The only convincing case the author makes, actually, is: kill the motherfucking password reset systems. And yes, I realize you can’t have passwords without some kind of password reset, but the problem here lies with the implementation more than anything else:
Apple: Can you answer a question from the account? Name of your best friend?
Hacker: I think that is “Kevin” or “Austin” or “Max.”
Apple: None of those answers are correct. Do you think you may have entered last names with the answer?
Hacker: I might have, but I don’t think so. I’ve provided the last 4, is that not enough?
Apple: The last four of the card are incorrect. Do you have another card?
Hacker: Can you check again? I’m looking at my Visa here, the last 4 is “5555.”
Apple: Yes, I have checked again. 5555 is not what is on the account. Did you try to reset online and choose email authentication?
Hacker: Yes, but my email has been hacked. I think the hacker added a credit card to the account, as many of my accounts had the same thing happen to them.
Apple: You want to try the first and last name for the best friend question?
Hacker: Be right back. The chicken is burning, sorry. One second.
Apple: OK.
Hacker: Here, I’m back. I think the answer might be Chris?
He’s a good friend.
Apple: I am sorry, Brian, but that answer is incorrect.
Hacker: Christopher Aylsworth is the full name.
Another possibility is Raymond McAlister.
Apple: Both of those are incorrect as well.
Hacker: I’m just gonna list off some friends that might be haha. Brian Coca. Bryan Yount. Steven May.
Apple: How about this. Give me the name of one of your custom mail folders.
Hacker: “Google” “Gmail” “Apple” I think. I’m a programmer at Google.
Apple: OK, “Apple” is correct. Can I have an alternate email address for you?
Hacker: The alternate email I used when I made the account?
Apple: I will need an email address to send you the password reset.
Hacker: Can you send it to “toe@aol.com”?
Apple: The email has been sent.
“Why, yes, this Apple e-mail account does have a folder named ‘Apple’. Nobody could have guessed that, and our conversation has given me every reason to think you are who you say you are.” Jesus.
Want to know when I post new content to my blog? It's a simple as registering for free to an RSS aggregator (Feedly, NewsBlur, Inoreader, …) and adding www.ff00aa.com to your feeds (or www.garoo.net if you want to subscribe to all my topics). We don't need newsletters, and we don't need Twitter; RSS still exists.
Legal information: This blog is hosted par OVH, 2 rue Kellermann, 59100 Roubaix, France, www.ovhcloud.com.
Personal data about this blog's readers are not used nor transmitted to third-parties. Comment authors can request their deletion by e-mail.
All contents © the author or quoted under fair use.
