Do you use the same password on several websites? If so, it is time to pick a new one for each of them, because a reused password can leave you open to criminals in search of a quick buck.
Technology security experts have advised Apple users to change their iCloud passwords after a number of iPhone users were subjected to digital extortion attempts.
Several iPhone owners in the UK and Australia reported falling victim to a hack which locked their phones and demanded they send AU$100 (£55) to a PayPal account.
Since the attacks were first reported, there have been a number of suggestions about how hackers managed to do this.
Kaspersky Labs said victims were left vulnerable after hackers obtained their iCloud passwords through phishing emails which tricked them into handing over their login details. With those credentials, the attackers were able to lock the victims’ iPhones.
In an email, Sean Sullivan of the security firm F-Secure told me he had carried out independent tests of this theory, which showed how easily anyone holding an iCloud password could lock the associated iPhone.
However, he also suggested a different theory. The iCloud credentials may have come from “recent password dumps”, in which hackers broke into other companies’ databases and published large numbers of usernames and passwords. Anyone who had reused one of those passwords for their Apple ID would have been exposed without ever receiving a phishing email.
“If you don’t use a unique password for your iTunes account, then your iCloud account could be used against your iPhone or any other Apple device on which Find My iPad is installed,” Sullivan wrote.
If a crook manages to find out a person’s iCloud password, they can sign in to that person’s iCloud account from an ordinary web browser. Once in, they can snoop through the target’s calendar and other private information. Crucially, they can also use Find My iPhone to put the victim’s iPhone into Lost Mode.
This allows them to freeze the phone and write a message on the lock screen. Normally, this is used to tell whoever finds a lost iPhone to call the owner on a different number, but Sullivan said this might be used to scam money from the phone’s owner.
The Australian hackers asked targets to send money to a PayPal account, but Sullivan warned that future attackers could just as easily ask people to send Bitcoin to a cryptocurrency wallet, which is an attractive option for thieves because the transactions would be extremely difficult to trace.
Even if the victim manages to get back into their phone, an attacker who still holds the iCloud password would be left with the option to “burn” the handset by triggering a remote erase from Find My iPhone. Unlocking the phone alone is therefore not enough; the password has to be changed as well.
Luckily, protecting yourself against such an attack is fairly straightforward: use a strong password for your Apple ID that you use nowhere else, ideally one kept in a password manager so you do not have to remember it.
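To make Sullivan’s “password dump” theory concrete, here is an added example (not code from the article, F-Secure or Apple) that simulates the attack in Python. It builds a constructed, pretend leak of email/password pairs from some third-party site, replays them against a toy login service standing in for an iCloud-style sign-in, and includes a per-account lockout of the kind the Apple thread commenter quoted later in this article ran into. The service, the dump and the accounts are all made up for the demonstration; the account that reused its leaked password falls, the one with a unique password does not.

```python
"""Credential-stuffing simulation: an added example, not the article's own code.

Models the "reused password from a dump" theory: an attacker takes
email/password pairs leaked from one site and replays them against a
second service. Also models a per-account lockout after too many wrong
passwords, the behaviour a commenter on the Apple thread described.
All accounts, passwords and the "dump" below are constructed for this demo.
"""
import hashlib
import hmac
import os


def hash_password(password: str, salt: bytes) -> bytes:
    # PBKDF2 with a per-account salt; iteration count kept low so the demo runs quickly.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 10_000)


class AccountStore:
    """Toy login service with a per-account failed-attempt lockout."""

    def __init__(self, lockout_threshold: int = 5):
        self.lockout_threshold = lockout_threshold
        self._accounts = {}

    def register(self, email: str, password: str) -> None:
        salt = os.urandom(16)
        self._accounts[email] = {
            "salt": salt,
            "hash": hash_password(password, salt),
            "failures": 0,
            "locked": False,
        }

    def login(self, email: str, password: str) -> str:
        acct = self._accounts.get(email)
        if acct is None:
            return "no_such_account"  # a real service should not reveal this distinction
        if acct["locked"]:
            return "locked"
        if hmac.compare_digest(acct["hash"], hash_password(password, acct["salt"])):
            acct["failures"] = 0
            return "ok"
        acct["failures"] += 1
        if acct["failures"] >= self.lockout_threshold:
            acct["locked"] = True  # lockout also locks out the legitimate owner
            return "locked"
        return "wrong_password"


# Constructed "dump": pretend these pairs were leaked from some unrelated website.
LEAKED_DUMP = [
    ("alice@example.com", "Summer2014!"),
    ("bob@example.com", "correcthorse"),
    ("carol@example.com", "hunter2"),
]


def build_target_service() -> AccountStore:
    """The second service the attacker goes after (stand-in for an iCloud-style login)."""
    svc = AccountStore(lockout_threshold=5)
    svc.register("alice@example.com", "Summer2014!")      # reused the leaked password
    svc.register("bob@example.com", "t7Qw-vbPz-3LmR")     # unique password, not in any dump
    # carol has no account on this service at all
    return svc


def credential_stuff(svc: AccountStore, dump) -> list:
    """Replay each leaked pair once; returns the emails whose accounts fell."""
    return [email for email, pw in dump if svc.login(email, pw) == "ok"]


def brute_force(svc: AccountStore, email: str, guesses) -> tuple:
    """Guess passwords until success or lockout; returns (outcome, attempts used)."""
    for n, guess in enumerate(guesses, 1):
        result = svc.login(email, guess)
        if result in ("ok", "locked"):
            return result, n
    return "exhausted", len(guesses)


if __name__ == "__main__":
    svc = build_target_service()
    print("stuffing compromised:", credential_stuff(svc, LEAKED_DUMP))
    print("brute force on bob:", brute_force(svc, "bob@example.com", ["a", "b", "c", "d", "e", "f"]))
    # After the lockout, bob's own correct password is refused too.
    print("bob's real login now:", svc.login("bob@example.com", "t7Qw-vbPz-3LmR"))
```

Two things to take from the run: stuffing needs only one try per account, so a lockout threshold does nothing against it and the only real defence is not reusing the password; and the lockout that stops the brute-force bot after a handful of guesses also locks the genuine owner out of their own account, which matches the commenter’s report of finding his Apple ID locked by attempts that were not his.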
“I don’t have an overly complex password for my iTunes account,” Sullivan continued. “But then I’ve made sure that iCloud is not enabled. I am not at all confident that the same can be said of the average consumer. There is likely a very large number of people with iPhones who don’t have a strong enough password protecting against unauthorized iCloud access.
“It seems like a Catch-22. If you use a strong iCloud password, it becomes annoying when you want to buy an app. Perhaps the current iPhone’s biometrics isn’t such a bad idea after all.”
Apple has also advised customers to change their passwords and insisted the problem was not down to an attack on iCloud itself.
In a statement, Apple said: “Apple takes security very seriously and iCloud was not compromised during this incident. Impacted users should change their Apple ID password as soon as possible and avoid using the same user name and password for multiple services. Any users who need additional help can contact AppleCare or visit their local Apple Retail Store.”
Despite all the theories, it is not yet entirely clear exactly how the hackers managed to gain access to the iPhones.
On the Apple comment thread which was first used to highlight the hacks, one user claimed to have been attacked several times, even though he changed his iCloud password each time a suspicious message was transmitted to his iPhone.
He wrote: “I know for a fact my Apple password was not used for anything else at all. After wiping and resetting my devices, and changing both my Apple ID password and my mail password, within two minutes there was another attempt at a hack. I know this, because I received an email saying an attempt to set my iPhone to ‘lost’ mode had just been attempted and failed.
“Within a couple of minutes of that happening, my Apple ID was locked, due to too many attempts at entering an incorrect password (and no, it wasn’t me!). Seems the bot was still going strong last night.”
Other commenters claimed to have seen a phishing email earlier this year which asked for iCloud details, while others suggested the problem might have been caused when hackers accessed a third party database of Apple passwords.