-First step, they verify it's apple.
-Second step, they make sure it's rotten.
Apple is now offering two-factor authentication to Apple ID users. The move, which follows similar moves by Google, will make it far harder for hackers to steal Apple ID login credentials. These credentials are important because they are used in conjunction with iCloud to store content, and in downloading apps from the App …
Third step - they sue everyone else using it.
Let's not forget the mantra - if it's not being done by Apple, you don't need it. When they finally catch up and launch their copy, with some pointless miniscule distinguishing feature their sheep can cream themselves over (round corners etc), the whole magically now somehow becomes their invention, so they'll see everyone else in a court they bought in Texas.
The rare fourth step is when they try this in a country unswayed by their crap, and end up having to apologize in their press. Then apologize again for apologizing wrong :-)
Half baked attempt in my opinion. IMHO they should be offering security key tokens (Key FOB?) Even Blizzard offers these. I would pay a decent price for the token... they could even offer an app for mobile phones that accomplishes the same thing... although if all you have is an iphone it gets difficult, but having the physical token option would negate that.....
Come on Apple, try harder
"I would pay a decent price for the token..."
Why should you have to pay the highest valued IT business in the world for security? Is it because the highest value IT business in the world has weak security? High level security should be provided for free to the people who have made any company lots of money, let alone the highest valued IT business. In fact, maybe they should even pay you! At least it would be a gesture of customer appreciation and good faith towards keeping you a secure customer. However, it is Apple, so good luck with that.
I think you are right though. I really don't pay much attention to Apple, but apparently when it comes to security it's all half baked. And that seems odd being they are the highest valu...#1$. However, this article shows that even if it isn't an honest attempt, they are at least faking it until they make it. Any steps, even small ones, are good for their customers
hopefully you won't need that ID when your away from home.
Of course in the case of Mat Honan, the original authentication would of worked if they had used something other for authentication than the last 4 digits of his credit card address(which could be easily obtained from his amazon account) and the staff followed their own procedures in asking the authentication questions.
As long as they don't force the requirement on people, then I'm ok with it. If they do make it compulsory, then it's sayonara, iTunes. Not that it will affect me much, as I haven't bought anything from them in a very long time.
Also get P'd off with google's continual prompting for me to link a mobile number to my gmail account. If I've said NO once, I must have said it a thousand times. And don't get me started on their continual prompting to upgrade IE to Chrome, grrrrrrr....
sa called "two factor" identification will have no effect on hacking: hackers use the owners keys to install malware into the owners computer
for mobil devices this is often via an infected "app"
after the malware is into the owners computer then the owner is "pwned" and his\her computer does whatever the attacker wants it to do
using the owner's credentials
two factor authentication is like adding a second deadbolt to the Front Door while the Back Door is left flapping in the breeze. "Two Factor" -- is solving the wrong problem: hackers don't generally attack that way:
they are using infecged apps, or application program faults -- to install malware into their victimes. this has NOTHING to do with uder id's and passwords.
With this option selected, Joe Blow (anyone, in fact) is denied the opportunity of phoning Apple and duping the staff into resetting the account password. Has to be useful, since that form of attack has been used successfully in the past. Your analogy is a bit dumb, really.
SMS? Seriously? Even eBay uses proper "spoken" messages. Besides being very unpractical, and not very safe, SMS would have looked cool in the nineties. Now? It sounds like "please provide your AOL ID and we'll message you your forgotten password": unsafe, inconvenient, and stale.
> SMS? Seriously?
SMS is only used if you choose to enter the number of a non-Apple mobile device. Push notifications are used on iOS devices which require you to unlock the device to read. Spoken messages would be useless for people with an iPad or iPod touch (as they don't have cellular voice capability) or for people without a mobile phone (such as iPod owning kids).
> Spoken messages would be useless for people with an iPad or iPod touch (as they don't have cellular voice capability) or for people without a mobile phone (such as iPod owning kids).
As opposed to SMS, which are extremely useful for people without a mobe, then? Kids without a mobe may get a phone cal on daddy's home line.
SMS is an incredibly stupid choice. You specifically need a mobe, it spends several minutes -sometimes hours- wandering around the network before it reaches the end user, it is extremely easy to intercept at any step, including on the final handset before the legit user gets to read it, and it is machine readable, which means that it would be trivial to mount an automated hacking procedure just by running ~10 lines of code at any step of the transmission (including, but not limited to, the recipient's handset). Push messages on the very device from which you are trying to recover your password, erm, sure, what could possibly go wrong?
An automated phone call, on the other hand, is only delivered when you pick the call, the info spends very little time in the open before the end user gets it, and is significantly harder for a machine to automatically extract the relevant info.
> As opposed to SMS
Since the iPad and iPod touch I specifically mentioned cannot receive SMS, sending one wouldn't be applicable anyway would it? Duh! Therefore SMS is not even an option for many iOS users (the very people most likely to have an AppleID in the first place).
> SMS is an incredibly stupid choice. You specifically need a mobe, it spends several minutes -sometimes hours- wandering around the network before it reaches the end user
What? You need to change your network provider if SMSs take "several minutes -sometimes hours" to reach you, unless New Years Eve is celebrated daily on the planet you're from. Several seconds - at most - on any of the 5 networks I've ever used.
> Push messages on the very device from which you are trying to recover your password
If you don't care enough about your personal data to protect the device with a passcode then someone getting access to your AppleID probably wouldn't worry you much either.
> it would be trivial to mount an automated hacking procedure just by running ~10 lines of code at any step of the transmission (including, but not limited to, the recipient's handset)
Trivial? LOL. You have absolutely no idea what you're talking about do you? Finding and exploiting a vulnerability in Apple's systems, the mobile network providers systems, or the handset OS allowing you to run that "~10 lines of code" would not be trivial. Nor would setting up some 'man-in-the-middle' attack.
Certainly not impossible, but certainly not trivial either, and definitely not requiring just 10 lines of code to pull off.
> Since the iPad and iPod touch I specifically mentioned cannot receive SMS, sending one wouldn't be applicable anyway would it? Duh! Therefore SMS is not even an option for many iOS users (the very people most likely to have an AppleID in the first place).
Since you mentionned them out of the blue to couter an argument that had nothing to do with them, and yet you managed to be wrong, du'h you're a luser. Confirmed.
>What? You need to change your network provider if SMSs take "several minutes -sometimes hours" to reach you, unless New Years Eve is celebrated daily on the planet you're from. Several seconds - at most - on any of the 5 networks I've ever used.
Several seconds is the very very very best from send to "bip bip". A few minutes is the window for an attack, because who read their SMS right away? Often, a few hours is the attack window, because, yes the networks DO jam, and if you're gonna stage an attack, why wouldn't you choose new year's eve?
>Trivial? LOL. You have absolutely no idea what you're talking about do you? Finding and exploiting a vulnerability in Apple's systems,
YOU have absolutely no clue, my "friend". The hole is intercepting SMS messages and it IS trivial.
> the mobile network providers systems, or the handset OS allowing you to run that "~10 lines of code" would not be trivial. Nor would setting up some 'man-in-the-middle' attack.
"Man in the middle"? you're really stupid. It has nothing to do with anything like that. SMS is roughly as secure as email. A bit less for targetted attacks, actually.
And yes, it IS a matter or running 10 lines of code, to detect a "password recovery" message and forward it to a server of the hacker's choice.
I understand that you are in sweet, sweet love with Apple Inc., but that is hardly an excuse for being completely clueless.
That said, cheers, have a beer, if you are of age.
Paul Ducklin has highlighted an interesting debate - "what is two factor authentication" Or in other words, should it be three factor authentication that he is suggesting (since he suggests excluding the device on which you want to use the broken ID, so you need the broken item, something you know and something you have).
And this goes FAR beyond Apple since there are several "soft" two factor solutions out there for all sorts of access.
Good security is not about how strong something is, but about understanding its limitations and balancing the risk of that being exploited. By including a physical device (mobile) in the loop you greatly reduce the risk of solely the soft options being exploited to reset the credentials. Yes, if the hardware device is stolen or cloned then a hack is still possible - that is a limitation. But ultimately how likely is that in comparison to pure social engineering a phone call.
We could make security VERY tight. So tight it becomes unusable. Several thin layers are stronger than one thick layer.
Biting the hand that feeds IT © 1998–2019