Hackers break into a mobile phone through its bound mailbox and blackmail the owner; experts advise "jailbroken" users not to install new software
Recently, Guangzhou resident Mrs. Liu woke up to find that the precious photos recording her baby's growth had been deleted from her phone, and that she had received an extortion message from the attacker reading "we will contact you in three days to unlock". It turned out that Mrs. Liu's Apple account was bound to a NetEase mailbox; the mailbox account and password were stolen, and the phone's information was erased. Facing the disaster, Mrs. Liu urgently complained to NetEase, which replied that she should go to the public security department to obtain the relevant information. With the help of Apple customer service, Mrs. Liu recovered her account password, but the data could not be recovered. Mrs. Liu believes Apple is at fault: on the one hand it failed to notify her of abnormal changes to her account; on the other, a mechanism that lets a password be changed through the bound mailbox and the phone's information erased poses a security risk. Apple customer service explained that by default, whoever holds the master account password is treated as the owner of the iPhone.
The Find My iPhone function was originally meant to protect owners from information leaks after a phone is lost, but here it was turned against the owner. IT security experts said attackers can steal a user's account credentials by brute-forcing the login interface or by planting Trojans; they advise users not to reuse their Apple account password on other sites and, if the phone is "jailbroken", not to install unfamiliar software.
Story by Guangzhou Daily reporter Li Hua
Intern: He Zhirong
Email account stolen
iPhone information erased
Early one morning Mrs. Liu found that her iPhone had been reset to factory settings: address book, photos, everything was gone. She opened the NetEase mailbox associated with her Apple ID and found several emails received at 2:30 a.m. recording a series of operations: her Apple account password had been changed, Find My iPhone had been initiated, the iPhone had been located and confirmed, its information had been erased, and so on. There was also an email reading "we will contact you in three days to unlock".
It reminded Mrs. Liu of a friend who had recently been blackmailed after hackers stole the friend's account; she had never imagined she would be "scammed" herself. Her Apple account was bound to a NetEase mailbox. The hackers cracked her mailbox password, used the NetEase mailbox in the middle of the night to change her Apple account password, and then remotely deleted the address book, photos and other important information on her iPhone.
Mrs. Liu hurriedly contacted Apple customer service and, with their help, got back her account password and address book, but the photos on the phone had been erased, and even the pictures uploaded to the cloud had been deleted and could not be recovered. Fortunately Mrs. Liu had not bound a bank card to the account, so there was no monetary loss. It was still an unexpected disaster: she woke up to find the precious photos recording her baby's growth deleted and herself facing blackmail from the hacker.
Mrs. Liu reported the case to the police and also complained to NetEase customer service that her account had been stolen, hoping to obtain information about the hacker's logins.
NetEase's reply disappointed Mrs. Liu: "NetEase admitted that they can monitor abnormal IDs, but told me explicitly that even if there were abnormal login records, they had no obligation to provide them to me, and that I should go to the public security department to obtain the information." But there has been no word from the public security department either. "The police probably think I only lost some photos and had my phone hacked, that it's no real loss, and that there is nothing to deal with." Mrs. Liu said: "The damage is done and I can't undo it; now I just want the criminals brought to justice."
Mrs. Liu believes Apple is at fault, because a mechanism that lets someone change the password and erase the phone's information directly through the bound email poses a great security hazard. "When I first turned on the phone location function, it should have given me a full warning and asked me to bind a phone number, for example, so that if someone wanted to erase my phone's information they would have to enter a verification code sent to the phone. But it didn't remind me, and I didn't realize there was such a big hidden security risk." What distressed Mrs. Liu further was that Apple customer service told her the hacker had deleted her information in order to extort money from her; she thinks "Apple's remote-wipe vulnerability amounts to handing hackers a blackmail platform, and Apple knows about it."
A week has passed, and neither the public security department, NetEase, Apple, nor even the hackers have contacted Mrs. Liu again. She hopes the incident will draw the attention of all parties to protecting consumers' rights and interests against hackers.
Apple's response
Recommends the relevant security features
Regarding the fact that the Apple ID password could be changed through the bound mailbox, bypassing the security questions, Apple customer service explained that there are two ways to reset an Apple ID password: one is to retrieve it through the bound mailbox; the other is by answering the security questions. For the first approach, customer service advises users to set up a rescue email, so that the password reset email is sent to the rescue address the user has configured rather than to the main email account bound to the Apple ID. Then even if the main email is stolen, the Apple account password cannot be tampered with. Users who want more assurance can also turn on two-step verification, which binds a phone number and issues a fixed recovery key. Once two-step verification is enabled, anyone wanting to reset the password must provide both the recovery key kept by the user and the verification code Apple sends to the bound phone number; neither alone is enough.
Apple customer service also admitted that anyone holding the Apple ID password can remotely wipe the phone's information without additional verification, because by default Apple treats the holder of the master account password as the owner of the iPhone.
IT specialists
Don't share passwords, don't install new software
Chen Yusen, co-founder of Pavilion Technology, explained to reporters that the Find My iPhone function is meant to prevent personal information from leaking after a phone is lost: it can remotely lock the phone and erase all information on the bound device. So the key question is how the attacker obtained the user's Find My iPhone account password (that is, the Apple account password).
He explained that there are roughly three possibilities. The first, and earliest, is that the login interface could be brute-forced, that is, a large number of different passwords are tried against the same account; this was the problem behind the earlier leak of Hollywood actresses' photos, but Apple quickly patched that hole.
The second is that many users register a personal email address as their Apple account, and the same email-and-password combination is also used on other sites and has been leaked there, leading to the Apple account being stolen. The third is that some users jailbreak their iPhones and then install software that may contain Trojans, leading to account theft.
If an Apple account is stolen, the harm is obvious. Is there a way to protect the information on the phone? Chen Yusen's answer: keep the account from being stolen in the first place; if you think the password may have leaked but it has not yet been changed, change it immediately; if the account has been stolen and the password already changed, there is little you can do. Once an account is stolen, not only can all information on the phone be deleted, the phone can also be remotely locked and turned into a brick, and the owner may be blackmailed by the hacker.
"The difficulty for Apple in helping is that it is hard to confirm that the (claimant) is the true owner," Chen Yusen says of the identity problem.
Chen Yusen also said that stealing a user's account and password and remotely controlling the iPhone requires a certain technical threshold. Trojan theft on jailbroken devices, for example, requires a fairly high level of skill to write the Trojan. "In general, the iPhone's security is okay." Chen Yusen advises ordinary users to raise their security awareness, not to reuse their Apple account password on other sites and, if the phone is "jailbroken", not to install new software.
In addition, the Apple login password should not be too simple or follow a pattern; it should be as complex as possible. Otherwise hackers may repeatedly test the user's password through "credential stuffing", using passwords leaked from other sites; many users' passwords are stolen this way. Once the user's phone is bound to bank cards and the like, the loss could be disastrous.