In the wake of the naked celebrity photo hacking, Apple chief executive Tim Cook says the company could have done more to make people aware of security measures and will introduce ways to better protect user accounts.
In an interview with the Wall Street Journal, his first since the photos of Jennifer Lawrence and others went public, he said celebrities’ iCloud accounts were compromised either because the victims fell prey to a phishing scam designed to obtain their login information or because hackers guessed the answers to their security questions.
He denied that the celebrity photo hack was due to a security failure on Apple’s part. He said none of their user IDs and passwords leaked from the company’s servers.
To make future breaches less likely, Apple will start sending e-mail alerts and push notifications to users any time an account password is changed, iCloud data is restored to a new device or a device logs into an account for the first time. Previously users were not notified when data was restored to iCloud, where users can back up photos, music and other data.
The new measures, which take effect in two weeks, will allow users to take immediate action to protect their account by changing their password or contacting Apple.
However, users won’t know until after the fact if their account has been hacked. At that point, private photos or personal data could be making their way around the Web.
Cook acknowledged the company could have done more to educate users. “When I step back from this terrible scenario that happened and say what more could we have done, I think about the awareness piece,” he told the Journal. “I think we have a responsibility to ratchet that up. That’s not really an engineering thing.”
He also said Apple will do more to encourage users to enable two-factor authentication, which requires a special code in addition to a username and password to access an account. The feature is designed to protect users when their usernames and passwords are stolen.
On Apple’s new iPhone, due out later this month, the feature will also cover access to iCloud accounts from a mobile device, Cook said.
Currently, two-factor authentication only protects three things: signing in to My Apple ID to manage an Apple account; making iTunes, App Store, or iBookstore purchases from a new device; and getting Apple ID-related support from Apple.
That wouldn’t have protected the celebrities whose photos were stolen, according to TechCrunch, because hackers can exploit the fact that they don’t need a verification code to restore a device from an iCloud backup, one of many iCloud services not currently protected by two-factor authentication. That means, if a hacker steals your username and password, he can export the data using an application called the Phone Password Breaker. A security researcher who works for the company that created Phone Password Breaker actually talked about the vulnerability at a security conference last year. It has also been widely covered by the tech press: Ars Technica, ZDNet and TUAW, to name a few.
Apple said it’s working with law enforcement to identify the hackers.