Unless you’ve been on the moon this week, you will have heard about the Great Big Celebrity Naked Picture Theft.
Apple has confirmed it’s found no evidence of a security breach, but it does know that some individual iCloud accounts were compromised.
From a statement released on Tuesday:
None of the cases we have investigated has resulted from any breach in any of Apple's systems including iCloud or Find my iPhone. We are continuing to work with law enforcement to help identify the criminals involved.
The company said that the individual accounts were accessed the old-fashioned way – by figuring out the victims’ login credentials.
Which led to the following recommendation:
To protect against this type of attack, we advise all users to always use a strong password and enable two-step verification.
I couldn’t agree more. It is just unfortunate that Apple’s two-step verification is almost useless and would not have prevented these attacks at all.
This leads me to the conclusion that it is time for an intervention. Users of Apple products and services deserve choices that at least allow them to opt-in to security functions that have become industry standards.
I wrote about the limitations of Apple’s two-step verification last October, including that it was – at the time – only available in a handful of countries. Since then, very little has improved.
The only real difference is that people in more than 11 countries can now feel a false sense of security by enabling “two-step”.
To be sure this was still the case, I spent the day with my Apple devices trying every combination I could to create a situation that would prompt Apple to verify my identity using more than my password.
First I added my phone to my Apple ID and enabled two-step verification. I agreed to the multitude of warnings of how I would be on my own and no one could save me if I proceeded.
Not exactly reassuring for those who don’t understand what is going on behind the scenes.
I then proceeded to take a selfie with my iPad and allowed it to synchronize to my iCloud account. I set up a new Mac to access the same Apple ID and voila! I could see my photos with nothing more than the account password.
I became a bit more worried. What good is two-step verification if it doesn’t protect any of my information?
I proceeded to log into a second iPad and chose to delete the backup I made of my primary iPad. *BOOM*, deleted. No need to verify my identity, just gone.
The final test involved erasing the iPad after deleting the backup. A few clicks, I reaffirmed my password and gone. Deleted. Convenient if stolen, but a damning confirmation that two-step verification is not in any way helping protect your data.
What does it take to prompt you for the “second step”? I could only find two ways to make it happen.
- Attempt to modify the security settings of your Apple ID.
- Make a purchase from the App Store or iTunes from an unknown device.
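The two trigger conditions above, written out as an authorisation policy. This is an added example and not part of the original post, nor Apple's code: the operation names, the device-trust model and both policy tables are assumptions made for illustration. What it shows is a step-up gate in which the second factor is demanded only for operations the policy lists, and only from a device that has not previously passed it, and how that same gate behaves with Apple's 2014 list versus a list that also covers the iCloud data itself.

```python
"""Step-up authentication gate modelling the two policies discussed above.

Added illustration, not Apple's code: operation names, the device-trust
model and both policy tables are assumptions made for this example.
"""
from dataclasses import dataclass, field

# Operations someone holding only the account password would reach for.
READ_PHOTOS = "read_photos"
DELETE_BACKUP = "delete_backup"
ERASE_DEVICE = "erase_device"
CHANGE_SECURITY_SETTINGS = "change_security_settings"
PURCHASE = "purchase"

# Policy as the article describes Apple's two-step in 2014: only Apple ID
# security settings and store purchases from an unknown device need the
# second step.
APPLE_2014_POLICY = frozenset({CHANGE_SECURITY_SETTINGS, PURCHASE})

# Policy the article argues for: the same, plus every operation that reads
# or destroys the data held in iCloud.
PROPOSED_POLICY = APPLE_2014_POLICY | frozenset(
    {READ_PHOTOS, DELETE_BACKUP, ERASE_DEVICE}
)


@dataclass
class Session:
    """One signed-in device. Until it has passed the second step once, the
    password is the only thing the service has seen from it."""
    device_id: str
    password_verified: bool = False
    second_factor_verified: bool = False


@dataclass
class Account:
    """Devices that have completed the second step at least once."""
    trusted_devices: set = field(default_factory=set)


class StepUpRequired(Exception):
    """The caller must complete the second step before retrying."""


def authorize(account: Account, session: Session, operation: str,
              policy: frozenset) -> None:
    """Gate one operation. The password is always required; the second
    factor is required only when the policy lists the operation and the
    device is not yet trusted. Passing it once enrols the device."""
    if not session.password_verified:
        raise PermissionError("password required")
    if operation in policy and session.device_id not in account.trusted_devices:
        if not session.second_factor_verified:
            raise StepUpRequired(
                f"{operation} from unknown device {session.device_id}")
        account.trusted_devices.add(session.device_id)


def attacker_with_password_only(policy: frozenset) -> dict:
    """Simulate a key-logged password used from a never-seen device and
    report which operations go through without the second step."""
    account = Account()
    session = Session(device_id="attacker-laptop", password_verified=True)
    outcome = {}
    for op in (READ_PHOTOS, DELETE_BACKUP, ERASE_DEVICE,
               CHANGE_SECURITY_SETTINGS, PURCHASE):
        try:
            authorize(account, session, op, policy)
            outcome[op] = "allowed"
        except StepUpRequired:
            outcome[op] = "second step required"
    return outcome


if __name__ == "__main__":
    for name, policy in (("Apple 2014", APPLE_2014_POLICY),
                         ("proposed", PROPOSED_POLICY)):
        print(name)
        for op, result in attacker_with_password_only(policy).items():
            print(f"  {op:25} {result}")
```

Run against APPLE_2014_POLICY, a stolen password from a new device reads photos, deletes backups and erases the device unchallenged, which is the behaviour described above; against PROPOSED_POLICY each of those stops at the second step until the device has been verified once, after which a trusted device is not prompted again.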
This behaviour is not only unacceptable, but it is misleading. Here at Naked Security we have been advising our readers to enable two-factor (or two-step as Apple calls it) authentication to provide an extra security blanket that goes beyond passwords.
While it can occasionally be inconvenient, security and privacy minded individuals like the option to have a speed bump between a key logger and access to their entire digital kingdom.
The public's concern about the security of the information they share in the cloud is valid, and Apple's response is only half baked.
At best, Apple's suggestion of choosing secure, long and complex passwords is valid, but the suggestion that the two-step verification option will secure its customers' data is simply wrong.
It’s genuinely disappointing. Apple has the tools, infrastructure and capability to offer more secure options to its customers, but up to this point has chosen not to.
This isn't unusual for Apple; it always tries to be sure your experience is frictionless, but it is a disservice not to offer security when all of the pieces are in place and so many of its customers want more protection.
Should Apple extend its two-step authentication to not just protect your email and password, but also the sensitive data (photos, contacts, calendars and backups) you rely on iCloud for? Answer our poll and feel free to share your comments below.
Special thanks to Anna Brading for a kick in the pants to move this along and Paul Ducklin for advice on the efficacy of Apple’s choices.