Sophos Cloud Optix
Apple really is listening, and doubly so!
The company backed down over the “foistware” U2 album that you recently received via iTunes, like it or not.
And later the same day, it announced that its two-step verification system would be applied to iCloud, effective immediately.
We’re delighted to hear it!
Bogus blame of iCloud in nude photo scandal
At the start of September 2014, a scandal broke when illegally-collected nude photos of 100 celebrities were published online.
Early rumours suggested that this might be down to some sort of iCloud “hack,” because at least some of the photos had been stolen from iCloud accounts, and because the photos all appeared at once, as though they had been grabbed as a job lot.
That turned out to be bogus reasoning.
The photos were apparently stolen from multiple sources in various ways, but released as a job lot by a collector.
He seems to have accumulated them in a series of underground trades and purchases.
So stolen, phished, keylogged and otherwise illegally acquired Apple ID passwords are a better explanation for the iCloud-related celebrity selfie breaches than a problem in iCloud itself.
→ Remember, re-used passwords make the problem worse: if you have one password for all your accounts, the crooks can breach any one of them and that’s that. So phishing your Gmail password would get them into iCloud, or vice versa.
Two-step verification
Apple’s response, as we reported at the time, was to urge iCloud users to turn on its two-factor authentication system, known as two-step verification (2SV).
2SV augments your password with a one-time login code sent via SMS:
Even a crook who knew your Apple ID password wouldn’t have enough to get into your account and restore your iCloud data onto his computer.
Also, if you were to see SMS verification codes popping up when you didn’t expect them, you’d have an early warning that someone was trying (and failing!) to breach your account
Huzzah for Apple, we thought.
2SV not enough
Except that 2SV didn’t apply to iCloud at all, as Naked Security writer Chester Wisniewski went out of his way to check.
Turning on 2SV only protected certain operations on your Apple account, such as editing your account details or buying products from iTunes or the App Store from a new computer or device.
So we ran a poll, asking whether Apple should change its mind and extend 2SV to iCloud.
The results were overwhelming:
Nearly 95% of you said, “Yes.”
Apple pays attention
And Apple, it seems, was listening, sending out an email late yesterday Cupertino time (2014-09-16T018:00-7) to its 2SV users:
Thank you for using two-step verification to protect your Apple ID. This email provides information about recent updates to your service.
Two-step verification now protects iCloud
Starting today, in addition to protecting your Apple ID account information, two-step verification also protects all of the data you store and keep up to date with iCloud. For more information, read the Two-Step Verification FAQ.
The FAQ (which is article HT5570 in Apple’s knowledgebase) has been updated accordingly:
It now lists 2SV as applying when you:
- Sign in to My Apple ID to manage your account
- Sign in to iCloud on a new device or at iCloud.com
- Make an iTunes, App Store, or iBooks Store purchase from a new device
- Get Apple ID related support from Apple
2SV still not right
This is a good move, and we want to express public thanks to Apple for responding so quickly.
But we’ll also offer the opinion that the company still hasn’t got 2SV right.
Indeed, it’s a bit of a stretch for Apple to say that 2SV now “protects all of the data you store and keep up to date with iCloud” when, in fact, it only protects your very first login with a new device.
In other words, after you’ve signed in for the first time from your new iPhone, 2SV provides no further protection as you go about actually storing and keeping your data up to date.
In the same way that Apple’s 2SV can’t be turned on for every online purchase you make (why not?), it can’t be turned on for your actual data interactions with iCloud, such as kicking off a restore (why not?).
Allowing a stolen password alone to be used to pull down all your iCloud data, even if it’s being restored to your usual device, seems a huge waste of 2SV.
Trusted apps
Apple’s email also tells you that:
If you use iCloud with any third party apps such as Microsoft Outlook, Mozilla Thunderbird, or BusyCal, you can now generate app-specific passwords that allow you to sign in securely even if the app you are using does not support two-step verification.
. . .
App-Specific passwords will be required starting on October 1, 2014.
App-specific passwords (which effectively act as a pre-approved security bypass) are far from ideal.
But they do prevent crooks from bypassing your 2SV simply by choosing a login method that doesn’t support it.
Again, this is a good move, and hats off to Apple for setting a short deadline (October 2014) to enforce it.
The bottom line
Thanks to Apple for kicking off the process of adding 2SV to iCloud.
Your quick reaction is appreciated.
We urge iCloud users who live in one of the 59 supported countries to turn on 2SV sooner, rather than later, for the extra security it provides.
But please keep in mind: Apple has more work to do before 2SV truly “protects all of the data you store and keep up to date with iCloud”.
This is great news but the problem about data restores is still there. Anyone with just your apple ID and password can restore all your data to a new device (or the Elcomsoft tool). No 2SV needed. A great improvement but they still need to come up with a solution for restoring a phone. Perhaps asking for a code created when setting up the phone or the last 4 digits of the credit card associated with the Apple ID.
Er, like the 2SV recovery code, you mean 🙂
Seems it would be perfect for the job, and will neither cut you off from the SMS because your phone was stolen, nor let the SMS go straight to the crook who stole your phone.
Let ‘s say I only own one iPhone and no other Apple device. Next, I loose my iPhone (it gets stolen) and I want to change my Apple ID and/or password. With 2SV I can’t do this, because I don’t have a trusted device any more. Or am I missing something ?
Recovery code. Presented when you enable 2SV. Write it down, lock it in a safe-deposit box against the day that you can’t receive the 2SV messages.
Two step verification can have a flaw. I don’t have an iPhone, so someone needs to check if this applies.
But on Android, my phone puts my SMS messages into my email; this same email account that I use on my desktop. Thus if my email account is compromised, two step verification is not going to protect me because they bad guys don’t actually need my phone, just access to my email.
And if someone has a stolen phone and have been able to unlock it, how does the thief receiving a code on the stolen phone protect the account?
People should also take a look at two step verification; I was setting up a new Windows 8.1 machine for my wife while she is not around and for some verification I was able to substitute my phone number for the one stored. It is possible that I was using a linked account and thus gained some admin rights, but it certainly took me by surprise at the point I was able to do it.
I have yet to see an implementation of 2SV that will not by difficult for the user to manage particularly less sophisticated users. You know, the ones who use ‘password’ as their password because it’s easy to remember. I’m sure it can be done. Just not done well yet.
SMS-based two factor authentication is well-established in some parts of the world, less so in others. For example, I’ve met South Africans visiting Oz who have got so used to SMS-based 2FA when banking (it’s been common there for years) that they’ve expressed astonishment at Aussies who *don’t* use it.
I guess it’s like wearing a seat belt when you drive – 30 years ago, experienced drivers felt it was an imposition, or uncomfortable, or would sometimes genuinely forget. But I’ve never driven when or where they were optional, so it feels weird not wearing one.
You say it only applies on the first login ? If I login via a we browser it asks each time unless you tell it to remember.
Also app passwords – don’t Google and Microsoft also use app passwords ?
What about those of us who don’t have a mobile phone? (I’m sure that I’m not the only such person.) Should one get a mobile phone just to enable two-step (or factor) authentication?
It’s not a totally wild idea. I did 🙂
I bought the smallest, lightest (and cheapest, as it happened, at about $9 including the SIM) mobile to use as a clock, an alarm and as my 2FA token. I keep the radio turned off unless I am about to log in, which. makes the battery last for weeks.
That approach is not for everyone, but I’ve found it to be much less of a hassle than I thought.
Many non-Apple services support software tokens, too, which you can run on non-GSM mobile devices…
Paul, Thanks. I might well follow your advice and get the cheapest cell phone just to receive SMS authentication messages. With Pay As You Go, I think you sometimes have to use the phone every x months to avoid losing credit / retaining the service.
My prepaid service requires (if memory serves) one SMS or outbound call to a toll-paid number every three months. After that your number goes back into the bucket of numbers available for re-use and so you may or may not be able to get it back…bit like deleting a file and later trying to undelete it 😉
I use a service that sends SMS messages into a webmail account with a randomized username and password. Not the most secure thing, but it works, and any attacker still needs to know about the email account, the username, and the password. Since the messages are one-time, I don’t really worry about whether the mail service provider secures them over time.
That is one thing about SMS codes…just how “one time” are they? You can’t easily tell from the tiny sample you will collect over time 🙁
I thought Apple requires that the SMS recovery messages go to an iPhone or perhaps another type of smart phone. Is that correct?
Also, can the recovery messages be directed to Gmail, for example? That is what I would prefer.
SMSes pretty much go to a SIM (subscriber identity module) card, not a phone. You can put that SIM into any device you like. How would Apple know what it was before the message was sent?
You’re both right – when you have 2SV set up for Apple, and you need to use it, it will present you a list of trusted phone numbers and trusted devices – if you use a phone number it sends an SMS to that number. If you use a device (has to be an Apple device) it appears to use some in-built Apple notification mechanism to send the code to that device.
Ah, yes, that’s APNS (Apple Push Notification Service).
IIRC, however, you do need to give a phone number and you must be able to receive at least one SMS to kick the 2SV service off.
I believe you are incorrect in your statement: “In the same way that Apple’s 2SV can’t be turned on for every online purchase you make (why not?), it can’t be turned on for your actual data interactions with iCloud, such as kicking off a restore (why not?)”
I just completed a restore of iPhone 5 from my 2SV-enabled iCloud account, and it required 2SV to kick the restore off.
So, in my way, Apple is doing exactly the right thing. Requiring 2SV for every payment etc. would be silly overkill. Now, all data interactions that matter *are* protected.
OK, sounds good. But was this a new-to-your-account device? If you restore it a second time (go on, you know you want to do a factory reset and repeat the exercise to take one for the team 🙂 will it ask?
If so, I’m pleased. It’s not what Apple’s FAQ says (or even implies), as far as I can see, though. The FAQ talks about “first login on new device.” That should stop a crook who gets your password and Brings His Own Device, but it doesn’t sound as though it would stop a crook who steals your device recovering to it data you thought you’d deleted. Of course, if he’s got the device and it’s the one you send your SMSes to, you’re in trouble anyway, but…
And why wouldn’t you want an option to get a 2SV code before your money gets spent? I know plenty of people who prefer a bit more friction in their payments…making payments super-easy sounds to me like more of a benefit to the merchant than to you 🙂
This is an existing device that I needed wipe and restore, so 2SV appears to protect the restores.
I continue to respectfully disagree with your logic on purchases. Device and account security (passcode & password or TouchID) seems the right amount of security as frictionlessness (did I just invent a new word?) is in my opinion in the interest of all parties.
Using a security measure (2SV) to mitigate a behavior problem (lack of impulse control) seems like a misapplication of tools… 🙂
The point is that people should be able to choose how much they want 2SV to protect (perhaps with a minimum). Why shouldn’t I be able to protect every purchase if I want to? Apple wouldn’t have to force it on everyone – they could easily allow everyone to choose what level of 2SV protection they want to use.
Also, the point isn’t to mitigate a behaviour problem – if someone steals my device or somehow gets my account password currently there is no 2SV protection against them making purchases on it.
Apple, one of the most “reactive” companies in the world. BTW Itunes sucks. Next to Sony and their stumblings. Sorry if I offended any diehard fans of those companies. And no one should be a diehard fan of a company anyway.
No one should be a diehard enemy of a company either. That’s still fanboyism. Perhaps you should post a comment that’s actually relevant to the article.
Ok jet86. Apple has an awesome PR department. Their marketing campaigns seem to be always the utmost on precision, quality and information. They have no problems leading anyone to believe that they will always strive to be one of the top leaders in technology. Unfortunately, that same zeal & effort and money doesn’t spread where it should. I own a Macbook. But I call out any company ignoring their own issues that they can absolutely take care of.