Apple doubles down on iCloud security – new alerts and powers for users

5 Sep 2014

Tim Cook, CEO of Apple

Apple CEO Tim Cook has said the company will begin alerting iCloud users by email and push SMS if someone tries to change an account password, restore iCloud to a new device, or if a new device logs into iCloud.

The new notifications system, which begins in a couple of weeks, stops short of being two-factor authentication. Users already have the option of applying two-factor authentication if they wish to their iCloud account.

The key difference is the new system allows users to retake control of their iCloud account and restore data by alerting Apple’s security team.

The current notification system in place sent users an email if someone tried to log in from an unknown device and tried to change a password.

The move comes in response to the data breach that emerged this week, whereby Hollywood celebrities including Jennifer Lawrence and Kirsten Dunst had their iCloud accounts compromised.

It is believed the hackers were able to correctly guess answers to security questions to obtain passwords. In other cases, the stars were victims of phishing scams aimed at obtaining their usernames and passwords.

But while the hackers may have had their moment of fun, they have in effect awoken a giant.

Apple to broaden use of two-factor authentication across its products

In an interview in The Wall Street Journal, Apple’s CEO Tim Cook said none of the Apple IDs or passwords were leaked from the company’s servers and denied there was a lax attitude to security within the company.

He said no matter how much the company invested in security, it still comes down to human beings devising stronger passwords.

“When I step back from this terrible scenario that happened and say what more could we have done, I think about the awareness piece. I think we have a responsibility to ratchet that up. That’s not really an engineering thing.”

Cook added that Apple intends to broaden its use of two-factor authentication, which requires a separate one-time code that will be sent to the user by SMS or email in addition to the username and password.

The security debacle comes at a crucial time for Apple. On Tuesday, Apple is expected to unveil its new iPhone smartphone family and potentially a new wearable device. The new iPhone is expected to come with NFC mobile wallet capabilities and iCloud will be central to managing and storing vital credit-card details.

It really has become a high-stakes game.

John Kennedy is a journalist who served as editor of Silicon Republic for 17 years