Started by Liz , Started by henghui , Official Started by houxinff , Started by astron51 , Retro , Last Jump to page:. Forum Information and Options. Thread Display Options. Show threads from the Order threads in Ascending Order Descending Order Note: when sorting by date, 'descending order' will show the newest results first.
Icon Legend. Contains unread posts Contains no unread posts Hot thread with unread posts Hot thread with no unread posts Thread is closed You have posted in this thread. Posting Permissions. All times are GMT The time now is PM. Resources saved on this page: MySQL Apple says the caller reported that he couldn't get into his Me.
In response, Apple issued a temporary password. And it did this after the hacker supplied only two pieces of information that anyone with an internet connection and a phone can discover. But even if I did, I might not have noticed the message because the hackers immediately sent it to the trash.
They then were able to follow the link in that e-mail to permanently reset my AppleID password. Two minutes later, another e-mail arrived notifying me that my Google account password had changed. At they remotely wiped my iPad. At they remotely wiped my MacBook.
Around this same time, they deleted my Google account. At , I placed the call to AppleCare. At the attackers posted a message to my account on Twitter taking credit for the hack. By wiping my MacBook and deleting my Google account, they now not only had the ability to control my account, but were able to prevent me from regaining access.
Nor were the eight years of messages in my Gmail account. The target was always Twitter. My MacBook data was torched simply to prevent me from getting back in. I spent an hour and a half talking to AppleCare. One of the reasons it took me so long to get anything resolved with Apple during my initial phone call was because I couldn't answer the security questions it had on file for me.
Herman, I Apple had been looking at the wrong account all along. And because of that, it asked me an alternate set of questions that it said would let tech support let me into my me.
Of course, when I gave them those, it was no use, because tech support had misheard my last name. It turns out, a billing address and the last four digits of a credit card number are the only two pieces of information anyone needs to get into your iCloud account.
Once supplied, Apple will issue a temporary password, and that password grants access to iCloud. I was very clear about this. During my second tech support call to AppleCare, the representative confirmed this to me. We talked to Apple directly about its security policy, and company spokesperson Natalie Kerris told Wired, "Apple takes customer privacy seriously and requires multiple forms of verification before resetting an Apple ID password.
In this particular case, the customer's data was compromised by a person who had acquired personal information about the customer. In addition, we found that our own internal policies were not followed completely. We are reviewing all of our processes for resetting account passwords to ensure our customers' data is protected. On Monday, Wired tried to verify the hackers' access technique by performing it on a different account.
We were successful. By exploiting the customer service procedures employed by Apple and Amazon, hackers were able to get into iCloud and take over all of Mat Honan's digital devices — and data. On the night of the hack, I tried to make sense of the ruin that was my digital life. My Google account was nuked, my Twitter account was suspended, my phone was in a useless state of restore, and for obvious reasons I was highly paranoid about using my Apple email account for communication.
I decided to set up a new Twitter account until my old one could be restored, just to let people know what was happening. I logged into Tumblr and posted an account of how I thought the takedown occurred. At this point, I was assuming that my seven-digit alphanumeric AppleID password had been hacked by brute force. In the comments and, oh, the comments others guessed that hackers had used some sort of keystroke logger.
At the end of the post, I linked to my new Twitter account. And then, one of my hackers messaged me. He would later identify himself as Phobia. I followed him. He followed me back.
We started a dialogue via Twitter direct messaging that later continued via e-mail and AIM. Phobia was able to reveal enough detail about the hack and my compromised accounts that it became clear he was, at the very least, a party to how it went down. I agreed not to press charges, and in return he laid out exactly how the hack worked. But first, he wanted to clear something up:. I asked him why. Was I targeted specifically? He said the hack was simply a grab for my three-character Twitter handle.
They just wanted to take it, and fuck shit up, and watch it burn. After coming across my account, the hackers did some background research.
My Twitter account linked to my personal website, where they found my Gmail address. This was just a recon mission. This was how the hack progressed. If I had some other account aside from an Apple e-mail address, or had used two-factor authentication for Gmail, everything would have stopped here.
But using that Apple-run me. Be careful with your Amazon account — or someone might buy merchandise on your credit card, but send it to their home. And while it's work, that seems to be largely true. Since he already had the e-mail, all he needed was my billing address and the last four digits of my credit card number to have Apple's tech support issue him the keys to my account.
So how did he get this vital information? He began with the easy one. He got the billing address by doing a whois search on my personal web domain. Phobia says that a partner performed this part of the hack, but described the technique to us, which we were able to verify via our own tech support phone calls.
First you call Amazon and tell them you are the account holder, and want to add a credit card number to the account. All you need is the name on the account, an associated e-mail address, and the billing address. Amazon then allows you to input a new credit card. Wired used a bogus credit card number from a website that generates fake card numbers that conform with the industry's published self-check algorithm.
Then you hang up. Next you call back, and tell Amazon that you've lost access to your account. Upon providing a name, billing address, and the new credit card number you gave the company on the prior call, Amazon will allow you to add a new e-mail address to the account. From here, you go to the Amazon website, and send a password reset to the new e-mail account. This allows you to see all the credit cards on file for the account — not the complete numbers, just the last four digits.
But, as we know, Apple only needs those last four digits. We asked Amazon to comment on its security policy, but didn't have anything to share by press time.
0コメント