At 4:33 p.m., according to Apple’s tech support records, someone called AppleCare claiming to be me. Apple says the caller reported that he couldn’t get into his .Me e-mail — which, of course was my .Me e-mail.
In response, Apple issued a temporary password. It did this despite the caller’s inability to answer security questions I had set up. And it did this after the hacker supplied only two pieces of information that anyone with an internet connection and a phone can discover.
At 5:00 they used iCloud’s “Find My” tool to remotely wipe my iPhone. At 5:01 they remotely wiped my iPad. At 5:05 they remotely wiped my MacBook. Around this same time, they deleted my Google account.
If you have an AppleID, every time you call Pizza Hut, you’ve giving the 16-year-old on the other end of the line all he needs to take over your entire digital life.
I should have been regularly backing up my MacBook. Because I wasn’t doing that, if all the photos from the first year and a half of my daughter’s life are ultimately lost, I will have only myself to blame. I shouldn’t have daisy-chained two such vital accounts — my Google and my iCloud account — together. I shouldn’t have used the same e-mail prefix across multiple accounts — [email protected], [email protected], and [email protected]. And I should have had a recovery address that’s only used for recovery without being tied to core services.
But, mostly, I shouldn’t have used Find My Mac. Find My iPhone has been a brilliant Apple service. If you lose your iPhone, or have it stolen, the service lets you see where it is on a map. The New York Times’ David Pogue recovered his lost iPhone just last week thanks to the service. And so, when Apple introduced Find My Mac in the update to its Lion operating system last year, I added that to my iCloud options too.
After all, as a reporter, often on the go, my laptop is my most important tool.
But as a friend pointed out to me, while that service makes sense for phones (which are quite likely to be lost) it makes less sense for computers. You are almost certainly more likely to have your computer accessed remotely than physically. And even worse is the way Find My Mac is implemented.
Apple would not comment as to whether stronger authentification is being considered.
I bought into the Apple account system originally to buy songs at 99 cents a pop, and over the years that same ID has evolved into a single point of entry that controls my phones, tablets, computers and data-driven life. With this AppleID, someone can make thousands of dollars of purchases in an instant, or do damage at a cost that you can’t put a price on.
Terry, that sucks mate. I did something similar just after my wedding. Thought I'd lost all the photos. Fortunately before I was about to break the news to my wife my I remembered my father in law had asked for a copy of them all. Divorce avoided.
davidc wrote:I've found standing on my head to be particularly useful
