After reading the news Australian Apple iDevices Hijacked, Held to Ransom in The Age, I sent the following response email on the main takeaways to family:
1) make sure you have a passcode/ password in order to access your device.
2) make sure you are diligent in updating your password when a service/website informs you of a data/privacy breach.
With (1) I would be interested to monitor the iMac at home since it fits the vulnerability criteria. The main thing is that my Dad (as the primary user) doesn’t use websites/ services which have suffered data/privacy breaches.
Apple offer 2-form factor login which you can set-up if you feel this will provide a greater sense of security:
Since I’m blogging this, I will take this opportunity to analyse the news in more detail.
Based on the comments offered by each of the major telcos, the number of incidents seems to be very low. It again points to the fact that the vast majority of the millions of Apple iDevices are safe because they have been practicing good security practices in the two actions/messages at the start of my article – most of us have passcodes (or fingerprints on the iPhone 5S) protecting access to our devices.
The authorities (with Apple’s) help, have also helped to alleviate the concerns of affected hacked users – the money they transferred was to a non-existent Paypal account. According to normal procedure, the transaction will error and the money returned.
This makes me think that whoever initiated and exploited this weakness (which only exists because users choose to allow it – by not being vigilant in following the norm of establishing secure logins for their devices) was really doing this as an awareness campaign. The news did report some loss of data, but the user experience mentioned did seem to suggest it was of a minor nature.
The masterminds behind this latest hacking event have done us a service in helping to raise awareness of good security practices.
The article also mentions how the likely way hackers obtained user passwords was via data/privacy breaches of other websites, where users have been reusing their password across AppleIDs and these other more vulnerable services. Now, whilst I do reuse passwords across 100s of websites/systems, I don’t actually fall into this situation. For unintentional reasons which now appear to has paid off my AppleID has remained isolated from my practice of reusing passwords… I suspect this is in part that when I cleaned up my original multiple AppleIDs I ended up turning my preferred password into one I had to discard… Additionally, on my iPhone 5S, my Touch ID/ fingerprint serves as a higher level of security protecting general access.
However, I will admit that I heavily reuse passwords across 100s of sites/systems. My workplaces require me to update by password every 90 days; this also forces me to update the alignment for work-related system access. For all my online shopping needs, I actually use one of three passwords, depending on my assessment of: how frequent I would visit the site and the level of security I feel is appropriate. I guess this is closest I would come to revealing my passwords – I have one for low security level usage and the others have a much higher complexity. This strategy has helped me stay in control of password management without adopting tools like 1Password. It also creates virtual communities of the websites I visit/use based on which side of the fence they sit. It goes without saying – my simplex password is completely unrelated to my complex one!
In the event my simplex password is compromised via a data/privacy breach, the impact to me is contained. In the event my complex passwords are compromised, I could however be severely impacted. For high powered users like myself who use so many different systems/websites, we tend to compromise – if every different system/website I used had a unique password, without using a tool like 1Password, I just would not be able to cope.
Apple Safari offers a password generator feature which I have yet to utilize. Each one of the suggested passwords are highly complex and would require me to relinquish control over knowing my own password and instead relying on the system to remember it. For now, I choose to retain control and knowledge…
So, please make sure you are all taking the appropriate steps to keep your online and digital identity safe & secure!