Apple Adds Two-Step Verification for iCloud Backup
By Shirley Siluk / CRM Daily
Stung by a recent high-profile hacking involving nude photos of celebrities, Apple has added two-step authentication for backups on its iCloud cloud-based storage service. The change is aimed at preventing hackers from being able to access someone's personal backup data with just a password.

A user who chooses the option of two-step authentication must enter both a password and a four-digit code sent at his request to his phone or other trusted device. While Apple already offered two-step authentication for iCloud, the previous level of security left backups and the Find My iPhone service vulnerable.

Those vulnerabilities enabled someone to access nude photos that several female celebrities had taken using their iPhones, even after the women had deleted the pictures from their devices. A large number of those photos were then posted on the imageboard site 4chan in late August.

‘A Very Targeted Attack’

In a statement issued on September 2, following the release of the stolen photos, Apple said that it was "outraged" and "immediately mobilized Apple’s engineers to discover the source." Those investigations revealed that the celebrities' accounts were "compromised by a very targeted attack on user names, passwords and security questions, a practice that has become all too common on the Internet."

To prevent such security attacks, Apple recommended that all users "always use a strong password and enable two-step verification."

On September 10, however, Ars Technica reported that its team was able to use forensic software and other strategies to access other users' iCloud backups. Included in that backup data were phone call histories, deleted images, Apple Maps address searches and an address book database.

"It’s clear that anyone targeted by an iCloud account hack hasn’t just had pictures exposed; their entire digital lives have been laid out on display," Ars Technica reported at the time.

In a follow-up article published Tuesday, Ars Technica reported that it was no longer able to use forensic software to access backup data from iCloud accounts protected with the new two-step authentication. Accounts that had not activated two-step authentication were still vulnerable, it added.

App-Specific Passwords Required Soon

Apple on Tuesday updated its FAQ page on two-step verification. It noted that users who enable two-step verification must be sure to remember their passwords, keep their devices physically secure and store their recovery keys in safe places. The 14-digit recovery keys ensure that users who forget their passwords or lose their trusted devices can still access their accounts.

Two-step verification is now available to Apple users in 59 countries, including the U.S., U.K., Germany, France, China, India and Brazil.

Starting October 1 of this year, iCloud users who want to sign into their accounts using third-party apps (such as Microsoft Outlook or Mozilla Thunderbird) will also be required to use app-specific passwords. Such passwords allow users to "sign in securely, even if the app you're using doesn't support two-step verification," Apple noted.

Tell Us What You Think


Hitoshi Anatomi:
Posted: 2014-09-19 @ 11:11pm PT
2 is larger than 1 on paper, but two weak boys in the real world may well be far weaker than a toughened guy. Physical tokens and phones are easily lost, stolen and abused. Then the password would be the last resort. It should be strongly emphasized that a truly reliable 2-factor solution requires the use of the most reliable password.

It is very worrying to see so many ICT people being indifferent to the difference between AND/conjunction and OR/disjunction when talking about “using two factors together”.

Biometrics can theoretically be operated together with passwords in two ways, (1) by AND/conjunction or (2) by OR/disjunction. I would appreciate hearing if someone knows of a biometric product operated by (1). The users of such products must have been notified that, when falsely rejected with the devices finally locked, they would have to see the device reset.

Touch ID and other biometric products are operated by (2) so that users can unlock the devices by passwords when falsely rejected, which means that the overall vulnerability of the product is the sum of the vulnerability of biometrics and that of a password. It is necessarily larger than the vulnerability of a password, say, the devices with Touch ID and other biometric sensors are less secure than the devices protected only by a password.

As for an additional vulnerability unique to biometrics, we could refer to

Needless to say, so-called 2-factor systems with a password remembered as the first factor and something possessed as the second factor are generally operated by (1), providing raised security at the sacrifice of lowered convenience. This may have misled many people to take it for granted that using two factors will always raise security, and that the devices with biometric sensors are always safer than the devices without.

© Copyright 2018 NewsFactor Network. All rights reserved. Member of Accuserve Ad Network.