from Hacker News

I got hacked, lost crypto and what it says about Apple’s security. Part 1

by omnifischer on 10/25/20, 10:38 AM with 52 comments

by caymanjim on 10/25/20, 11:02 AM
So, what does this say about Apple security? There's a lot of speculation and insinuation that all the security lapses started with the purchase of a refurbished MacBook, but there's zero evidence other than some coincidental timing. The author clearly wasn't using many security precautions prior to being compromised. They had many interconnected accounts; reused passwords; limited use of 2FA; phone/SMS-based 2FA in the few places they had it; no separate password for Chrome browser sync's DB; no secure password management app; and kept the keys to their crypto accounts in the cloud. The list of compounded failures is long. There's no reason to think this has anything to do with Apple at all.
They haven't learned any lesson, either. Their advice after this? Turn your laptop off when you're not using it (useless) and use Google Voice for 2FA. This is worse than useless; this is actively bad advice and you should not follow it.
The average user should install 1Password and use a TOTP application. Anyone can learn to do that, and it's really all you need. More advanced users, those with particularly extreme security needs, and pedantic nerds can use YubiKeys, hardware wallets, self-hosted password vaults, PGP-encrypted backup codes, and other measures that are worth considering, but aren't as approachable for everyone.
by arboghast on 10/25/20, 11:56 AM
That article doesn’t say anything at all about Apple’s security.
by pontifier on 10/25/20, 3:30 PM
Inevitable torrent of "It was your fault for X, Y or Z reason".
Nobody is perfect.
Every system has known or unknown vulnerabilities.
We need to be building systems that are forgiving of errors, and store important data redundantly.
I've been wondering a lot about how to truly secure an identity. Is there a way to have a meaningful and secure digital life if all your devices could be compromised and your memory is not perfect? I wouldn't want to trust my entire economic life to any single point of failure.
by teknologist on 10/25/20, 12:20 PM
I've noticed that he has an app called "Whoscall" installed providing Caller ID in the Phone app. I wonder if this has access to Messages on the phone and is able to read/upload SMS?
A quick search online suggests that this is a Chinese app.
by jb1991 on 10/25/20, 11:49 AM
> Do not save passwords in your Chrome. Or, if you do, make sure your Google account has multiple levels of 2FA. SMS is not one of them.
I stopped using Chrome but now realize I never thought to check into what it has saved for me. I’ll have to check into that and erase it all if I can.
by simonh on 10/25/20, 11:57 AM
Setting up a new device is a very vulnerable time. You’re downloading and installing new software and signing into all your accounts. It’s very easy to do the wrong thing, like click through the wrong dialog while you’re blasting through it all.
by ksaitor on 10/26/20, 2:33 AM
Hi HN, the author of the article here.
Can someone explain how Telegram 2FA, Yahoo 2FA and Apple 2FA were bypassed?
Especially Apple 2FA - I received a 2FA call from Apple, picked it up, and the attacker logged in right after.
Please note, this was not a (typical) SIM swap. I was still receiving SMS and calls during the attack.
p.s. thanks for all the comments!
by kmbfjr on 10/25/20, 11:52 AM
Why would you store cryto wallets in iCloud unencrypted? OS X makes it easy to create AES-256 encrypted sparsebundle disk images.
by hacker_newz on 10/25/20, 11:51 AM
How was 2FA bypassed here?
by foepys on 10/25/20, 11:59 AM
Well, not you key, not your money. Isn't that what crypto currency advocates always tell us? Being your own bank carries high risks and in this case the risk got to the author.
by fmajid on 10/25/20, 12:13 PM
The fact Apple uses SMS for 2FA tells you everything you need to know: it's pure security theater.