Apple iCloud Hacking in China: Credentials Are the Problem

10/23/2014 / 0 Comments

Apple Inc. is facing another high-profile case of hacking that has targeted its iCloud storage service, this time with hackers in China using a “man-in-the-middle” (MITM) attack in an attempt to steal iCloud credentials from unsuspecting Chinese customers.

As reported by Reuters and revealed by Greatfire.org, which monitors Internet censorship in China, the attackers set up their own website between iCloud users and Apple’s server. This site was designed to intercept data and potentially gain access to passwords, messages, contacts, and photos.

With man-in-the-middle attacks, these “spoof” sites are typically designed to mimic the interface of a real website, such as that of Apple’s iCloud service, and if users do not heed browser security warnings or use built-in browser features to verify that they are accessing a legitimate website, they can be duped into entering their login credentials and inadvertently sharing them with attackers.

Apple has since released an updated support document for iCloud security, including instructions on how to avoid these attacks. But this the second time in recent weeks that Apple has been forced to address security issues with its iCloud service

In September, in the wake of a celebrity photo hacking case that made international headlines and allegedly also involved iCloud accounts, Apple announced that it would add extra security measures to iCloud. And it also announced that it would expand its use of two-factor authentication to cover access to iCloud accounts from a mobile device, addressing glaring gaps in two-factor authentication security for some of its services.

 

Standard Two-factor Authentication and Apple Security Are Not Enough

Unfortunately, with man-of-the-middle attacks, simply extending and enabling two-factor authentication is not enough to protect users and prevent unauthorized access to user accounts.  In previous cases, such as the hacking of Swiss banks and other financial institutions in Europe, two-factor authentication was bypassed by using a similar man-in-the-middle strategy to steal credentials, including one-time codes or one-time passwords that are required for authentication.

According to computer security company Trend Micro, which analyzed the attack that bypassed two-factor authentication for online banking, “Even advanced security schemes are vulnerable now.”

But the real problem lies in the type of advanced security that is used and in the failure of companies like Apple to realize and address the fundamental problem of entering, transmitting, or storing passwords or other credentials during the login and authentication process.

After the celebrity photo hack, Apple CEO Tim Cook told the Wall Street Journal that, “When I step back from this terrible scenario that happened and say what more could we have done, I think about the awareness piece. I think we have a responsibility to ratchet that up.”

But Apple’s immediate response was only to expand its use of two-factor authentication, which was warranted in light of the gaps in its security, but its methods rely on one-time codes and one-time passwords that can be collected or intercepted through a variety of methods, including SIM card cloning.

Apple also did not address the more fundamental problem that motivates and enables nearly every major hacking case, which is use of passwords or other sensitive credentials, in any form, for user logins.

Stealing user credentials is the primary motivation of most attackers because it provides them with the means to access user accounts and steal personal and confidential data. It not only enables celebrity photo hacking or the compromise of user accounts in China.

It enables the deployment of malware such as SQL injection to compromise over 420,000 websites and FTP sites and steal billions of user credentials. It enables the installation Backoff malware to launch point-of-sale attacks and compromise millions of consumer payment cards. And it is what enables attackers to gain unauthorized access to servers and steal over 4.5 million medical records that include names, birthdates, and Social Security numbers.

 

Making Hacking Impossible By Eliminating Passwords and Credentials

The solution to all of these problems is not just to extend and enable two-factor authentication but to use the right method to render hacking impossible. Companies and developers must acknowledge that the password is dead, and they must remove passwords and credentials from the login process.

If the right cryptography and best two-factor authentication are used, users can authenticate using quick and convenient technology, much like they do with two-step verification or two-factor authentication that they may currently use with services from Apple, Microsoft, Google, Dropbox, and many other companies. But the difference is in removing the password requirement from the process and removing the one-time code or one-time password that is typically required to complete two-factor authentication.

Using public key infrastructure (PKI), which involves the same concepts and levels of security as smart cards and chip-enabled credit cards, no password or credential is entered through the login process, and none is ever transmitted or stored on a server. This means that they are physically no credentials to steal, so password theft is impossible. Hacking, phishing, and malware are rendered obsolete because they cannot be used to steal credentials.

With PKI, users can log into a service using only a non-confidential user ID. They can combine their knowledge of a PIN or passcode, or their fingerprint biometric, with physical possession of their mobile device, to complete authentication using a simple mobile app.

The PIN, passcode, or fingerprint is known or possessed only by the user and is entered only in the mobile app to verify identity and ownership of a private key that is stored securely on the mobile device. Importantly for additional security, the PIN, passcode, or fingerprint does not constitute authentication because the final verification process is completed by tapping an access symbol in the mobile app that matches one that is shown on the login screen for the secured service.

This password-free approach takes just seconds to complete and uses 2048-bit encrypted and asymmetric key pairs, based on algorithms that are mathematically impossible to compromise with any current or anticipated level of technology. When deployed with the right solution, PKI two-factor authentication also protects the private key on the mobile device with patented security that prevents brute force attack, even if the device is lost or stolen.

This method meets the specifications being championed by data security experts and industry leaders through the FiDO (Fast Identity Online) Alliance, which includes key stakeholders such as Google, Microsoft, PayPal, Visa, MasterCard, Discover, Bank of America, QualComm, and many others.

Most importantly, it guarantees that users and organizations can never again be victimized by any form of credential hacking, and, thus, sensitive data will remain completely secure from any such attacks.

PKI-based authentication can be deployed in the cloud or on-premise and can be integrated with virtually any website, application, network, or system, with user self-enrollment and a convenient user ID that can even be used as a single-sign on with the strongest possible two-factor authentication.

 

Deploying PKI Two-factor Authentication for Better Login Security

To learn more about two-factor authentication using public key infrastructure and advanced cryptography, visit the SecSign Technologies website for technical details, videos, consultation, and an opportunity to download the SecSign ID mobile app and test the secure login process for yourself.

SecSign Technologies is a sister company of SecCommerce Informationssysteme GmbH, a pioneer of cryptography solutions with more than 16 years of experience in developing public key infrastructure (PKI), electronic signature, and smartcard technologies. SecSign’s security experts and cryptography engineers have developed, deployed, and maintained systems that have successfully protected confidential business data and user access for numerous major corporations, including IBM, Siemens, Johnson & Johnson, Fujitsu, T-Systems, BMW, and Audi.

Do NOT follow this link or you will be banned from the site!