Apple have taken a step towards improving security by introducing two-factor authentication for users of iCloud and other services. This extra protection then requires mobile phone verification for changes in personal details or online purchases, to protect against hackers trying to access people’s accounts. Similar measures have also been implemented by Google, Facebook and Hotmail after significant increases in hacking.
Two-factor authentication relies on the user having a ‘trusted’ mobile phone in their control, although users are also given a backup code in case they lose their phone or are outside network coverage. Any changes to personal details which are made online have to be verified using a code that is sent to the mobile phone. Without this code, changes such as altering a backup email address or password will not be approved. iCloud currently has over 250 million users, and this extra security will undoubtedly be gratefully received by many.
The 2FA system replaces “security questions”, which often contain information about people that is publicly available, for example school or pet names. The change can be made under ‘manage your Apple ID’. However, it doesn’t prevent children or others from spending large amounts of money on devices where they already have the password; that has to be prevented by settings on the device.
Weaknesses in single password security have been demonstrated publicly on a number of occasions. The BBC Weather Twitter account was hacked by pro-Syrian activists, who either guessed the password or captured it. Twitter is also working on a two-factor authentication service.
The writer Mat Honan also saw his iCloud account wiped last year, when hackers got into it by way of an Amazon account. Apple was criticised for allowing password resets over the phone, while Amazon was criticised for accepting changes to account settings via phone. Hackers guessed his Apple email, and then broke into his Amazon account via a credit card number and billing address. They then methodically wiped his Gmail account of emails, took control of his Twitter account, and remotely wiped his iPhone, MacBook and iPad.
Apple said: “Apple takes customer privacy very seriously, and two-step verification is an even more robust process to ensure our users’ data remains protected. We are now offering our users the choice to take advantage of this additional layer of security.”
If you’re concerned about the security of your communication systems or mobile devices, please contact us and we will be happy to provide help and advice, as well as answer any queries.