Apple’s iCloud hack involving nude photos of celebrities is different from many of the other hacks we’ve heard about. When hackers steal credit cards — like with Target or allegedly now with Home Depot — the expense falls on the retailer and the banks. And these companies can cancel and replace credit card numbers to contain the damage.
But in this case involving Apple, just about all the damage falls on the user, like actress Kirsten Dunst. And you can’t take back the images. They’re out there forever.
Here are some questions we thought you might be asking:
Is the lesson here just: Don’t trust the cloud, don’t put anything else online?
Well, that’s one lesson. But it’s not very realistic given how much people like being able to view and upload their data from anywhere — from their iPhone or their tablet, from work, from home. All of that mobility is super-convenient.
But there are ways to have that convenience and a lot more security, too. Consider this analogy: When you’ve got family jewels and you put them in a bank vault, you need more than one key to get in. There’s your key and the bank’s, and then some ID checks. So when we’re putting more and more piles of valuable data into online vaults — like pictures and financial information — there should be more keys to protect that data. Several security experts tell us more keys (and a better lockout procedure for using too many faulty passwords) would have prevented the Apple hack.
We’ve been calling it the “Apple hack,” but didn’t Apple deny that any breach had happened?
That’s right. Apple put out a statement that was very carefully worded — and that some say is intentionally vague. The company says that according to the cases it has investigated, hackers didn’t breach iCloud or Find My iPhone.
But it’s entirely possible that another computer program that talks to iCloud, for example, and that has access to iCloud data was breached. So hackers could get the data they wanted that way. NPR asked Apple about this possibility, and the company has not yet denied it or ruled it out publicly.
If you don’t want sensitive stuff on Apple or Google servers, does deleting it from your phone mean it won’t go to the cloud? For example, is a naked selfie on your smartphone ever really private?
No! On a smartphone, the completely private naked selfie is a myth. A user has to take explicit steps to disable what’s called “automated backups.” Otherwise, Apple and Google are copying every picture to their servers. And it’s really common in these phone-related breaches for the hackers to target those backups. (Directions on how to turn backups on and off are here for Google and Apple iCloud.)
Lonnie Benavides, an information security expert at DocuSign, wants tech companies to create a new feature: “I believe that when I click delete on my phone, I should be offered the option of permanently deleting that file in a manner that assures me it’s really deleted. I think as a customer, I have a right to this.”
Has Apple done enough to protect its customers?
Meh. There’s a way to protect an account through a process called two-factor authentication. Basically, you have to use your password, and, separately, you might have to reply to a text to your smartphone, to confirm it’s really you.
This two-factor process has been around for a while. But Apple just introduced it into the iCloud Web app in June, according to Apple Insider. It seems that Apple may have left some holes in the accounts protected. And, according to Gary McGraw of Cigital, Apple also failed to market the technology. Especially with people in high-risk categories, like celebrities and politicians, it wouldn’t have hurt to say: “Boy should you guys use this!” Twitter, in contrast, was very forthcoming when it rolled out this security option after the embarrassing White House hack.
There could be a real cultural issue at play. Right now, leading tech companies including Google, Twitter and Cigital are sharing information internally about security breaches. But, McGraw says, Apple is reluctant to talk with peers. “Really, Apple is a very secretive place,” he says. “Their culture is that way because [founder] Steve Jobs was that way.”
This celebrity hacking spree doesn’t come at a very good time for Apple.
It’s very bad timing. Apple is expected to make a big announcement next week that it’s partnering with Visa and others to turn its next iPhone into a mobile wallet. That means not just a smartphone, but a financial instrument. Apple is also building more tools for health tracking. It already has apps to let you record and store your heart rate and blood sugar to the cloud. David Amsler, CIO with Foreground Security, says given the weakness of current security practices, these mobile financial and health features are “not something I would entertain at this point or feel comfortable recommending to anyone, either.”