original which would only play until you got home.

It's a strong testament to the quality of the computing environment Apple create that they still sell IMHO. If you've ever been exposed to their Apple ID support you'd be forgiven for rethinking your decision to use Apple gear. I'd call it the RyanAir of IT support, but that would be insulting O'Leary, admittedly a hard thing to do...

10
0
Van

Re: "if you forget your password [..] all your iTunes purchases are gone, forever

It's not just people who lack intelligence or sense who can forget a password.

2
0

Nope, they would still exist locally.

0
0
Silver badge

Security questions?

There have been suggestions that some accounts were accessed because the hackers had access to personal details (Facebook profile?) and so they could answer the security questions.

What kind of peabrain gives real answers when setting up 'security' questions?

Much better to have fun:

"Mother's Maiden Name" - Hitler

"First School" - Dotheboys Hall

"First pet" - Godzilla

etc.

4
0

Re: Security questions?

@Pen-y-gors - Exactly. I have taken to generating random strings in response to these questions. I look forward to the day when I have to answer security questions over the phone when my mother's maiden name is entered as "iyRdiaaEjH", for example.

1
0

Re: Security questions?

Forgot the site now, but the security questions had to be typed in by yourself and so had the answers. This meant you could think up any question you liked and put in any answer you liked. Think this was much better as the hackers would have a lot more work to do to break in. Imagine putting in a question like "Colour of first room in rented accommodation"? With an answer of something like "Magic" (think Terry Pratchett).

1
0
Anonymous Coward

Re: Security questions?

The trouble is that companies do not tell their customers what the "security questions" will be used for, and in some cases there are T&Cs that threaten the customer with dire consequences if they give any false information.

0
0
Anonymous Coward

Re: Security questions?

They're supposed to be memorable. It's no use if you can't remember them.

0
0

Re: Security questions?

@TheCostElc

Octarine.

1
0

Re: Security questions?

What you do is you write them down and store them in a secure location. They call it "memorable information" but what matters is whether you can recover the information. It doesn't matter whether you can remember it.

3
0
Alert

Re: Security questions?

Caution: Apple do ask these questions in circumstances other than password recovery. I was asked for them at some point after getting my phone replaced under warranty, though I can't remember now what action triggered the questioning. Make sure you print out your answers and put them somewhere, otherwise you may be stuck at a critical time.

0
0
Joke

Re: Security questions?

Feck! How did you guess my answers? :doh:

0
0
Bronze badge

Re: Security questions?

"Caution: Apple do ask these questions in circumstances other than password recovery."

Australia's my.gov.au website, now compulsory for individuals wanting to deal with tax online, does this too. I created my account with random gibberish for the "security" questions, then got locked out when I next went to use it.

So next I switched to idiot mode to ensure I would be able to actually log in next time. Whoops. As it turns out, to reset the password, all one has to do is guess 2 of the 3 insecurity questions, then enter a new password. No confirmation email. No SMS.

I expect the Australian government believe this is called Two Factor Authentication too.

0
0
Anonymous Coward

Perhaps some of the photos

were part of the packaging and promotional materials from earlier points in the stars' careers.

0
0

or were used during the producers 'screen test' wink wink

to evoke a genuine sensuality to the actors initial self image and imagined prospects for employment.

0
0
Silver badge

Photos are meant to be seen

Presumably the photos were meant for the consumption of the celeb's special friend

Which means they have to be transmitted to, and viewable on, another device.

So you can have 97FA, require retina scans from all 3 eyes and a DNA sample - it doesn't really matter if you email them to somebody else.

Of course you could lock them to a single phone - but then having to go to your pet celeb's bedroom for her to unlock the phone and authorize it to display photos of her naked. While she is standing there - does seem to be a little counterproductive.

0
0
Anonymous Coward

2FA

can also be done by sending the token to an email account. Chances are a person has access to a computer with internet access and iTunes if they're performing a restore. Moreover, if you had to obtain a new device to replace a lost one, you'll either be buying it from a store or visiting a store to replace your lost sim card. An inability to do multi-factor authentication in this situation is simply a lack of imagination.

0
0
Silver badge
Trollface

After more than 40 hours of investigation

41 hours, then. 5 support dudes for one day?

None of the cases we have investigated has resulted from any breach in any of Apple’s systems including iCloud® or Find my iPhone.

The breach is not a breach!

We are continuing to work with law enforcement to help identify the criminals involved.

You could ask the NSA. Come to think of it, they probably have those nudeselfies on file and hanging off the index tree.

4
1
Silver badge

"Security questions" aren't for security, they're to reduce support costs

Companies were tired of having people say "I forgot my password" and not having a way to establish their identity, so these security questions were invented. Only problem is that they act like passwords that are simpler to hack. If you're a public figure, or someone targets you, answering them honestly leaves you wide open.

When you only have to answer one or two of them correctly, and get multiple chances (probably unlimited), it is going to be a lot easier for guessing attacks to succeed as well. Which is easier, to brute force a complex password, or guess the name of the high school someone went to? Even if you don't know where they grew up, you can guess names like "City High" or "North High" and you'll snag a lot of people. Ditto with a childhood pet: there are probably a few dozen names that cover half the pets people had as kids!

These security questions have spread like a plague of bad security practice, just as dumb as the policies that force you to use ever longer and more complex passwords, and still change them every 90 days - all but guaranteeing that they'll be written down somewhere.

2
1
Big Brother

Re: "Security questions" aren't for security, they're to reduce support costs

The longest "memory" for passwords I have come across so far in a server is 8. So you can spend a few minutes each 90 days updating your password 9 times, and on the 9th time set it back to what it was in the first place. Job done.

2
0

Re: "Security questions" aren't for security, they're to reduce support costs

That doesn't work if there's a timer set to prevent re-use within a certain time frame. For example, in my previous job I couldn't re-use the same password within 12 months.

I believe the same may be true for AppleIDs.

1
0
Silver badge

Re: "Security questions" aren't for security, they're to reduce support costs

When I first started here, there was no minimum time and last five passwords remembered, so whenever someone got the 'change your password' notice, they just changed it five times, then changed it back to the original.

2
0
Bronze badge
Headmaster

Re: "Security questions" aren't for security, they're to reduce support costs

If they know your password they are doing "security" wrong. :)

1
0
Silver badge

Re: "Security questions" aren't for security, they're to reduce support costs

I've seen multiple cases where you can only change your password twice within a certain time frame (a few days I think) to prevent just this.

I suppose you could get back your old password over the course of a couple weeks, but it hardly seems worth the bother.

Better to figure out how much needs to be changed, and vary it like:

password1234

password2345

password3456

...

And yes, this is exactly why forcing people to change passwords regularly is a very poor excuse for a security policy, that unfortunately nearly every mindless twit security consultant considers gospel without even thinking about it, because "best practices".

Sure, force everyone to change their passwords if you have been (or suspect you've been) compromised. But making it happen as a normal course of business only makes people get creative in finding ways around it, or surrendering and keeping them written down on a sticky note, a card in their wallet, or saved in a "note" in their smartphone.

2
0
Silver badge

If they know your password they are doing "security" wrong. :)

No, they just keep the last 4 hashed versions plus the current hashed version, then check that the hash of your new password is not the same as any of those stored.

1
0
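The reuse check just described (current hash plus the last four kept, new candidate rejected if it matches any of them), together with the change-it-five-times-then-revert trick raised earlier in the thread, as an added example in Python that is not code from the original page or from Apple. The history depth of 4, the PBKDF2 hashing, the per-record salt and the minimum-password-age rule are all assumptions made for the demonstration; the example goes slightly beyond the comment by showing why a history check alone does not stop the revert trick and how a minimum age between changes does.

```python
"""Password-history check: keep the current hash plus the last HISTORY_DEPTH
hashes and refuse any new password whose hash matches one of them.  A
minimum-age rule is added to show why history alone does not stop the
"change it N+1 times, then set it back" loophole.  Added example; constants
and names are assumptions, not any vendor's real policy."""
import hashlib
import hmac
import os
from dataclasses import dataclass, field

HISTORY_DEPTH = 4       # previous passwords remembered besides the current one
PBKDF2_ROUNDS = 10_000  # lowered so the demo runs fast; production needs far more (or Argon2)


@dataclass
class PasswordRecord:
    salt: bytes
    digest: bytes


@dataclass
class Account:
    current: PasswordRecord
    history: list = field(default_factory=list)  # most recent previous password first
    last_changed: float = 0.0                    # hypothetical clock, in seconds


def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)


def new_record(password: str) -> PasswordRecord:
    salt = os.urandom(16)                        # fresh salt for every stored hash
    return PasswordRecord(salt, hash_password(password, salt))


def matches(record: PasswordRecord, password: str) -> bool:
    # Every record carries its own salt, so the candidate is re-hashed against
    # each one and compared in constant time.
    return hmac.compare_digest(record.digest, hash_password(password, record.salt))


def change_password(account: Account, new_password: str, now: float,
                    min_age: float = 0.0) -> str:
    """Return 'ok', 'reused' or 'too-soon'."""
    if now - account.last_changed < min_age:
        return "too-soon"                        # minimum age between changes not reached
    if any(matches(r, new_password) for r in [account.current] + account.history):
        return "reused"                          # matches current or a remembered hash
    # Push the current hash into history, keeping only HISTORY_DEPTH entries.
    account.history = [account.current] + account.history[:HISTORY_DEPTH - 1]
    account.current = new_record(new_password)
    account.last_changed = now
    return "ok"


def reuse_is_blocked() -> str:
    """Straight reuse of the current password is caught by the history check."""
    account = Account(current=new_record("password1234"))
    return change_password(account, "password1234", now=10.0)


def revert_after_rotation(min_age: float) -> list:
    """Simulate the trick from the thread: change the password HISTORY_DEPTH+1
    times in one sitting (one second apart), then try to set it back to the
    original.  Returns the outcome of each attempt, the revert last."""
    original = "password1234"
    account = Account(current=new_record(original), last_changed=0.0)
    now = min_age                                # first change is allowed
    outcomes = []
    for i in range(HISTORY_DEPTH + 1):
        outcomes.append(change_password(account, f"throwaway-{i}", now, min_age))
        now += 1.0
    outcomes.append(change_password(account, original, now, min_age))
    return outcomes


if __name__ == "__main__":
    print("reuse:", reuse_is_blocked())
    print("history only:", revert_after_rotation(0.0))
    print("with 24h minimum age:", revert_after_rotation(24 * 3600.0))
```

With no minimum age every attempt returns `ok`, including the final revert, because the original hash has been pushed out of the four-entry history by the throwaway changes. With a minimum age in force, only the first change succeeds and the rest (the revert included) come back `too-soon`, which is the usual reason a history check is paired with a minimum-age rule rather than used on its own.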
Bronze badge
Megaphone

"Law enforcement officials would be able to get ahold of this token from a suspect's PC while hackers might be able to obtain it through more nefarious means, either malware or phishing."

The difference between hackers and law enforcement breaking into your phone only differs in viewpoint, not in the methods they use. (Although it's probably cheaper to hire some skiddy to install a RAT rather than pay some security company to rent the software to do exactly the same)

3
0
Silver badge

Troy

We, the builders of the walls around Troy, would like to point out that Troy remains uncompromised - anyone who believes otherwise is full of horse manure.

10
0
Bronze badge
Facepalm

Re: Troy

As a matter of fact, both the walls and the doors are secure. Look, we even managed to bring in this nice big statue of a horse while completely unhindered by our enemies...

1
0
Anonymous Coward

It's always a balance between security and accessibility.

Ideally you'd get a security token app or hardware key, but people would lose them or forget to take it with them.

0
0
Angel

What like a SIM card...

oh... wait a minute...

1
0
Anonymous Coward

"Apple 2FA is more like Sweet FA"???? Sweet Factor Authentication? Don't get it...this is why English news media should not rely on localized idioms.

0
6
Gold badge

"Apple 2FA is more like Sweet FA"???? Sweet Factor Authentication? Don't get it...this is why English news media should not rely on localized idioms.

This link at Urban Dictionary may help. Helpful for other such expressions too.

Having said that, yours sounded like "Sweet Factory Authentication", which made me think of Willy Wonka :)

0
0

Why not? It's an English site and, being English, I understood it perfectly.

I am sure non-English speakers (e.g. those from the US) are very welcome here, but don't complain if you don't get all the jokes.

5
0
Bronze badge

British site, British idioms. Which are localiSed, cheers ears.

2
0
