How to Improve your iCloud Apple ID Security


Before I provide my summary of this weekend's cracking of celebrity iCloud accounts let me just say this: go to the Apple ID site (https://appleid.apple.com) and set up Two-Factor Authentication. What is Two-Factor Authentication you ask? Well, think of your password as one factor. It's not bad, but isn't two better than one? So we add another way to verify you are who you say you are. So like I said, right now go to the Apple ID site here https://appleid.apple.com and click on Manage your Apple ID –> click on Password and Security –> then click on Get Started under Two-Step Verification. That's right, go do that now. I'll wait…

Ok good you’re back. To provide a slightly longer walk through of my experience:

Once I clicked on that, Apple actually first asked me to update to a more secure password.
Then I was able to click on Password and Security and was asked to add 2 security questions, which I did.
Then, once I clicked back into Password and Security, there was a section for Two-Step Verification.

Once enabled, the only way to make changes to your account will be to sign in with two-step verification.

The site will then explain to you that only you, using Two-Step Verification, will be able to make changes to your account, and that Apple will no longer be able to reset your password without it.
Then you click forward and realize there is a 3 day waiting period to activate Two-Step Verification after you make "significant" changes to your account (i.e. password changes and/or new security questions). This annoys me to no end, but Apple is trying to claim that it's a necessary thing to make sure someone else isn't hijacking your account. They do however provide a mechanism to create a Calendar reminder to come back.

Some other useful links while we are on the topic:
Apple's FAQ about account security http://support.apple.com/kb/ht4232
Apple's FAQ about two-step verification http://support.apple.com/kb/HT5570

So why are we doing this?

Well, over Labor Day Weekend 2014 a nice-sized "hack" exposed a number of celebrities' iCloud-stored photos. How so many accounts were compromised, and where the photos were stored (iCloud backup or Photo Stream), is still being investigated. I want to point out that the correct term for this is actually a "crack", since passwords were cracked, rather than code being hacked together. We'll excuse the media yet again for using these terms incorrectly.

Thus far Apple claims there was no serious flaw or crack/hack of iCloud itself. Instead Apple believes there was "a very targeted attack on user names, passwords and security questions." Basically, someone was somehow getting or guessing celebrity Apple ID user names and their passwords. There is still the question of where the photos were stored, Photo Stream or iCloud backup. There are even some claims that the photos were deleted some time ago, meaning that either the cracks/hacks have occurred over a long period of time, or that simply deleting them isn't enough to destroy them.

Also worth noting, however, was a security flaw in Find My iPhone that allowed a "Brute Force" attack on passwords. Basically, someone could constantly try new passwords on someone's account without being locked out. AMEX allows me 3 attempts to remember my new password before they lock me out. This flaw has been/is being addressed by Apple and it now looks like you have 5 attempts before it locks you out. Apple does not believe this was involved in these attacks. Digression – This raises the question, are our selfies and smart phone content now as valuable as our banking info? A topic for another post.
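The lockout just described is the whole difference between a guessable password and a crackable one, so here is an added illustration (my own example code, not Apple's or anyone else's) of a per-account failed-login counter: with lockout disabled every guess in a wordlist gets evaluated, while a five-attempt limit cuts the run off. The account name, password and wordlist are constructed sample values.

```python
import time
from dataclasses import dataclass

@dataclass
class _State:
    failures: int = 0          # consecutive failed attempts
    locked_until: float = 0.0  # epoch seconds; 0 means not locked

class LoginGuard:
    """Per-account failed-login counter with a temporary lockout (illustrative only)."""

    def __init__(self, max_attempts=5, lockout_seconds=900, clock=time.time):
        self.max_attempts = max_attempts        # None disables lockout (the flawed behaviour)
        self.lockout_seconds = lockout_seconds
        self.clock = clock                      # injectable so tests can control time
        self._accounts = {}

    def attempt(self, username, password_ok):
        """Return 'locked', 'ok' or 'wrong'; password_ok is the credential check's verdict."""
        st = self._accounts.setdefault(username, _State())
        now = self.clock()
        if now < st.locked_until:
            return "locked"              # refuse without even evaluating the password
        if password_ok:
            st.failures = 0              # a good login clears the counter
            return "ok"
        st.failures += 1
        if self.max_attempts is not None and st.failures >= self.max_attempts:
            st.failures = 0
            st.locked_until = now + self.lockout_seconds
        return "wrong"

def simulate_guess_run(guard, username, secret, guesses):
    """Feed a wordlist at one account; return (guesses actually evaluated, found)."""
    evaluated = 0
    for guess in guesses:
        result = guard.attempt(username, guess == secret)
        if result == "locked":
            continue                     # the guard refused to evaluate this guess
        evaluated += 1
        if result == "ok":
            return evaluated, True
    return evaluated, False

if __name__ == "__main__":
    # constructed sample wordlist; the account's password is the last entry
    wordlist = ["123456", "password", "qwerty", "letmein", "iloveyou", "summer14", "hunter2"]
    print(simulate_guess_run(LoginGuard(max_attempts=None), "alice", "hunter2", wordlist))  # (7, True)
    print(simulate_guess_run(LoginGuard(max_attempts=5), "alice", "hunter2", wordlist))     # (5, False)
```

A real service would persist this state, throttle by source as well as by account, and alert on lockouts so the security team sees a guessing run while it is happening.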


You may be asking "So what's this Two-Factor or Multi-Factor Authentication you made me sign up for?" Multi-Factor Authentication basically employs more than one method of you proving you are who you say you are. If you consider simply using a password as a single factor, multi-factor typically adds things like a code that gets sent via text, or something like an RSA token or Google Authenticator that gives you a code to type in. In the case of Apple they will send you a 4-digit code that you have to enter when you try to access or make changes to your account. From the looks of the FAQ this is also used when you go to make iTunes and App Store purchases on new devices. It doesn't sound like you have to enter the second factor on current devices, though. On some systems you need to use Two-Factor/Multi-Factor at any login. Just something to keep in mind; I'll update this post once my 3 day waiting period is over.