I choose not to use 2factor because every extra step is a PITA. To compensate for my astonishing lack of security awareness I don't take nudie pics.

It only seems to come into play when you want to access your iCloud/iTunes account from a new device. I just bought music from iTunes on the computer I set up two factor on and it didn't come up. It came up when I rented a movie with my AppleTV but it wasn't a big deal to type in the four digit number Apple sent to my phone. Probably won't come up again for that device, either. Not really a PITA in my opinion, except for the person trying to break in, so I think a little extra effort is worth a little more peace of mind.
 
Glad that Tim Cook himself is speaking up and Apple is actually showing responsibility by making changes to security. Old Apple under Steve Jobs would stonewall for as long as possible, hoping that the story would go away.

Maybe it's not so smart to "take responsibility" when you've done nothing wrong. Many people will read headlines and think it was Apple's fault and iCloud is damaged goods when in fact, this is more about the dangers of the Internet in general and how users should be more vigilant.

Investor's Business Daily has a major article on Apple in their Friday paper in which they claim that iCloud was hacked. If a major financial paper gets it wrong, I fear the public perception may not be much different.
 
This celeb situation was unfortunate, but I think it's going to benefit us all in the end. I expect Apple to develop much better security features in the future. The whole industry is pretty weak with passwords, and security in general. Apple can innovate when they want to, I wish they would figure out a new way of dealing with passwords, logins, failed attempts, password changes, etc.

I know very little about this stuff, but I always wonder why my Gmail got hacked, and the IP is from China, why they don't give me an option to disable any logins from outside my home country.

There are some obvious loopholes they need to fix asap - the 2 step authentication for iCloud backups (maybe encrypt by default?), and the iCloud token exploit.
 
Not everyone has two or more Apple devices.

That's why there's the master key you print out and put in a safe place. You only need two of the three items to verify yourself. It's up to you to keep that info away from other people.

----------

It's 100% Apple's fault. I'm a computer engineer but I didn't know how to activate the two step authentication.

Seriously. I'm a motion graphics designer and I did it.
 
If I had been in charge, I would have immediately drawn a huge X through that whole mess and fired the person who was stupid enough to have presented it as an option.

Aaah, that's how resetting a password through security questions is supposed to work.

How else can it work? Should it send you a confirmation email which you cannot read because you don't have the password for the email account?

Without the 2-Step or a similar thing that's how any online account system resets your password through security questions.
 
Actually, they have inside people constantly testing the system for flaws. Like a security expert in another article says, Apple is trying to balance ease of use with high security. Anyone who has worked for a company who locks down their employee computers to the point of almost making them unusable for work understands this. I have one client who can't use iTunes at work to find music for shows, even though she is the company's show director. She has to do it at home on her own computer. She's also my only client who can't share files on Dropbox with me so I have to have a special Box account just for them. It's ridiculous.

I know exactly how you feel. The company I work for borders on insane with their security requirements. It causes more calls to the Helpdesk than actually working.

At one point it took 3 years and finally a personal call from upper management in corporate to bypass protocols just so I could get access I needed TO DO MY JOB.

Security is great, but if not balanced with ease of use, will be burdensome.
 
With all the hoopla lately... I decided to try Apple's 2-Step Verification.

But I couldn't remember the answer to one of my security questions...

:eek:
 
Maybe it's not so smart to "take responsibility" when you've done nothing wrong. Many people will read headlines and think it was Apple's fault and iCloud is damaged goods when in fact, this is more about the dangers of the Internet in general and how users should be more vigilant.

Investor's Business Daily has a major article on Apple in their Friday paper in which they claim that iCloud was hacked. If a major financial paper gets it wrong, I fear the public perception may not be much different.

Hiding doesn't work nowadays, not with the speed of information on the internet. People want swift action of some sort to feel better about a bad situation and any waiting will make people, especially professional haters, make it seem like the company is hiding something.
 
Aaah, that's how resetting a password through security questions is supposed to work.

How else can it work? Should it send you a confirmation email which you cannot read because you don't have the password for the email account?

Without the 2-Step or a similar thing that's how any online account system resets your password through security questions.

A good password can only be brute-forced. It cannot be guessed or derived from other information. It can't be looked up on Google.

Assuming people create good passwords (yeah right), it is stupid to compromise them with straightforward questions that require people to lie in order to achieve some level of security. Many people aren't sophisticated enough to realize they need to lie and lie well in this situation, and tacitly requiring this sets them up to fail. This is especially true for celebrities. And heck, some people don't like to lie, so there's that.

Furthermore, good answers to the security questions are just like good passwords; they're random, they cannot be remembered, and so they must be recorded somewhere. Speaking for myself, if I lose my password, I will have also lost the answers I gave. So for me, the only way they could increase security is if (a) I stored them in separate places, which I don't, and (b) Apple or my bank or whoever stored them separately or encrypted them differently or whatever. I would not take (b) for granted.
 
A good password can only be brute-forced. It cannot be guessed or derived from other information. It can't be looked up on Google.

Assuming people create good passwords (yeah right), it is stupid to compromise them with straightforward questions that require people to lie in order to achieve some level of security. Many people aren't sophisticated enough to realize they need to lie and lie well in this situation, and tacitly requiring this sets them up to fail. This is especially true for celebrities. And heck, some people don't like to lie, so there's that.

Furthermore, good answers to the security questions are just like good passwords; they're random, they cannot be remembered, and so they must be recorded somewhere. Speaking for myself, if I lose my password, I will have also lost the answers I gave. So for me, the only way they could increase security is if (a) I stored them in separate places, which I don't, and (b) Apple or my bank or whoever stored them separately or encrypted them differently or whatever. I would not take (b) for granted.

You are absolutely right but what you are criticising is the "security questions" system in the first place, which almost every single online account I have uses. It's not Apple's invention. Security questions have existed since the dawn of online accounts and you can hack each of them the same way.
 
They did think of this before the damage was done. A year and a half ago Apple released 2-step verification. Had those celebrities enabled 2-step verification, this wouldn't be an issue.

Everyone should have 2-step verification enabled, but especially people who are in the public's eye. Those people should be very security conscious. In addition, their PR reps and agents should have ensured security steps were taken. The blame is almost entirely on the celebrities; Apple offered them the tools necessary to protect their data.

This. I love how everyone gets on the "iCloud breach", "Apple should have done more" bandwagon without having a clue. The security measures are there (two-factor) and have been.

Stop blaming Apple / Tim Cook when you are too lazy to use the security measures that are readily available to you - and you are using easy-to-guess usernames and passwords.
 
And still people will continue to bash Apple, still use password123 as their password, and not set up two-factor authentication.
 
This person is an idiot. Gee if I pour gasoline around my house and light a match, it will burn down! :eek:

If I have remote or physical access to the computer, I don't have to hack it, I already own it!

Her point seems to be if you have someone's username and password you can do all sorts of sinister things. Not sure why she is so shocked by that.
 
Her point seems to be if you have someone's username and password you can do all sorts of sinister things. Not sure why she is so shocked by that.

Well, the thing you can do is authorise every computer and if a new computer accesses your account, warn the user.
 
Seriously. I'm a motion graphics designer and I did it.

I googled and found the method. That's the problem. You can't do two step authentication on your Apple device settings but need PC/Mac/Browser and have to wait 3 days. What a hassle! I still believe the security breaches were Apple's 100% fault.
 
You are absolutely right but what you are criticising is the "security questions" system in the first place, which almost every single online account I have uses. It's not Apple's invention. Security questions have existed since the dawn of online accounts and you can hack each of them the same way.

I've always thought security questions were stupid, but forget about that for the moment. Why do you think that having lost access to an Apple ID, bank account, or whatever, implies having lost access to the email account associated with it? You said earlier:

How else can it work? Should it send you a confirmation email which you cannot read because you don't have the password for the email account?

If you've lost access to the associated email account, that's a separate issue. So to get back to my original post, I stand by it completely. Doing a password reset right then and there after answering a couple of security questions without some sort of independent confirmation is utterly incompetent.

Then again, I've never had to reset a password because I forgot, so I don't know how these things work IRL. Whenever it's happened, it's been because a given forum or whatever derped on me, and they emailed me reset instructions.
 
I googled and found the method. That's the problem. You can't do two step authentication on your Apple device settings but need PC/Mac/Browser and have to wait 3 days. What a hassle! I still believe the security breaches were Apple's 100% fault.

You don't have to wait 3 days unless you recently made changes to your account. That 3 day wait is for your own protection so a hacker can't switch you to 2 step verification after hacking your account.

----------

If you've lost access to the associated email account, that's a separate issue. So to get back to my original post, I stand by it completely. Doing a password reset right then and there after answering a couple of security questions without some sort of independent confirmation is utterly incompetent.

The services I have in mind are email services to begin with. Gmail, MSN, iCloud, these all have their own emails. So if you lost the password to these accounts, you wouldn't be able to check your email anyway. So a confirmation email is useless.

The only solution I can think of is forcing you to enter a secondary email address which is not connected to the account as a backup. Gmail has this "backup email" but I don't know if they force this.
 
I want to set up 2 step authorization but can't remember my security question answers. (Well, I think I remember but it's not accepting them.) Apparently I don't have an emergency email with Apple so I have to call support. Thus, I keep putting it off. :(

I have the exact same issue. Just haven't got around to calling support...:confused:
 
But it seems like Tim Cook is not going the route of Gmail. With Gmail, if you want, no other device than your trusted devices can access your Gmail through the web unless it confirms it with you first.

With iCloud, you can just go to any internet cafe and login to your account. It may send you an email saying some untrusted computer accessed your account but it may be too late by then.

I think Gmail's 2 step security is the strongest among these at the moment so Apple should go that way.
 
Ok why is iCloud not encrypted? This seems to be the first step Apple needs to take.
 