Why is Apple's online account security so poor?

Discussion in 'Apple, Inc and Tech Industry' started by neiltc13, Sep 16, 2011.

  1. neiltc13 macrumors 68040

    Joined:
    May 27, 2006
    #1
    In a few weeks Apple is going to launch iCloud and ask users to trust it with much more personal data than it has had before. I assume that many thousands of users will willingly upload their photos and documents and many others will start using Apple's own mail service.

    However, it seems that Apple will still only allow users to protect their accounts using a basic email address and password combination. In 2011, we have seen that this is just not good enough. Passwords are vulnerable to all sorts of attacks, especially when the same ones are used across multiple services.

    To me, Google seems to be leading the way in this area. Earlier in the year it launched a quite fantastic two step authentication system that ensures that even if a hacker knows a user's password, they won't be able to log in to their account. More information in this video:



    I've been using this since it launched and I haven't had one issue getting a code or logging in to my account.

    Valve also offers a similar system, where a code is emailed to a user's registered email address when they (or a hacker) log in on a new computer. A hacker would need a user's password AND access to their email account to be able to access their Steam account.

    Many banks also offer users free code generation devices to ensure that hackers also can't access accounts if they know the user's password.

    My question is - why is Apple not doing more in this space to develop security options that benefit users and also educate them about keeping their accounts secure?
     
  2. miles01110 macrumors Core

    Joined:
    Jul 24, 2006
    Location:
    The Ivory Tower (I'm not coming down)
    #2
    Doesn't matter. Even if Apple did offer 2-factor authentication it would be used by a minusculely small percentage of the user base... just like Google.
     
  3. neiltc13 thread starter macrumors 68040

    Joined:
    May 27, 2006
    #3
    It does matter, because I would use it if it was offered. As it stands, I'm not trusting Apple with my email account.
     
  4. *LTD* macrumors G4

    Joined:
    Feb 5, 2009
    Location:
    Canada
    #4
    But you *do* trust Google? :confused:
     
  5. rhett7660 macrumors G4

    Joined:
    Jan 9, 2008
    Location:
    Sunny, Southern California
    #5
    Come on LTD. We all know he does.

    Well let's see if Apple does offer this in the near future. I wonder how many people are using Google's one or even know about it for that fact.
     
  6. KingCrimson macrumors 65816

    Joined:
    Mar 12, 2011
    #6
    Once again, Apple behind the innovation curve. They continue to pander to the "lowest common denominator" of users. Basically whatever makes it simpler for Grandma! Maybe Grandma shouldn't be on the internet!
     
  7. neiltc13, Sep 16, 2011
    Last edited: Sep 16, 2011

    neiltc13 thread starter macrumors 68040

    Joined:
    May 27, 2006
    #7
    Let me rephrase that. I'm not trusting Apple's system with my account. I am trusting Google's system, because it is better for the reasons outlined in the first post.

    I know it's not the "cool" thing to say you trust Google here, but in the six years of having my account they have given me nothing but fantastic service and I've never had a reason not to trust them.
     
  8. snberk103 macrumors 603

    Joined:
    Oct 22, 2007
    Location:
    An Island in the Salish Sea
    #8
    Two step verification codes are useless for people who don't carry cell phones. There are enough of us out there that it would be hugely inconvenient. I'm not a luddite, I just live in a place that has terrible cell phone reception. So, what's the point?

    I'm not sure how often I would be accessing iCloud from a system other than my own, in any case.
     
  9. smithrh macrumors 68020

    Joined:
    Feb 28, 2009
    #9
    I'll be damned before I hand Google my phone number.

    "Service" my a**. Just another info grab.
     
  10. roadbloc macrumors G3

    Joined:
    Aug 24, 2009
    Location:
    UK
    #10
    I do know a few who have had their Apple accounts hacked and money all spent on movies and music. So I don't see a problem with adding any extra security. There is no denying that the current system (whatever it may be) isn't working brilliantly.
     
  11. neiltc13 thread starter macrumors 68040

    Joined:
    May 27, 2006
    #11
    I don't think some of you guys understand what two step authentication protects you from. This isn't going to save my account if Google's servers are compromised, but it does stop brute force and individual hackers from getting in.

    I'm just shocked that you guys are reacting so negatively to the suggestion that Apple improves its service. Apple has the resources to do a lot here and it would benefit users a lot if they did.
     
  12. maflynn Moderator

    Staff Member

    Joined:
    May 3, 2009
    Location:
    Boston
    #12
    So what you're saying is that you propose that I need to receive a text message from Apple before being able to log in and view my emails?

    I can see why Apple has not done this as it's a pain.
     
  13. miles01110 macrumors Core

    Joined:
    Jul 24, 2006
    Location:
    The Ivory Tower (I'm not coming down)
    #13
    I don't think you understand the economics of implementing a relatively complicated authentication system that will not pay for itself and will probably not be used by an appreciable number of users. Google offers it as an option, Apple doesn't. This does not mean Google is "more secure" than Apple.

    Those most likely to use 2-factor authentication are the same people who are likely to have passwords that are difficult to brute force in the first place, further deflating your argument.

    2-factor authentication does not equate to an "improvement" of service. What if your account is set up to use 2-factor authentication and the SMS PIN server goes down? What if your phone doesn't work?

    ...true...

    Citation needed.
     
  14. tigres macrumors 68040

    Joined:
    Aug 31, 2007
    Location:
    Land of the Free-Waiting for Term Limits
    #14
    Seeing as how iCloud is a backup service primarily, wouldn't it be different than just storing photos and info in plain format? In other words, isn't the iCloud backup already encrypted in a way that the device has to have the keys to decrypt the backup/restore?

    Now iWork is a different story, that seems to be the only true "storage" of iCloud.
     
  15. neiltc13 thread starter macrumors 68040

    Joined:
    May 27, 2006
    #15
    I never said Google was "more secure" than Apple. I'd hope that the infrastructure behind both companies' systems would be robust enough to fend off other types of attack.

    However, as a user I want to do everything I can to make sure my accounts are secure. This is particularly important for my email account as if it was to be compromised someone would be able to reset the passwords of most of my other accounts.

    Right now, the only thing stopping people from getting into my Apple account is a password.

    This is where Apple really has the power to do some good here. They have brought a variety of technologies "to the masses" - heck, who would have thought a few years ago that so many people would be talking about high pixel density displays? All they need to do is give it a fancy marketing word (like "Retina") and advertise it to users, showing them the clear benefits of activating it.

    That is surely the challenge for Apple - can they deliver the uptime that users expect from their service in order to support a service like this, and can they deliver a system that works internationally, as Google and Facebook's do?

    They've already invested a lot in this new data centre - time to put it to use?

    Google's service offers a mobile application (for iOS, Android and BlackBerry) that generates the code without needing an SMS to be sent.

    Well since lots of users have their credit card information stored on their iTunes account, at the very least protecting this from misuse would be a clear benefit.

    http://thenextweb.com/apple/2010/07/04/appstore-hack-itunes/

    http://gizmodo.com/5580345/you-should-check-your-itunes-account

    I'm talking about the passwords used to access the storage, not someone gaining access to the account without a password. If someone has your Apple ID password then they can retrieve the data as they are authenticated as you.


    Not every time, no. Only when you sign in from a computer that you have never signed in on before.
     
  16. snberk103 macrumors 603

    Joined:
    Oct 22, 2007
    Location:
    An Island in the Salish Sea
    #16
    Until now, I've not been convinced - but I do agree that adding an option that double-checks your identity when you sign in from an "unknown" computer is a good idea. I think my bank does this. But does it have to require a 2nd device (text to phone, for e.g.) to work? Why not just have a series of security questions that you need to answer instead? If I recall, I have to answer a set of 4 or 5 questions to get into my bank account if the bank's online security guard doesn't like how I'm logging in.

    Re: "Just a password"..... A good password is still your best defense. I have several similar, but distinct, passwords that I use depending on how "secure" the password needs to be. One password I use for one time use to get into a system that requires me to sign up, even if it's just to download something once. Another one is the one I use for only my critical/sensitive logins. And a couple of others for those needs in between. I sometimes need to try a few in succession to get the right one - but it's not so hard. There is a pattern to them, that makes sense to me, so they aren't that difficult to remember.
     
  17. miles01110 macrumors Core

    Joined:
    Jul 24, 2006
    Location:
    The Ivory Tower (I'm not coming down)
    #17
    If it's a bad password that's your own problem. Apple is not and will not be responsible for users that pick bad passwords.

    How is Apple supposed to be responsible for someone who forgets their second factor? How is Apple responsible for cellular network outages or lack of coverage?

    Not really, because fraudulent charges can be reported and it is the responsibility of the credit provider to prove customer liability. And if they chose a strong enough password in the first place, it wouldn't be an issue.
     
  18. neiltc13 thread starter macrumors 68040

    Joined:
    May 27, 2006
    #18
    I'm not disputing that a good password is a good security measure - however, it shouldn't be the ONLY thing that allows someone into my account. As someone already said earlier - if you have two passwords, or secret questions required to log in on a new machine then even that would be better than Apple's current system.

    We have seen countless leaks of user information from various places in the past few months - Gawker and Sony to name a few. Many of the users who had their information leaked likely had a "good" password, but it's not much use if that password is out in the wild for anyone to see.

    This is especially bad when users choose the same passwords for multiple services. Rather than saying "it's the user's fault" why doesn't Apple use its marketing prowess to assist users in securing their own accounts?

    I don't know about you, but I haven't ever been in a location where I have needed access to my email where I don't have cellular coverage. I don't tend to fire up my laptop out in the countryside :p

    If nothing else, it would save a lot of time, hassle and money if an account wasn't compromised in the first place.
     
  19. aristobrat macrumors G4

    Joined:
    Oct 14, 2005
    #19
    In terms of protecting credit card data, Apple already does something like that. When you purchase from a device that you have never purchased from before, you have to enter the card's CVV, which is printed on the back.

    I agree that it would be cool if Apple offered what you suggested, but I think that relatively few people would use it.
     
  20. miles01110 macrumors Core

    Joined:
    Jul 24, 2006
    Location:
    The Ivory Tower (I'm not coming down)
    #20
    Why shouldn't it? Millions of people log into accounts of all kinds with passwords and don't get hacked. Now you're getting into the subjective. Should they really provide 2-factor authentication? Are they obligated by law? What law?

    I don't see how that's relevant. Back-end database security (or lack thereof) is not the topic of this discussion.

    Because they don't have to. Personally I don't want Apple making yet another decision for me i.e. the best way they think I should authenticate my account. Many others probably feel the same way.


    Right, because laptops are the only way to access the internet. :rolleyes:

    Then choose a good password and eliminate 99.9% of the risk of getting hacked in the first place. Very, very simple.
     
  21. KingCrimson macrumors 65816

    Joined:
    Mar 12, 2011
    #21
    What I don't understand is why doesn't Apple require strong passwords like Google? Yeah I know NM()^^^34342_342UUU will be hard for grandma to remember.
     
  22. snberk103 macrumors 603

    Joined:
    Oct 22, 2007
    Location:
    An Island in the Salish Sea
    #22
    That's because you don't live in the countryside, like some of us.... :)
     
  23. neiltc13 thread starter macrumors 68040

    Joined:
    May 27, 2006
    #23
    Huh? They have done exactly that with their current system - there are no choices you can make.
     
  24. Shrink macrumors G3

    Joined:
    Feb 26, 2011
    Location:
    New England, USA
    #24
    Yeah, let's have an age limit for internet access. Only super smart young folks, like you, get to use it. :p

    Maybe, better yet, let's just put Grandma on an ice floe. Or maybe just cut off the hands of anybody over, say, 35. :rolleyes:

    Welcome to "Logan's Run".
     
  25. KingCrimson macrumors 65816

    Joined:
    Mar 12, 2011
    #25
    Sounds good to me! I just turned 35 so I'm safe for 11+ months until it's time for "Carousel". :p
     
