Normally this sort of attack is preventable by enabling two factor or two step authentication on an account. This method of authentication requires entering a code after a username and password is accepted. The code is either pushed to a mobile device or is generated on the device using an authentication app. It combines something the user has (the mobile device) plus something they know (their user name and password).
This means that even if a hacker obtained a user name and password they could not access the account without having physical access to the mobile phone.
Apple has a two factor authentication system, and the company recommended that users enable it this week in the wake of the celebrity hacking incident. That would be great advice if the company’s two factor system actually protected device backups stored on iCloud. It unfortunately does not.
Apple’s two factor authentication is used only for making payment or email changes to an account, or when purchasing an app, album, or book on a device that hasn’t previously been used with that Apple account before. It does not protect any iCloud features including email, photos, and full system backups.
Russian security firm Elcomsoft’s Phone Password Breaker is able to log in and download iCloud device backups without any second factor authentication. It just needs a user name and password to access a user’s account and grab everything – including photos, call logs, and other personal data. The software is used by law enforcement agencies but is also available as a $200 download to anyone.
In the past a good password was usually good enough. But now as more and more websites are compromised and user information is stolen, having that second authentication factor is becoming more and more critical to securing personal data.
Apple needs to act quickly to extend its two factor authentication to all of its services like its competitors Microsoft and Google already do.