Thwart iForgot Password Reset Flaw
Following the lead of companies like Facebook, Google, and Microsoft, Apple last week announced two-step verification (also known as two-factor authentication) to help customers secure their Apple IDs against hackers. Unfortunately, just a day later, a major new security hole was discovered that affected any customer who had not implemented their new two-step security feature.
iForgot password reset flaw
Late last week, a step-by-step tutorial was uncovered that explains in detail how to bypass security settings on Apple’s iForgot password reset page. With only a user’s date of birth, a hacker could create a modified link to the page that allowed them to change the user’s password. And as one report confirmed, this exploit did not require major hacking skill; it’s an easy process that “just about anyone could manage.”
While Apple has now fixed this security issue, it is extremely telling that the only users who would have been protected were those who had implemented two-step verification.
Below, I explain more on how this security process works, and I urge ALL Apple users to set up the feature as soon as possible.
Two-step verification is a security technique I previously discussed here in the blog, and it involves 2 out of 3 authentication factors: something you know, something you have, and something you are. To recap, something you know is something that you can remember – like a PIN, password, or pattern you swipe. Something you have is a physical object that you keep with you, like an ATM card or your mobile phone. Something you are is something that is a part of you, like the pattern of your fingerprint.
Requiring at least two of these three factors to log into an account decreases the likelihood of a hack. For example, while it is easy to crack many passwords online, it is much less likely that a hacker will have access to your physical mobile device. In turn, if someone steals your mobile phone, it’s unlikely that they will also have the technical skill to effectively crack your passwords.
In Apple’s case, the feature automatically sends a verification code to one of your trusted devices before you make a purchase. This adds another layer of protection to your account, and it immediately notifies you if a fraudulent transaction is attempted.
How to set up two-step verification for Apple ID
I highly recommend setting up two-step verification if you have an Apple ID, and you can activate the feature at appleid.apple.com by following the steps below:
- Select “Manage your Apple ID” and sign in.
- Select “Password and Security.”
- Under Two-Step Verification, select Get Started and follow the on-screen instructions.
Keep in mind that after you’ve enabled this feature, two-step verification does not make you 100% invulnerable to cybercrime. Hackers are always finding new and more effective ways to bypass even the most sophisticated security measures, which is why we work so hard here at McAfee to keep your information and devices safe from harm. For more peace of mind, we recommend always keeping your devices protected with a solution such as McAfee All Access.
In addition, keep a close eye on new and emerging threats to stay one step ahead of the bad guys. We do our best to update followers about threats in real time on Facebook and on Twitter with @McAfeeConsumer, so we hope you’ll tune in and share that information with friends and family as well.