Apple, Inc. (AAPL) CEO Timothy Cook continues to deny that his company was to blame for the hack of celebrity iCloud accounts and theft of their private photos, including a number of nudes. But in a telling gesture he agreed to strengthen security with new notifications to alert users of potentially suspicious activity.
Apple contends that the celebrity accounts were compromised when hackers correctly guessed security questions that allowed them to reset the account password to one of their choosing. Some celebrity accounts were also believed to be compromised via stolen username and password data obtained by spear-phishing attacks with fake login pages.
In an interview with The Wall Street Journal (WSJ), Mr. Cook stated:
When I step back from this terrible scenario that happened and say what more could we have done, I think about the awareness piece. I think we have a responsibility to ratchet that up. That’s not really an engineering thing. We want to do everything we can do to protect our customers, because we are as outraged if not more so than they are.
To Apple’s credit, many sites’ data could be compromised using similar tactics. However, it is fair to say that Apple hasn’t exactly been leading the way when it comes to protecting its customers’ mobile device cloud content.
Apple CEO Tim Cook says he’s “outraged” at hackers for stealing celebrities’ data from the iCloud.
Microsoft Corp. (MSFT), for example, offers aggressive alerts whenever a password change takes effect or a user logs in from a new device. It also offers the option to set up multi-factor authentication for even more security. Facebook, Inc. (FB), likewise, has adopted a creative authentication system that requires users to identify photos of friends whenever they log in from a new device or location.
Such procedures could be viewed as the digital equivalent of posting a guard to protect a site, versus simply assuming a lock on the door meant a location was secure.
Apple did support two-factor identification (using a four-digit PIN) in some of its online portals, but it did not support it on the mobile front. By contrast, Windows Phone incorporated multi-factor authentication in a mobile form factor. According to Mr. Cook, iOS 8 will change that, allowing two-factor identification when logging in to the iCloud from a mobile device for the first time. It’s unclear whether that feature was previously planned or was added in response to the recent intrusions.
With Cloud Drive in iOS 8, Apple will add the option of two-factor authentication on mobile devices.
He also said Apple would show additional prompts to users logging in to iCloud, suggesting that they activate the protection.
Under Apple’s new procedures, alerts will be sent when the user changes their password, backs up their photos to a new device, or logs into an account for the first time. The procedures are probably most similar to those used by AOL, Inc.’s (AOL) AOL Instant Messenger (AIM), which notifies users when they’re logged in from multiple locations (a potentially suspicious sign).
In the WSJ report, Ashkan Soltani, an independent security researcher, suggested that measures such as two-factor authentication may annoy users and that the new alerts won’t help, as they notify users of intrusions after the fact. He states:
There’s a well-understood tension between usability and security. More often than not, Apple chooses to err on the side of usability to make it easier for the user that gets locked out from their kid’s baby photos than to employ strong protections for the high-risk individuals.
[Additionally, new notifications] will do little to actually protect consumers’ information since it only alerts you after the fact.
The jury may indeed be out on the usefulness of these new features, but it appears Apple has finally responded more responsibly to the growing backlash, pledging to match Facebook, Microsoft, and other top firms in security options.