Software, technology, sysadmin war stories, and more. Feed
Wednesday, August 8, 2012

Why phone authentication matters

In the news this week, there's a story about a journalist who had his digital life cracked wide open. It ultimately came down to someone who had called up Apple and socially engineered their way past one of their phone firewalls. Once they had gained access to this person's iCloud account, it wasn't much trouble to reset many other accounts and poke through them as well.

Does this sound familiar? If you were reading here about a month ago, it should. I wrote about exploiting humans during phone authentication back on July 15th. Given that it's now happened in a highly visible way, I want to know more about their process. Did the social engineer get straight through the first time, or did they bounce around a bit playing "customer service rep" roulette?

Unless their training is full of holes, I would think it took several attempts at poking through Apple's phone firewall before it actually worked. If that's the case, then a system like I proposed which logs all access attempts, flags anomalies, and actually does something about excessive failed attempts might have helped.

Why would you have it any other way?