Is your iCloud account secured by a good password? That’s not going to help you if Apple sidesteps your security and hands hackers access to your account.
Yesterday I posted Mat Honan’s tale of woe. Hackers got into his iCloud account and used it to remote wipe his iPhone, iPad and MacBook before going on to create more mayhem. At the time it was assumed that the hackers had used brute-forcing – trying passwords until they got lucky – but it turns out that Apple gave the hackers access to his iCloud account.
I know how it was done now. Confirmed with both the hacker and Apple. It wasn’t password related. They got in via Apple tech support and some clever social engineering that let them bypass security questions.
“Social engineering” is a fancy term for tricking the person on the other end into doing what you want, in this case by convincing them that you are the account’s owner.
Nothing can protect you from this kind of targeted attack. You can have the best password possible, and awesome security questions, but if the hacker can convince the tech support person that they are you, they can walk past all of that security.
People can be tricked, but given the power that access to an iCloud account gives someone – access to documents and photos, not to mention the ability to remotely wipe devices – I would expect Apple to have tighter controls over how people are allowed to bypass security questions. People do forget their passwords, and they do forget their security questions, but before allowing someone to bypass these safeguards Apple should err on the side of caution, perhaps requiring the person making the request to jump through a number of hoops before being given access to the account.
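To make the “number of hoops” concrete, here is an added example of what a support-desk recovery policy along those lines can look like. It is not Apple’s process and not code from the original post; the proof categories, the rule that bypassing security questions needs two independent kinds of proof, the 24-hour cooling-off window and the owner veto from a trusted device are all assumptions of this illustration. The point it shows is that a sympathetic agent has no code path that grants access on a good story alone, and that every decision is written to an audit trail.

```python
from __future__ import annotations

from dataclasses import dataclass, field
from datetime import datetime, timedelta
from enum import Enum


class Proof(Enum):
    """Ways a caller can demonstrate ownership of an account (assumed set)."""
    SECURITY_QUESTIONS = "security_questions"
    CODE_TO_TRUSTED_DEVICE = "code_to_trusted_device"
    CODE_TO_RECOVERY_EMAIL = "code_to_recovery_email"
    RECOVERY_KEY = "recovery_key"            # long random secret the user printed/stored
    ID_DOCUMENT_REVIEW = "id_document_review"  # a human checked government ID


# Which kind of evidence each proof is. Two proofs of the same kind are not
# "independent": losing one recovery mailbox often means losing both codes.
CATEGORY = {
    Proof.SECURITY_QUESTIONS: "knowledge",   # answers are often guessable/findable
    Proof.CODE_TO_TRUSTED_DEVICE: "possession",
    Proof.CODE_TO_RECOVERY_EMAIL: "possession",
    Proof.RECOVERY_KEY: "possession",
    Proof.ID_DOCUMENT_REVIEW: "identity",
}

WAITING_PERIOD = timedelta(hours=24)  # assumed cooling-off window for the bypass path


class Decision(Enum):
    GRANT = "grant"
    WAIT = "wait"   # enough proof, but the owner's veto window is still open
    DENY = "deny"


@dataclass
class RecoveryRequest:
    account: str
    proofs: set[Proof]
    opened_at: datetime
    owner_vetoed: bool = False           # set when a trusted device rejects the request
    audit: list[str] = field(default_factory=list)


def decide(req: RecoveryRequest, now: datetime,
           waiting_period: timedelta = WAITING_PERIOD) -> Decision:
    """Apply the recovery policy and record the reason for the outcome."""
    def log(outcome: Decision, reason: str) -> Decision:
        req.audit.append(f"{now.isoformat()} {req.account}: {outcome.value} ({reason})")
        return outcome

    if req.owner_vetoed:
        return log(Decision.DENY, "owner vetoed from a trusted device")

    categories = {CATEGORY[p] for p in req.proofs}

    # Normal path: the caller knows the answers AND holds something tied to the account.
    if "knowledge" in categories and "possession" in categories:
        return log(Decision.GRANT, "security questions plus possession factor")

    # A recovery key is a high-entropy secret the owner chose to keep; honour it alone.
    if Proof.RECOVERY_KEY in req.proofs:
        return log(Decision.GRANT, "recovery key presented")

    # Bypass path (caller cannot answer the questions): require two independent
    # kinds of proof, notify the owner's devices, and wait out the veto window.
    independent = categories - {"knowledge"}
    if len(independent) >= 2:
        if now - req.opened_at < waiting_period:
            return log(Decision.WAIT, "owner notified; cooling-off window still open")
        return log(Decision.GRANT, "bypass proofs verified and waiting period elapsed")

    # Everything else, including "the agent believed the caller", is a refusal.
    return log(Decision.DENY, f"insufficient proof: {sorted(categories) or 'none'}")


if __name__ == "__main__":
    # Constructed sample: a caller who cannot answer the questions but controls the
    # recovery mailbox and passed an ID check.
    t0 = datetime(2012, 8, 4, 12, 0)
    req = RecoveryRequest("owner@example.invalid",
                          {Proof.CODE_TO_RECOVERY_EMAIL, Proof.ID_DOCUMENT_REVIEW}, t0)
    print(decide(req, t0).value)                          # wait
    print(decide(req, t0 + timedelta(hours=25)).value)    # grant
    print("\n".join(req.audit))
```

The shape that matters is the absence of an agent-discretion branch: the only way to reach `GRANT` without the security questions is two independent proofs plus a delay the real owner is told about and can cancel, and the audit line makes a successful social-engineering attempt visible after the fact.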
This high-profile hack of an iCloud account has highlighted that Apple has a weakness here, and the company needs to tighten up its security and come clean about what went wrong.