Hackers have threatened to reset the passwords of 300 million iCloud accounts and remotely wipe victims’ devices on April 7. That’s unless Apple coughs up $US75,000 ($98,441) in the crypto-currencies Bitcoin or Ethereum, or $US100,000 worth of iTunes gift cards.
The website motherboard.vice.com reported the extortion attempt and spoke with one of the hackers from the so-called ‘Turkish Crime Family’. He disclosed emails to and from Apple’s security team. But Apple says there has been no security compromise of Apple ID and iCloud accounts.
Whether true or not, the internet of 2017 is a dangerous place security-wise.
You either take a risk you will be hacked by not practising proper security, or you’re weighed down by a tedious login process. The rules are clear: use a unique password for each site that you regularly update, followed by a second tier of authentication.
Some of us still try to memorise passwords, or write them on bits of paper and throw them into a drawer.
The best way to implement unique passwords for every app is to use password safes such as LastPass, Dashlane, KeePass and 1Password. I prefer third-party password safes like these, because they work across different browsers and operating systems, and with phones, laptops and tablets.
You open the safe with its master password — the only one you need to remember. You can then access all your recorded passwords. Safes can be configured to fill in individual app passwords as you access them. They minimise the pain.
Good password safes like LastPass go further. LastPass will tell you which passwords are at risk because of data breaches, and point out weak, old and reused passwords, and help you update them.
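The kind of check a password safe runs over its vault, as an added example (not LastPass’s or any other product’s code): it flags passwords reused across sites, passwords that are short or drawn from a single character class, and passwords older than a year. The vault entries, the date used as “today”, and the thresholds are constructed for the example; a real safe would also compare entries against known breach data.

```python
import hashlib
from collections import defaultdict
from datetime import date
from typing import Dict, List

# Constructed sample vault for the example; these are not real credentials.
SAMPLE_VAULT = [
    {"site": "bank.example",  "password": "Tq7!vL9#mXp2@rWz",             "last_changed": date(2016, 11, 3)},
    {"site": "shop.example",  "password": "summer2015",                   "last_changed": date(2015, 6, 1)},
    {"site": "forum.example", "password": "summer2015",                   "last_changed": date(2016, 9, 12)},
    {"site": "mail.example",  "password": "correct horse battery staple", "last_changed": date(2017, 1, 20)},
    {"site": "news.example",  "password": "123456",                       "last_changed": date(2017, 3, 1)},
]


def is_weak(pw: str, min_len: int = 12) -> bool:
    """Crude strength heuristic (assumed thresholds): too short, or built
    from fewer than two character classes (lower, upper, digit, other)."""
    classes = sum([
        any(c.islower() for c in pw),
        any(c.isupper() for c in pw),
        any(c.isdigit() for c in pw),
        any(not c.isalnum() for c in pw),
    ])
    return len(pw) < min_len or classes < 2


def audit_vault(vault: List[dict], today: date, max_age_days: int = 365) -> Dict[str, list]:
    """Return the sites whose passwords are reused, weak, or older than max_age_days.

    Reuse is detected by grouping on a hash of the password rather than on
    the plaintext, so the grouping key never needs to hold the password itself.
    """
    by_hash: Dict[str, List[str]] = defaultdict(list)
    for entry in vault:
        digest = hashlib.sha256(entry["password"].encode("utf-8")).hexdigest()
        by_hash[digest].append(entry["site"])

    reused = sorted(sorted(sites) for sites in by_hash.values() if len(sites) > 1)
    weak = sorted(e["site"] for e in vault if is_weak(e["password"]))
    old = sorted(e["site"] for e in vault
                 if (today - e["last_changed"]).days > max_age_days)
    return {"reused": reused, "weak": weak, "old": old}


if __name__ == "__main__":
    # "today" is fixed to the article's time frame so the run is reproducible.
    for category, sites in audit_vault(SAMPLE_VAULT, date(2017, 3, 23)).items():
        print(f"{category:6s}: {sites}")
```

The same password appearing on two sites is the finding that matters most: one breached site then gives an attacker the other account for free, which is exactly why the safe generates a different password per site.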
But nowadays we also have to consider two-factor authentication, which makes sure only you can access your accounts. It protects you even if someone knows your password. Typically a text message with a code is sent to your phone after you enter a password. You then enter the code. So unless a hacker has your phone, you’re safe.
Understandably, it’s added complexity and tedium that many of us hate. Secondly, some programs, including older email clients, don’t work with it.
Let’s take iCloud. You switch on two-factor authentication in iCloud settings on your phone, tablet or Mac, and then nominate ‘trusted’ phone numbers that will be contacted to verify that it is you. You’re sent a code to type in on the device accessing iCloud.
But there are problems. For example, Microsoft’s mail client in Windows 10 doesn’t show mail from an iCloud account using two-factor authentication. That’s useless if you use an iCloud mail account on your phone, but are a Windows desktop user.
Fortunately Apple has a feature called ‘app-specific passwords’. Whenever you need to, you can generate a one-off password that will work with third-party apps, even if they don’t support Apple two-factor authentication. With this, I got my iCloud mail account working again with the Windows Mail client.
App-specific passwords aren’t as secure as two-factor authentication. Someone could steal your PC and read your iCloud mail. But it does protect you against hackers across the world accessing your mail remotely: they won’t have that complex, one-off password. And with two-factor authentication still on, other iCloud access is protected.
Google offers two-step authentication too and it’s found at myaccount.google.com/security. With Google there are alternative second step authentication choices in case your phone isn’t accepting text messages. For example, you can create printable one-time passcodes to take travelling overseas where your SIM may not work. You can nominate a backup phone, or a Yes/No prompt on your phone.
You can also use Google’s Authenticator app. It too frees you from depending on SMS messages, and it works even when you’re offline. Instead of typing in a six-digit code sent by SMS, you fire up the Authenticator app, which gives you a temporary code to use instead. Codes have a short life of, say, 30 seconds.
It’s a great idea to have Authenticator installed if you are going overseas or plan to use a different SIM. You need to check that Authenticator supports the apps you have set up for two-factor authentication.
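How an authenticator app produces those 30-second codes, as an added example that is not Google’s or any other vendor’s code: it is the time-based one-time password algorithm (TOTP, RFC 6238) built on HMAC-SHA1 over a counter derived from the current time. The shared secret in the block is the published RFC test seed, not a real account key; the `verify` helper and its one-step drift window are the example’s own assumptions about how a server side would check a code.

```python
import base64
import hashlib
import hmac
import secrets
import struct
import time
from typing import Optional

# Constructed test key: the 20-byte ASCII seed from the RFC 4226/6238 test
# vectors, used so the output can be checked. A real app stores the secret
# that its enrolment QR code carried.
RFC_TEST_SECRET = b"12345678901234567890"


def new_secret(nbytes: int = 20) -> str:
    """Generate a fresh shared secret, base32-encoded as enrolment strings are."""
    return base64.b32encode(secrets.token_bytes(nbytes)).decode("ascii")


def decode_secret(b32: str) -> bytes:
    """Undo the base32 encoding; QR codes often strip the '=' padding."""
    cleaned = b32.strip().replace(" ", "").upper()
    return base64.b32decode(cleaned + "=" * (-len(cleaned) % 8))


def hotp(key: bytes, counter: int, digits: int = 6) -> str:
    """HOTP (RFC 4226): HMAC-SHA1 over the big-endian counter, dynamically
    truncated to a 31-bit integer, reduced to the requested number of digits."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    truncated = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return str(truncated % (10 ** digits)).zfill(digits)


def totp(key: bytes, at: Optional[int] = None, step: int = 30, digits: int = 6) -> str:
    """TOTP (RFC 6238): HOTP with the counter set to the current 30-second slot.
    This is what the app shows; the code changes when the slot rolls over."""
    at = int(time.time()) if at is None else at
    return hotp(key, at // step, digits)


def verify(key: bytes, code: str, at: Optional[int] = None,
           step: int = 30, window: int = 1, digits: int = 6) -> bool:
    """Server-side check (assumed policy): accept the code for the current slot
    or one slot either side, so a phone clock a few seconds off still works.
    Every candidate is compared in constant time."""
    if len(code) != digits or not code.isdigit():
        return False
    at = int(time.time()) if at is None else at
    counter = at // step
    ok = False
    for drift in range(-window, window + 1):
        ok |= hmac.compare_digest(hotp(key, counter + drift, digits), code)
    return ok


if __name__ == "__main__":
    print("enrolment secret:", new_secret())
    print("code right now:  ", totp(RFC_TEST_SECRET))
    print("code at T=59:    ", totp(RFC_TEST_SECRET, 59))  # 287082
```

Nothing is transmitted to the phone: both sides hold the same secret and the same clock, which is why the code works without a SIM or a network. The flip side is that anyone who copies the secret can generate the same codes, so the enrolment string deserves the same care as a password.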
There are third-party apps that claim to do the job better than Google Authenticator. Authy and FreeOTP Authenticator are two. LastPass also has an authenticator app that works with a swag of apps and websites.
Fortunately, there is light at the end of the tunnel — biometrics. Over time, fingerprint authentication should do away with typing codes into a phone. After all, who can forge your fingerprint login? Fingerprint verification is already being used by several banks in Australia. Hopefully the practice will spread quickly.
Windows Hello, which uses face recognition to log you into Windows 10, is being extended so you can log into websites on a PC using facial recognition with Microsoft Edge.
This technology is taking time to spread, but will make transacting on the internet more secure and convenient.