Don't Rely on Apple iCloud's Faulty Two-Factor Security
What good is a deadbolt lock on your front door when the back door is missing and the house keys are sitting inside, in plain sight?
It's not a perfect analogy, but it's pretty close to the situation many Apple users are in, without even knowing about it. Earlier this year, Apple released two-factor authentication. It was heralded, as all two-factor implementations are, because as more and more of our data (and our clients' data) moves to the cloud, there is more and more to lose from someone cracking a simple password.
(Sidebar: If you haven't read our post on two-factor authentication, the gist is this: you put in your password, the site texts you a code, and you enter that code on the site. If your password is stolen, an attacker still needs your phone to get into your accounts.)
Two-factor authentication is not perfect, but it’s pretty dang secure. Unless you are an Apple user, reports Ars Technica.
Apple's implementation is great at one thing: stopping fraudulent purchases in the iTunes store. However, if someone has cracked your password (which is apparently much easier than you'd think, especially since most people reuse the same password across multiple services and a big company is hacked every week), all they need to do to get access to your data is restore your iCloud backup to a new device. The second factor is never asked for.
Grab an iPhone. Enter cracked password. Automagically have access to your entire life. And since Apple’s iCloud syncs changes, that malicious hacker can presumably delete all of your data from the cloud.
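The sidebar above describes the texted-code second factor, and the two paragraphs before this one describe the gap: the code is demanded for a store purchase but not for restoring a backup. The following is an added example, not code from the article or from Apple, that models both halves in Python: a small SMS-style code issuer/verifier (with expiry, single use and an attempt limit), and a step-up policy check that reports which sensitive operations a password alone still unlocks. The action names, time limits and attempt limits are constructed assumptions for illustration; a real deployment would send the code through an SMS gateway rather than returning it.

```python
"""Model of an SMS-style second factor and of step-up policy coverage.

Added illustration; not Apple's implementation. All limits are assumed.
"""
import hmac
import secrets
import time
from dataclasses import dataclass

CODE_TTL_SECONDS = 300   # assumed: a texted code is good for five minutes
MAX_ATTEMPTS = 5         # assumed: a code is dead after five wrong guesses


@dataclass
class PendingCode:
    code: str
    expires_at: float
    attempts: int = 0
    used: bool = False


@dataclass
class Session:
    user: str
    password_verified: bool = False
    second_factor_verified: bool = False


class SecondFactor:
    """Issues and verifies one-time codes the way a texted second factor would."""

    def __init__(self, now=time.time):
        self._now = now          # injectable clock so expiry can be tested
        self._pending = {}       # user -> PendingCode

    def issue(self, user):
        # Six decimal digits from a CSPRNG; a real system hands this to the
        # SMS gateway and never returns it to the caller.
        code = f"{secrets.randbelow(10 ** 6):06d}"
        self._pending[user] = PendingCode(code, self._now() + CODE_TTL_SECONDS)
        return code

    def verify(self, user, submitted):
        pending = self._pending.get(user)
        if pending is None or pending.used or self._now() > pending.expires_at:
            return False
        pending.attempts += 1
        if pending.attempts > MAX_ATTEMPTS:
            return False                      # brute-force guard
        if not hmac.compare_digest(pending.code, submitted):
            return False                      # constant-time comparison
        pending.used = True                   # single use
        return True


# Constructed list of operations that expose or destroy account data.
SENSITIVE_ACTIONS = {"purchase", "restore_backup", "delete_cloud_data"}

# Policy as the article describes it: only store purchases demand the code.
PURCHASE_ONLY_POLICY = {"purchase"}
# Corrected policy: every sensitive operation demands the second factor.
FULL_POLICY = set(SENSITIVE_ACTIONS)


def authorize(session, action, policy):
    """Password is always required; the second factor only where policy says so."""
    if not session.password_verified:
        return False
    if action in policy and not session.second_factor_verified:
        return False
    return True


def coverage_gaps(policy, sensitive_actions=SENSITIVE_ACTIONS):
    """Sensitive actions that a stolen password alone unlocks under this policy."""
    return sorted(set(sensitive_actions) - set(policy))


if __name__ == "__main__":
    print("Gaps in purchase-only policy:", coverage_gaps(PURCHASE_ONLY_POLICY))
    print("Gaps in full policy:", coverage_gaps(FULL_POLICY))
```

The useful defender's check is `coverage_gaps`: enumerate every operation that can read or wipe the data, and treat any one that is not in the step-up policy as a finding, because that is exactly the hole the article describes. The verifier also shows the three properties a texted code needs regardless of which operations it gates: it expires, it is accepted once, and it cannot be guessed by repeated tries.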
To be fair, two-factor authentication, while wonderfully secure, is also a massive pain in the butt. Imagine trying to sign into your new iPhone, only to be told by the phone that you need a code, which was texted to you, in order to sign in. It's chicken-and-egg, but with passwords. Then you'd have to sit on the phone with Apple's tech support. That hardly fits with Apple's "It just works" credo.
Convenience or security? What’s more important?
Now, what does this mean for you, dear lawyers? For one, change the password on your iCloud account regularly. Keep it different from your other passwords as well, just in case another major site is hacked. Also, if you access client data on your phone, store that data in a more secure environment than iCloud, such as a combination of Dropbox and Boxcryptor (an app that encrypts everything in your Dropbox) or SpiderOak (like Dropbox, but natively encrypted).
Related Resources:
- Onion’s Twitter Gets Hacked; Still No Two-Factor Authentication (FindLaw’s Technologist)
- We Asked and We Received: Twitter Gets Two-Factor Authentication (FindLaw’s Technologist)
- WordPress Sites Targeted by Hackers; Strong Password Myths (FindLaw’s Technologist)