Apple Inc. said it plans additional steps to keep hackers out of user accounts, but denied that a lax attitude toward security had allowed intruders to post NSFW photos of celebrities on the Internet.
The company also reiterated that Apple will broaden its use of an enhanced security system known as “two-factor authentication,” which requires a user, or a hacker, to have two of three things to access an account: a password, a separate four-digit one-time code, or a long access key given to the user when they signed up for the service.
When the feature is turned on, Apple requires users to complete two of those steps to sign into an iTunes account from a new device.
As part of the next version of its iOS mobile-operating system, due out later this month, the feature will also cover access to iCloud accounts from a mobile device.
Apple said a majority of users don’t use two-factor authentication, so it plans to more aggressively encourage people to turn it on in the new version of iOS. If the celebrities had the system in place, hackers wouldn’t have had an opportunity to guess the correct answer to security questions, Apple said. Apple CEO Tim Cook also downplayed any issues with security oversight on Apple’s part in the leak.
While 2FA has been available from the web, users will soon be able to enable it from iPhones and iPads as well—a notable hole in the security option menu until now, given the near-ubiquity of Apple devices in some markets, like the United States. So, in addition to an Apple ID and password, users will have the option of requiring a PIN code sent to the device through SMS or a key generated at the time of sign-up.
Also, in about two weeks, Apple will begin alerting users via email and push notifications when a new device tries to log in to an iCloud account for the first time, and when anyone attempts to restore iCloud data to a new endpoint. It will also send a push notification when a password change is attempted or made.
Apple has been the subject of negative publicity in the wake of the photo leak. The theft, which affected about 100 unsuspecting celebs, was originally thought to be a brute-force attack that used a set of 500 or so common-ish passwords to randomly attempt to break into accounts. The implication is that Apple had set no limit on the number of times that account credentials could be tried before locking the user out.
However, speaking to the Wall Street Journal, Cook said that celebrities fell victim to hacking of their iCloud accounts because the perpetrators were able to successfully phish the credentials, or were able to answer security questions correctly—thus placing the blame squarely back on the shoulders of the celebrities themselves.
But Mr. Cook said the most important measures to prevent future intrusions might be more human than technological.
In particular, he said Apple could have done more to make people aware of the dangers of hackers trying to target their accounts or the importance of creating stronger and safer passwords.
“When I step back from this terrible scenario that happened and say what more could we have done, I think about the awareness piece,” he said. “I think we have a responsibility to ratchet that up. That’s not really an engineering thing.”
The Apple IDs and passwords were not, he stressed, leaked or lifted from the company’s servers. He also pointed out the company’s pioneering position with biometrics, with the Touch ID fingerprint sensor in its iPhone 5S.
Apple said it is working with law enforcement to investigate the incident and identify the hackers. A spokesman declined to specify how many users’ accounts had been compromised, citing the continuing investigation.
“We want to do everything we can do to protect our customers, because we are as outraged if not more so than they are,” said Mr. Cook.
Apple is battling to preserve its reputation for looking after its users ahead of a major product announcement next week. The company is facing the type of negative publicity that it usually has managed to avoid, a situation magnified by the popularity of the victims.