Apple now emails users whenever their iCloud account is accessed through a Web browser

Posted in iCloud, edited September 2014
As part of its efforts to beef up iCloud security and prevent unauthorized access, Apple now by default sends users an email when someone has logged into their iCloud account through a traditional Web browser.




Starting Monday morning, just a day before the company is expected to show off its next-generation iPhone, users began receiving emails notifying them of access to their account through the iCloud.com site.

The email informs users that their Apple ID was used to sign in to their iCloud account via a Web browser. The note includes the date and time that the account was accessed.

Users are told that if the access was authorized, they should disregard the email. But if someone else may have gained access to their account, a link to quickly reset the Apple ID password is provided.

The new security measure is enabled by default, unlike more extensive methods users can employ, such as two-step verification for iCloud and iTunes accounts.

Apple Chief Executive Tim Cook signaled last week that his company planned to roll out new iCloud security alerts, and also that two-step authentication would become available to more iCloud users worldwide. The changes come on the heels of a celebrity hacking scandal, and also as the company is expected to offer new functionality, including a rumored mobile payment system, with its next-generation iPhone.




After a number of private celebrity pictures leaked onto the Internet last week, Apple spoke out to dispel rumors that its iCloud service had been hacked. Officials at Apple reportedly looked into the leaks and found that targeted attacks were used to steal the images, while the iCloud service remains safe and secure.

It's believed that the images have been circulating amongst a close-knit group of hackers and file traders on the Internet for some time, potentially years. The images showed celebrities taking "selfies" with a number of handsets, including Apple's iPhone, as well as Android and Blackberry devices.

Comments

  • Reply 1 of 37

    Stuff like this was simple for Apple to do from the start. Glad it's finally here, though.

     

    I don't know if this question has been definitively answered, but I'll ask anyway: is iCloud protected against 'brute force' password hack attacks?

  • Reply 2 of 37
    I personally don't mind some type of notification when there are invalid login attempts either. If someone is trying to break into my house, I want to know when and who. Some way of reporting suspicious activity would be nice too.
  • Reply 3 of 37
    Bit late by then - surely should provide 2-factor auth? (Although I'm sure that's a significant change they'll be working on furiously already).

    And what email do they send to? If someone's logged into icloud they can just delete the mail?
  • Reply 4 of 37
    Time to create a filter in gmail.
  • Reply 5 of 37
    I'd much rather get an email after there have been like 10 failed attempts to access my account - regardless of which way it happened (web, OS X, iOS, whatever). That way I know if someone is trying to brute force my account.
  • Reply 6 of 37

    Getting an email each time I access the cloud is kind of cumbersome in that it clutters up already too full email accounts.  If two factor authentication can get rid of the emails then that is a better solution.

  • Reply 7 of 37
    john.b (Posts: 2,714, member)

    It's a start.

     

    It's actually encouraging IMO to see them doing something before tomorrow's keynote.  But there is more work to do.  As I said in a thread a couple days ago, it doesn't matter how many bits of entropy your password has if someone can reset it by looking up your Mom's maiden name or Dad's middle name from Ancestry.com, or your birthdate and favorite sports team from Facebook.  Don't get me wrong, this is better than nothing, but it's not "fixed" yet.  If someone has hacked your iCloud account, it stands to reason that they can probably delete the notification email before you ever see it.

  • Reply 8 of 37

    SO,

    AFTER the hacker logs into your iCloud account, (and now having access to your iCloud emails)

    they just wait for the email to arrive in your iCloud inbox, and delete it.

     

    Did I get this right, or am I mistaken?

  • Reply 9 of 37
    apple ][ (Posts: 8,360, member)

    Here's a story for AI, just saw it on my twitter feed.

     

    From the loop, Adam Levine tweets from an iPhone, less than a week after appearing on stage with Samsung!

     

    This is just getting ridiculous now!

     

    Celebs who claim to use Android are nothing but paid, lying shills!

  • Reply 10 of 37
    Don't targeted attacks require numerous repeated tries, with everyone and everything in their life being tried as a password? Apple should have at least caught and flagged those repeated attempts.
  • Reply 11 of 37

    It's very slow to notify me, I logged in and I got an email almost 10 minutes later, a hacker can do a lot in that time whilst logged in to my account...

  • Reply 12 of 37
    herbapou (Posts: 2,200, member)

    imo they should give the option to use a SecurID or something like blizzard Authenticator.

  • Reply 13 of 37
    john.b (Posts: 2,714, member)
    Quote:
    Originally Posted by John.B View Post

     

    If someone has hacked your iCloud account, it stands to reason that they can probably delete the notification email before you ever see it.


     

    Quote:
    Originally Posted by BuffyzDead View Post

     

    AFTER the hacker logs into your iCloud account, (and now having access to your iCloud emails)

    they just wait for the email to arrive in your iCloud inbox, and delete it.


     

    Great minds think alike.  8-) 

     

    Seems like you would be better off getting a notification on your iOS devices that someone had just logged into your iCloud account from the web, vs. an email to an IMAP account (or Gmail, for those so inclined) that could easily be deleted. 

     

    Still not perfect, but IMO it would be far more likely to alert the actual account owner to a potential problem. 

  • Reply 14 of 37
    Marvin (Posts: 14,161, moderator)
    The downside to the emails is the added phishing attempts. They just change the Apple ID link, make people think they've been targeted and then get the login details directly. Some email clients are terrible for not showing the proper source.

    http://www.symantec.com/connect/blogs/apple-ids-targeted-kelihos-botnet-phishing-campaign

    There they use the address datacare@apple.com and you see no warnings in the email saying it doesn't officially come from apple.com. You can see the bad writing but apparently this is done deliberately in many cases in order to catch people who are not careful enough to check the text.

    There ought to be a service like Spamhaus that email clients use to check certified email headers for big companies. When average people send mail, they don't have to be checked, when emails are pretending to be from a big company and aren't, the address should be marked red and all links broken. When it's valid, the address can be marked green.
  • Reply 15 of 37
    1) If this email isn't going to contain info like the IP address that was used, or convert that to a country/state/city then you might as well just make it a Push Notification.

    2) I'm against adding hyperlinks in emails for signing in due to phishing scams. Users can easily type it in a web browser or choose from their favourites if they need to access a site.
  • Reply 16 of 37
    I get so many security warnings now, like when I restore one of my many iOS devices that causes a cascade of notifications on the other devices, that I pretty much have to ignore them all. That's the problem with security warnings. If you send too many, people are simply annoyed by them. If someone ever did try to hack an account, it would be lost among all the other BS notifications. When was the last time you actually paid attention to a car alarm?
  • Reply 17 of 37

    This is somewhat similar to most credit cards.  I have my CC companies shoot me an email or text message if the card is not present for the transaction as in an online purchase, among other things.

     

    I don't see why it can't be a text message.  As mentioned above that would cut down on phishing.  If someone has your icloud credentials as well as your unlocked cell phone you are pretty much effed in the A regardless.

  • Reply 18 of 37

    I just tried this and the message I received went to my iCloud account not my backup email -- so if somebody hacks your account they could just delete the warning email when it comes in. 

  • Reply 19 of 37
    john.b (Posts: 2,714, member)
    Quote:

    Originally Posted by Marvin View Post



    The downside to the emails is the added phishing attempts. They just change the Apple ID link, make people think they've been targeted and then get the login details directly. Some email clients are terrible for not showing the proper source.



    http://www.symantec.com/connect/blogs/apple-ids-targeted-kelihos-botnet-phishing-campaign



    There they use the address datacare@apple.com and you see no warnings in the email saying it doesn't officially come from apple.com. You can see the bad writing but apparently this is done deliberately in many cases in order to catch people who are not careful enough to check the text.



    There ought to be a service like Spamhaus that email clients use to check certified email headers for big companies. When average people send mail, they don't have to be checked, when emails are pretending to be from a big company and aren't, the address should be marked red and all links broken. When it's valid, the address can be marked green.

     

    I've been waiting two decades for a whitelisted email service that would replace SMTP.

  • Reply 20 of 37
    Quote:

    Originally Posted by John.B View Post

     

     

     

    Great minds think alike.  8-) 

     

    Seems like you would be better off getting a notification on your iOS devices that someone had just logged into your iCloud account from the web, vs. an email to an IMAP account (or Gmail, for those so inclined) that could easily be deleted. 

     

    Still not perfect, but IMO it would be far more likely to alert the actual account owner to a potential problem. 




    OR you could just have it send to another account outside of your iCloud email account.
