How Apple and you can improve iCloud security

Apple's iCloud attack is in the spotlight, but it's nothing compared to the attacks you can expect. Apple and every user must take immediate action to protect their digital lives. Here is what you can do.

Apple's iCloud attack is nothing in comparison with the kind of attacks every tech firm must prepare for, as they offer payment and connected solutions for home, health and car. Here are some ways for you to protect yourself and for Apple to improve its own security.

What happened?

Brief version: Apple's statement and information from elsewhere suggest hackers targeted individuals using a combination of research (finding place and date of birth and other information used in Apple's password protection) and brute force attacks to hack the accounts of known individuals. These excellent reports illustrate this. Using these methods, hackers got hold of complete iPhone backups.

Protection now

There are steps everyone should immediately take to improve iCloud account security:

Use a strong account password: iCloud customers should change their Apple ID password to a new, strong one at My Apple ID immediately, using extra characters and punctuation marks. Change the password regularly.

Enable two-step verification: Apple offers two-step verification as an option. Two-step verification requires you to verify your identity using one of your devices before you can make changes to your account information or purchase digital goods using an unknown device. Enable it.

Change your security questions: Apple uses security questions to help you identify yourself online or when contacting Apple Support. These are personal questions, such as where you had your first kiss. If you are in the public eye, it makes sense to use memorable lies rather than give true answers, as iCloud hackers apparently researched such answers when hacking into the accounts. The answers just need to be memorable, not accurate.

Use iTunes backups: Many people back up their devices to iCloud. Given it's possible iCloud backups were used to access personal data, it makes sense to switch to using iTunes backups, pending new security protections being put in place. (Settings>iCloud>Storage & Backup and toggle the iCloud backup switch off.)

Replace credit cards regularly: Your credit card details travel with every purchase you make. Be paranoid.

How can Apple improve security?

A few suggestions Apple might follow to improve iCloud security:


Apple should make two-step verification default as soon as possible.


Given mobile devices and Macs know where they are (if permitted), it makes sense to use location as security: users could tell iCloud to only permit certain actions (such as downloading backups) if the device is situated in a defined country, city, region or street. Travelling iCloud customers should easily be able to let the service adapt to their plans.

The user should be alerted and the task prevented if attempts are made from devices outside this customer-defined geofence. This kind of geofencing will significantly impair hackers. Customers could be permitted to disallow account access using a computer or device that does not reveal, or appears to mask, its location.
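As an added illustration (not Apple's code and not part of the original article), the geofence rule described above can be written as a small policy check. The action names, country codes and travel dates are constructed, and the country is assumed to be whatever the device reports, with `None` standing for a device that does not reveal or appears to mask its location.

```python
from dataclasses import dataclass, field
from datetime import date
from typing import List, Optional, Set, Tuple


@dataclass
class TravelWindow:
    """A trip the customer has declared in advance (hypothetical structure)."""
    country: str
    start: date
    end: date


@dataclass
class GeofencePolicy:
    home_countries: Set[str]              # customer-defined geofence
    fenced_actions: Set[str]              # actions only permitted inside it
    travel: List[TravelWindow] = field(default_factory=list)
    allow_unknown_location: bool = False  # customer may refuse hidden locations

    def allowed_countries(self, today: date) -> Set[str]:
        # The fence widens only while a declared trip is in progress.
        active = {t.country for t in self.travel if t.start <= today <= t.end}
        return self.home_countries | active


def evaluate(policy: GeofencePolicy, action: str,
             country: Optional[str], today: date) -> Tuple[str, bool]:
    """Return (decision, alert_user) for one request."""
    if action not in policy.fenced_actions:
        return ("allow", False)           # action is not geofenced at all
    if country is None:                   # location withheld or masked
        if policy.allow_unknown_location:
            return ("allow", False)
        return ("deny", True)
    if country in policy.allowed_countries(today):
        return ("allow", False)
    return ("deny", True)                 # outside the fence: block and alert


# Constructed sample policy: home in GB, one declared trip to FR.
SAMPLE_POLICY = GeofencePolicy(
    home_countries={"GB"},
    fenced_actions={"download_backup"},
    travel=[TravelWindow("FR", date(2014, 9, 10), date(2014, 9, 20))],
)

if __name__ == "__main__":
    for c, d in [("GB", date(2014, 9, 5)), ("FR", date(2014, 9, 5)),
                 ("FR", date(2014, 9, 15)), (None, date(2014, 9, 15))]:
        print(c, d, evaluate(SAMPLE_POLICY, "download_backup", c, d))
```

A device-reported location is only as trustworthy as the device, so a check like this works alongside two-step verification rather than replacing it.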


When a customer attempts to access their iCloud account from a device authorized to their account equipped with TouchID, a successful fingerprint scan may be required as part of the login process.

Face recognition

Apple's iPhoto already recognizes faces. Why not apply this feature within security protection? Most computers have webcams; most devices have cameras. This isn't impossible.


Apple's Preview app can take a picture of your signature. Most systems have cameras -- to access your account a signature match could be required.

The truth about online security on any platform is that every form of security can in some way be undermined, but technology firms must maintain the dialog of regularly introducing new protection. It's the equivalent of showing your home is occupied to deter burglary. No platform is immune and vigilance is required.

Google+? If you use social media and happen to be a Google+ user, why not join AppleHolic's Kool Aid Corner community and join the conversation as we pursue the spirit of the New Model Apple?

Got a story? Drop me a line via Twitter or in comments below and let me know. I'd like it if you chose to follow me on Twitter so I can let you know when fresh items are published here first on Computerworld.

Stories by Jonny Evans
