Blog Post

Apple ups iCloud security following celebrity hack, adding alerts and boosting two-factor authentication

Stay on Top of Enterprise Technology Trends

Get updates impacting your industry from our GigaOm Research Community
Join the Community!

Apple is to start notifying users when someone tries to restore iCloud data to a new device, in the wake of last week’s big celebrity nude selfie hack — and it’s also going to start using two-factor authentication as a security measure for accessing iCloud accounts from its mobile devices.

[company]Apple[/company] CEO Tim Cook told the Wall Street Journal late Thursday that the company would start sending out email and push notifications for iCloud data restoration in a couple weeks’ time, and reiterated an earlier statement asserting that the hackers had correctly guessed security questions in order to change the victims’ passwords, or used standard phishing techniques to fool the targets into giving up their Apple IDs and passwords.

Email and push notifications will also alert users when someone tries to change the account password or log into the account from a new device – these activities already triggered email notifications before.

Security experts had suggested that Apple should introduce two-factor authentication for iCloud access. (They also said Apple should make it harder for people to ascertain whether a certain email address is associated with an Apple account, though there’s nothing in the WSJ piece about that.)

In Apple’s two-factor authentication system, which already protects Apple ID management and iTunes and App Store purchases when users turn it on, users have to log in with two of the following three things: a password, a short one-time code or the long key they were given at signup.

Cook said the upcoming iOS 8 operating system refresh would urge people more to use two-factor authentication – he said most customers don’t use it currently – and would also allow them to use it to keep others out of their iCloud accounts.

He also suggested that user awareness, rather than engineering, was ultimately the solution to user security – basically, people should have better passwords. This is true, but good passwords are hard to remember and not particularly easy to enter on a mobile device. I think Apple and the wider industry need to move to smarter security techniques, though of course everyone’s working on this problem.

To be frank, I’m a little shocked that Apple didn’t previously have notifications for when iCloud data is being downloaded to a new device or and use two-factor authentication for iCloud, given the amount of sensitive information that gets sucked up into these accounts.

And, given that this stuff has been going on for a long time, with ordinary people as well as celebrities being affected by having data stolen, it’s unfortunate, to say the least, that Apple is only springing to action to this degree when a very high-profile case hits just before a major iPhone launch.

9 Responses to “Apple ups iCloud security following celebrity hack, adding alerts and boosting two-factor authentication”

  1. WaltDeMille

    “Better late than never.” …as if Apple is so woefully behind the times on iOS security that it’s almost beyond all hope? iOS, despite these weaknesses in the users of iCloud being so inept they post security question-information on their social media, is still an incredibly secure and stable system – much more so than Android but, suspiciously for ‘neutral’ journalism, no one bothers to document those insecurities, post misleading headlines, and fan the flames of misinformation as much as possible.

    • DragonTBear

      Hmm .. maybe Late IS NEVER for Apple … If you log into TODAY, there STILL is NO WAY to enable 2-step from that page.

      One would think Apple would have BIG FLASHING info on that page pushing users to go enable 2-step.

      I’m left to assume Apple just doesn’t care if non-tech users get there stuff stolen.

  2. According to Apple the breach is not due to any problems with iCloud security so why does Apple want to fix something that is not broken. Some sites allow for security questions and answers that can be chosen by the users themselves rather than preset ones which might be better

  3. Now, I’m no Software Engineer, but I’m a bit disconcerted by HOW FAST Apple released statements. Are a couple of days enough to say without doubt that its system has no security flaws?

    The bigger problem is “safe browsing”. It seems like every website nowadays requires a new user account. How many different password combinations are people actually going to use? I get confused with gmail, my work, facebook, wordpress, and amazon. Many jobs require people to update their passwords regularly. Passwords are also required to have numbers and special characters.

    Let’s assume that Apple is completely safe – that the celebrities did have easy passwords to crack.Two password verification will help Apple security, but what about the rest of the web? Will Google just sit back? When the trend catches on, won’t the same problem arise?

    • David Meyer

      I think to an extent this stuff was easy to bring in. It’s really a constant tussle between security and usability – when Apple saw enough people were upset about security, they shifted the balance.

    • Google has had 2 factor authentication for years. They even have their own Google Authenticator app that one can install on iOS and Android rather than using SMS. Google Authenticator works with a variety of services including MS but not Apple. That is too bad since Appe’s two factor authentication requires SMS that does not work with some cell phone carriers (personal experience).

      • Yeah, in Asia everyone uses What’s App or WeChat. What’s App is great because it’s cross-platform and works on all major smartphones. Now that Facebook has acquired it – and started a forced migration of its users to download the Facebook Chat app – it seems like the next step will be to integrate the two. But that would probably breach anti-trust laws, right? I got off topic…