[youtube=https://www.youtube.com/watch?v=IKKZfZUqk3I]
More than four months after Tim Cook promised emailed login alerts and the reintroduction of two-factor authentication in the wake of the high-profile celebrity iCloud hacks, five Apple logins remain unprotected by the system. Hackers of NY founder Dani Grant used videos to demonstrate each of the vulnerabilities in a blog post.
Grant showed that two-factor authentication isn’t needed when using an unknown Mac to login to iMessage, iTunes, FaceTime, the App Store or Apple’s website. According to Grant, only one of the five services sent an email notification advising that an unknown device was used to log in …
FaceTime was the sole service for which Apple sent an email notification, Grant said:
It should be noted that similar messages have been sent out by Apple in the past for iMessage as well, though the same protection is not currently offered by iTunes, the App Store, and Apple’s website.
While the iCloud ‘hacks’ didn’t involve any compromise of the service itself, relying instead on a combination of phishing and easily-guessed passwords or security questions, it did draw attention to the risks to technically-naive users (especially celebrities, who are forced to choose from a limited number of security questions whose answers can be easily researched).
Apple briefly introduced two-factor authentication for iCloud.com in June of last year, before reintroducing it shortly after the scandal. But as Grant illustrates, other Apple services remain vulnerable.
Check out the rest of the video demos on Medium.
FTC: We use income earning auto affiliate links. More.
This is especially serious, as iMessage can be used to circumvent any other 2FA using SMS.
No one is forced to provide easily guessed answers to security questions. The answers can be just as inscrutable as the strongest passwords. “What is your mother’s maiden name?” can be answered with QKkAa3VMuuQyTB7gfegxGnoYcaNu. It’s users answering the questions truthfully that’s the problem.
Are you on drugs?
I can tell you from first hand experience running authentication services that letting users make up their own security questions, on the whole, is a lot less secure than letting them chose questions from a limited list. On the whole, people make up very stupid questions (like “what is 2+2”)
Also, it is important to note that there is an unlimited number of security answers that users can supply.
In short, only people who take security somewhat seriously can be secure. Even 2FA isn’t a panacea – those who think it is are putting too much trust in the technology and businesses that are involved in the business processes.
Wow…how hard would it have been for Apple to instruct an intern to figure all THIS out?
Which means they know. Which means they’re not fixing it. Which means…??
Give me a break. All of you experts on here. How do you know what’s going on behind the scene at Apple.
Every time I do something with my Apple ID I get an email and I have been getting this for years. I log out on say my iPad I get an email saying ____’s Apple ID has been signed out on _______’s device. Same when I log into a device, even if I have had it for years and I had to log out for some reason. I also get one when I enable iMessage or FaceTime or turn those services off. I honestly think I have been getting these since my iPhone 4 or 4S.
The worst thing is that you can log into iMessage with your Apple ID and ANY password. You do get an email about new device, but it’s not like you can do anything about it.
(I know this is ooollld, but I just recently started using Apple 2-Step Auth) I think that happened to me tonight, someone was phishing for my iCloud access. I got a notification that “Junior’s iPhoone” (spelled just like that) had MY iMessage added to it. I don’t have any devices named that. This disturbs me that anyone can ping my Apple ID with a fake password. I was asleep, I had to JUMP up and check all of my Apple Accounts. Not a sign of “Junior’s iPhoone” anywhere. Not even a history of the notification I got. The question is, HOW are they doing this, from another iPhone or are they using Google Allo? I had heard something about that, new Google messaging app, that it could be used to access iMessage accounts, and that’s not even on the same platform. I don’t know how true that is, though, but I can at least check that out by installing Allo into an android device I have and trying it myself. I think my safest bet is to use “Log out of all browsers” from my Primary iCloud accounts- But that’s iCloud, not iMessage. I don’t even know if this still applies, the article being 2 years old, I’m hoping that the security is a little better now. Thanks.