Apple sued because two-factor authentication… oh, I give up

Will someone please buy this guy an Android?

Graham Cluley


There are plenty of things worth getting really upset about.

Racism. Climate Change. Brexit (regardless of whether you’re pro-Brexit or anti-Brexit, you’re almost certainly feeling very unhappy about how things are going.)

What you shouldn’t be getting upset about is the security that companies like Apple put in place to help prevent your accounts being hacked.


And yet, a man called Jay Brodsky is bringing a class action against Apple in California, complaining that two-factor authentication (2FA) on an iPhone or Mac takes too much time.

In his class action suit, Brodsky alleges:

  • Apple enabled 2FA on his account without his explicit consent. Which seems very odd, as my experience has been that Apple only offers 2FA on an opt-in basis.
  • 2FA is too inconvenient to actually set up – requiring several steps on several devices.
  • 2FA is just too darn inconvenient to use… because it requires you to both remember a password *and* have access to a trusted device. Umm, isn’t this exactly how 2FA is supposed to work? It helps stop hackers from breaking into your accounts with nothing more than your password.
  • Apple doesn’t let you disable 2FA after it has been enabled for two weeks straight. This appears to be true. It looks like Apple gives you 14 days’ grace to deactivate 2FA if you wish, but after that… you’re 2FA-secured. Of course, this could be argued to be a good thing security-wise.
  • 2FA is required every time an Apple device is turned on. Really? Can’t say I’ve noticed.
  • 2FA takes between two to five minutes to complete. Hmm. When AppleInsider got its stopwatch out, it reckoned the 2FA process took them in total about 22 seconds to complete.

Brodsky goes on to claim that “millions” of Apple users are suffering “harm” and “economic losses” because of the large amount of time that 2FA eats up.

Will someone please buy this guy an Android? Or maybe offer him some free technical support so he can log into his account a wee bit faster?

Hear more discussion on this case in the latest edition of the “Smashing Security” podcast:

Transcript

This transcript was generated automatically, probably contains mistakes, and has not been manually verified.
GRAHAM CLULEY
And he carries on. When my neighbor is at home, I find the rise in heat enables me to turn my central heating off. Unfortunately, he's frequently away for long periods in the winter.

My suggestion that he should turn up his thermostat before he goes away met with a frosty response.
CAROLE THERIAULT
Ah, get it?
GRAHAM CLULEY
Get it? Yeah, very good. However, we have discovered that if I shout Alexa through his letterbox, I can control his heating.
CAROLE THERIAULT
I love that so much.
Unknown
Smashing Security, Episode 115: Love Nests and Is Two-FA Destroying the World? With Carole Theriault and Graham Cluley. Hello, hello, and welcome to Smashing Security, Episode 115.

My name is Graham Cluley.
CAROLE THERIAULT
And I'm Carole Theriault.
GRAHAM CLULEY
Hello, Carole.
CAROLE THERIAULT
Hello, Graham.
GRAHAM CLULEY
And we are joined this week by a special returning guest. He hasn't been on for some months. It's Mr. BJ Mendelson. Hello, BJ.
BJ MENDELSON
Hello. Is it me you're looking for?
CAROLE THERIAULT
Yes. I'm so glad you're here. I know that when you're on the show, it's going to be a fun one.
GRAHAM CLULEY
You know, it's somehow appropriate he's quoting Lionel Richie.
CAROLE THERIAULT
I love Lionel Richie. It's my karaoke go-to.
BJ MENDELSON
Is it?
CAROLE THERIAULT
Yeah. Hello, is it me you're looking for?
GRAHAM CLULEY
And it's royalties, Carole. And it's also Valentine's Day.
BJ MENDELSON
That's right.
CAROLE THERIAULT
Yes.
GRAHAM CLULEY
So we've got a special romantic episode of Smashing Security coming up for you. And what else have we got coming up, Carole?
CAROLE THERIAULT
So we have an awesome episode this week. Graham is talking about a new class action suit someone has taken against Apple, and you won't believe what's written in the fine print.

We have our guest BJ talking about IoT Nest devices and how they can spy on you. And because it's Valentine's Day, I'm talking about romance scams and catfishing.

All this and so much more coming up on Smashing Security.
GRAHAM CLULEY
Now I have bad news for you. You may have noticed millions of people are suffering. People are starving, they're clothed in rags, the economy is in ruins. It is the end of times.
CAROLE THERIAULT
What are you talking about?
GRAHAM CLULEY
I'm painting a picture of how everything is going to look in the year 2020, Carole, because the end of times are upon us.
BJ MENDELSON
I thought you were describing Brexit.
GRAHAM CLULEY
Yeah, it might come earlier in the UK. That's true.
CAROLE THERIAULT
Graham, what are you smoking? I don't understand.
GRAHAM CLULEY
Well, you may be wondering what is going to break down society as we know it. Will it be climate change? A meteorite strike? An outbreak of a deadly extraterrestrial microorganism?
CAROLE THERIAULT
Our listeners aren't 12 years old.
GRAHAM CLULEY
Well, I'll tell you what it's going to be, Carole. It's going to be two-factor authentication.
CAROLE THERIAULT
Ah, jeez. Yes. I'm putting down the popcorn.
GRAHAM CLULEY
It's the evil of our time.

It's so inconvenient, it's been accused of being such a nuisance that it is causing economic harm and inconvenience in millions of iPhone users around the world.

And the champion, the visionary who is leading the cause against two-factor authentication, is a chap, an American, actually, of course, of course, called Jay Brodsky, who has brought a class-action suit against Apple in California.
CAROLE THERIAULT
Surely that must happen often. They must get class actions all the time.
GRAHAM CLULEY
I think they do things quite a lot, yes.
CAROLE THERIAULT
But this one tickled you.
GRAHAM CLULEY
Well, he is the savior. He is our savior. He's going to protect us from economic ruin.
CAROLE THERIAULT
Jesus Brodsky.
GRAHAM CLULEY
Well, I don't know if his middle name's Jesus or not, but anyway.
BJ MENDELSON
Well, he's American, so there's a good chance it is.
CAROLE THERIAULT
Right?
GRAHAM CLULEY
He is suing Apple because two-factor authentication on an iPhone or an iMac takes too much time.

In his class action suit, which I will link to in the show notes, he alleges the following: that Apple enabled two-factor authentication on his account without his explicit consent.
CAROLE THERIAULT
Outrageous.
GRAHAM CLULEY
Which ignores the fact that Apple actually only offers 2FA on an opt-in basis. But never mind, let's not get bogged down in the details here or any truth.

He also says that 2FA is too inconvenient to actually set up, requiring several steps on several devices.
CAROLE THERIAULT
Is he able to buy stuff on Amazon without too much difficulty?
GRAHAM CLULEY
Well, he hasn't enabled 2FA on that, I imagine, has he?
CAROLE THERIAULT
Right, right.
GRAHAM CLULEY
He says 2FA, once you've got it installed, is too darn inconvenient to use as well.

Because, get this, 2FA apparently requires him to remember not only his password, but also have access to a trusted device.
CAROLE THERIAULT
Sorry, he says too darn inconvenient in his class action suit?
GRAHAM CLULEY
Well, I don't know if that's an exact quote, but basically, yes.
CAROLE THERIAULT
Oh, right, okay, okay.
BJ MENDELSON
I think that's legalese.
CAROLE THERIAULT
Yeah, I was gonna say, I gotta brush up on my legal reading.
GRAHAM CLULEY
Anyway, he says that you have to have access to a trusted device if you're using 2FA, which is of course the whole point. Of how 2FA is supposed to work.

He says that Apple don't let you disable two-factor authentication after it's been enabled. So once you enable 2FA on your Apple accounts, there's a 2-week grace period.

This bit is actually true. This is the one alleged thing that he says which appears to be true because there is this grace period during which you can deactivate it.

But after that, you are permanently 2FA secured.
BJ MENDELSON
Really?
CAROLE THERIAULT
I didn't know that. Oh, so what if you turned it off on the 14th day and then turn it back on? Do you get a new grace period? Interesting.
GRAHAM CLULEY
Oh, I don't know. You know, that sounds like the kind of thing, which would be rather inconvenient in itself.
CAROLE THERIAULT
He could add it to his list.
GRAHAM CLULEY
He says, what a nuisance it is that two-factor authentication is required every time an Apple device is turned on. Now, I have an Apple device.

I just turned mine on about 5 minutes ago. I didn't need to use two-factor authentication at that point, so I'm not sure that's complete.

It seems to me like what he really needs is not a class action suit. He needs technical support because he's set something up wrong. But no, that's not the way it works in America.

He's launched a class action suit and get this, He claims that two-factor authentication takes between 2 to 5 minutes to complete.

And in the class action, he describes the multi-step process. He says, first of all, I have to enter my selected password on the device that I'm interested in logging in on.

And then I have to go and enter my password on another trusted device to log in. And then optionally, I have to select a trust or do not trust pop-up message response.

And then I have to wait for a 6-digit verification code and enter that onto the device.

He says that every time he tries to log in, it takes him between 2 and 5 minutes with two-factor authentication.

Now, I'm trusting that you two fellows have got two-factor authentication enabled on your devices. Does it take 2 to 5 minutes for you?
BJ MENDELSON
It takes about less than 30 seconds.
GRAHAM CLULEY
Right.
BJ MENDELSON
Yeah, right.
GRAHAM CLULEY
And the dudes at Apple Insider, they were slightly suspicious of this claim as well.

So they got their stopwatches out and they tried to be as lackadaisical and slow as they could, slow and sloth-like, and they reckoned it took them 22 seconds to complete the process.

So according to Brodsky, he reckons millions— and by the way, Carole, this is real quotes from the class— millions of Apple users are suffering harm and economic losses because of the huge amount of time that two-factor authentication is taking up, but because of the interference with the use of their phones.
CAROLE THERIAULT
And presumably he has 50 case studies showing this.
GRAHAM CLULEY
Well, he's had his own experience because he hasn't been to the Genius Bar to find out how to do it.

I just think, will someone please buy this guy an Android phone or an old buzzy Nokia brick instead? Because he clearly can't cope, can he, with an iPhone? Don't knock the Nokias.

No, I like Nokias. They're cool.
CAROLE THERIAULT
I like Nokias, yeah.
GRAHAM CLULEY
Yeah. Good battery life and no two-factor authentication, right? Nothing built in. Snake. Well, don't snake. That's right.

You'd probably have SMS-based two-factor authentication, which of course isn't as secure as—
CAROLE THERIAULT
Predictive texting.
GRAHAM CLULEY
Oh, you know what? I tried to use an old Nokia phone a year or so ago. I couldn't do predictive text. It was just what? I don't know how to do this any longer.

I didn't know what to press. Disaster.
CAROLE THERIAULT
So you don't have a— my house, I have two doors and there's kind of an airlock if you don't have the keys, because in England you don't have automatic fire door unlock from the inside, outside you do in America or Canada.

Right, right. So I got locked inside this kind of portico. Right?

And I had only— I only had an old Nokia phone that someone had just given me that day because my phone was in the house. And I know what you're saying. I tried to text a friend.

I only had one phone number in my head that I remembered. And I tried to put it into the phone to text them to say, help me because you have keys of mine. And I couldn't do it.
GRAHAM CLULEY
And you were texting, how?
CAROLE THERIAULT
I was panicking, actually.
GRAHAM CLULEY
Open my doors, please. Sorry, Dave, can't do that.
CAROLE THERIAULT
Sorry, Carole.
BJ MENDELSON
I have a question. So this guy is saying there's millions of Apple users are suffering harm and economic losses. I mean, has he seen the AirPods?
GRAHAM CLULEY
So this class suit is seeking fines and penalties in accordance with the Computer Fraud and Abuse Act.

And he's saying, look, I want all funds, revenues, benefits that Apple has unjustly received.

He's also claiming that Apple is violating California's own Invasion of Privacy Act, whatever that means. I don't quite understand how that works.
CAROLE THERIAULT
I think this is absolutely ridiculous. Can I make—
GRAHAM CLULEY
Yes.
CAROLE THERIAULT
Can I give you what I think is going on here?
GRAHAM CLULEY
Please do.
CAROLE THERIAULT
I think he's trying to raise a big stink so that Apple just goes, oh, just give him $10 grand so he goes away.
GRAHAM CLULEY
Oh yeah, maybe.
BJ MENDELSON
Yeah, I think so.
GRAHAM CLULEY
But the thing is, for the sake of the 22 seconds that he lost through his— although he's claiming it's 2 to 5 minutes— we are— the courts are going to be tied up, the lawyers are going to get rich, and everyone's wasting time.

And we right now are wasting time on our podcast talking about this buffoon.
CAROLE THERIAULT
You are wasting our time.
GRAHAM CLULEY
Who brought this object to our table today. It's ridiculous. We need a better story than this. BJ, I hope you've got one for us.
BJ MENDELSON
I wish I did. But mine actually deals with two-factor authentication as well.
CAROLE THERIAULT
You guys.
BJ MENDELSON
In short, there's been a series of incidents involving Nest devices in the United States.

So one just this week involved someone getting into the Nest and basically spying on someone's kid, which has actually happened quite a number of times before with different smart devices.

But this is the most recent occurrence.

And then last month, this is my personal favorite, someone had hacked a Nest device out in California and had told the family who owned the device that North Korea had just launched an intercontinental ballistic missile.

Oh my God. And they only had a few minutes left to live. And so you figure, all right, well, this is a serious thing, right?

This is the kind of thing that you would expect a tech company to say, all right, we're not going to let this happen.
GRAHAM CLULEY
Because that family were terrified, weren't they? I remember reading the reports.
BJ MENDELSON
Well, yeah, I mean, I'm making light of it because I'd like to think that Americans could exercise common sense and not get their news from smart devices.
CAROLE THERIAULT
But where are you supposed to get your news from? Stone tablets?
GRAHAM CLULEY
No, but in their particular case, they didn't even know that their Nest had a speaker.

They suddenly thought, you know, they were watching YouTube or something on the screen or a TV program, and suddenly this voice came out warning them of a missile attack.
CAROLE THERIAULT
And they were "Shit!" Okay, sorry, can we back up just a bit? I'm actually not sure what Nest do. I know Nest were bought by Google. Is that right?
BJ MENDELSON
Right. They're mostly known for the smart thermostat, but they also have Nest cameras, which is the big thing that they've been pushing.

And what's interesting about the Nest camera is that, or at least the sales pitch anyway, is that you could just leave it recording for hours and all that video gets stored over in Google servers.
CAROLE THERIAULT
Thanks, Google.
BJ MENDELSON
Yeah. But we know what the flip side to that is, right?

So the reason why I brought up the story and it was related to the one that we were just talking about is because Nest basically said, yeah, you have to do a better job of protecting yourself.
CAROLE THERIAULT
To the user, to the people that buy.
BJ MENDELSON
Ah.

And so, you know, last month they had told the Mercury News who reported on the North Korea story that they're actively introducing features that will stop compromised passwords and other credentials to be used to log into Nest devices.

But then just this week, just from the Chicago Tribune, the response was essentially, you know, they're sending an email out to users telling them what they can do to get the most out of the security features.

They're essentially just passing the buck onto the users.
CAROLE THERIAULT
Okay, I see I'm getting on my soapbox again here. BJ, if I called you up and said, oh my God, you won't believe what happened yesterday.

I left my front door open and some guy came in and stole all my stuff. Poor me, right?

You might sympathize with me on the phone, but then you'd probably call Graham and go, "Oh my God, she's so ridiculous," right?

Or if I didn't put my seatbelt on in the car, I think I would be blamed for, you know, if I died, right?
GRAHAM CLULEY
It's almost your car goes honk, honk, honk, honk, honk, or beep, beep, beep, doesn't it? If you don't have your seatbelt on, it warns you about that.
CAROLE THERIAULT
That's true.
GRAHAM CLULEY
Now, in these particular cases, people are setting up their Nest, and I imagine the problem is that they are using passwords that have already been compromised.

And so hackers are able to guess the password, or they know the password because those users have used them elsewhere.
BJ MENDELSON
It's worth pointing out that Nest specifically said to the Mercury News that two-factor authentication actually would eliminate this type of security risk, which isn't entirely accurate.
GRAHAM CLULEY
Yeah, two-factor. It certainly makes it much harder for the hackers to get in. And that's why we recommend generally that people enable it.
CAROLE THERIAULT
It takes a long time though.
GRAHAM CLULEY
Gee, there are still ways.
BJ MENDELSON
It takes 22 seconds.
GRAHAM CLULEY
There are still ways sometimes of getting past it, but—
CAROLE THERIAULT
But finally he gets it. Jesus. I was sitting in my head, one Mississippi, two Mississippi. He's older, guys. He's older.
GRAHAM CLULEY
So actually all this story of these, you know, what should we call them? Dinguses? We're not allowed to say Alexa, are we? These sort of things that trigger people's devices.

All these dinguses.

There was a great letter in The Times, The Times of London, just last week, which I will link to in the show notes because someone also posted it up on Reddit about a guy who wrote, "Sir, the owner of the flat directly below mine would endorse your leading article, which advocated turning off voice-activated devices." And he carries on: "When my neighbour is at home, I find the rising heat enables me to turn my central heating off." You know, he's like a parasite, basically, living off his neighbour's heat.

"Unfortunately, he's frequently away for long periods in the winter. My suggestion that he should turn up his thermostat before he goes away met with a frosty response." Get it?
CAROLE THERIAULT
Get it?
GRAHAM CLULEY
Yeah, very good. "However, we have discovered that if I shout Alexa through his letterbox I can control his heating."
CAROLE THERIAULT
I love that so much.
GRAHAM CLULEY
So finally, there's a use for these voice-activated devices. If your neighbour has them, you can use them to your benefit.
CAROLE THERIAULT
I thought they worked though. They had voice recognition in them a little bit. So what, you have to put on an accent to do that? I didn't know anyone could control them.
GRAHAM CLULEY
No, I don't think they do have voice recognition. I don't think they're tied to a particular voice. I think just about anyone.
CAROLE THERIAULT
Okay, listeners, tell us.
GRAHAM CLULEY
Well, we wouldn't know because we don't have them, do we? No, we don't. Thank goodness.
CAROLE THERIAULT
No, I don't have any of those home assistants. My husband's my home assistant. Let's see if he listens. Shush. We don't say his name.
GRAHAM CLULEY
No, not Valentine's Day.
CAROLE THERIAULT
Husband.
GRAHAM CLULEY
Don't activate him. So Carole, what's your story for us this Valentine's Day?
CAROLE THERIAULT
Graham. Yes. I want you to hark back to your single days for a moment. The pre-family time when you were a single fella.
GRAHAM CLULEY
Ah, yes.
CAROLE THERIAULT
Now don't think back to the '70s. I want you to imagine that all the internet conveniences that exist today exist in this world of yours too. So I'm going to set the scene.

Valentine's Day is fast approaching. And single Graham is perusing his online dating profiles because of course you would have. You have dating profiles online.

I mean, what else are you going to do these days?
GRAHAM CLULEY
Of course.
CAROLE THERIAULT
Now I'm imagining one of the contents of one of your profiles would be avid Doctor Who fan who loves a bit of chess.
GRAHAM CLULEY
That's going to attract the girls.
CAROLE THERIAULT
And seeks some fun times.
GRAHAM CLULEY
Yes.
BJ MENDELSON
Fun times while watching Doctor Who.
CAROLE THERIAULT
Oh, God. And BJ, you would probably have a female wrestler with a love for comedians.
GRAHAM CLULEY
Yes.
CAROLE THERIAULT
So single Graham suddenly gets a like on his dating profile.
GRAHAM CLULEY
This is weird.
CAROLE THERIAULT
And her name is Gigi. Bonjour. And Gigi's profile pic is hot.
GRAHAM CLULEY
Right.
CAROLE THERIAULT
A spitting image of a young Diana Rigg crossed with a coquettish Cher.
GRAHAM CLULEY
Okay, well, the first half was good.
CAROLE THERIAULT
And single Graham, you click on Gigi's interest and you see that chess and Doctor Who are mentioned. And Gigi even reveals that she likes eating tuna and peas for breakfast.

Just like you, you weirdo.
GRAHAM CLULEY
Just like me, yes.
CAROLE THERIAULT
So basically, single Graham is instantly gaga for Gigi. And immediately likes her profile back.

She messages you, you message her, and soon you're chatting late into the night where she flirtatiously calls you her little Ood. That's a Doctor Who monster, right?
BJ MENDELSON
It is.
GRAHAM CLULEY
Ood, object of desire.
CAROLE THERIAULT
Yes. Yeah, no, it's really gross. Yes. Now, Gigi says she's desperate to meet you, but she has itsy bitsy cash flow problem and her car's in the shop.
GRAHAM CLULEY
Oh, bless her.
CAROLE THERIAULT
And she's late on her rent. And you say, ch-ch-ch-ch, don't worry. Single Graham to the rescue.

And you lend Gigi some cash and she's so grateful and she tells you how much she loves her little Ood.

Now, at some point, perhaps early in your relationship, because you're pretty savvy, or very late if you weren't, you start feeling a little uneasy because she keeps coming up with excuses when you make plans to meet.

So sorry, Single Graham, I have to get the cat groomed, or, family emergency, need to jump on a flight, or dang it, Single Graham, my colonoscopy is today.
GRAHAM CLULEY
Which is suspicious, because normally it'd be me coming up with those sort of excuses. I just wouldn't the pressure of actually meeting a member of the opposite sex.

I'd the idea of it, but then it's oh no, no, no, let's not bother with that.
CAROLE THERIAULT
But you've given her so much money.
GRAHAM CLULEY
I have.
CAROLE THERIAULT
She's not answering your messages anymore. And you realize that you've been catfished.

So the reason this is news is because UK's Action Fraud has just released numbers on romance scams.

Turns out that 2018, more victims in the UK than ever before have been conned out of these so-called scams.

Collectively, £50 million has been nabbed from UK victims, says Action Fraud. That's a 27% increase over 2017.
GRAHAM CLULEY
Right.
CAROLE THERIAULT
Do you think it's surprising that women represent 63% of the victims? Are you surprised that women are more victims than men?
GRAHAM CLULEY
No, I'm not. No.
CAROLE THERIAULT
And they've lost twice as much as men on average.
GRAHAM CLULEY
Because I think women are more romantic, aren't they? Generally. I can imagine. And women have a heart, and women are more likely, I think, to dish out some money, I suspect.
CAROLE THERIAULT
We're easy to woo. You just go, hey gorgeous.
BJ MENDELSON
No.
GRAHAM CLULEY
Hey gorgeous, come over here. You know how to whistle, don't you? No, I just I just think, anyway, I can believe it. I can believe it.

I'm not saying that men don't fall for it as well, but—
CAROLE THERIAULT
The most costly romance catfish I saw involved a guy who swindled a 78-year-old woman out of nearly $1 million US. Yeah, right?

And we know that catfishers often target lonely hearts to effectively steal their money, but not all. Check these out. So this one guy worked for a repossession company, right?

And he says he routinely catfished people on Facebook who'd been hiding their cars from repo man.

And he'd play the sexy lady, lure them into nearby bars so he could repo their car in the parking lot.
BJ MENDELSON
That's awesome. That's fantastic.
CAROLE THERIAULT
I've got another one. This one's pretty amazing. So this woman's aunt is worried that her niece isn't safe online, right? She wants to teach her a lesson.

So aunt creates an online male profile and manages to connect with her niece.
GRAHAM CLULEY
Okay.
CAROLE THERIAULT
Unfortunately, the niece immediately gets saucy before soon asking her new suitor to kidnap her so she can get away from her aunt.

And the niece even gives the kid— this is unbelievable— the niece even gives him instructions to kill her aunt and the other people in the house, and she ends up being arrested.
GRAHAM CLULEY
That's taking kinkiness to a whole new level, isn't it? I think so.

It's what— so this is what some woman says when she's flirting, say, oh, you sound really hot, by the way, can you kill my aunt and everyone else in the house?
CAROLE THERIAULT
I suspect with that one, she knew it was the aunt. See, that's what I think. That's what I would do. I can't imagine an aunt would outwit a savvy teen.
GRAHAM CLULEY
That would be the only defense, wouldn't it?
CAROLE THERIAULT
Well, then yeah, she should have called me. So how do you avoid catfishing? There seems to be a surge. Advice includes doing reverse image searches, right, on Google.

This is a quick and dirty background check to see if the images they're presenting to you as their hot selves are actually just an underwear model from a Sears catalog or a female grandmaster playing chess or whatever it is.
GRAHAM CLULEY
But yes, they've grabbed a picture.
CAROLE THERIAULT
Or a Diana Rigg slash Cher combo.
GRAHAM CLULEY
Diana Rigg.
CAROLE THERIAULT
Oh, lovely. Look at their check-ins on social media to see if the holidays or locations they say they're in match what they tell you.

And when I read that, I had a weird thought because we often tell people, hey, maybe get off social media, right? But then you don't have a profile.

So maybe it seems the more internet savvy you are, the less likely you are to get a date out there. And that's a tragic thought.
GRAHAM CLULEY
Oh, so if you're acting securely, people won't find you on social media and they'll be suspicious of you and think you must— So what you need to do is, if you're not on social media, you need to create a fake social media account purely with your real picture.

A lot of this advice, Carole, appears to me to actually be digital stalking which you're advocating. Is that right?
CAROLE THERIAULT
Okay, you may want to try also doing a video chat so you can interact with them in a live context.

It would be pretty hard to fake an interaction pretending you look like Claudia Schiffer.
GRAHAM CLULEY
Be careful with that one, though.
CAROLE THERIAULT
Oh, because of the deepfakes?
GRAHAM CLULEY
No, no, no. Because there have been a lot of ghastly sextortion scams and things where people think they're talking to some sexy lady.

And then they're asked to get their Bezos out, and that ends up on video, and they end up blackmailing you.

So you've got to be— So keep your trousers on if you're going to do that kind of thing, right?
CAROLE THERIAULT
Yeah, that's true. Just be celibate. Give up.
GRAHAM CLULEY
You know what? I don't think that's a bad idea at all.
BJ MENDELSON
A friend of mine was catfished. I don't think I've ever told this story anywhere before.
CAROLE THERIAULT
Exclusive!
BJ MENDELSON
It's going back to the primordial days of the internet, right? So it's going back to about 2001.

I was a freshman at Alfred State College and a friend of mine had been flirting with this girl for about a good 6 months.
CAROLE THERIAULT
Okay.
BJ MENDELSON
And she'd been sending him pictures and she's like, "Oh, you know, I'm going to come up and see you." And he's all excited.

He's like, "Wow, look at these pictures." Now, clearly it looked something that had been cut out of a magazine that she had been sending him.

But he wouldn't, you know, going to Alfred State, you can be accepted just by having a pulse. So critical thinking was not, you know, a strong suit for him.

So he was all excited about this girl. And the day of the meeting comes. And so this girl drives 600 miles from the middle of New Jersey to Alfred, New York.

And there's two occupants in the car. One of them looks like a model. The other does not.
CAROLE THERIAULT
Okay.
BJ MENDELSON
Can you guess which one was catfishing my friend?
CAROLE THERIAULT
The model.
BJ MENDELSON
Right. So, yeah, the best part of the story, though, is that I wound up befriending the model.
CAROLE THERIAULT
So she's now my wife.
GRAHAM CLULEY
Back of the net, BJ! Back of the net!
BJ MENDELSON
Well, so just imagine though, this kid— I've been mocking this guy for six months saying she doesn't exist, she doesn't exist.

And then, for me to go and hook up with the model and he gets stuck with the person catfishing him, we were not friends long after that.
CAROLE THERIAULT
Holy moly!
GRAHAM CLULEY
That's what I said. BJ, you bastard! I, I did.
BJ MENDELSON
I told him it wasn't really his fault that his buddy got catfished, right?
GRAHAM CLULEY
What about the bro code? The bro code's been broken. You cock-blocked him.
CAROLE THERIAULT
What a wingman. What a shitty wingman.
GRAHAM CLULEY
And my crow. Yeah.
CAROLE THERIAULT
So Graham, as your longtime bud, I hope you would have told me about Gigi because that's apparently the biggest advice of all is tell your friends about the relationship.

So BJ's story. Yeah. But I hope you tell me and then I could do a recon mission, right? I could go find out. See if anything smells fishy.
GRAHAM CLULEY
You're my wingman, right?
CAROLE THERIAULT
That's right. Wing lady. Wing lady.
GRAHAM CLULEY
You're not gonna let me down BJ let down his buddy, right?
CAROLE THERIAULT
No, no, definitely not.
GRAHAM CLULEY
I'd hate you to get off with Diana Rigg Crow rather than me.
CAROLE THERIAULT
So would I. I'd hate it.
GRAHAM CLULEY
Not as she is now.
CAROLE THERIAULT
Okay, well.
GRAHAM CLULEY
Goodness sake.
CAROLE THERIAULT
Is she still alive?
GRAHAM CLULEY
Oh, how do you—
CAROLE THERIAULT
Are you not running a password manager in your organization? What are you thinking? Check out LastPass Enterprise. Just go to this URL: lastpass.com/smashing.

Here you can learn all about what password managers can do for your firm, and you can learn more about LastPass Enterprise.

I mean, if you want to solve poor password hygiene, if you fancy securing every password-protected entry point in your business, slide on over to lastpass.com/smashing.

I use them, so you should check them out. Hey Graham?
GRAHAM CLULEY
Yes?
CAROLE THERIAULT
So I've got a problem.
GRAHAM CLULEY
Yes?
CAROLE THERIAULT
I use a cloud service, I put all my files and data up there, and I'm kind of nervous about prying eyes looking at it. Any advice?
GRAHAM CLULEY
Yeah, you've got to encrypt it.
CAROLE THERIAULT
Before I load it up?
GRAHAM CLULEY
Well, I would recommend so, because any file which you put on Dropbox or Google Drive or OneDrive or those other sort of cloud services, it could be accessed by that company or indeed law enforcement or any hacker who broke into your account.

So what I would recommend is use a piece of software like Boxcryptor.

It's what I run on my computer, and any file, before it gets uploaded to those cloud services, gets encrypted with my own keys, which I control.

So the cloud service itself can't see the contents of the files which I'm putting on the cloud drive. It's all encrypted.
CAROLE THERIAULT
Cool, I'll check it out.
GRAHAM CLULEY
Go to Boxcryptor.com, and thanks to Boxcryptor for supporting the show this week. And welcome back, and join us on our favorite part of the show that we call Pick of the Week.
CAROLE THERIAULT
Pick of the Week.
BJ MENDELSON
Pick of the Week.
GRAHAM CLULEY
Pick of the Week is the part of the show where everyone chooses something they like.

Could be a funny story, a book that they've read, a TV show, a movie, a record, a podcast, a website, or an app.

Whatever they like, it doesn't have to be security related necessarily.
CAROLE THERIAULT
Definitely should not be.
GRAHAM CLULEY
Now, my Pick of the Week this week is a website and it is a website called howlongtoreadthis.com.
CAROLE THERIAULT
Okay.
GRAHAM CLULEY
It's a great idea. I'm a very busy man. I don't drink coffee, which means I don't have a great deal of time to read books. Yeah, I was just gonna say, you don't read books either.

But if I were to ever read a book, I would use a website like howlongtoreadthis.com.
CAROLE THERIAULT
Why?
GRAHAM CLULEY
Because what it does is it measures, it gives you a little test and it measures how quick your reading speed is.

And then it says, oh, if you want to read Doctor Who and the Curse of Peladon, that will take you at your current reading speed 9 hours 33 minutes, or whatever it is.
CAROLE THERIAULT
Should we do a race? Choose a book.
GRAHAM CLULEY
Oh, I don't know. What book?
CAROLE THERIAULT
I don't know.
GRAHAM CLULEY
What book is famous?
CAROLE THERIAULT
Joy of Sex.
GRAHAM CLULEY
Oh, for goodness. I think it's mostly pictures, Carole. I don't know. Oh, it is here.
CAROLE THERIAULT
It's here.
GRAHAM CLULEY
It's here. Okay. I've just looked it up. The Joy of Sex, the ultimate revised edition. So what it's done is it's given us about 150 words which we have to read.

Joy of Sex by Alex Comfort. Start reading now.
CAROLE THERIAULT
Go.
GRAHAM CLULEY
Erotic.
CAROLE THERIAULT
Accelerating. Pleasurable. Sexuality. Shh, done.
GRAHAM CLULEY
No, you're not.
CAROLE THERIAULT
Okay, it got long, it got long. I got halfway through.
BJ MENDELSON
I got through it.
GRAHAM CLULEY
Carole, when it comes to The Joy of Sex, you shouldn't really finish that quickly. Okay, well, I've lost my place now. I'm just going to say I'm done, right?

It says it will take me 3 hours and 59 minutes to complete The Joy of Sex. I think I could probably do it in about 8 minutes. Really? At your age?
CAROLE THERIAULT
It's a bit quick.
GRAHAM CLULEY
Including getting my trousers off. That can take a while. So there you go.
CAROLE THERIAULT
What do you think about this, BJ?
BJ MENDELSON
A lot of things, but it says it's going to take me 2 hours and 25 minutes to read it.
CAROLE THERIAULT
Are you guys looking at similar books underneath?
GRAHAM CLULEY
Oh, hang on. Oh yes, similar books.
CAROLE THERIAULT
Because mine has She Comes First.
BJ MENDELSON
Oh, I've read that.
CAROLE THERIAULT
Have you? Is it good?
BJ MENDELSON
It's very good.
GRAHAM CLULEY
I think I've got it behind me. It's The Thinking Man's Guide to Pleasuring a Woman. I think that's what I was buying.
CAROLE THERIAULT
The Thinking Man's Guide to Pleasuring a Woman.
BJ MENDELSON
That should have been my pick of the week. I will say this for the book. I think that every guy should read it, and that's all I'll say.
GRAHAM CLULEY
Well, there you go. BJ on Valentine's Day, how wonderful. What's your pick of the week?
BJ MENDELSON
Today is the one day every year where no one laughs when they hear my initials. My husband would love it.
CAROLE THERIAULT
To visit.
BJ MENDELSON
So I have two things. One is a quick little one. The other is the actual real one.

So I don't know if any of you have watched the Grammy Awards, but they did this thing this year where after about 60 seconds, they started playing this really long dramatic music to force people off stage.

And I really want that as a real-life superpower, particularly when someone is telling you a really long, boring story. You could just summon the music.
CAROLE THERIAULT
Oh, so you want the superpower that summons the music?
BJ MENDELSON
Yeah, no, it'll tell you the hurry of that.
CAROLE THERIAULT
Oh yeah, yeah, sorry.
GRAHAM CLULEY
Yeah, okay, could be handy on this show.
BJ MENDELSON
So the best example is, you know, I love my mom, but my mom is the world's worst storyteller.

And so sometimes she'll buy something from QVC and it'll take what really should take about 5 minutes to tell you, it takes about an hour and a half.
CAROLE THERIAULT
Last one, pretend you're your mom.
BJ MENDELSON
Okay, so I was watching QVC and I ordered these shoes and I— wait, no, what time was that? Oh, it was about 8 o'clock.

And so I ordered these shoes and they were red and then they said that they were on sale for a limited— nope, but they were on sale yesterday. Nope.

So they were on sale for a limited time for $19.95.
GRAHAM CLULEY
Carole, play the music.
BJ MENDELSON
Exactly.
CAROLE THERIAULT
And so my—
GRAHAM CLULEY
Anyway, fascinating, BJ.
CAROLE THERIAULT
Thank you very much.
GRAHAM CLULEY
Did you have a proper pick of the week?
BJ MENDELSON
Yes, I did. So this year is the 20th anniversary of The Sopranos on HBO.

So I've decided I haven't rewatched it since it wrapped up, and I found it's just a wonderful time capsule of all things '90s.

And so I remember distinctly when I was in high school, if I had to call home, going and using a payphone.
CAROLE THERIAULT
Yeah, yeah, yeah, me too.
BJ MENDELSON
And that's something that you see in one of the episodes is the kid Anthony going and using a payphone to call home. And each episode seems to be this wonderful '90s time capsule.

So even if you don't like the weird dream sequences and the dumb ending, I do recommend coming back and checking out The Sopranos just for the sheer '90s of it.
CAROLE THERIAULT
I think that's an excellent one. You know, my other half has never seen The Sopranos at all, and I really— it's so good.
BJ MENDELSON
No, it is.
CAROLE THERIAULT
It's so good.
GRAHAM CLULEY
Very cool. Carole, what's your pick of the week?
CAROLE THERIAULT
Well, staying with my Valentine's Day theme, do you guys believe in soulmates?
BJ MENDELSON
I do.
CAROLE THERIAULT
Do you?
BJ MENDELSON
I do.
CAROLE THERIAULT
Perfect. So let me introduce you to a wonderful XKCD What If analysis on the concept of soulmates.

So my actual choice, just to be clear, my pick of the week this week is XKCD's What If website.
GRAHAM CLULEY
Okay.
CAROLE THERIAULT
And I'll focus on a single entry, although there are literally dozens and dozens and dozens of them. And all of them are fairly in-depth and a little bit wacky. And I chose this one.

What if soulmates existed? So the first thing the article assumes is that your soulmate is set at birth, right?

So you know nothing about who or where they are, but as in the romantic cliché, you will recognize each other the moment your eyes meet.

So in other words, in order to spot your soulmate, you need to see them. So for starters, there's so many questions, is your soulmate still alive, right?

There have been 100 billion or so humans who have ever lived on Earth, but only 7 billion are alive now. So if we're all paired at random, 90% of our soulmates are long dead.
BJ MENDELSON
That's uplifting.
GRAHAM CLULEY
That's unfortunate.
BJ MENDELSON
Happy Valentine's Day, everybody.
CAROLE THERIAULT
Or, for example, you might think, well, no, no, I want someone who obviously is alive. But then there's also age restrictions, right?

It would be completely zany if my soulmate were 95. Watch it, Graham.
GRAHAM CLULEY
I'm still holding out for Diana Rigg. I'm not going to let that get in the way.
CAROLE THERIAULT
So it all has to do with eye contact, right? But then think about how many times you make eye contact with people, right? Working from home, clue? What would be your estimated day?
GRAHAM CLULEY
3 people a year.
CAROLE THERIAULT
So if you need two pairs of eyes to meet, how do we game this? And the article comes up with: eye contact could work digitally, right? So you could do it online.

So perhaps all we need is a modified version of Chat Roulette.

So they suggest that if you use a system 8 hours a day 7 days a week, theoretically this modified chat roulette system could match everyone with their exact soulmate within a few decades.

Just a few decades. Full-time job, no holidays, few decades.
GRAHAM CLULEY
A few decades.
CAROLE THERIAULT
Okay. Now there's one big problem with all this that I spotted.
GRAHAM CLULEY
Oh, the only one? I spotted one.
CAROLE THERIAULT
I spotted a big one. What if you're blind?
GRAHAM CLULEY
Yes. They don't deserve a soulmate. They're being punished by God. Sorry, sorry to our visually impaired listeners, but someone had to tell you.
CAROLE THERIAULT
Yeah, what if you're a hermit? What if a technophobe? A lot of problems with this. But anyway, it's very charming. Beautiful, beautiful, beautiful stuff.
GRAHAM CLULEY
It is, actually. I have had a chance to read this and it is absolutely charming. I really recommend— I mean, there's very little that this chap who does XKCD does wrong, is there?

He's a very, very entertaining and thought, "Oh, I'm sure he'd love to be on the show." But there's a very long list. He would love it. He'd have to get past.

Okay, well, on that Valentine's Day note, so, Carole, have you given us an uplifting message for Valentine's Day or not from that? I'm not quite clear.
CAROLE THERIAULT
Have I given you an uplifting message?
GRAHAM CLULEY
With your pick of the week, has that actually cheered us up? Has that given us hope for soulmates?
CAROLE THERIAULT
Yeah, well, look, I think if people out there are listening today and today is Valentine's Day, then I'm very touched you're spending it with us. So happy Valentine's Day to you.

There you go.
GRAHAM CLULEY
You sad sacks. And that just about wraps it up. BJ, I'm sure a lot of our listeners would like to keep in contact with you. What's the best way for people to do that?
CAROLE THERIAULT
555.
BJ MENDELSON
That's right. Yeah, so my phone number is on my website, but the easiest thing is over at Twitter @BJMendelson and over at BJMendelson.com.

I have a bunch of stuff I'm working on this year, but you guys can check out my rendition of A Christmas Carole starring Donald Trump as Ebenezer Scrooge.
GRAHAM CLULEY
Is this in comic strip form or something?
BJ MENDELSON
No, no, this is prose. This is an ongoing prose novel that I'm publishing to bjmendelson.com.
GRAHAM CLULEY
Okay, well, we'll link to that.
CAROLE THERIAULT
Yeah, absolutely.
GRAHAM CLULEY
And folks can also follow us on Twitter at Smashing Security, no G. Twitter wouldn't let us have a G. And you can also join us in discussion on Reddit.

We have a thriving Reddit subreddit right now for Smashing Security. You can get there really quickly by going to smashingsecurity.com/reddit.
CAROLE THERIAULT
And thank you to our sponsors this week, LastPass and Boxcryptor. These guys help us give you these episodes for free.

If you want more fab guests on the show, help us boost our listenership. We need you guys, we need you. So send us some reviews, send us some love.
GRAHAM CLULEY
Until next time, cheerio, bye-bye, bye-bye.
CAROLE THERIAULT
Now, why am I talking about catfishes? I'm not making a catfish molehill here, or mountain out of a catfish molehill. You— What? What? I was just gonna get rid of that.

I'll just get rid of that. I'll just— I was— I was— this is my head. I was thinking, you know, make a mountain out of catfish.
GRAHAM CLULEY
Doesn't work. Doesn't work. Move on. Move on. Move on.

Further reading: The man suing Apple over two-factor authentication has ‘previous’.


Graham Cluley is an award-winning keynote speaker who has given presentations around the world about cybersecurity, hackers, and online privacy. A veteran of the computer security industry since the early 1990s, he wrote the first ever version of Dr Solomon's Anti-Virus Toolkit for Windows, makes regular media appearances, and hosts the popular "Smashing Security" podcast. Follow him on TikTok, LinkedIn, Bluesky and Mastodon, or drop him an email.

59 comments on “Apple sued because two-factor authentication… oh, I give up”

  1. John

    Apple should be sued for this shit. The goal is to force anyone with an Apple device to have a second Apple device in order to use the first one.

    1. Dawn · in reply to John

      Bull. Add another phone number

      1. Shawn Standish · in reply to Dawn

        I AM A SINGLE MAN AND A DAD. I LIVE 3 HOURS FROM MY FAMILY AND I AM ENROLLED IN COLLEGE. BROKE MY PHONE AND JUST PUT A SCREEN ON IT. NOW I CAN'T USE THE PHONE AND CAN'T GET INTO MY ACCOUNT AND THERE IS NO WAY TO CHANGE THE FACTOR OR GET INTO MY ACCOUNT TO ADD OR CHANGE A NUMBER, SO WHY DON'T YOU GO STICK TO SOMETHING YOU ACTUALLY KNOW ABOUT

      2. Corjo · in reply to Dawn

        He’s absolutely right. If Apple really only cared about the security of your devices, they would allow 2-FA to use emails or other forms of contact (the way that every other service with 2-FA does). As it stands, if you own a single Apple device and it breaks or is lost, you are unable to access your data on iCloud or even sign in online to set up an appointment with tech support. This is purely intentional inconvenience. If they could just allow you to include an email as an alternative for 2-FA then there would be no problem, and it would be just as secure because Google also has 2-FA

    2. Joe · in reply to John

      What a dumb comment. If you're "anti-Apple" then buy a different product, it's that simple

      1. Bear · in reply to Joe

        That’s one of the reasons why I bought a Samsung phone. Apple are tech nazis.

    3. Dawn · in reply to John

      Or you can add a second phone number and only own one product. Geez

      1. Shawn Standish · in reply to Dawn

        ARE YOU ALL STUCK ON STUPID??

    4. Bird · in reply to John

      I agree. Two factor is an inconvenient drag. I work three to five freelance jobs a day, and use my phone for documentation. My iPad might be in a different building than my phone, but unless they are near each other, I can’t send email or messages. Ridiculous.

    5. Noe huerta · in reply to John

      I agree. They connect that stupid 2-step verification and if you lose your device it is almost impossible for you to retrieve your own data and information that belongs to you and the money that you pay to have access to their iCloud. I have 2-step verification

  2. coyote

    Ridiculous. Frankly, it never registered that it takes a few seconds. Never noticed it. And if he has such a problem with it, why did he enable it in the first place? His own fault. And if he'd rather have more insecurity then that's his choice. Let's just hope it doesn't cause other people problems.

    Beyond petty. About as stupid as the woman who spilt hot coffee on herself (what kind of person would put hot coffee between their legs is beyond me) and because she's careless (and stupid?) she decided to sue for it. Funny though… Stupidity is something of a speciality of humans (and an STI, though that does not mean everyone has symptoms as such) and it says volumes (of coffee?) that more people don't try and profit from their own stupidity. Whether that's because they're too uncreative to see it I do not know, but I'd like to believe it's that they're not that pathetic.

    1. Bill · in reply to coyote

      I agree the 2FA lawsuit is stupid but the spilled coffee lady turned out to be legit. Everyone got it wrong and dragged her name into it when she was in the right. https://www.vox.com/policy-and-politics/2016/12/16/13971482/mcdonalds-coffee-lawsuit-stella-liebeck

    2. Will · in reply to coyote

      Guess what, I didn't choose to activate 2FA it was FORCED on my device. I was given ZERO choice.

      1. Soooo Frustrated · in reply to Will

        Same here. Never asked for it, just suddenly can’t do anything. And the other trusted device is with my husband who is three hours away at the moment. Can’t contact apple support because I can’t even download their app. I regret this stupid iPhone (and the two others my family has) just about every other day.

    3. MLBrowne · in reply to coyote

      In newer devices, Apple decided to automatically enable Two-Factor (not Two-Step) Authentication. You cannot opt out, and you cannot turn it off.

      I'd say that's pretty draconian, and flies directly in the face of free choice. And it is MAJORLY a pain in the neck to keep having to enter authentication codes. I really hate them for doing this.

    4. Corjo · in reply to coyote

      You know that woman won her case, right? Her story was completely misrepresented so that people could have a nice laugh at her expense. The coffee was, as it turned out, way hotter than coffee normally should be. There was something wrong with the machine and she got seriously injured as a result. Of course though, it’s easy to make a funny article making fun of someone for “suing coffee for being hot” or some shit, so that’s what everyone believes now. I think your connection between her story and this one is probably pretty spot on though. People don’t sue large companies in expensive legal battles without a genuinely good reason. It’s stupid to make a judgment about their case when you don’t know shit about it.

  3. cruachan

    Is this Marissa Mayer in disguise? She was "too busy" to even lock her phone whilst CEO of Yahoo.

    Presumably if Apple disable 2FA and he gets hacked he'll sue them for that too.

  4. Pete

    Nothing surprises me any more. Just look at the quality of the jerks people elect to public office…and nowhere on planet Earth is that more evident than in California, where this clown is bringing his lawsuit.

    There is no substitute for personal responsibility. You can’t elect morons to take responsibility for your behavior, or expect the state to come to your rescue when the cost of being a responsible user is the “inconvenience” of the time it takes to secure your systems.

    It’s especially incongruous that this jerk is suing Apple, of all companies. There’s plenty Apple does that annoys me, but I can’t fault them on their efforts to streamline the process of making my devices and my account more secure. Once it’s set up, it’s actually pretty unintrusive.

    Normally, I’d say that such an idiotic lawsuit is likely to get thrown out. But in California, where the state is aggressively legislating to protect people from even having to take responsibility for their own emotions, this kind of idiocy is business as usual.

    1. The Adversary · in reply to Pete

      Sheep like you are why we can’t have nice things that work all the time. The problems with Apple’s 2FA are legion and well documented. There’s a long Reddit thread about a poor guy who got held up at knife point and the robber took his phone and demanded he unlock it. The robber reset the password and NOTHING the victim did — including sending Apple a copy of the police report — could convince them to give him back his 10+ year account.

      Then there is the inconvenience of having to have the authentication device on you at ALL TIMES. I have three iPads, an iPhone, and an Apple Watch all tied to my account. If I were stupid enough to turn on 2FA, I would have to keep my iPhone on me at all times. That is completely idiotic. Leave the phone at work? Too bad, no iPad for you tonight unless you want to go back and get your phone.

      Apple 2FA is HORRIBLE and anyone cheerleading it makes the Fanboi base look even worse than they normally do.

  5. Angie Jones

    No organisation as far as I know sets up 2-factor authentication for you as a default, you have to opt in and set it up yourself. He's probably tried to log into his Apple ID too many times with the wrong password, so he's been locked out.

    This compensation culture has got out of hand. It makes you wonder how many companies have been sued and lost. I personally think some people shouldn't be allowed out!

    1. David · in reply to Angie Jones

      True, but I think you can opt-out as well. If you don't like the feature after two weeks you're stuck and it gets to be pretty damned annoying. I live with it, but I'd rather turn it off at this point. Every time something gets signed off or reset or updated; password and passcode. That's not too bad on the iPhone, but it's kinda silly on the iMac, the MacBook Pro, the Apple Watch, iPad mini, iPad Pro, Apple TV. It becomes a bit much considering my passwords are already difficult enough on devices like the Apple TV where I sometimes have to use the remote and on-screen keyboard. My passwords are 15+ characters, random, letters, numbers, upper & lower case, special characters and changed every 6-8 weeks. I have honestly never had an account hacked. I'd prefer two-factor authentication on my credit.

      1. Will · in reply to David

        And what happens when Apple forces 2FA on you with no choice to opt out? It happened to me.

    2. Mike Faraday · in reply to Angie Jones

      Well, they are, so buck up, buddy.

  6. Arya

    @coyote Again with the misconceptions. That woman got third-degree burns on her legs and genitals and needed extensive surgery to treat. https://www.vox.com/policy-and-politics/2016/12/16/13971482/mcdonalds-coffee-lawsuit-stella-liebeck

    1. Jim · in reply to Arya

      He didn't say the injury wasn't serious, he said who puts a cup of hot coffee between their legs. All it takes is something unexpected to happen, and the person squeezes their legs and coffee everywhere.

  7. Mike C.

    This is almost too funny, except that it gives other "smart" people the wrong ideas. I have 2FA turned on for anything I can to protect myself. I stress it to my family, who unfortunately think the same way this cheese ball thinks. "I don't want to turn that on, it will take an extra 2 seconds every time, and I just don't have the time." Till their stuff gets hacked………and then I never hear the end of it…….

  8. Filip

    SMS not secure, Mobile operator can send a text message if your phone has been switched off and on immediately (throttling).

    https://www.ptsecurity.com/ww-en/analytics/ss7-vulnerability-2018/

  9. Arf

    Apple should not make the opt-out period limited to 2 weeks. We should have the ability to disable 2FA after 2 weeks.

    Apple does not allow you to opt-out of 2FA after 2 week period, which is insane.

  10. Joe

    Is this guy for real? Why wouldn't you want 2FA. I wouldn't lose any sleep if this moron has his sensitive data stolen.

    1. Will · in reply to Joe

      maybe because he has a disability? I have issues with something that forces you to do something against your wishes.

      Android phone companies are starting to do the same thing now.

  11. Dan N

    I predict Apple will do some custom work to manually opt him out as part of a settlement. Then, because of all the press, he will become a target and get hacked, and sue Apple again because they didn't adequately protect him from hackers.

  12. Ray

    Totally agree with the lawsuit. I'm sick and tired of fingerprint scanning that's a joke, constant entering of passcodes, 2-factor requiring a second device, Apple ID re-entries, constant updates, constant maintenance.

    If people want a stupid electronic device to control a good part of their life (uh, the above seems like a good proxy of the people I'm referring to), so be it. But I'm drawing myself away from all this nonsense. Gradually but by the time I'm done I'll be back to a flip phone. A luddite for sure.

    Oh, gee, a few days ago yet another email from yet another service I use, letting me know their servers got hacked, and all my personal information got stolen. A few years ago I talked to my bank's security department as my credit card had unauthorized use 6 times. Each time the card was replaced with a different number. Only 3 companies had my credit card on file. Apple was one of them. The bank fingered them as having recently been hacked. Oh, and I need to put up with Apple nonsense to make sure no one can access all my important information.

    You folks are so far beyond understanding the problem you probably shouldn't be working in tech.

    Yes, I came out of Tech.

  13. Nexus

    No guys, this 2FA thing is causing a lot of trouble, especially for developers around the world who have multiple accounts that are decoupled from their personal icloud account.
    Apple recently forced developers to use 2FA and this has caused a lot of developers to be locked out of their accounts already. Take a look at the developer forums on Reddit and MacRumors.

  14. Lesley

    I misplaced my iPhone one evening, and went to my PC to use Find My iPhone, but couldn't log in to do it, because it was sending the 2FA code to my phone, which I was trying to find. This can be a problem

  15. Brian Moisy

    It is a major issue. I had an iPhone.. lost it.. but cannot afford a new one… I can't change the device nor can I change where the auth code goes. I have called Apple and because I cannot provide all of the minute data they are requesting, access is denied EVEN THOUGH I HAVE THE GODDAMNED PASSWORD. If on an iMac I still cannot get the damned code. They have effectively locked me out of my email. This is a major problem and BTW I worked at Apple for 6 years. YES THEY PUT YOUR ACCOUNT ON TWO-STEP AUTH WITHOUT CONSENT. This writer is an idiot… the complaint is a little frivolous but this is a real problem and a lawsuit needs to be started regarding hijacked information and Apple's security standards and denying users their data.

  16. Lenny

    Wow! Once again, the sheeple have spoken. Personally, I hope he wins. I believe in security and I have 2FA enabled on everything that needs two-factor and my Apple ID is NOT one of them. Having 2FA on my personal account should be a choice, not a requirement. Apple forcing 2FA on us is their way of subsidizing to the end user their refusal to put proper security in place. At a bare minimum, I should be able to receive a code through my email which I can access from anywhere on any device and not be forced to use an Apple or SMS device which, quite often, is the same device and may not be in my possession at the time when I really need it. I've been burned by that more than once. Forget your phone? Need to log in to iCloud? Nope. Ain't happening.

    I've seen a company have their entire development access locked out and scrapped because Apple forced an ex-employee to enable 2FA and when they went to recover the account there was no way to do it as the device tied to it was long gone. Apple refused to give them access even when they produced evidence that they were the rightful owner of the account. It was a stupid, useless protection that ultimately cost the company heartache and money to recover.

  17. AppleSince1984

    When my wife and I did an iOS update on our phones, my wife unknowingly activated 2FA (since it comes up as a default that you have to basically opt out of after an upgrade). I could not use our other two phones or our several computers without access to HER phone. Since we had just activated it, I managed to opt out, but doing so required changing the password on the account. This seemed sort of counter-intuitive, since the whole 2FA thing is to prevent someone from using your devices with just your password, but apparently saying you forgot your password and creating a new one just circumvents the whole 2FA thing and lets you create a new password without 2FA. This workaround seems insecure, but I did not mind since I got my password-only access back.
    I still get alerts on all my devices to complete the 2FA process, so I hope it really has gone away.

    2FA should be an option and it should be reversible at ANY TIME, if the user is willing to give up whatever services Apple ties to it.

  18. Quincy Bingham

    I agree. There is NOTHING I hate more than two-step verification. Let me risk my stuff if I want, but don't waste my time with this irrelevant BS. I have LastPass and a password scrambler. I don't need two-step verification on ANY of my apps. That guy is a HERO. Leave US ALONE.

  19. William Holder

    Cluley? More like clueless. Yes, 2FA sucks and so do you.

  20. Pabloleyva

    If you have an iPhone and a Mac and for whatever reason your iPhone gets damaged, lost, etc., and you have to wait sometimes weeks to regain access to your computer, then you will realize how stupid two-factor authentication is. As Apple will tell you, two-factor authentication is not a choice for some new features, and once they force you to sign in, there is no way to cancel it. I am all in for security, I just don't think two-factor authentication is a good fit for everybody, and it shouldn't be forced on to anyone.

  21. Emilee

    Haven't seen an update on this but I really hope this guy wins. I am SO SICK of Apple. They do all this shit and require you to Google questions about how the fuck to log into your account. The guy trying to sue Apple is ABSOLUTELY CORRECT. The person writing this article is being a close-minded arse. It is so frustrating. Imagine being a teacher, as I am, and every time I try to open anything on Apple it asks for extra shit and half of those times it doesn't even work. And to not have an option as to whether or not to participate in this time-consuming, annoying, hair-pulling step is just peak Apple. I have a Samsung phone because I HATE Apple's evilness and sneakiness. It's amazing to me how many people just follow Apple blindly. Google too has added ways to protect its customers but at least it doesn't make it fuckin impossible to sign into an account. I HATE APPLE!!!!!

  22. hal

    F**k apple. Now I cannot access my email in Outlook because of 2FA. F**k off Apple and all its stupid cult followers

  23. Sayre

    My 1.5 year old Macbook randomly broke on me last week. Apparently, I was signed up for two-step authentication without knowing it when I first got the computer and after the first month you're barred from opting out- I was told it's literally impossible. That's a pretty strange thing to require.

    I have an old Macbook from 2008 running on Yosemite that still works really well (but no other Apple products), so I decided to just link up my iCloud and I'd barely suffer an inconvenience with any lost work or time. After all, I have the password and my Samsung phone is listed as one of my devices.

    When I tried signing into iCloud, I was only given the option to send it to the Apple device which is completely broken (I was quoted essentially the price of the unit to repair it). I was not given the option to send to an alternate approved device. I called tech support and the guy told me there is basically nothing they can do. He said, if I had an additional newer Apple device linked to the account, he might be able to do something, but otherwise SOL. (I don't) I asked if there wasn't anything they could do on their end for cases like this with lost or broken items and he said they have absolutely no access to assist to keep it super secure. I said, "Security's important but I'm never going to be able to get into that device again so it kind of sounds like I'm just going to permanently lose all my stuff…" and he kind of chuckled and said, "Yeah, sometimes we can help them find a way, but I'm not gonna lie, people actually get permanently locked out of their stuff pretty often." and suggested that I buy a new Apple device with AppleCare.

    Guess who's not a Mac person anymore. (Points to self) Pretty obviously not actually for the customer's best interest through the fact that they completely disallow opting out and can make it easier for you if you have multiple Apple devices. Screw this company. I hope they get sued often and repeatedly.

  24. RK

    Why does Apple not correct two factor authentication or advise how to circumvent since so many of their customers dislike it? I hate it and find it to be a great hassle. I never even enrolled and Apple cannot/will not show me confirmation that I did. After 2.5 hours on chat, the Apple expert and her supervisor answered I was stuck. Apple showed no indication or interest to look for a solution.

    I need to purchase a new laptop, but I do not know if that will get me out of two factor authentication. I am ready to get a new Apple ID and new iCloud account and email address.

    Should I cut my losses and stop using Apple devices, services et al? I have 2 Macs, 3 iPhones, 2 iPads and an Apple TV. Replacement is a hardship with a reduced income from retirement. But because I am technologically illiterate, learning all the functionality from the past 15 years is daunting. Never got the impression Apple valued seniors.

    1. S Jobs · in reply to RK

      YES. Cut your losses. Apple 2FA is absolute crap. It's a shame it doesn't force them out of business.

  25. Irv

    I am a poor 88-year-old man without a phone, so I'm stuck with an iPad I can't use!

  26. Irv

    The OS upgrade that Apple did on my iPad without my permission put in 2FA that locked me out of my own property, as I don't have a phone.

  27. Don Gillies

    My laptop spams me 4x a day asking me to enable 2-factor authentication. This is harassment. When I bought the product it did not have this spamware on it. Apple is a spam-producing company!

  28. Tedros Adhanom

    F**k you. 2FA is a thinly veiled method for extorting yet more of users' sensitive personal information (namely phone numbers). You can offer strong encouragement, but IT SHOULD BE POSSIBLE TO OPT OUT.

  29. blackfire_twentynine

    I didn't sign up for two-step authentication; they don't allow me to opt out.
    Two-step authentication has made it impossible for me to even log into youtube without giving them my phone number. My phone number is none of their effing business, and they demand too much info.

  30. AB

    I loathe 2FA, too. It's enabled on most of my accounts, but I've been waiting for YEARS for U2F to replace it. The authentication app's on my phone which, thanks to how much I use it, is always plugged in charging somewhere else from my computer. So with every secured account I want to access, I have to get up, walk downstairs to my phone, punch in its security code to get into the phone, open up the app, memorize the 2FA code, run back upstairs before the 2FA code expires, and if it's Google Authenticator, manually position my mouse in the entry field (unlike Authy that does this automatically), and hope there isn't some problem so that I have to repeat all the steps. Just to get into one out of 100 such "secured" accounts. I'd much rather use Authy than GA, but far too many of my accounts don't support Authy, so…

    I bought a U2F device just so I could conveniently use it instead, leaving it next to my computer. But, of course, none of the sites I need to protect are compatible with U2F, so I'm stuck with 2FA. A lot of my colleagues disable 2FA when they're working because of these same issues–frustrating the security objectives of 2FA. If someone else doesn't mind these steps, OK for them. But it's time to make U2F truly universal so all the rest of us have to do is plug in our secure device to get into our accounts. We can marry security and user convenience if enough companies make the switch to U2F.

  31. Joe

    You're a veteran of the security industry? Lol. You shouldn't be let anywhere near security and you should be sued for writing something this stupid. 2FA using SMS is the dumbest thing anyone could have ever thought of.

    1. Graham Cluley · in reply to Joe

      I'm not saying SMS-based authentication is fantastic. If you read many of the articles on this site you'll see I'm an advocate for folks to use stronger methods of protecting their accounts.

      But, even though SMS is one of the least secure methods of multi-factor authentication, it does make your account a lot more secure than if it doesn't have *any* additional authentication checks in place.

      SMS-based 2FA is better than no 2FA.

      1. The Adverssary · in reply to Graham Cluley

        That is just wrong. Amazon is using SMS 2FA now. For whatever reason, amazon.com and/or my iphone will not recognize each other. Each time I log in it insists upon sending an SMS AUTHENTICATION LINK TO THE SAME iPHONE I AM LOGGING IN FROM. Open the text, click the link, click approve and I am in. It is annoying, time wasting, and adds ZERO additional security because it is coming to the same device that is trying to access the account.

        2FA just plain sucks.

  32. MB

    It's time for places to start being sued for all of this two factor authentication, captcha, "complicated" passwords, etc. bullshit. Enough is enough. Do you know I need a password to pay my property taxes? Like, seriously… you're worried somebody is going to PAY them for me?

  33. The Adversary

    Here is why Apple 2FA sucks.

    https://www.reddit.com/r/apple/comments/8tbvtb/how_two_factor_authentication_screwed_me/

    Read this guy’s story. Even with a police report Apple REFUSED to unlock his 10+ year old account. He gets locked out of every Apple device he owns and then has to start a new account with factor resets and the whole nine yards.

    The only security lesson here is buy a gun.

    I will never voluntarily turn on 2FA.

  34. CB

    Tried watching an Apple TV Plus show tonight in my room on my tablet. Nice new big screen, so didn't want to use my iPhone 12. Logged in, 2nd stupid verification on phone. Next, chose episode and it wanted a freaking credit card verification, so now it's f'n 3 factor. I have it memorized so entered as requested, then it said you can turn on age restrictions (whatever). Closed that and it asked for card again and again and again. Turns out it went right back to a 2 factor for that as well. By the time I figured it out, Apple locked me out on my Amazon tablet. You guys still support Apple when a paying customer can't watch a freaking show? Btw, it's like 4 factor at that point. Fu** Apple! F'n hate it. Also old Apple TV doesn't work because of this, no means of doing 2 factor on original Apple TV so they suggested buying the latest. Criminal. Argue with me or support Apple still after reading this and you are a moron and part of the idiot herd mentality for sure.

  35. John

    Unless Apple has changed its policy on two-step authentication, I thought it was optional unless you activated it, and then it will not allow you to disable it. So this person must have activated it and then decided it was too frustrating. I guess another frivolous lawsuit, which in my opinion Apple could have avoided by just allowing users to turn it off if they decide they don't want the extra security.

  36. Damien

    You, sir, are an idiot who has entirely too much time on his hands. Apple's 2FA IS a nightmare for anyone who stores important shit on their phones and they SHOULD BE SUED. For a company that issues a new phone per year to have a system wherein it cannot let people in their accounts if something goes wrong, that's a nightmare, one I'm going thru at present. They charge an arm and a leg for these devices so I don't think it's asking too much to ask them to actually provide adequate solutions to problems with their software features that NO ONE asked for.
