This week, an underground ring of hornballs published online more than 100 intimate photos of famous women, many of which were stolen from iPhones. Apple was quick to investigate the alleged iCloud leak, but the company’s public-facing conclusions were, well, more confusing than they were helpful.
“After more than 40 hours of investigation, we have discovered that certain celebrity accounts were compromised by a very targeted attack on user names, passwords, and security questions, a practice that has become all too common on the Internet,” the Cupertino, California-based company said in a statement. “None of the cases we have investigated has resulted from any breach in any of Apple’s systems including iCloud or Find my iPhone.”
In other words: Yes, your data was stolen. But no, it wasn’t our fault. Our systems were safe!
In a rare interview, Tim Cook spoke with the Wall Street Journal about coming changes to iCloud’s security protocols. Soon, Apple will begin alerting users by email and push notification whenever someone tries to change their password or restore iCloud data to a new device. But here’s the key part:
He also said that Apple will broaden its use of an enhanced security system known as “two-factor authentication,” which requires a user, or a hacker, to have two of three things to access an account: a password, a separate four-digit one-time code, or a long access key given to the user when they signed up for the service.
When the feature is turned on, Apple requires users to complete two of those steps to sign into an iTunes account from a new device. …
Apple said a majority of users don’t use two-factor authentication, so it plans to more aggressively encourage people to turn it on in the new version of iOS. If the celebrities had the system in place, hackers wouldn’t have had an opportunity to guess the correct answer to security questions, Apple said.
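To make the “two of three” rule in the excerpt concrete, here is an added Python sketch of a new-device sign-in check with and without the feature turned on. It is not Apple’s code; the `Account` model, the function names, and the legacy password-or-security-questions path are assumptions used for illustration.

```python
import hmac
import secrets
from dataclasses import dataclass, field

@dataclass
class Account:
    """Constructed model of an iCloud-style account; all names are assumptions."""
    password: str
    recovery_key: str            # long access key issued when the user enrolled
    security_answers: dict       # question -> answer: knowledge-based, guessable
    two_factor: bool = False
    pending_codes: dict = field(default_factory=dict)  # device_id -> one-time code
    alerts: list = field(default_factory=list)         # e-mail / push notifications

def _eq(expected, given):
    # Constant-time comparison; an absent factor never counts as verified.
    return given is not None and hmac.compare_digest(expected.encode(), given.encode())

def issue_one_time_code(acct, device_id):
    """Generate the four-digit code that would be pushed to a trusted device."""
    code = f"{secrets.randbelow(10_000):04d}"
    acct.pending_codes[device_id] = code
    return code

def sign_in_new_device(acct, device_id, password=None, code=None,
                       recovery_key=None, answers=None):
    """Return (allowed, reason) for a sign-in from a not-yet-trusted device."""
    acct.alerts.append(f"sign-in attempt from new device {device_id}")
    # A pending code is consumed on first use, success or not, so a
    # four-digit code cannot simply be brute-forced by repeated attempts.
    pending = acct.pending_codes.pop(device_id, None)
    factors = {
        "password": _eq(acct.password, password),
        "code": pending is not None and _eq(pending, code),
        "recovery_key": _eq(acct.recovery_key, recovery_key),
    }
    verified = [name for name, ok in factors.items() if ok]
    if acct.two_factor:
        # Security-question answers are not a factor here: a guessed answer,
        # even together with the password, does not reach two of the three.
        if len(verified) >= 2:
            return True, "verified: " + "+".join(verified)
        return False, f"two-factor enabled, only {len(verified)} factor(s) verified"
    # Legacy path: the password alone, or the security-question reset route.
    if factors["password"]:
        return True, "password accepted, no second factor required"
    if answers and answers.keys() == acct.security_answers.keys() and all(
            _eq(acct.security_answers[q], a) for q, a in answers.items()):
        return True, "security questions answered (guessable path)"
    return False, "no factor verified"
```

The legacy branch is what makes guessable security questions dangerous; once `two_factor` is set, the same answers buy an attacker nothing, and every attempt still lands in `alerts` for the notification step described above.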
How Apple plans to do that, exactly, is unclear. And plenty of people–including myself–found activating two-factor authentication on the iPhone to be nothing short of an enormous headache. As security researcher Patrick Thomas of Neohapsis told me on Tuesday, the fact that most people don’t utilize two-factor authentication speaks to a serious security failure on Apple’s part. Two-factor authentication, he argued, should come on every phone as the default.
“As a security person, I wouldn’t want us to say here’s a special thing that you need to do to send private photos to someone,” Thomas said. “You shouldn’t have to resort to complex tools in order to do something as simple as send a private email or photo.”