Something to think carefully about


#1

Post by STC » Mon Aug 27, 2012 2:50 am

Wired journalist Mat Honan got his digital life (literally) served up to him on a plate. Scary stuff.

http://www.wired.com/gadgetlab/2012/08/ ... n-hacking/

If you're a little lax in this area, now is a good time to beef up your practices.
By the Community, for the Community. 100% Commercial Free.

Want decent guide data back? Check out EPG123


#2

Post by STC » Mon Aug 27, 2012 3:00 am

I stole this from opendns.com
opendns.com wrote: What can you do to protect yourself from similar attacks?

For one, you can disable iCloud services on your Mac and iOS devices. But what’s the point of having a device with cloud features if you can’t use them without constantly worrying? There is a risk with everything in life, but you take the proper measures to lessen the risks by securing your cloud security with these seven useful tips:

Use strong, alphanumeric passwords and change them frequently.
Never use the same password for more than one service.
Use two-factor authentication wherever possible. Two-factor authentication is a process in which a user provides two forms of identification to prove who they are. Common forms of identification used include security codes, bank cards, or phone numbers. Using two-factor authentication significantly reduces the probability that someone could gain access to your information.
Create individual accounts for each family member instead of sharing access to prevent multiple accounts from being compromised and exposed.
Always choose security questions in which the answers aren’t easily guessed or researched through public records.
Always keep a local backup of your data in addition to cloud backups.
Disable services such as “Find my Mac” unless you are traveling or are in a situation in which your laptop might be lost or stolen (which is unlikely if it is always kept at home).

#3

Post by Venom51 » Mon Aug 27, 2012 3:07 am

This entire thing makes me laugh. People get all wrapped up in the latest buzz word and start trusting their entire computing life to a third party, don't back anything up and then are terribly shocked when it all goes wrong.

Here's some tips for you. Never store credit card information with any of the online retailer services. Don't link every damn service together and allow them all to cross authenticate. Hell... even though I have a gmail account not a single email or contact is stored in that account.

People want dumbed down, lowest common denominator usability and have sacrificed security to get there. Sad really that someone who writes for tech blogs could be so stupid.


#4

Post by STC » Mon Aug 27, 2012 3:09 am

I agree, but it's because of that, I posted here. How many more are like him?

#5

Post by staknhalo » Mon Aug 27, 2012 7:05 pm

Also when I watched this guy talk about it on TWiT a few weeks ago, he said he had just one password iirc. I might be going a bit overboard; but I have a separate password for warez/torrent/possible spam sites, one password for my regular forums/sites I frequent, one password for services (like Steam and Netflix), a password for my e-mail accounts, and a password for banking.


#6

Post by barnabas1969 » Mon Aug 27, 2012 7:29 pm

Glad I don't have an i-anything.


#7

Post by staknhalo » Mon Aug 27, 2012 8:29 pm

barnabas1969 wrote:Glad I don't have an i-anything.
That's not really the problem. You can take part in all of this and still be secure and his biggest problem is lost photos he said which is a user error because he admitted he wasn't doing local backups of any kind (HDD or optical media). I do cloud based backups but also have everything on my main rig's secondary HDD and I burn everything to DL-DVDs every 6 months. Redundancy is the key. Yes, this event exposed a flaw in Apple's system, and probably made other companies aware of similar flaws they have as well; but this guy wouldn't have been so screwed if he a) used a more secure, and more than one password (for multiple accounts mind you) b) didn't link all his accounts and services c) and this is the most important - did a local or secondary backup of some kind. He admitted to all of this in the TWiT interview from 2 weeks ago or so I believe, you should check it out. While Apple is very much partly at fault; a majority of this was based on user error/ignorance.


#8

Post by barnabas1969 » Mon Aug 27, 2012 8:33 pm

Well, the real scary thing is that Amazon allows pretty much anyone to add a fictitious credit card to your account... and then you can use that credit card number to reset the password! That shows how easy it would be to buy stuff with someone else's Amazon account and use their REAL cards to pay! Obviously, if someone made purchases on my Amazon account, it would only cause me temporary grief... my bank would happily refund all the money instantly when I disputed the transactions.

But in the case of Apple, once they have your other card numbers, they can get into your i-account and wipe your devices!

And that's why I'm glad I don't have an i-anything.


#9

Post by mcewinter » Mon Aug 27, 2012 8:43 pm

barnabas1969 wrote:Well, the real scary thing is that Amazon allows pretty much anyone to add a fictitious credit card to your account... and then you can use that credit card number to reset the password! That shows how easy it would be to buy stuff with someone else's Amazon account and use their REAL cards to pay! Obviously, if someone made purchases on my Amazon account, it would only cause me temporary grief... my bank would happily refund all the money instantly when I disputed the transactions.

But in the case of Apple, once they have your other card numbers, they can get into your i-account and wipe your devices!

And that's why I'm glad I don't have an i-anything.
They used a feature that requires 'opt-in' to exploit him. You don't have to use said feature; it is off by default.


#10

Post by staknhalo » Mon Aug 27, 2012 8:45 pm

barnabas1969 wrote:Well, the real scary thing is that Amazon allows pretty much anyone to add a fictitious credit card to your account... and then you can use that credit card number to reset the password! That shows how easy it would be to buy stuff with someone else's Amazon account and use their REAL cards to pay! Obviously, if someone made purchases on my Amazon account, it would only cause me temporary grief... my bank would happily refund all the money instantly when I disputed the transactions.

But in the case of Apple, once they have your other card numbers, they can get into your i-account and wipe your devices!

And that's why I'm glad I don't have an i-anything.
I'd have to read up on it again or watch the video again but iirc, they didn't add credit card info to his Amazon account. They can't. There was a flaw that allowed them to see only the last four digits of his registered credit card; not the whole number. Like if you have a credit card registered on Newegg, it will show you the last 4 digits, but not the whole card. They then used this info to fool Apple into thinking they were him (along with personal info they found of him just by Googling). One of Apple's security procedures is to ask for the last 4 digits of the card you have on file with them, but this is not the only procedure and they aren't supposed to go on just this alone; they are supposed to check other things ALONG with or other than just the credit card numbers. In this case, the Apple worker took the guy at his word; broke procedure and did no other verification than the credit card number and Google supplied information. Apple even admitted to this mistake on their behalf.

I'm not trying to argue or anything if it comes off that way btw; just wanted to let you know it's not so horrible as you seem to believe it is.
Last edited by staknhalo on Mon Aug 27, 2012 8:49 pm, edited 1 time in total.


#11

Post by barnabas1969 » Mon Aug 27, 2012 8:48 pm

staknhalo wrote:I'd have to read up on it again or watch the video again but iirc, they didn't add credit card info to his Amazon account. They can't. There was a flaw that allowed them to see only the last four digits of his registered credit card; not the whole number. Like if you have a credit card registered on Newegg, it will show you the last 4 digits, but not the whole card. They then used this info to fool Apple into thinking they were him (along with personal info they found of him just by Googling). One of Apple's security procedures is to ask for the last 4 digits of the card you have on file with them, but this is not the only procedure and they aren't supposed to go on just this alone; they are supposed to check other things ALONG with or other than just the credit card numbers. In this case the Apple worker took the guy at his word, broke procedure and did no other verification than the credit card number. Apple even admitted to this. I'm not trying to argue or anything if it comes off that way btw; just wanted to let you know it's not so horrible as you seem to believe it is.
Yes, you need to read the article again. See below:
First you call Amazon and tell them you are the account holder, and want to add a credit card number to the account. All you need is the name on the account, an associated e-mail address, and the billing address. Amazon then allows you to input a new credit card. (Wired used a bogus credit card number from a website that generates fake card numbers that conform with the industry’s published self-check algorithm.) Then you hang up.

Next you call back, and tell Amazon that you’ve lost access to your account. Upon providing a name, billing address, and the new credit card number you gave the company on the prior call, Amazon will allow you to add a new e-mail address to the account. From here, you go to the Amazon website, and send a password reset to the new e-mail account.
EDIT: And, Wired was able to duplicate the hacker's methods multiple times, with different Apple reps answering the phone each time... so it is apparent that several of Apple's employees are violating their internal policy.


#12

Post by staknhalo » Mon Aug 27, 2012 8:51 pm

barnabas1969 wrote:
staknhalo wrote:I'd have to read up on it again or watch the video again but iirc, they didn't add credit card info to his Amazon account. They can't. There was a flaw that allowed them to see only the last four digits of his registered credit card; not the whole number. Like if you have a credit card registered on Newegg, it will show you the last 4 digits, but not the whole card. They then used this info to fool Apple into thinking they were him (along with personal info they found of him just by Googling). One of Apple's security procedures is to ask for the last 4 digits of the card you have on file with them, but this is not the only procedure and they aren't supposed to go on just this alone; they are supposed to check other things ALONG with or other than just the credit card numbers. In this case the Apple worker took the guy at his word, broke procedure and did no other verification than the credit card number. Apple even admitted to this. I'm not trying to argue or anything if it comes off that way btw; just wanted to let you know it's not so horrible as you seem to believe it is.
Yes, you need to read the article again. See below:
First you call Amazon and tell them you are the account holder, and want to add a credit card number to the account. All you need is the name on the account, an associated e-mail address, and the billing address. Amazon then allows you to input a new credit card. (Wired used a bogus credit card number from a website that generates fake card numbers that conform with the industry’s published self-check algorithm.) Then you hang up.

Next you call back, and tell Amazon that you’ve lost access to your account. Upon providing a name, billing address, and the new credit card number you gave the company on the prior call, Amazon will allow you to add a new e-mail address to the account. From here, you go to the Amazon website, and send a password reset to the new e-mail account.
EDIT: And, Wired was able to duplicate the hacker's methods multiple times, with different Apple reps answering the phone each time... so it is apparent that several of Apple's employees are violating their internal policy.
Well I stand corrected on that part :)
barnabas1969 wrote:EDIT: And, Wired was able to duplicate the hacker's methods multiple times, with different Apple reps answering the phone each time... so it is apparent that several of Apple's employees are violating their internal policy.
Then Apple def needs to do something about that ASAP. Again though, I wouldn't hold that ENTIRELY against Apple as it's employees not following the rules they are supposed to.


#13

Post by barnabas1969 » Mon Aug 27, 2012 8:56 pm

And, that "self-check algorithm" that was mentioned in the article is a formula to calculate the last digit of your credit card number. That last digit is known as a "check digit". I work in the financial information technology industry. It's a pretty simple formula, and is public information. The purpose of the check digit is to verify that the 16-digit number was not entered incorrectly.

Apparently, Amazon does not check the validity of the account (by sending an authorization request to your bank) when you add a new card. They seem to only do this when you actually make a purchase with the card.
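The check-digit formula described in the post above is the Luhn algorithm. The following sketch is an added example, not part of any post in this thread; it shows what the check catches (typing errors) and why passing it is no evidence that an account exists. `TEST_NUMBER` is a widely published gateway test number and `CONSTRUCTED` is a made-up string, both assumptions of the example.

```python
def luhn_check_digit(payload: str) -> int:
    """Check digit for `payload` (the number without its last digit)."""
    total = 0
    # Walk right to left: the digit next to the check digit is doubled,
    # then every second digit after it.
    for i, ch in enumerate(reversed(payload)):
        d = int(ch)
        if i % 2 == 0:
            d = d * 2 - 9 if d > 4 else d * 2  # 2d, digits summed if >= 10
        total += d
    return (10 - total % 10) % 10


def luhn_valid(number: str) -> bool:
    """True if the last digit equals the check digit of the rest.

    This is a format check only: it says the number is well-formed, not
    that an account exists. Only an authorization request to the issuer
    answers that question.
    """
    digits = number.replace(" ", "").replace("-", "")
    if len(digits) < 2 or not (digits.isascii() and digits.isdigit()):
        return False
    return luhn_check_digit(digits[:-1]) == int(digits[-1])


def undetected_single_digit_typos(number: str) -> int:
    """Count one-digit substitutions that still pass the check."""
    digits = number.replace(" ", "")
    return sum(
        luhn_valid(digits[:pos] + repl + digits[pos + 1:])
        for pos, original in enumerate(digits)
        for repl in "0123456789"
        if repl != original
    )


def undetected_adjacent_swaps(number: str) -> list[str]:
    """Adjacent transpositions that change the number yet still pass."""
    digits = number.replace(" ", "")
    swapped = (
        digits[:i] + digits[i + 1] + digits[i] + digits[i + 2:]
        for i in range(len(digits) - 1)
    )
    return [s for s in swapped if s != digits and luhn_valid(s)]


# Widely published payment-gateway test number, tied to no real account.
TEST_NUMBER = "4111 1111 1111 1111"
# Constructed short string (not a card number) containing the pair "09".
CONSTRUCTED = "12096"

if __name__ == "__main__":
    print(luhn_valid(TEST_NUMBER))                     # format check only
    print(undetected_single_digit_typos(TEST_NUMBER))  # typos that slip through
    print(undetected_adjacent_swaps(CONSTRUCTED))      # the 09 <-> 90 blind spot
```

A number that passes here has only been shown to be free of simple typing errors, so it should never be treated as proof of identity in an account-recovery flow.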


#14

Post by barnabas1969 » Mon Aug 27, 2012 8:59 pm

staknhalo wrote:
barnabas1969 wrote:EDIT: And, Wired was able to duplicate the hacker's methods multiple times, with different Apple reps answering the phone each time... so it is apparent that several of Apple's employees are violating their internal policy.
Then Apple def needs to do something about that ASAP. Again though, I wouldn't hold that ENTIRELY against Apple as it's employees not following the rules they are supposed to.
The way I read this, is that Apple was lying when they said that their employee violated their policy. I doubt very seriously that multiple reps are simply ignoring a security protocol.


#15

Post by staknhalo » Mon Aug 27, 2012 9:07 pm

barnabas1969 wrote:
staknhalo wrote:
barnabas1969 wrote:EDIT: And, Wired was able to duplicate the hacker's methods multiple times, with different Apple reps answering the phone each time... so it is apparent that several of Apple's employees are violating their internal policy.
Then Apple def needs to do something about that ASAP. Again though, I wouldn't hold that ENTIRELY against Apple as it's employees not following the rules they are supposed to.
The way I read this, is that Apple was lying when they said that their employee violated their policy. I doubt very seriously that multiple reps are simply ignoring a security protocol.
I used to work as phone tech support for Best Buy years ago through a third party company called TAG. We handled everything from tech support to service plans to virus removals and billing of diff services and so forth. You would be surprised how many people were fired MONTHLY for simply not following company procedure, even if it was something for the actual benefit of the customer (also for stealing credit card info a lot :/). From being on the other side of the fence, I can assure you they most likely are just going against policy.

I hope though that what the common folk take away from this story is DO BACKUPS ONTO ACTUAL MEDIA AND USE MORE THAN ONE SECURE PASSWORD :) Oh, and linking accounts is bad, mmkay?
