Why Apple’s Two-Step Authentication Can Be Dangerous

Apple offers two-step authentication for iCloud accounts, but their version of this process is quite rigid, and is downlight dangerous. Owen Williams writes about this in an article for The Next Web, showing how he was nearly locked out of his account.

His account was locked for “security reasons;” in other words, someone tried to get into his account, and presumably made too many login attempts, and the account was automatically locked. No problem; just use the recovery key that he got when setting up two-step authentication… But, as Williams says, “How could I be foolish enough to misplace my Apple ID recovery key?”

And there’s the big problem with the way Apple implements two-step authentication.

Two-step authentication combines the need for a password and a code that is sent to you on a device you own. So, when logging into your account from a new device (you don’t do this every time you log in), you’ll get an SMS sent to your phone with a code. You need to have more than one device, in case you lose one of them. For example, if you lose your phone, you need to be able to log in on a computer, and add a new phone as a trusted device. (Hmmm, what does happen if you lose both your computer and phone…?)

HT5570_01-icloud-2stepfaq-001-en.png

In Apple’s case, there is a recovery key, which you can use if you no longer have any trusted devices; this code is also needed if your account gets locked for any reason.

So the real problem is ensuring that you save the recovery key. Apple recommends that you print it out, and keep it in “a safe place,” and that you do not save it on your computer. (Though saving it in an app such as 1Password would be fine.) If you do this, you’ll have no problems. But if you don’t, then you could get locked out of your account; Apple makes this very clear.

So, Apple’s two-step authentication is dangerous, but if you follow the instructions to the letter, you won’t have anything to worry about. As far as I’m concerned, I’ve never set it up, because while the risk of losing access to the account is minimal, it exists. If my house were to burn down, and I lost both physical and digital access to the recovery key, then I’d lose access to a lot of my stuff. If you use this two-step authentication, make sure to have a copy of that key somewhere safe, and make sure to remember, say ten years from now, where you put it, in case you need it then.

I Almost Fell for This Apple ID Phishing Email

I almost fell for this; until I read the subject line. iPhone 3; seriously? These guys need to update their stuff.*


phishing.png

  • Apparently some readers think I was being serious above. I’ve added this footnote for those who didn’t spot the sarcasm, which, perhaps, is not as obvious as I thought.

Apple Now Emails You When You Sign into iCloud on the Web

There is always a fine balance between security and usability. Apple was strongly criticized because of the iCloud selfie breach, and Tim Cook announced that the company would be implementing new security procedures.

As of today, one of them is live: if you sign into iCloud on the web, you’ll get an email:

Mail001.png

This is interesting, but is it useful? First, if you get one of these every time you sign into iCloud on the web, it’ll just be a bother. Sure, if you didn’t sign into iCloud, you can reset your password, but too much security hampers usability. People will, over time, get tired of these messages and just delete them.

And, what if I just accessed iCloud around the same time someone broke into my account? Will I get two emails? Or will I just assume that the email I get is for my access?

In any case, by the time you get the email, it might be too late.

As my friend and editor Michael Cohen pointed out:

“Of course, if someone DID sign into your iCloud account via a Web browser, that person would see the email, too… and could reset your password, locking you out! Unless you use 2-factor authentication; then it might be harder to do the last.”

iCloud or not iCloud: What Really Happened in the Nude Selfie Breach?

You’ve seen it on the internet, even on TV news shows: a number of A-list celebrities had nude selfies swiped from their phones, or their iCloud accounts. Initial thoughts pointed to iCloud, since an exploit was released a couple of days before the photos leaked which targeted Find My iPhone, part of iCloud. This exploit found that Find My iPhone wasn’t rate limited; that it didn’t block users after a certain number of failed password attempts. So the exploit used a list of the 500 most commonly used passwords, and tried them against any Apple ID. If your password was weak, well, you’d get owned. Apple patched iCloud to fix this issue two days later.

But Apple came out with a public statement, saying, “After more than 40 hours of investigation, we have discovered that certain celebrity accounts were compromised by a very targeted attack on user names, passwords and security questions, a practice that has become all too common on the Internet. None of the cases we have investigated has resulted from any breach in any of Apple’s systems including iCloud® or Find my iPhone. We are continuing to work with law enforcement to help identify the criminals involved.”

So, who to believe? Some stars jumped the gun, relying on sketchy media reports suggesting that Apple was to blame, and cast aspersion – well, pizza turd – on the company:

Safari001.png

But evidence suggests that if iCloud was to blame for some of these breaches, it was not the case for all of them. Some of the stars claim the photos are fakes, while others point out that they don’t use iPhones. According to Apple, their iCloud security questions – the ones you answer to reset a forgotten password – were too easy to figure out. (Though I haven’t seen any suggestions that any of these stars found themselves locked out of their accounts, which would have happened if their passwords were reset.)

There’s lots of speculation, and one of the more interesting theories comes from Boris Gorin of FireLayers. As PC World reports, Gorin said, “The images leaked have been gradually appearing on several boards on the net prior to the post at 4chan–making it reasonable to believe they were not part of a single hack, but of several compromises that occurred over time.”

The PC World article goes on to say:

“Gorin shared a theory the celebrities may have been hacked while connected to an open public Wi-Fi network at the Emmy Awards. If they accessed their personal iCloud accounts, attackers connected to that network would have been able to intercept and capture the username and password credentials. That’s not a security flaw with iCloud and having a strong or complex password wouldn’t offer protection against transmitting that password in clear text on a public Wi-Fi network.”

So we’re stuck in a he-said-she-said loop. In this corner, Apple is saying that these people were targeted by password-reset hacks, which depended on weak security questions. Yet none of the celebrities have said that they found anything amiss when trying to log into anything with their phones or computers. (Of course, they may not want to admit that.) And in that corner, security researchers are looking at old-school man-in-the-middle hacks on public wifi networks.

What seems likely is that, as Gorin says, these were images that were slowly leaked, and that one person decided to dump all at once, to suggest that they all come from the same exploit or hack. And if so, why? Should one speculate that there is a link between this photo dump and Apple’s new product event next week? That, perhaps, a competitor contracted with some black-hat hackers to try and get Apple to have some egg on their face; or some pizza turd?

Put your tinfoil hat on, dear reader. We will probably never know the answer to this one.

One suggestion to the celebrities reading this article (there might be one or two): you have people who tell you what to say and what to wear; find someone to tell you how to keep your personal data secure. It’s not that complicated.

Update: We now know much more about this breach. There was no one single incident grabbing all the photos, a number of techniques were used, from simple figuring out the answers to security questions to forensic software, which anyone can buy for $400 (or simply torrent). Part of the fault is Apple’s, for those accounts that were accessed using the brute-force script, but not all of the accounts whose photos have been leaked were accessed in that manner.