After flying into a stormy iCloud, is it time to kill the online security question…to kill it with fire? Plenty of people have suggested exactly that for many years, the latest being Kevin Rose. After Googling for five minutes, he had security answers for President Barack “Obama’s first pet, city of birth and the first name of his maternal grandfather.”
The IEEE Computer Society's Center for Secure Design recently released a report on the top 10 security design flaws and how to avoid them. Under the heading of “use an authentication mechanism that cannot be bypassed or tampered with,” part of the report states that the use of authentication techniques that don't fall into the category of something you know like a password or the answer to an online security question, something you are via biometrics such as fingerprints, or something you have like a smartphone, “may also allow users to access a system or service they shouldn't.”
Yet knowledge-based online security questions should “truly be answerable only by you,” said Rose before suggesting a security question like "What's your favorite porn site?" That’s the kind private info you likely will not share about yourself on social media. Even if you think of a security question that couldn’t be guessed by something you posted online, or even answered via your publicly shared pictures, “guessing this information wouldn't be hard for your ex, your best friend, or someone who could view your Instagram history, your LinkedIn profile, or your Facebook photos and piece the information together.”
“There's no reason a company like Apple should be relying on questions like ‘What was the model of your first car?’ for password recovery in 2014,” Rose added. “If that's the best way we have of making sure a user is legit, we might as well change all of our passwords to ‘1234’ and hope for the best.”
Today, there are 18 security questions presented upon setting up an Apple ID and you must select three. They are not all horrid, but have you given clues online as to the answers?
Sadly there is no choice to create your own security question and then answer, but then again…there would be way too many “first pet” questions. A Social Network Fraud Survey conducted in 2010 by ID Analytics found that, "Nearly 20 million Americans reveal their pets' names on their social networks, another common security question asked to verify identities."
For Apple two years ago, the security questions included the city where you were first kissed; what and where for first job, first concert and “Where were you on Jan. 1, 2000?” There were plenty of complaints about the choices, including giving the dreaded fake answer when presented with a security question that has no relevance in your life, or giving an answer that changes based on your current “favorite.”
Many of those criticisms about Apple security questions occurred right around the time tech journalist Matt Honan was “hacked hard” and that included using iCloud's remote wipe service to completely erase Honan's iPhone, iPad and MacBook.
That also coincided with Steve Wozniak warning that the cloud was “going to be horrendous” and there would be “a lot of horrible problems in the next five years. With the cloud, you don't own anything. You already signed it away… A lot of people feel, 'Oh, everything is really on my computer,' but I say the more we transfer everything onto the web, onto the cloud, the less we're going to have control over it.”
That’s true even if you don’t backup your smartphone photos in the cloud. Deleting your dirty little secrets like compromising selfies on a phone is not as straightforward as it should be, meaning erasing your data via factory reset doesn’t mean it’s really deleted.
NPR asked, “If you don't want sensitive stuff on Apple or Google servers, does deleting it from your phone mean it won't go to the cloud? For example, is a naked selfie on your smartphone ever really private?”
NPR’s Aarti Shahani responded:
No! On a smartphone, the completely private naked selfie is a myth. A user has to take explicit steps to disable what's called automated backups. Otherwise Apple and Google are copying every picture to their servers. And it's really common — in these phone-related breeches — for the hackers to target those backups. (Directions on how to turn backups on and off are here for Google and Apple iCloud.)
Shouldn’t clicking delete really mean delete everywhere? It should, but it doesn’t. It’s on the owner of the photo to make sure it’s permanently gone and not backed up elsewhere; just as it is on the owner of the photo to make sure metadata is removed as people have been busted for posting photos of pot as well as stalked.
On Sept 9, Apple CEO Tim Cook is expected to reveal a mobile wallet system during the launch of iPhone 6, something that some fans started lining up for a week in advance. Bloomberg suggested the mobile payment system includes agreements with Visa, MasterCard and American Express, meaning Cook was about to ask users to have even more faith in the cloud. Faith is in short supply for Apple investors as Apple shares fell yesterday, costing investors $26.1 billion. “To put the day’s decline in perspective, the market value lost in Apple in one day exceeds the entire value of more than half the companies in the Standard & Poor’s 500.”
Cook may choose not to address the iCloud drama, but it’s likely he will reassure users that two-step verification will roll out to include iCloud. Until then, enable two-factor authentication for your Apple ID and possibly turn off iCloud so your selfies aren’t stored there and potentially awaiting someone else to access them.