As we saw recently, a number of celebrities’ photos, stored on iCloud, were leaked. While there doesn’t seem to be a single cause for this leak – the photos were accumulated over time, after being stolen using a variety of techniques – iCloud is partly to blame. Tim Cook, in an interview with the Wall Street Journal, stated that Apple is adding some new security features to protect against – or at least warn users about – similar attacks.
Cook is quoted as saying that “iCloud accounts were compromised when hackers correctly answered security questions to obtain their passwords, or when they were victimized by a phishing scam to obtain user IDs and passwords.” I’ve pointed out several times on this blog some of the well-crafted phishing emails that target Apple and iCloud users, and it’s certainly possible that some of these were the vector by which these accounts were accessed.
Cook also told the Wall Street Journal that “Apple will alert users via email and push notifications when someone tries to change an account password, restore iCloud data to a new device, or when a device logs into an account for the first time.”
That’s all well and good, but what about this scenario: someone changes an account password, you get an alert, but by then you’re locked out of your account, because the password has been changed. How will Apple deal with that? What is the streamlined procedure for getting your account back, or at least getting it locked? This needs to be bulletproof, so no one can lock an account belonging to someone else. One of the problems with this type of security is that all your authentications occur electronically. You cannot, say, go into a local Apple store and prove your identity, with a photo ID and signature. (And many of us don’t have local Apple stores anyway.) So it’s entirely likely that this new procedure won’t help. It will alert you that something has happened, but my experience with Apple ID support is that they take a long time, and if an attacker has changed security questions, you can effectively no longer prove you own an account.
The article goes on: “He also said that Apple will broaden its use of an enhanced security system known as “two-factor authentication,” which requires a user, or a hacker, to have two of three things to access an account: a password, a separate four-digit one-time code, or a long access key given to the user when they signed up for the service.”
There is a problem with that as well. If you only have one device, you can’t use a second to authorize a change to an account, as you can do currently for iCloud Keychain. If your device is lost or stolen, then you cannot easily block your account, or even set up a new account. As for that long access key, those of us who use a password manager will have stored it safely, but how will other people keep it? On a post-it? In an unsecure note on their device?
The problem with all these methods is that they are too complicated for most users. I once went to Apple’s website to turn on two-factor authentication, and I admit that even I was daunted by the company’s explanations of the process, and the scary messages they give saying how, if you lose the long access key, you may never be able to access your account again.
All this security is essential, but it needs to be re-thought. These procedures are complicated and confusing to average users, and they shouldn’t be. There will always be a trade-off between security and usability, and as more of our data goes into the cloud, companies need to come up with better ways to ensure its security.