The recent iCloud hacks that targeted several well-known celebrities, resulting in personal photos being posted online for the whole world to see, could have easily been avoided if the users had enabled two-factor authentication.
Security is a legitimate concern for users of any service where data is stored off-site in a datacentre rather than physically on the device. In this case, it wasn’t actually the security of Apple’s servers that was compromised; it was the individual users’ accounts. It is much more difficult to gain unauthorised access to a datacentre, but if you can figure out a user’s password then you are in.
Firstly, users should use more secure passwords. Hackers have access to tools that can help them to figure out easy-to-guess passwords. For example, there are tools that will automatically try every word in the dictionary as a password, and then try every word with every number between 1 and 100 tagged onto the end.
Secondly, if all users of Apple’s iCloud and other cloud storage services enabled two-factor authentication, these kinds of data security breaches would be considerably less likely to happen.
Two-factor authentication is an extra layer of security that requires a username and password to be entered as normal, but also requires something that only the authorised user would have on them, such as a physical token. A physical token can have a small display that shows a unique code, generated at the touch of a button, which must be entered along with the user’s password. This code times out after a set period (for example, 30 seconds), after which a new code is needed.
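The time-limited token code described above, as an added example that is not part of the original article: it uses the open TOTP standard (RFC 6238), which is an assumption, since the article does not say which algorithm its tokens use. The shared secret and timestamps are constructed sample values, and `verify` and its parameters are illustrative names.

```python
import hashlib
import hmac
import struct

STEP = 30    # seconds a code stays valid (the article's example period)
DIGITS = 6   # assumed code length


def totp(secret: bytes, now: int, step: int = STEP, digits: int = DIGITS) -> str:
    """Code for the time window containing `now` (RFC 6238, HMAC-SHA1)."""
    counter = now // step                      # same value for the whole window
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                    # dynamic truncation (RFC 4226)
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


def verify(secret: bytes, submitted: str, now: int,
           last_used_counter: int = -1, step: int = STEP):
    """Server-side check. Returns the accepted window counter, or None.

    Only the current window is accepted, so a code stops working once its
    period ends. A window at or before `last_used_counter` is refused, so a
    code that has already been used cannot be replayed inside its window.
    """
    counter = now // step
    if counter <= last_used_counter:
        return None
    expected = totp(secret, now, step)
    # Constant-time comparison avoids leaking how many digits matched.
    if hmac.compare_digest(expected.encode(), submitted.encode()):
        return counter
    return None


if __name__ == "__main__":
    secret = b"12345678901234567890"           # constructed sample secret
    code = totp(secret, 59)                    # token pressed at t = 59 s
    print("code shown on token:", code)
    print("entered at t=59:", verify(secret, code, 59))   # accepted
    print("entered at t=60:", verify(secret, code, 60))   # window has rolled over
    print("replayed at t=59:", verify(secret, code, 59, last_used_counter=1))
```

The server must store the returned counter per user and pass it back as `last_used_counter` on the next login attempt for the replay check to have any effect.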
In the case of iCloud, two-factor authentication (if enabled) will send a unique four-digit code to your mobile phone via text message every time someone tries to log in to your account from a new device. Unless the hacker has access to your text messages, they won’t be able to gain access to your account. This one simple step would have prevented the recent celebrity photo leak.
What about my business data?
Word of these recent leaks may have you increasingly anxious about your sensitive business data. You should not fret. It is important to reiterate that when cloud data is ‘hacked’, it is usually the user’s account security that is compromised, not the security of the data centre where the files are hosted.
There is still clearly a risk for businesses using cloud services to store data, but provided you make the ‘keys’ (i.e. the login details) difficult to obtain, there shouldn’t be a problem. You wouldn’t leave the keys to your physical office lying around, so make sure your passwords are strong and that you’re using two-factor authentication for all user logins to effectively ID all visitors at the door!