
Any time I turn in a macbook for repair they demand my admin password. Fuck off. Erase it, I’ll restore, but I’ll never give you access.

They are trained to make you feel like you have something to hide.



I had this experience a couple of weeks ago at an authorised repairer. They asked for my password, and I refused, but I was curious. So I said, "I'm surprised you're allowed to ask" and the guy said, "We're allowed to ask, but we're not allowed to insist".

A few years ago my bank would ring me up every couple of weeks and say "Hi, I am calling from your bank, we want to talk to Doctor Eval(), can you please verify your date of birth and we can get started?". They would get so pissed off when I wouldn't tell them. I was like, "how do I know you're from my bank?". (Banks seem to have stopped doing this now).

For companies which should be putting security at the centre of their business, they apparently have no idea that they're normalising phishing.


> For companies which should be putting security at the centre of their business, they apparently have no idea that they're normalising phishing.

Yeah, this appears to have stopped, but was somewhat common a few years ago. My standard response was 'you called me, tell me who you are and I will call back on the official line'. They couldn't object to that. It was obviously some plan to 'ensure user privacy' that once it became known to one or two people with the authority to do something about it and the knowledge to know better it was quashed.

Now if only they would allow you to enable 2FA options that aren't SMS and also disable SMS. They don't understand that SMS being a terrible 2FA system isn't mitigated by 'but you can enable other things' if you cannot remove SMS as an option.


Now if only they gave me a real 2FA option that doesn't actually decrease security. So they made a fancy app where I need to confirm PC logins with a 5 digit pin. But the same app is also their official banking app and lets me do everything with my account, all with the same 5 digit pin. I don't even need to enter the credentials necessary on the PC. This is what you get when the government tries to mandate security.


> This is what you get when the government tries to mandate security.

The NIST actually has great guidelines for digital identity authentication:

* https://pages.nist.gov/800-63-3/sp800-63-3.html

Don't blame the government -- they outlined an ideal way to do it on many levels of need. Blame the specific people who implemented that specific system.


I didn't know that. What makes SMS a terrible 2FA? (other than the fact that you can lose your phone, but that's true for any "have" factor)


"SMS-transmitted OTPs are susceptible to a variety of attacks. One is by obtaining control of a target’s cell phone number, often by calling the cellular provider or going into a retail store of the provider and impersonating the subscriber. In 2016, the chief technology officer of the US Federal Trade Commission had her number hijacked this way. In other cases, the interception is the result of compromising the mobile account because it’s protected by a password the subscriber used on a different site that was breached. Still other interceptions are the result of exploiting decade-old weaknesses in the SS7 routing protocol that carriers around the world use to ensure their networks interoperate. OTPs are also vulnerable to phishing and social engineering attacks, as long as the attackers enter the codes quickly after obtaining them."

* https://arstechnica.com/information-technology/2017/05/thiev...

* https://arstechnica.com/information-technology/2018/08/passw...


This is something I still cannot understand, in the sense that usually the procedure is the following, at least with my bank (that uses SMS OTP):

On the website:

1. you input a user ID

2. you input a password or PIN

3. you press a button that sends a SMS with an OTP code to the registered cellular number

4. you input this OTP code on the site

Even if someone can intercept the SMS, they wouldn't (shouldn't) have ID and PIN.


For one thing, there are a lot of security holes that let people reset passwords by getting a code via SMS

For another, what's the point in having 2FA if one of the factors is completely insecure? It's just an annoyance at that point, and a good way to ... tie your account to your phone number, which just coincidentally happens to be the primary key for most advertising tracking services. What a coincidence


By that logic, you don't need an OTP code at all, because your adversary "shouldn't" have your password or PIN.

The entire point of two-factor authentication is to provide an extra layer of security for when the first layer is compromised.


I think the logic is the same.

Having the possibility/capability of intercepting the SMS is only effective if the ID and PIN are already known, and while surely there are "other" ways to get them, the attacker needs all three.

From what I have read/seen, most if not all successful attempts to access someone else's bank account online go through some form of phishing.


Not only phishing, but too many people have the terrible habit of using the same password everywhere. So with public breach data, it's not a stretch to think bad actors would try, and probably be successful way too often, to use said credentials on bank sites.


Assume for all these attacks that the user has been first thoroughly keylogged via malware or had all static credentials stolen first via leak or phishing.

The SIMjacking is the last barrier to access.

In most cases people reuse passwords and their login/password are known via any number of a million dumps of large websites whose dbs have been breached.


You build a fake website. The victim enters their ID and password. The fake website asks for the SMS TAN. The victim gets an SMS from the actual bank and enters the TAN. Profit.

It doesn't have any security benefit for phishing like this, it's just one additional password input field.


Sure, but in this case, like in many "phishing" schemes, there is no interception of the SMS, this same approach applies to all other authentication tokens, as it is the victim that enters the OTP on the (fake) site or communicates it to the phisher who calls impersonating a bank employee.


> this same approach applies to all other authentication tokens

Not true. FIDO prevents this. The key is bound to the site you authorized it on, so inputting the key while connected to a phishing site will do nothing.

* https://www.yubico.com/authentication-standards/fido-u2f/


Yes, I meant those (I believe much more common) various hardware token generators and those "in-app" ones (issued by the bank), that end up as 6 or 8 digits that you have to type on the site.


How easy it is to SIM swap: you can go to any phone store and, unless the manager at the location is competent, you can get a new line in a person's name or a new phone with an old number. It's incredibly easy and you can read about a lot of them happening on Krebs's website.


Banks in the UK used to get you to enter a PIN on your phone keypad to authorise them (different PIN from your ATM cards!). I pointed out to the call handler one day that when I entered my PIN I could still hear background noise from his open mike, and did that mean he could hear what I typed?

"Yes, I hear you typing in the PIN"

Oho, but that's a bit of security hole, isn't it?

"It's just beeps though, I can't tell what you typed"

Yeah but someone suitably skilled *could*, is my point!

"Yeah but it's just beeps, like this <beep beep beep beep>"

Okay and you typed 1 3 5 8.

"Uhhh... oh. Yes, I did. Uh, how did you do that?"

I've got an ear for it. This is absolutely not a criticism of you in any way and thanks for helping me demonstrate it, but could you get your supervisor to play this call to their manager and get back to me, once we're done with the call?

"Yes, I'll do that"

Awesome! Now these bank transfers...

They didn't call me back, but now call handlers transfer you to a totally different service to put a PIN in.


-> /r/thathappened


It probably depends. There are no official Apple repair shops here, but some partners. Some years ago I had to replace a battery in my mother's Apple laptop and one of them refused to replace the battery if I didn't give them the admin password. I had to make a full backup, erase all data and restore it after the battery replacement. I haven't had such an experience with the other Apple repair shop here.


I've had two macs repaired - once at an apple retail shop, and once at an "authorized repair" place. I either wasn't asked for a password, or they asked but made it clear they didn't need it. Of course I would never give it. Maybe that's not the norm.


In my experience, they’ve always asked, but I’ve always refused and they say OK actually we can boot a test image another way (like their diagnostics thing that they boot from the network to run tests while you’re there).


Since they don't need it, they shouldn't even be asking in the first place.


When I worked there back in the day, it was mostly a pro-active thing, especially for any repairs that weren't obvious hardware faults so that when/if something was fixed, we could validate that it was fixed for the actual user too. Customers for some reason I can't fathom (/s) absolutely hate it when they drop a machine off for repair, we "fix it" (by which I mean, do whatever or nothing and find that it works in a clean test image) and then when they take it home / turn it on at the store the problem remains because the issue was either software to begin with or a combination of hardware/software.

They equally hate the "we told you your computer would be ready in 3-5 days, but we haven't been able to reach you for the last 5 days to get your password since we determined it was a software issue and we couldn't go any further so it's still going to be another few days" experience.

So the default was to ask to make the experience as smooth as possible. But we were never instructed to pressure someone into giving up their password, just that we inform them upfront that without it all we can do is boot a test image to validate and that there's always the possibility software may play a part and still be a problem and we would want them to boot and confirm before leaving when they come to pick it up. Guest accounts were fine too. As was the customer giving us a formatted machine if they wanted. That was usually the best of the options because if the issue was present in a freshly formatted machine, we already rule out most / all of the software and we didn't have to deal with data loss issues (more than one customer signed the "I know I will likely lose data in this hard drive repair and I have a backup" line and then still pitched a fit when they did indeed lose data).

Apple had very strong rules about customer data privacy and snooping around was a good way to get fired (and I knew one person who did get fired for it). In fact, I've worked in health care and frankly Apple's rules for data privacy and secrecy (both theirs and their customers') were far more stringent than the health care job's. HIPAA says protected info is any combination of identifying information AND medical information[1]. So your address and phone number, not PHI. A list of all your medications with nothing that identifies you, also not PHI. Technically your list of medications with your "patient number" could also be "not PHI" if there is no reasonable way for the patient number to be tied to identifying information without having access to the other protected data. At Apple, all data was considered private and confidential and anything that wasn't required to be kept for record keeping was to be shredded when it was no longer needed, regardless of whether that data could have ever been connected back to a customer.

Not to say that people don't abuse their access (again I knew someone who got fired for that), but at least in my time there they were very serious about only using the least access you needed and never told us to give anyone a hard time about wanting to keep their data private.

[1]: https://www.hhs.gov/sites/default/files/ocr/privacy/hipaa/un...


The shop can only be as serious about privacy as the local manager of that location is. Sounds like your manager was a mensch, but I would imagine (and the study indicates) most are not.


Agreed that (especially at scale) you're only as good as your local management is. But there's something to be said about company culture too, and Apple's infamous secrecy permeated all parts of the culture to apply to all data, not just Apple proprietary data. A manager that allowed employees to get away with snooping would have at the time found themselves just as fired as the snooping employees if/when word of that made it to the regional managers.

Whether it's still like that I couldn't say. From the outside, it certainly seems like some of that infamous secrecy has been toned down. Though whether that's culture/company change or the nature of being so big that even the smallest parts of your supply chain make noise I couldn't say. At the size and rate they've grown the retail business, there's also the possibility of just hiring so many "warm bodies" that embedding that culture is more difficult too.

And being fair to this study's subjects, I'm not sure you can even say much about the managers themselves. This sort of thing would be exceptionally easy for any half way competent tech to do without tipping off their manager. Apple might have the power and clout to heavily restrict what devices you bring into the back rooms, but I suspect your average local tech shop isn't doing bag checks and device checks on their employees. Who's really going to question the local tech carrying one more thumb drive than normal? And since these are customer machines, it's not like you have corporate MDM software installed that can report when an external storage device is plugged in.


Yep, except this one 3rd party repair shop insisted on my password to my drive just for a screen clamshell assembly (MacBook) and keyboard replacement.

I let him watch me type it in (on a cracked screen with a broken A key) and then proceeded to erase all partitions before I left it with him.

It was preset to "fuck you", just in case.

(You do do backups, don't you?)


Apparently you are a very advanced user. 99% of the time users want, explicitly or implicitly (more often the latter, and they get sad or mad if their implied expectation isn't met), for you to return their devices with all their files intact. So the technician needs access to dump their files and put them back after re-installing the OS. Advanced users just back up and wipe their data themselves before they hand the computer over to the service.


[flagged]


Don't understand the downvotes.. you gotta vote with your wallet. Anyone asking for a password immediately loses all credibility in my eyes.

And besides, Apple churns out a lot of hype around their good privacy policies; it is good to know that not everything is gold dust when it comes to them.


Because the solution is pretty clearly “say no”. It’s a weird policy that they’re allowed to ask, but that’s about it.


If you know that that is an option. How is that not a dark pattern?



