On Thu, 23 Aug 2012, lopser wrote:

From: da...@lang.hm [mailto:da...@lang.hm]

On Thu, 23 Aug 2012, lopser wrote:

Guess what?  Account seems to be compromised?  Use the information from "Account Recovery Options."  Duh.  ;-)

Are you aware of the trouble that Mat Honan just had to go through as a
result of people using the insecure "account recovery options" of Apple?

If people give insecure verification information ("Q:  Please verify your PIN."  "A:  Five, Five, Five, Five.")  then they can't blame the company.  Garbage in, garbage out.

I'll certainly admit there are a lot of people out there who fall into 
precisely this category.  But at some point, people need to be held responsible 
for their own lack of security.

I'll agree on the point of Apple's policy being broken.  Verify the last 4 
digits of your credit card?  Anybody could know that.

While I agree that Apple did stupid stuff, I think you are missing the forest for the trees.

Most of the information that's used for "account recovery" options is findable (where were you born, your mother's maiden name, your pet's name, etc.) due to the ease of searching for what was at one point obscure data about you.

Encouraging more use of such tactics is not a smart security move.

David Lang

_______________________________________________
Tech mailing list
Tech@lists.lopsa.org
https://lists.lopsa.org/cgi-bin/mailman/listinfo/tech
This list provided by the League of Professional System Administrators
http://lopsa.org/
