Cloud hacking isn't as hard as most would think


The scandal surrounding the hack of a number of celebrities' iCloud accounts is causing many smartphone camera users to wonder just how secure online data really is when stored in a cloud environment.

Unfortunately, the answer seems to be that it is not that secure, and in some cases users must take extra steps to shore up data security.

For example, with Apple's iCloud, hackers have long known how to find the email address associated with an account, and that's one of two steps needed for a hack.

One problem with online account security is the "security question" method. These questions are often not as secure as they seem. For example, to get into someone's Apple account, a hacker might be asked about the user's email address, birth date and childhood nickname, all things which can likely be researched and found through online searches.

To counter this potential weakness, Apple uses what is called "two-step verification," which involves entering a code that has been sent to the account holder's smartphone or another device. This is supposed to verify that access is being requested by the legitimate account holder.

"It's pretty clear that Apple's doing its best to guard your wallet with this implementation -- anything that might cause a credit card charge via an unfamiliar iOS device is going to force you to authenticate," said Michael Rose in an Apple news site post.

Unfortunately, Apple only initiates two-step verification in instances like buying a movie or app with a new device or attempting to change account preferences. To have it in use all the time, the account holder must set it up as a standard security function, and Apple is encouraging users to do that, as well as to use a strong password.

"Certain celebrity accounts were compromised by a very targeted attack on user names, passwords and security questions," said Apple in a statement. "None of the cases we have investigated has resulted from any breach in any of Apple's systems including iCloud or Find my iPhone. We are continuing to work with law enforcement to help identify the criminals involved."

Hackers can also use Apple's "create account" page to see if an email address is being used for an iCloud account. They enter an email address, and Apple displays whether or not it is being used for an iCloud account. Essentially, if a hacker were able to find a user's email address and password, they could access that user's iCloud photos.

"Convenience trumps security very often when it comes to various services," said Satnam Narang, a security response manager at Symantec.
