Apple enhances security features in iCloud
Apple has stated that its iCloud servers were not compromised, but it has indicated that some accounts may have not been adequately protected, such as, weak passwords and easy security questions. CEO Tim Cook further widened the blame blanket that some account holders might have fallen for a phishing scam.
Since the story broke over the weekend, Apple patched a clear exploit in iCloud which allowed unlimited log-in attempts, a perfect target for a brute force user ID and password combination attack. Apple has not stated, and probably will not, if some of the compromised accounts were accessed in this manner.
While two-factor authentication might have provided some extra security, Apple admits that the majority of its customers do not use it. So, awareness on that piece, among other steps, are part of the enhancements Apple plans to roll out in assisting customers protecting their data.
In addition to more aggressively promotion two-factor authentication, Apple will also start alerting customers via email and iMessage when iCloud is asked to restore data to a new device. Also, alerts will be sent when the user tries to log in from a new device for the first time. Even then, these notifications are arguably after-the-fact events, so the responsibility still lies with the user.
Some of these measures may seem like “Cybersecurity 101,” but we can all relate when such steps ultimately impede the user experience to the point where a customer simply will not use a given feature. Apple is working with the FBI, which is investigating the incident which saw more than 100 iCloud accounts get side-stepped.
These are good first steps for Apple to take, but it will also need to find a way to adequately inform its customers through the user experience about how its cloud services work, what the risks and benefits are, and how to best protect data, pictures, and videos backed up to iCloud. This may be an opportunity to evolve the legalese from a "too long, didn't read" click through, and incorporate something more engaging.
For now, the newly announced measures will go into effect over the next two weeks.
sources: The Wall Street Journal and CBS News