Massive iCloud Hack Shows Criticality of Strong Authentication
Apple has a reputation for building secure systems. The Mac is still far more hack proof than PCs, and the iPhone being a closed system has not been hit with a plethora of malware.
The iCloud had much the same reputation – until this week.
Hackers reportedly successfully compromised millions of iCloud logins. The hackers, dubbed the Turkish Crime Family (but ironically based in London), then demanded Apple given them $100,000 in iTunes cards. This is a takeoff on ransomware. Instead of locking up data and demanding money, the bad guys steal data and want cash for its return. The group has been trying to extort money in return for the log ins from other companies as well.
There is some dispute as the facts of this case. Apple says its iCloud servers were not compromised and whatever data the Turkish Crime Family claims to have come from a hack against LinkedIn some five years ago, Business Insider reported.
Apple may have spoken too fast as the hacker group promptly turned over the data to ZDnet which confirmed that it was iCloud log in data. In fact, the data was enough to help ZDnet contact ten of the victims and confirm that it was their data that was stolen.
As of this writing it not completely clear if Apple was entirely mistaken. One theory still making the rounds is that log in information did come from the LinkedIn hack and that these victims simply reused that log in info for their iCloud accounts. Many users reuse authentication information because complex passwords are so hard to remember.
Meanwhile ZDnet is still trying to get the bottom of it, and believes the compromised credentials did not come from Apple itself.
“Based on our experience and our interactions with the group and its members, it's evident that the group is naïve and inexperienced. Based on its grandiose claims and its cherry-picking media outlets to cover its claims, it's also clear that the group is gunning for publicity. When we began asking the group questions, the conversation quickly turned to whether or not CBS News (which like ZDNet is also owned by CBS), would also cover the group's claims,” ZDnet said.
Apple so far has not asked users to reset their passwords. It did, however, strongly suggest the use of two-factor authentication.
Two-Factor to the Rescue
Often referred to as 2FA, two-factor authentication is a verification process that adds one more layer of credential confirmation to a login process. Also recognized as a multi-factor authentication, 2FA requires the input of the standard password/username combination, as well as, a second piece of information that can only be provided by the authorized individual. With the incorporation of 2FA, cyber-hackers find it far more challenging to access account to steal an identity or obtain crucial confidential information.
In the cyber world, 2FA is now used on a variety of large websites including Yahoo, MSN, Google, and Twitter along with a plethora of banking institutions. By incorporating two-factor authentication into the login process, businesses can dramatically lower the rate of identity theft. It also helps avoid phishing expeditions through email accounts, because the cyber-criminal will need to purloin more than just the standard username and password combination to gain access to accounts and data.
Check out our 2FA Buyers Guide for more information.