Apple now emails users whenever their iCloud account is accessed through a Web browser
As part of its efforts to beef up iCloud security and prevent unauthorized access, Apple now by default sends users an email when someone has logged into their iCloud account through a traditional Web browser.

Starting Monday morning, just a day before the company is expected to show off its next-generation iPhone, users began receiving emails notifying them of access to their account through the iCloud.com site.
The email informs users that their Apple ID was used to sign in to their iCloud account via a Web browser. The note includes the date and time that the account was accessed.
Users are told that if the access was authorized, they should disregard the email. But if someone else may have gained access to their account, a link to quickly reset the Apple ID password is provided.
The new security measure is enabled by default, unlike more extensive methods users can employ, such as two-step verification for iCloud and iTunes accounts.
Apple Chief Executive Tim Cook signaled last week that his company planned to roll out new iCloud security alerts, and also that two-step authentication would become available to more iCloud users worldwide. The changes come on the heels of a celebrity hacking scandal, and also as the company is expected to offer new functionality, including a rumored mobile payment system, with its next-generation iPhone.

After a number of private celebrity pictures leaked onto the Internet last week, Apple spoke out to dispel rumors that its iCloud service had been hacked. Officials at Apple reportedly looked into the leaks and found that targeted attacks were used to steal the images, while the iCloud service remains safe and secure.
It's believed that the images have been circulating amongst a close-knit group of hackers and file traders on the Internet for some time, potentially years. The images showed celebrities taking "selfies" with a number of handsets, including Apple's iPhone, as well as Android and Blackberry devices.

Comments
Stuff like this was simple for Apple to do from the start. Glad it's finally here, though.
I don't know if this question has been definitively answered, but I'll ask anyway: is iCloud protected against 'brute force' password hack attacks?
And what email do they send to? If someone's logged into iCloud they can just delete the mail?
Getting an email each time I access the cloud is kind of cumbersome in that it clutters up already too full email accounts. If two factor authentication can get rid of the emails then that is a better solution.
It's a start.
It's actually encouraging IMO to see them doing something before tomorrow's keynote. But there is more work to do. As I said in a thread a couple days ago, it doesn't matter how many bits of entropy your password has if someone can reset it by looking up your Mom's maiden name or Dad's middle name from Ancestry.com, or your birthdate and favorite sports team from Facebook. Don't get me wrong, this is better than nothing, but it's not "fixed" yet. If someone has hacked your iCloud account, it stands to reason that they can probably delete the notification email before you ever see it.
SO,
AFTER the hacker logs into your iCloud account, (and now having access to your iCloud emails)
they just wait for the email to arrive in your iCloud inbox, and delete it.
Did I get this right, or am I mistaken?
Here's a story for AI, just saw it on my twitter feed.
From the loop, Adam Levine tweets from an iPhone, less than a week after appearing on stage with Samsung!
This is just getting ridiculous now!
Celebs who claim to use Android are nothing but paid, lying shills!
It's very slow to notify me, I logged in and I got an email almost 10 minutes later, a hacker can do a lot in that time whilst logged in to my account...
IMO they should give the option to use a SecurID or something like Blizzard Authenticator.
If someone has hacked your iCloud account, it stands to reason that they can probably delete the notification email before you ever see it.
AFTER the hacker logs into your iCloud account, (and now having access to your iCloud emails)
they just wait for the email to arrive in your iCloud inbox, and delete it.
Great minds think alike.
Seems like you would be better off getting a notification on your iOS devices that someone had just logged into your iCloud account from the web, vs. an email to an IMAP account (or Gmail, for those so inclined) that could easily be deleted.
Still not perfect, but IMO it would be far more likely to alert the actual account owner to a potential problem.
http://www.symantec.com/connect/blogs/apple-ids-targeted-kelihos-botnet-phishing-campaign
There they use the address datacare@apple.com and you see no warnings in the email saying it doesn't officially come from apple.com. You can see the bad writing but apparently this is done deliberately in many cases in order to catch people who are not careful enough to check the text.
There ought to be a service like Spamhaus that email clients use to check certified email headers for big companies. When average people send mail, they don't have to be checked, when emails are pretending to be from a big company and aren't, the address should be marked red and all links broken. When it's valid, the address can be marked green.
2) I'm against adding hyperlinks in emails for signing in due to phishing scams. Users can easily type it in a web browser or choose from their favourites if they need to access a site.
This is somewhat similar to most credit cards. I have my CC companies shoot me an email or text message if the card is not present for the transaction as in an online purchase, among other things.
I don't see why it can't be a text message. As mentioned above that would cut down on phishing. If someone has your iCloud credentials as well as your unlocked cell phone you are pretty much effed in the A regardless.
I just tried this and the message I received went to my iCloud account not my backup email -- so if somebody hacks your account they could just delete the warning email when it comes in.
The downside to the emails is the added phishing attempts. They just change the Apple ID link, make people think they've been targeted and then get the login details directly. Some email clients are terrible for not showing the proper source.
http://www.symantec.com/connect/blogs/apple-ids-targeted-kelihos-botnet-phishing-campaign
There they use the address datacare@apple.com and you see no warnings in the email saying it doesn't officially come from apple.com. You can see the bad writing but apparently this is done deliberately in many cases in order to catch people who are not careful enough to check the text.
There ought to be a service like Spamhaus that email clients use to check certified email headers for big companies. When average people send mail, they don't have to be checked, when emails are pretending to be from a big company and aren't, the address should be marked red and all links broken. When it's valid, the address can be marked green.
I've been waiting two decades for a whitelisted email service that would replace SMTP.
Great minds think alike.
Seems like you would be better off getting a notification on your iOS devices that someone had just logged into your iCloud account from the web, vs. an email to an IMAP account (or Gmail, for those so inclined) that could easily be deleted.
Still not perfect, but IMO it would be far more likely to alert the actual account owner to a potential problem.
OR you could just have it send to another account outside of your iCloud email account.