NUDE SELFIE CLOUD PERV menace: Apple 2FA? Sweet FA, more like

Apple’s two-factor authentication doesn't actually protect iCloud backups or photo streams, contrary to what many iPhone and iPad fondlers might wish to believe. Scores of (mostly female) celebrities, including Oscar winner Jennifer Lawrence, had their iCloud hacked before miscreants siphoned off private nude snaps which …

  1. Anonymous Coward
    Joke

    Ah but they didn't used Password

    ....no no no...they used Oscars

    1. ItsNotMe
      FAIL

      Re: Ah but they didn't used Password

      Or any good sense.

      Seriously? Storing nude photos of yourself on a server/computer...for which you have absolutely NO CONTROL...is probably the dumbest thing anyone could do.

      Why on earth should anyone feel sorry for them. Stupid is as stupid does folks.

      1. Richard 12 Silver badge

        Re: Ah but they didn't used Password

        No, they simply believed what Apple et al told them about iCloud etc.

        "The cloud is the safest place for your data"

        They didn't tell them that Cloud services are like storing your private stuff in a cloakroom shared by everyone in the world.

        1. RobTub

          Re: Ah but they didn't used Password

          The cloud is safe because of the measures in place. Users have to follow the instructions given to take advantage of the safety measures. Users also have to know that if a so-called friend were to use your mobile device, your photos can be easily copied out. Then your friend can post it by declaring they hacked into iCloud instead of admitting to stealing data from a friend. As an IT person since the early eighties, I don't put important stuff in remote servers. Think about it: those servers are set up by someone, and obviously those people can have unfettered access to anything in the servers. You trust them? Snowden?

      2. Potemkine Silver badge

        Re: Ah but they didn't used Password

        Did they even know their data on their iPhone was synchronized with iCloud and what it meant ? Was that a deliberate action, or a side-effect of a default choice imposed by Apple?

      3. Julian Taylor

        Re: Ah but they didn't used Password

        But do you actually think they didn't know that? 99 times out of 100 those photos have been created by studio/agent publicity and the 'leak' has been arranged.

    2. Anonymoist Cowyard

      Re: So apple WERE hacked then

      but in true Apple spin, they use lots of long words to disguise that, enough to fool the target Apple audience into believing all cloud services are at risk, and only Apple got hacked, because that's what everyone that matters uses.

      How easy it is to fool a fool....

      1. Anonymous Coward
        Anonymous Coward

        Re: So apple WERE hacked then

        Seem to recall similar events where naked photos were stolen off people's local computers. So it makes little difference where you put the nudie pics.

      2. t.est

        Re: So apple WERE hacked then

        Lol, nope they didn't say that, and the fool called out fool.

        Secondly they said that they didn't get hacked, but the users. Well that is true, or half true depending on your point of view.

  2. Wilco

    An important point not mentioned in the article: The main reason for enabling 2 step authentication is that it disables the security questions, so your account can no longer be compromised that way. Once it is enabled you can only reset your account credentials using a recovery code generated when you turn on 2 step auth. You need to keep this safe, because if you forget your password and don't have the recovery code all your iTunes purchases are gone, forever

    1. Pascal Monett Silver badge

      Re: "if you forget your password [..] all your iTunes purchases are gone, forever

      Well that's everything settled then, right ?

      I mean, what could possibly go wrong ?

      1. Mike Bell

        Re: "if you forget your password [..] all your iTunes purchases are gone, forever

        That's why they go to the trouble of giving you a thumping great recovery key. If a user is too stupid to remember his password, and he's too dumb to print out his recovery key and put it in a safe place, he deserves a lot more than losing his iTunes purchases.

        1. Anonymous Coward
          Anonymous Coward

          Re: "if you forget your password [..] all your iTunes purchases are gone, forever

          Yeah, users huh? Pah. They come here, throwing their money at me and then expect me to do stuff for them too... Outrageous! How very dare they...

        2. Van

          Re: "if you forget your password [..] all your iTunes purchases are gone, forever

          It's not just people who lack intelligence or sense who can forget a password.

    2. Raoul Miller

      Two factor auth is a good thing - Apple's is not

      Apple's implementation of two factor auth is shockingly shit. And I say that as a fully-fledged fanboi, currently using 6 apple products and having recently been through the nightmare of AppleID.

      While traveling earlier in the year someone tried to access my account from overseas (Apple would never tell me where, but Russia, China or Nigeria seem likely) and Apple therefore disabled my password. No problem, I thought, I have two factor auth and as a ten year plus customer I can prove who I am. The trouble is nobody cares about that proof - If you don't have that reset code your AppleID is toast forever. No matter whether you can establish that you live at the address they have for that account or have the credit card in your possession linked to the account or anything else. Because they have the ability to disable your password, it is really three factor auth - you need the password, the device and the reset code.

      Other things I learned:

      . You cannot reuse any email associated with any former AppleID with a new one

      . You lose the ability to update apps from the old account, but not the apps themselves

      . Music is fine as long as you had updated to non-drm versions

      . Not sure about movies or TV shows as I don't download them from iTunes

      . Audiobooks were OK

      . After getting another appleID your devices are now still locked to the old one (using find my iPhone, iPad, etc) and it's another fucking nightmare to get Apple to unlock them. You have to send them receipts for all devices (including work owned) and then badger them for weeks

      . Apple support do not know what to do after that - you have to install each device as new (not from backup) attach to new AppleID and then reconfigure everything manually.

      . Apple support is useless during this entire process

      . The apple store is even less useful

      The whole process really made me question my commitment to a single vendor, but Google are even worse than Apple in this regard (and less responsive, if that is possible) and Windows is so shockingly crap at this point it's not even an option.

      1. Destroy All Monsters Silver badge
        Paris Hilton

        Re: Two factor auth is a good thing - Apple's is not

        Why not just go to a genius bar where you get served?

        1. Anonymous Coward
          Anonymous Coward

          Re: Two factor auth is a good thing - Apple's is not

          Why not just go to a genius bar where you get served?

          Because those, err, "geniuses" have no better access to the backend system than you have via phone, they just queue less - they too are enthusiastically uninterested in client loyalty or the intelligent use of all that data they gather on you.

          To put it bluntly, Apple's client recovery processes suck. If that single Sign-on goes wrong, you're screwed proper.

          If you want to have a "lite" version of that suckiness, try moving country or living in more than one country. Apple's store will only accept a credit card from the country your store is set to (ditto for value vouchers that you would like to give someone) - there is no way AT ALL to give Apple any money from another country than your iTunes account is set to. You are thus forced to choose between risking your investment in Apps (and let's not forget, that includes all you have on OSX which can be quite a large amount) or, at a minimum, accepting that they will no longer upgrade, or somehow keeping a credit card alive in the country you just left. It's as if they've never heard of the fact that quite a lot of people who can afford their gear move around - almost like the MPAA who divided the world into regions so you were forced to choose between sponsoring the child molesting drug peddling terrorists of this world (I'm paraphrasing here slightly) by buying a pirated but otherwise good quality copy of a movie or the original which would only play until you got home.

          It's a strong testament to the quality of the computing environment Apple create that they still sell IMHO. If you've ever been exposed to their Apple ID support you'd be forgiven for rethinking your decision to use Apple gear. I'd call it the RyanAir of IT support, but that would be insulting O'Leary, admittedly a hard thing to do...

      2. Dan 55 Silver badge
        Facepalm

        Re: Two factor auth is a good thing - Apple's is not

        I can't believe that (it's so crap), if Apple have gone to the trouble of getting your address, credit card, and phone number then they might as well put them to some use - if all else fails they could send you a postcard with a code, charge a small random amount to the credit card and get you to confirm the value before refunding it, and/or ring your landline and get a robot to speak a code down it.

    3. t.est

      Nope, they would still exist locally.

  3. Pen-y-gors

    Security questions?

    There have been suggestions that some accounts were accessed because the hackers had access to personal details (Facebook profile?) and so they could answer the security questions.

    What kind of peabrain gives real answers when setting up 'security' questions?

    Much better to have fun:

    "Mother's Maiden Name' - Hitler

    "First School" Dotheboys Hall

    "First pet" Godzilla

    etc.

    1. jay_bea

      Re: Security questions?

      @Pen-y-gors - Exactly. I have taken to generating random strings in response to these questions. I look forward to the day when I have to answer security questions over the phone when my mother's maiden name is entered as "iyRdiaaEjH", for example.

      1. Adrian Harvey
        Alert

        Re: Security questions?

        Caution: Apple do ask these questions in circumstances other than password recovery. I was asked for them at some point after getting my phone replaced under warranty, though I can't remember now what action triggered the questioning. Make sure you print out your answers and put them somewhere otherwise you may be stuck at a critical time.

        1. Tim Bates

          Re: Security questions?

          "Caution: Apple do ask these questions in circumstances other than password recovery."

          Australia's my.gov.au website, now compulsory for individuals wanting to deal with tax online, does this too. I created my account with random gibberish for the "security" questions, then got locked out when I next went to use it.

          So next I switched to idiot mode to ensure I would be able to actually log in next time. Whoops. As it turns out, to reset the password, all one has to do is guess 2 of the 3 insecurity questions, then enter a new password. No confirmation email. No SMS.

          I expect the Australian government believe this is called Two Factor Authentication too.

    2. Anonymous Coward
      Anonymous Coward

      Re: Security questions?

      Forgot the site now, but the security questions had to be typed in by yourself and so had the answers. This meant you could think up any question you liked and put in any answer you liked. Think this was much better as the hackers would have a lot more work to do to break in. Imagine putting in a question like "Color of first room in rented accommodation"? With an answer of something like "Magic" (think Terry Pratchett).

      1. davemcwish

        Re: Security questions?

        @TheCostElc

        Octarine.

    3. Anonymous Coward
      Anonymous Coward

      Re: Security questions?

      The trouble is that companies do not tell their customers what the "security questions" will be used for, and in some cases there are T&Cs that threaten the customer with dire consequences if they give any false information.

    4. Anonymous Coward
      Anonymous Coward

      Re: Security questions?

      They're supposed to be memorable. It's no use if you can't remember them.

      1. lotus49

        Re: Security questions?

        What you do is you write them down and store them in a secure location. They call it "memorable information" but what matters is whether you can recover the information. It doesn't matter whether you can remember it.

    5. Potemkine Silver badge
      Joke

      Re: Security questions?

      Feck! How did you guess my answers? :doh:

  4. Anonymous Coward
    Anonymous Coward

    Perhaps some of the photos

    were part of the packaging and promotional materials from earlier points in the stars' careers.

    1. HandleMe

      or were used during the producer's 'screen test' wink wink

      to evoke a genuine sensuality to the actor's initial self image and imagined prospects for employment.

  5. Yet Another Anonymous coward Silver badge

    Photos are meant to be seen

    Presumably the photos were meant for the consumption of the celeb's special friend

    Which means they have to be transmitted to, and viewable on, another device.

    So you can have 97FA, require retina scans from all 3 eyes and a DNA sample - it doesn't really matter if you email them to somebody else.

    Of course you could lock them to a single phone - but then having to go to your pet celeb's bedroom for her to unlock the phone and authorize it to display photos of her naked. While she is standing there - does seem to be a little counterproductive.

  6. Anonymous Coward
    Anonymous Coward

    2FA

    can also be done by sending the token to an email account. Chances are a person has access to a computer with internet access and iTunes if they're performing a restore. Moreover, if you had to obtain a new device to replace a lost one, you'll either be buying it from a store or visiting a store to replace your lost sim card. An inability to do multi-factor authentication in this situation is simply a lack of imagination.

  7. Destroy All Monsters Silver badge
    Trollface

    After more than 40 hours of investigation

    41 hours, then. 5 support dudes for one day?

    None of the cases we have investigated has resulted from any breach in any of Apple’s systems including iCloud® or Find my iPhone.

    The breach is not a breach!

    We are continuing to work with law enforcement to help identify the criminals involved.

    You could ask the NSA. Come to think of it, they probably have those nudeselfies on file and hanging off the index tree.

  8. Anonymous Coward
    Anonymous Coward

    "Security questions" aren't for security, they're to reduce support costs

    Companies were tired of having people say "I forgot my password" and not having a way to establish their identity, so these security questions were invented. Only problem is that they act like passwords that are simpler to hack. If you're a public figure, or someone targets you, answering them honestly leaves you wide open.

    When you only have to answer one or two of them correctly, and get multiple chances (probably unlimited) it is going to be a lot easier for guessing attacks to succeed as well. Which is easier, to brute force a complex password, or guess the name of the high school someone went to? Even if you don't know where they grew up, you can guess names like "City High" or "North High" and you'll snag a lot of people. Ditto with a childhood pet, there are probably a few dozen names that cover half the pets people had as kids!

    These security questions have spread like a plague of bad security practice, just as dumb as the policies that force you to use ever longer and more complex passwords, and still change them every 90 days - all but guaranteeing that they'll be written down somewhere.
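The guessing attack the comment above describes, modelled as an added example (this is not code from the original thread or from any of the vendors discussed). It implements a "k of n questions, unlimited tries" reset check, runs a small dictionary of common answers against it, and then shows the two things that change the outcome: an answer that is not in any dictionary (the random-string approach from earlier in the thread) and an attempt limit. The question set, the answer dictionaries, the victims' answers and the lockout threshold are all constructed for illustration.

```python
"""Security-question reset: the weak k-of-n policy and the guessing attack on it.

Added example, not part of the original thread. The dictionaries of common
answers, the victims' answers and the lockout threshold are constructed.
"""
import hashlib
import hmac
import itertools
import os
import unicodedata


def normalise(answer: str) -> str:
    # Fold case and whitespace so "Central  HIGH " matches "central high".
    # Anything more aggressive (stripping punctuation, stemming) only widens
    # the attacker's hit rate, so stop here.
    return " ".join(unicodedata.normalize("NFKC", answer).casefold().split())


def hash_answer(answer: str, salt: bytes) -> bytes:
    # Answers are stored like passwords: salted, slow hash. 20k iterations keeps
    # the example quick; production settings would be higher.
    return hashlib.pbkdf2_hmac("sha256", normalise(answer).encode(), salt, 20_000)


class SecurityQuestions:
    """Three stored answers; a reset succeeds if `required` of them match.

    max_attempts=None reproduces the 'unlimited tries' policy the comment
    complains about; a small integer is the obvious hardening.
    """

    def __init__(self, answers, required=2, max_attempts=None):
        self.records = []
        for answer in answers:
            salt = os.urandom(16)
            self.records.append((salt, hash_answer(answer, salt)))
        self.required = required
        self.max_attempts = max_attempts
        self.failures = 0

    def check(self, guesses):
        """guesses is parallel to the questions; None means 'not attempted'."""
        if self.max_attempts is not None and self.failures >= self.max_attempts:
            return "locked"
        correct = sum(
            1
            for guess, (salt, digest) in zip(guesses, self.records)
            if guess is not None
            and hmac.compare_digest(hash_answer(guess, salt), digest)
        )
        if correct >= self.required:
            return "reset"
        self.failures += 1
        return "wrong"


# Constructed 'most common answer' lists for: first school, first pet,
# mother's maiden name. Real lists are longer but just as skewed.
COMMON = [
    ["central high", "north high", "lincoln high", "city high"],
    ["max", "buddy", "bella", "charlie", "lucy", "daisy"],
    ["smith", "johnson", "williams", "brown", "jones"],
]

# Constructed victims: one answered honestly, one used random strings.
VICTIM_HONEST = ["Lincoln High", "Max", "Jones"]
VICTIM_RANDOM = ["iyRdiaaEjH", "Qz7pLm2vB", "wX9kdT4sN"]


def dictionary_attack(sq: SecurityQuestions):
    """Try every pair of questions with every pair of common answers.

    Returns (attempts_made, outcome) where outcome is 'reset', 'locked' or
    'failed' (dictionary exhausted without a hit).
    """
    tries = 0
    for i, j in itertools.combinations(range(3), 2):
        for a, b in itertools.product(COMMON[i], COMMON[j]):
            guess = [None, None, None]
            guess[i], guess[j] = a, b
            tries += 1
            result = sq.check(guess)
            if result in ("reset", "locked"):
                return tries, result
    return tries, "failed"


if __name__ == "__main__":
    print("honest, unlimited tries :", dictionary_attack(SecurityQuestions(VICTIM_HONEST)))
    print("random, unlimited tries :", dictionary_attack(SecurityQuestions(VICTIM_RANDOM)))
    print("honest, 5-attempt lockout:", dictionary_attack(SecurityQuestions(VICTIM_HONEST, max_attempts=5)))
```

With unlimited attempts the honest victim falls on the 13th guess out of a 74-entry dictionary; the random-answer victim survives the whole dictionary; and a five-attempt lockout stops the attack on the sixth call regardless of how the victim answered. Either defence works on its own, which is the point: the policy, not the user's cleverness, should be what decides this.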

    1. adam 40
      Big Brother

      Re: "Security questions" aren't for security, they're to reduce support costs

      The longest "memory" for passwords I have come across so far in a server, is 8. So you can spend a few minutes each 90 days updating your password 9 times, and on the 9th time set it back to what it was in the first place. Job done.

      1. Andy Taylor

        Re: "Security questions" aren't for security, they're to reduce support costs

        That doesn't work if there's a timer set to prevent re-use within a certain time frame. For example, in my previous job I couldn't re-use the same password within 12 months.

        I believe the same may be true for AppleIDs.

        1. Darryl

          Re: "Security questions" aren't for security, they're to reduce support costs

          When I first started here, there was no minimum time and last five passwords remembered, so whenever someone got the 'change your password' notice, they just changed it five times, then changed it back to the original.

      2. Anonymous Coward
        Anonymous Coward

        Re: "Security questions" aren't for security, they're to reduce support costs

        I've seen multiple cases where you can only change your password twice within a certain time frame (a few days I think) to prevent just this.

        I suppose you could get back your old password over the course of a couple weeks, but it hardly seems worth the bother.

        Better to figure out how much needs to be changed, and varying it like:

        password1234

        password2345

        password3456

        ...

        And yes, this is exactly why forcing people to change passwords regularly is a very poor excuse for a security policy, that unfortunately nearly every mindless twit security consultant considers gospel without even thinking about it, because "best practices".

        Sure, force everyone to change their passwords if you have been (or suspect you've been) compromised. But making it happen as a normal course of business only makes people get creative in finding ways around it, or surrendering and keeping them written down on a sticky note, a card in their wallet, or saved in a "note" in their smartphone.

    2. Anonymous Coward
      Headmaster

      Re: "Security questions" aren't for security, they're to reduce support costs

      If they know your password they are doing "security" wrong. :)

      1. John G Imrie

        If they know your password they are doing "security" wrong. :)

        No, they just keep the last 4 hashed versions plus the current hashed version then check that the hash of your new password is not the same as any of those stored.
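The history check just described, plus the rule that closes the "change it N+1 times and set it back" loophole from the earlier comments, as an added example (not code from the original thread or from any vendor mentioned). Each stored entry is a salt and a salted PBKDF2 hash, so the server never holds a plaintext password and still detects reuse by rehashing the candidate under each old salt. The history depth of five (current plus four previous), the one-day minimum password age and the simulated user are assumptions for illustration.

```python
"""Password history done with salted hashes, plus a minimum-age rule.

Added example, not part of the original thread. HISTORY_DEPTH, the minimum
age and the simulated user's passwords are assumptions for illustration.
"""
import hashlib
import hmac
import os
from dataclasses import dataclass, field

HISTORY_DEPTH = 5            # current hash + 4 previous, as the comment describes
MIN_AGE_SECONDS = 24 * 3600  # one change per day: nine changes now take nine days


def pbkdf2(password: str, salt: bytes) -> bytes:
    # Slow salted hash; 20k iterations keeps the example quick.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 20_000)


@dataclass
class Account:
    history: list = field(default_factory=list)  # (salt, hash) pairs, newest first
    last_change: float = 0.0


def verify(account: Account, password: str) -> bool:
    """Ordinary login check against the newest history entry."""
    salt, digest = account.history[0]
    return hmac.compare_digest(pbkdf2(password, salt), digest)


def change_password(account: Account, new_password: str, now: float,
                    min_age: float = MIN_AGE_SECONDS) -> str:
    """Returns 'ok', 'reused' or 'too_soon'.

    Each old entry has its own salt, so the candidate is rehashed under every
    stored salt; the hashes are never decrypted, only recomputed and compared.
    """
    if account.history and now - account.last_change < min_age:
        return "too_soon"
    for salt, digest in account.history:
        if hmac.compare_digest(pbkdf2(new_password, salt), digest):
            return "reused"
    salt = os.urandom(16)
    account.history.insert(0, (salt, pbkdf2(new_password, salt)))
    del account.history[HISTORY_DEPTH:]   # forget anything beyond the window
    account.last_change = now
    return "ok"


def simulate_rotate_back(min_age: float, throwaways: int) -> list:
    """A user sets a password, cycles through `throwaways` others a minute
    apart, then tries to set the original again. Returns every outcome after
    the initial set, the last one being the attempt to get the original back.
    """
    acct = Account()
    now = 1_000_000.0
    original = "Summer2014!"
    assert change_password(acct, original, now, min_age) == "ok"
    outcomes = []
    for i in range(throwaways):
        now += 60
        outcomes.append(change_password(acct, f"throwaway-{i}", now, min_age))
    now += 60
    outcomes.append(change_password(acct, original, now, min_age))
    return outcomes


if __name__ == "__main__":
    print("no min age, 4 throwaways:", simulate_rotate_back(0, 4))
    print("no min age, 5 throwaways:", simulate_rotate_back(0, 5))
    print("1-day min age, 5 throwaways:", simulate_rotate_back(MIN_AGE_SECONDS, 5))
```

With no minimum age, four throwaway changes leave the original inside the five-entry window and the reset is rejected as reused, but a fifth pushes it out and the old password comes straight back, which is exactly the trick the thread describes. With a one-day minimum age every one of the rapid changes is refused, so the same trick costs a change a day and most people give up and pick a new password.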

  9. phuzz Silver badge
    Megaphone

    "Law enforcement officials would be able to get ahold of this token from a suspect's PC while hackers might be able to obtain it through more nefarious means, either malware or phishing."

    The difference between hackers and law enforcement breaking into your phone only differs in viewpoint, not in the methods they use. (Although it's probably cheaper to hire some skiddy to install a RAT rather than pay some security company to rent the software to do exactly the same)

  10. Version 1.0 Silver badge

    Troy

    We, the builders of the walls around Troy, would like to point out that Troy remains uncompromised - anyone who believes otherwise is full of horse manure.

    1. Anonymous Coward
      Facepalm

      Re: Troy

      As a matter of fact, both the walls and the doors are secure. Look, we even managed to bring in this nice big statue of a horse while completely unhindered by our enemies...

  11. Anonymous Coward
    Anonymous Coward

    It's always a balance between security and accessibility.

    Ideally you'd get a security token app or hardware key, but people would lose them or forget to take it with them.

    1. adam 40
      Angel

      What like a SIM card...

      oh... wait a minute...

  12. Anonymous Coward
    Anonymous Coward

    "Apple 2FA is more like Sweet FA"???? Sweet Factor Authentication? Don't get it...this is why English news media should not rely on localized idioms.

    1. Fred Flintstone Gold badge

      "Apple 2FA is more like Sweet FA"???? Sweet Factor Authentication? Don't get it...this is why English news media should not rely on localized idioms.

      This link at Urban Dictionary may help. Helpful for other such expressions too.

      Having said that, yours sounded like "Sweet Factory Authentication", which made me think of Willy Wonka :)

    2. lotus49

      Why not? It's an English site and, being English, I understood it perfectly.

      I am sure non-English speakers (e.g. those from the US) are very welcome here, but don't complain if you don't get all the jokes.

    3. Mike Smith

      British site, British idioms. Which are localiSed, cheers ears.

  13. Anonymous Coward
    Unhappy

    Of course

    the suits have thought this through, except for people like me:

    no land line, bugger all mobile signal (have to run up the lane, get the code, run back down again, enter the code into the computer before timeout).

    Nightmare

  14. Joerg

    Competitors behind all of this...

    The only question is who exactly? Microsoft? Samsung? Sony? Blackberry? Or did some of them join forces to attack Apple ?

    Anyone who really thinks that just some little kids "computer wizards" geniuses are behind all of this must be really really naive.

  15. Anonymous Coward
    Anonymous Coward

    Who needs proper 2 factor authentication, people need it to just work...

  16. Mark 65

    Collectors

    "It appears that the images have been stolen over a number of years by several people and then traded or sold between collectors,"

    Collector1: Kate Upton's kebab?

    Collector2: Got

    Collector1: Jennifer Lawrence's twinkle cave?

    Collector2: Swap.

  17. Potemkine Silver badge
    FAIL

    Deleted data stolen?

    Ok for once with Apple, users should be more responsible when choosing passwords and secret questions, but data deleted by users being stolen.... WTF!?

    Anyway, Apple's spin doctors are really efficient, because when the story was related in most mainstream media in France, journalists mentioned data stolen 'from the Cloud', not from iCloud.... and I'm not sure it's only because they know zeronada on IT.

    Paranoid? Yes, and? ^^

    1. Deimos

      Re: Deleted data stolen?

      Let Me translate.

      Picture taken on Phone A.

      Deleted on iPad B.

      still in photo stream.

  18. Deimos

    so it's finally arrived

    The Internet of Thingies.

    Sorry, couldn't resist it. going now.

  19. b166er

    Seems to me there are a lot of celebrities out there who get the wrong advice from their security services. Perhaps celebrity security services are all about muscle and have no understanding of protecting them from media and technology.

    I fail to understand why this still happens. Pammy's tape, whilst not pilfered off the internet (but widely distributed there), leaked in 1998. 16 years ago!

    Do celebrities have short memories? If you're going to create nude images of yourself, you need to make sure you look after those EXTREMELY well. Unless you want them to leak of course.

    Given that there have been many leaks of celebrity nudes, and yet they still take nude images of themselves and put them in insecure places, I can only assume they want them to be seen.

    Or it's negligence. Either way, no tears.

    1. Lamont Cranston

      Quite.

      There's no such thing as bad publicity.

      I'm sure that, out of all the affected individuals, some are genuinely upset about their private photos getting out, but you'd think that, on the whole, people who make their living from their image, and who are constantly snapped by the press, would take some measures to ensure they could keep the genuinely private private.

      1. HandleMe

        Re: Quite. In agreement...

        when they make extra cash when doing nude scenes, then there's not much else for them to whine about. one fur patch is as good as another....

  20. HandleMe

    Meh,

    scene 1: with naked females and males with various compromised exposures

    script suggests they all chime in with :

    "security badges? we don't need no stinking security badges !!!!"

    follow with endless audio of

    scene 2:

    pans to courtroom scene with same actors speaking words being used to shoot down the proprietors of the security concept
