Apple Inc. AAPL -0.83% said it plans additional steps to keep hackers out of user accounts but denied that a lax attitude toward security had allowed intruders to post nude photos of celebrities on the Internet.
In his first interview on the subject, Apple Chief Executive Tim Cook said celebrities' iCloud accounts were compromised when hackers correctly answered security questions to obtain their passwords or when they were victimized by a phishing scam to obtain user IDs and passwords. He said none of the Apple IDs and passwords leaked from the company's servers.
To make such leaks less likely, Mr. Cook said Apple will alert users via email and push notifications when someone tries to change an account password, restore iCloud data to a new device or when a device logs into an account for the first time. Until now, users got an email when someone tried to change a password or log in for the first time from an unknown Apple device; there were no notifications for restoring iCloud data.
Apple said it plans to start sending the notifications in two weeks. It said the new system will allow users to take action immediately, including changing the password to retake control of the account or alerting Apple's security team.
But Mr. Cook said the most important measures to prevent future intrusions might be more human than technological. In particular, he said Apple could have done more to make people aware of the dangers of hackers trying to target their accounts or the importance of creating stronger and safer passwords.
"When I step back from this terrible scenario that happened and say what more could we have done, I think about the awareness piece," he said. "I think we have a responsibility to ratchet that up. That's not really an engineering thing."
Asked about the criticism that Apple hadn't focused enough on the security of its products, Mr. Cook pointed to the company's work with Touch ID, the fingerprint sensor in its iPhone 5S that unlocks the phone and authorizes purchases.
He also said Apple will broaden its use of an enhanced security system known as "two-factor authentication," which requires a user, or a hacker, to have two of three things to access an account: a password, a separate four-digit one-time code or a long access key given to the user when they signed up for the service.
When the feature is turned on, Apple requires users to complete two of those steps to sign into an iTunes account from a new device. As part of the next version of its iOS mobile-operating system, due out later this month, the feature will also cover access to iCloud accounts from a mobile device.
Apple said a majority of users don't use two-factor authentication, so it plans to more aggressively encourage people to turn it on in the new version of iOS. If the celebrities had the system in place, hackers wouldn't have had an opportunity to guess the correct answer to security questions, Apple said.
Outside security experts said Apple had made it too easy for hackers to access users' information, by requiring only the answer to two security questions. Particularly for celebrities, such answers can be guessed by outsiders.
"There's a well-understood tension between usability and security," said Ashkan Soltani, an independent security researcher who has worked with The Wall Street Journal in the past. "More often than not, Apple chooses to err on the side of usability to make it easier for the user that gets locked out from their kid's baby photos than to employ strong protections for the high-risk individuals."
He said the new notifications "will do little to actually protect consumers' information since it only alerts you after the fact."
Apple said it is working with law enforcement to investigate the incident and identify the hackers. A spokesman declined to specify how many users' accounts had been compromised, citing the continuing investigation.
"We want to do everything we can do to protect our customers, because we are as outraged if not more so than they are," said Mr. Cook.
Apple is battling to preserve its reputation for looking after its users ahead of a major product announcement next week. The company is facing the type of negative publicity that it usually has managed to avoid, a situation magnified by the popularity of the victims.
Nude photos of actress Jennifer Lawrence and a host of other celebrities started spilling onto the Internet last week, raising concerns about the security of Apple's online services. Apple users can back up photos, music and other data onto its iCloud service.
In his first interview on the subject, Apple Chief Executive Tim Cook said celebrities' iCloud accounts were compromised when hackers correctly answered security questions to obtain their passwords or when they were victimized by a phishing scam to obtain user IDs and passwords. He said none of the Apple IDs and passwords leaked from the company's servers.
To make such leaks less likely, Mr. Cook said Apple will alert users via email and push notifications when someone tries to change an account password, restore iCloud data to a new device or when a device logs into an account for the first time. Until now, users got an email when someone tried to change a password or log in for the first time from an unknown Apple device; there were no notifications for restoring iCloud data.
Apple said it plans to start sending the notifications in two weeks. It said the new system will allow users to take action immediately, including changing the password to retake control of the account or alerting Apple's security team.
But Mr. Cook said the most important measures to prevent future intrusions might be more human than technological. In particular, he said Apple could have done more to make people aware of the dangers of hackers trying to target their accounts or the importance of creating stronger and safer passwords.
"When I step back from this terrible scenario that happened and say what more could we have done, I think about the awareness piece," he said. "I think we have a responsibility to ratchet that up. That's not really an engineering thing."
Asked about the criticism that Apple hadn't focused enough on the security of its products, Mr. Cook pointed to the company's work with Touch ID, the fingerprint sensor in its iPhone 5S that unlocks the phone and authorizes purchases.
He also said Apple will broaden its use of an enhanced security system known as "two-factor authentication," which requires a user, or a hacker, to have two of three things to access an account: a password, a separate four-digit one-time code or a long access key given to the user when they signed up for the service.
When the feature is turned on, Apple requires users to complete two of those steps to sign into an iTunes account from a new device. As part of the next version of its iOS mobile-operating system, due out later this month, the feature will also cover access to iCloud accounts from a mobile device.
Apple said a majority of users don't use two-factor authentication, so it plans to more aggressively encourage people to turn it on in the new version of iOS. If the celebrities had the system in place, hackers wouldn't have had an opportunity to guess the correct answer to security questions, Apple said.
Outside security experts said Apple had made it too easy for hackers to access users' information, by requiring only the answer to two security questions. Particularly for celebrities, such answers can be guessed by outsiders.
"There's a well-understood tension between usability and security," said Ashkan Soltani, an independent security researcher who has worked with The Wall Street Journal in the past. "More often than not, Apple chooses to err on the side of usability to make it easier for the user that gets locked out from their kid's baby photos than to employ strong protections for the high-risk individuals."
He said the new notifications "will do little to actually protect consumers' information since it only alerts you after the fact."
Apple said it is working with law enforcement to investigate the incident and identify the hackers. A spokesman declined to specify how many users' accounts had been compromised, citing the continuing investigation.
"We want to do everything we can do to protect our customers, because we are as outraged if not more so than they are," said Mr. Cook.
Apple is battling to preserve its reputation for looking after its users ahead of a major product announcement next week. The company is facing the type of negative publicity that it usually has managed to avoid, a situation magnified by the popularity of the victims.
Nude photos of actress Jennifer Lawrence and a host of other celebrities started spilling onto the Internet last week, raising concerns about the security of Apple's online services. Apple users can back up photos, music and other data onto its iCloud service.
No comments:
Post a Comment