The only convincing case the author makes, actually, is: kill the motherfucking password reset systems. And yes, I realize you can’t have passwords without some kind of password reset, but the problem here lies with the implementation more than anything else:
Apple: Can you answer a question from the account? Name of your best friend?
Hacker: I think that is “Kevin” or “Austin” or “Max.”
Apple: None of those answers are correct. Do you think you may have entered last names with the answer?
Hacker: I might have, but I don’t think so. I’ve provided the last 4, is that not enough?
Apple: The last four of the card are incorrect. Do you have another card?
Hacker: Can you check again? I’m looking at my Visa here, the last 4 is “5555.”
Apple: Yes, I have checked again. 5555 is not what is on the account. Did you try to reset online and choose email authentication?
Hacker: Yes, but my email has been hacked. I think the hacker added a credit card to the account, as many of my accounts had the same thing happen to them.
Apple: You want to try the first and last name for the best friend question?
Hacker: Be right back. The chicken is burning, sorry. One second.
Apple: OK.
Hacker: Here, I’m back. I think the answer might be Chris?
He’s a good friend.
Apple: I am sorry, Brian, but that answer is incorrect.
Hacker: Christopher Aylsworth is the full name.
Another possibility is Raymond McAlister.
Apple: Both of those are incorrect as well.
Hacker: I’m just gonna list off some friends that might be haha. Brian Coca. Bryan Yount. Steven May.
Apple: How about this. Give me the name of one of your custom mail folders.
Hacker: “Google” “Gmail” “Apple” I think. I’m a programmer at Google.
Apple: OK, “Apple” is correct. Can I have an alternate email address for you?
Hacker: The alternate email I used when I made the account?
Apple: I will need an email address to send you the password reset.
Hacker: Can you send it to “toe@aol.com”?
Apple: The email has been sent.
“Why, yes, this Apple e-mail account does have a folder named ‘Apple’. Nobody could have guessed that, and our conversation has given me every reason to think you are who you say you are.” Jesus.
Vous voulez savoir quand je poste du contenu sur mon blog ? Il suffit de vous inscrire gratuitement à un agrégateur RSS (Feedly, NewsBlur, Inoreader, …) et d'ajouter www.ff00aa.com à vos flux (ou www.garoo.net pour vous abonner à tous les sujets). On n'a pas besoin de newsletters, pas besoin de Twitter, le RSS existe toujours.
Mentions légales : ce blog est hébergé par OVH, 2 rue Kellermann, 59100 Roubaix, France, www.ovhcloud.com.
Les données des visiteurs de ce blog ne sont pas utilisées ni transmises à des tiers. Les posteurs de commentaires peuvent demander leur suppression par e-mail.
Tous contenus © de l'auteur ou couverts par le droit de citation.
