Tim Cook: Apple will broaden its use of two-factor authentication

“Apple Inc. said it plans additional steps to keep hackers out of user accounts, but denied that a lax attitude toward security had allowed intruders to post nude photos of celebrities on the Internet,” Daisuke Wakabayashi reports for The Wall Street Journal. “In his first interview on the subject, Apple Chief Executive Tim Cook said celebrities’ iCloud accounts were compromised when hackers correctly answered security questions to obtain their passwords, or when they were victimized by a phishing scam to obtain user IDs and passwords. He said none of the Apple IDs and passwords leaked from the company’s servers. To make such leaks less likely, Mr. Cook said Apple will alert users via email and push notifications when someone tries to change an account password, restore iCloud data to a new device, or when a device logs into an account for the first time. Until now, users got an email when someone tried to change a password or log in for the first time from an unknown Apple device; there were no notifications for restoring iCloud data.”

“He said Apple could have done more to make people aware of the dangers of hackers trying to target their accounts or the importance of creating stronger and safer passwords,” Wakabayashi reports. “‘When I step back from this terrible scenario that happened and say what more could we have done, I think about the awareness piece,’ he said. ‘I think we have a responsibility to ratchet that up. That’s not really an engineering thing.’”

“He also said that Apple will broaden its use of an enhanced security system known as ‘two-factor authentication,’ which requires a user, or a hacker, to have two of three things to access an account: a password, a separate four-digit one-time code, or a long access key given to the user when they signed up for the service,” Wakabayashi reports. “As part of the next version of its iOS mobile-operating system, due out later this month, the feature will also cover access to iCloud accounts from a mobile device.”

Read more in the full article here.

MacDailyNews Note: Use two-step verification for Apple ID to keep your personal information as secure as possible. More info here.

Always use unique passwords, do not reuse passwords for different services, and use Apple’s Keychain Access and iCloud Keychain to create and manage them. When used properly, this system works like a dream.

8 Comments

    1. I wish it still was the 90s though. Nickelodeon was at its best, and Sega still was making great game consoles, until M$ ripped them off, and stole their Dreamcast to make the HEXBawx. Sure, Apple wasn’t at their best, but the music, cartoons, and games were. The perfect decade would have Apple, Cartoon Network making quality programs, Sega still making game consoles, and M$ bankrupt.

    2. Actually, you are wrong. Users forget them all the time, I support several hundred users with iPads and they routinely forget, in fact a decent percentage of them do not know how to fix it when they do. I’m not supporting morons either, most that I support are master’s degree holders and beyond, it would really astound you to spend a week in my shoes supporting these highly educated users. Bottom line, they are human like everyone else, they are busy professionals and tech isn’t their focus, it is a tool they use.

      1. Precisely. Normal people (i.e. those outside of the tech field) have many significantly more important things to remember and keep track of than their passwords. In today’s online life, one tries to simplify security by using the same password across the board. It begins easily enough (I’m watching it as my children grow into the online age of passwords): first it is an e-mail account (iCloud.com); then comes Skype; then the school gives them access to several educational sites (each with different passwords), then eventually Amazon (and/or Barnes & Noble), eBay, Gilt City / Living Social / Goldstar, Seamless / GrubHub, Yelp, work e-mail (and separate AD network account, if your company still hasn’t consolidated their LDAPs), and the passwords mushroom into the high double-digits. Nobody in their sane mind can keep up with upwards of 40 different passwords, so they simply use one password with every service, with variations as required by the service (and perhaps to avoid giving one’s e-mail address and password to that e-mail to every other service).

        This is why there is a steady proliferation of password management apps and services out there (and they still don’t help much). Ordinary people simply can’t be expected to keep track of dozens upon dozens of different passwords they need in order to access their digital life.

  1. Ya know… Having an iWatch on my wrist at all times may make 2-factor authentication a lot more practical… I’m too lazy to reach into my pocket for my iPhone…

    In fact, a Touch ID on my wrist may be even cooler… and may move the industry away from passwords for authentication… Something I have (an iWatch), something I know (password) and something I am (Touch ID fingerprint)

  2. Consider another way to beef up two-factor authentication: whenever a device tries to join with iCloud for the first time, make the user authenticate that one time with the additional security measures.
