Apple's iCloud attack is nothing in comparison with the kind of attacks every tech firm must prepare for, as they offer payment and connected solutions for home, health and car. Here's some ways for you to protect yourself and for Apple to improve its own security.
Brief version: Apple's statement and information from elsewhere suggests hackers targeted individuals using a combination of research (finding place and date of birth and other information used in Apple's password protection) and brute force attacks to hack the accounts of known individuals. These excellent reports illustrate this. Using these methods hackers got hold of complete iPhone backups.
There are steps everyone should immediately take to improve iCloud account security:
Use a strong account password: iCloud customers should change their Apple ID to a new, strong password at My Apple ID immediately, using extra characters and punctuation marks. Change the password regularly.
Enable two-step verification: Apple offers two-step verification as an option. Two-step verification requires you verify your identity using one of your devices before you can make changes to your account information or purchase digital goods using an unknown device. Enable it.
Change your security questions: Apple uses security questions to help you identify yourself online or when contacting Apple Support. These are personal questions, such as where you had your first kiss. If you are in the public eye, it makes sense to use memorable lies rather than give true answers, as iCloud hackers apparently researched such answers when hacking into the accounts. The answers just need to be memorable, not accurate.
Use iTunes backups: Many backup devices to iCloud. Given it's possible iCloud backups were used to access personal data, it makes sense to switch to using iTunes backups, pending new security protections being put in place. (Settings>iCloud>Storage & Backup and toggle the iCloud backup switch off.)
Replace credit cards regularly: Your credit card details travel with every purchase you make. Be paranoid.
How can Apple improve security?
A few suggestions Apple might follow to improve iCloud security:
Apple should make two-step verification default as soon as possible.
Given mobile devices and Macs know where they are (if permitted), it makes sense to use location as security: users could tell iCloud to only permit certain actions (such as downloading backups) if the device is situated in a defined country, city, region or street. Travelling iCloud customers should easily be able to let the service adapt to their plans.
The user should be alerted and the task prevented if attempts are made from devices outside this customer-defined geofence. This kind of geofencing will significantly impair hackers. Customers could be permitted to disallow account access using a computer or device that does not reveal, or appears to mask, its location.
When a customer attempts to access their iCloud account from a device authorized to their account equipped with TouchID, a successful fingerprint scan may be required as part of the login process.
Apple's iPhoto already recognizes faces. Why not apply this feature within security protection? Most computers have webcams; most devices have cameras. This isn't impossible.
Apple's Preview app can take a picture of your signature. Most systems have cameras -- to access your account a signature match could be required.
The truth about online security on any platform is that every form of security can in some way be undermined, but technology firms must maintain the dialog of regularly introducing new protection. It's the equivalent of showing your home is occupied to deter against burglary. No platform is immune and vigilance is required.
- Mobile health: Who'll keep your secrets, Apple or Google?
- How to defend against Apple's Oleg Pliss iCloud attack
- Can Apple keep us safe in the Internet of Things
- Security expert rejects Apple, NSA, iOS backdoor claims
- Adobe CS and the dangerous cloud
- 6 ways Apple protects your privacy in iOS 8
- Apple's 'Gotofail' bug sucks, but here's 8 ways to stay safe online
- Apple values your privacy, ads firms complain
- Apple has no Heart (bleed)
Got a story? Drop me a line via Twitter or in comments below and let me know. I'd like it if you chose to follow me on Twitter so I can let you know when fresh items are published here first on Computerworld.