Apple temporarily suspends phone password resets
#1
Posted 08 August 2012 - 07:30 AM
#2
Posted 08 August 2012 - 08:03 AM
You have to assume that bad things are going to happen to your data. I can see this same journalist crying online about Apple if his notebook had simply failed. Have at least one known good backup. A Time Capsule is $299 and is probably the most expensive way to get onsite backups but also very convenient if you use Macs. You can get a 1 TB external drive for under $100. Plug it in and Time Machine is almost automatic. There is just no excuse not to have backups if you have a Mac.
#3
Posted 08 August 2012 - 08:32 AM
jdb8167, on 08 August 2012 - 08:03 AM, said:
No, that is an incidental problem, not the fundamental one in this case. Losing his personal data because he didn't have backups was the result of poor security practices from Apple and Amazon (and some lesser ones of his own as well), but it did not ultimately make the hacks possible the way the corporate security loopholes did.
That it was the worst thing that happened to him was due pretty much solely to the hacker's disinterest in taking further advantage of their access. They could have done much greater harm to him than they did with access to his saved credit card numbers in his Amazon account, for example. It could have been much, much worse than only losing personal data.
#4
Posted 08 August 2012 - 08:37 AM
#5
Posted 08 August 2012 - 08:39 AM
himbo, on 08 August 2012 - 08:32 AM, said:
jdb8167, on 08 August 2012 - 08:03 AM, said:
No, that is an incidental problem, not the fundamental one in this case. Losing his personal data because he didn't have backups was the result of poor security practices from Apple and Amazon (and some lesser ones of his own as well), but it did not ultimately make the hacks possible the way the corporate security loopholes did.
That it was the worst thing that happened to him was due pretty much solely to the hacker's disinterest in taking further advantage of their access. They could have done much greater harm to him than they did with access to his saved credit card numbers in his Amazon account, for example. It could have been much, much worse than only losing personal data.
They may have been just proving a point of how lax Apple is with security. How many warnings does Apple need? Stop this ideal that things need to be so simple for users to do that they make it easy for hackers too.
#6
Posted 08 August 2012 - 09:16 AM
jescott418, on 08 August 2012 - 08:39 AM, said:
If you believe what they are reported to have told Honan about it in their conversation afterward, the whole escapade was engineered solely to get access to his Twitter account. Whatever the case may be, if the publicity from it causes Apple and Amazon (and others as well, because let's face it, there's no way these are the only two companies where stuff like this is possible) to improve some seriously lax security policies, I'm all for it.
#7
Posted 08 August 2012 - 10:05 AM
Bingo. Same as it ever was. And if the caller says "Ummm, I don't have access to a computer right now..." Apple can reply "Then why are you trying to reset your password? Who you tryin' ta fool, trick?"
#8
Posted 08 August 2012 - 10:47 AM
#9
Posted 08 August 2012 - 11:26 AM
jdb8167, on 08 August 2012 - 08:03 AM, said:
You have to assume that bad things are going to happen to your data. I can see this same journalist crying online about Apple if his notebook had simply failed. Have at least one known good backup. A Time Capsule is $299 and is probably the most expensive way to get onsite backups but also very convenient if you use Macs. You can get a 1 TB external drive for under $100. Plug it in and Time Machine is almost automatic. There is just no excuse not to have backups if you have a Mac.
Sorry jdb8167, but it looks like the majority of responders here don't think that Honan's lack of backups caused his accounts to be compromised in the first place, which is the "fundamental problem".
This post has been edited by kosh: 08 August 2012 - 11:27 AM
#10
Posted 08 August 2012 - 12:58 PM
jescott418, on 08 August 2012 - 08:37 AM, said:
Uneducated, phooey on you sir!
Now lazy, yeah I'd agree on that!!
This is not an Apple problem, it is not about the user being educated or not, it is though, about too many users being accustomed to having companies cater to them, and are unwilling to take charge of their own security, not that Apple, Amazon et al get off the hook either.
Yes the user name/password system needs fixed, and just because it is deeply entrenched, to quote the author, does not mean changes should not be put in place. Something as simple as a phone number to verify authenticity when logging in from a new location or machine. Such a system is in place with FB, and while I use FB very sparingly any more that system does work.
It would be a good place to start for Apple.
#11
Posted 08 August 2012 - 01:00 PM
himbo, on 08 August 2012 - 09:16 AM, said:
jescott418, on 08 August 2012 - 08:39 AM, said:
If you believe what they are reported to have told Honan about it in their conversation afterward, the whole escapade was engineered solely to get access to his Twitter account. Whatever the case may be, if the publicity from it causes Apple and Amazon (and others as well, because let's face it, there's no way these are the only two companies where stuff like this is possible) to improve some seriously lax security policies, I'm all for it.
According to Honan, in those conversations afterwards, they held no malice towards him. THIS was a friendly attack just for his Twitter account.
If you have a desktop Mac, he suggested turning off Find My Mac. Could help if your house was robbed but otherwise allows this sort of thing to happen to you. I've used Find My iPhone too often to consider losing that functionality.
There was a post I read this morning giving tips for better personal security... http://www.macworld....macweek_h_crawl
A good read, also, good info in the comments. But the main flaw taken advantage of is human involvement. Besides that, I'm not ready to lay blame to Apple, Amazon or any other entity. The system itself is broken. This was inevitable. It bothers me that it matters now since a journalist was hit instead of lowly students, office workers, gamers, grandparents. Honan's high profile brings it to the light but I'm sure he's not the first taken down by simplicity instead of a hard hack.
#12
Posted 08 August 2012 - 01:49 PM
http://www.wired.com...an-hacking/all/
The responsibility sits squarely on Apple's shoulders for the single reason that all of these devices can be wiped clean by the intruder. Simply put, there has GOT TO BE far better security measures put into practice so that the "keys to the kingdom" cannot be given out to the wrong party.
This goes WAY BEYOND backing up pics of our loved ones, and/or Pages and Numbers documents etc. I know of no realistic way of backing up EVERYTHING in such a way that would truly resemble entering the PIN that would be needed to restore a wiped device (remember, the wrong party had the PIN in this case). If there is, then somebody please tell us.
When there is such a powerful, and potentially devastating, singular feature offered to the masses, there MUST be equally as powerful safeguards in place to prevent this story from ever happening. What they would need to be? I'm no expert. But it must be WAY MORE than the commonly available info that's described in the article I cited above.
MacWorld... PLEASE do an in-depth, step by step, how-to article in your next issue on how we, the common user, can help prevent this kind of thing. If I may ask... Please go into extreme and clear detail of what users can do, and not just jargon that assumes the reader has a certain level of knowledge. I say this because many of your articles are kept brief at the expense of clarity. There are times when this works well enough. This one article, that I'm hoping you publish, cannot afford to be brief by ANY measure whatsoever.
Thanx for listening... :-)
#13
Posted 08 August 2012 - 03:03 PM
Jasonmwa, on 08 August 2012 - 01:00 PM, said:
He's not, not even remotely. This is what is referred to as "social engineering," and it's been a practice for getting around security systems for as long as there have been security systems.
It's why a discussion about ultra-complex password protection is nearly pointless, because once you get away from easily-guessable "1234" and "password" passwords, it is only very slightly more likely that someone will brute-force guess "thisismypassword" than "t#1sI5myP@55w0rd", because brute-force password hacking is something that happens rarely at best. When hackers acquire access to secured accounts, it is nearly always through alternate channels like exploitation of software bugs or human error. Whenever they are willing to go on the record about it, their stories are all very much like the one relayed to Honan by the guy who had taken over his Twitter account. There is no point in spending countless time and computing power trying to break through a massively secure front gate when there are almost always easier ways to get around it.
#14
Posted 08 August 2012 - 09:29 PM
kosh, on 08 August 2012 - 11:26 AM, said:
Sorry jdb8167, but it looks like the majority of responders here don't think that Honan's lack of backups caused his accounts to be compromised in the first place, which is the "fundamental problem".
Go read it again. What they were after was his Twitter account. That would be bad but you can resolve it fairly quickly once you regain control of your accounts. The long-term effect was that all his data was deleted with no recovery possible. That has a simple solution. Backups.