Monthly Archives: June 2017

New Mac Malware-as-a-Service offerings

A couple weeks ago, two new Malware-as-a-Service (MaaS) offerings for the Mac became available. These two offerings – a backdoor named MacSpy and a ransomware app named MacRansom – were discovered by Catalin Cimpanu of Bleeping Computer on May 25.

Cimpanu evidently had some trouble getting hold of samples, but on Friday analysis of MacRansomwas posted by Fortinet and analysis of MacSpy was posted by AlienVault.

Both of these malware programs were advertised through Tor websites, claiming them to be “The most sophisticated Mac spyware/ransomware ever, for free.” Neither programs were directly available, but could only be obtained by emailing the authors at protonmail[dot]com email addresses.

Behavior

Despite the claims of sophistication, these malware programs are not particularly advanced. The programs provided to both Fortinet and AlienSpy were simple command-line executable files that, when run, copy themselves into the user’s Library folder.

MacSpy:

~/Library/.DS_Stores/updated

MacRansom:

~/Library/.FS_Store

Because the .DS_Stores folder and the .FS_Store file both have names starting with a period, they are hidden from view unless the user has done something to show invisible files.

As part of the installation, these programs also create LaunchAgent files for persistence – a not at all original method.

MacSpy:

~/Library/LaunchAgents/com.apple.webkit.plist

MacRansom:

~/Library/LaunchAgents/com.apple.finder.plist

Some recent malware has had the capability to customize the install locations and names, but there’s no indication in the reports from Fortinet and AlienVault that such a feature is available in MacSpy or MacRansom, making these quite easy to detect.

MacRansom is created with a custom “trigger date,” after which time the malware detonates and encrypts the files in the user’s home folder, as well as on any connected volumes, such as external hard drives. As happened with KeRanger, which had a 3-day delay before encrypting, this delay will likely mean that few people who are using security software will actually be affected, as the malware will probably be detected before it encrypts anything.

Further, the encryption uses a symmetric key – meaning that the same key is used both to encrypt and to decrypt – that is only 8 bytes in length, making it rather weak and relatively easy to decrypt. However, the key creation process involves a random number and the resulting key is apparently not saved to the hard drive or communicated back to the authors in any way, making it impossible to decrypt the files except via brute force.

After encryption, the malware will display a pop-up alert informing the user of what must be done to decrypt the files, and will continue to reappear even if the user clicks the “Destroy [sic] My Mac” button. The malware does not save any copies of that information to files on the hard drive, as is typical of most ransomware.

MacSpy is fairly simple spyware, which gathers data into temporary files and sends those files periodically back to a Tor command & control (C&C) server via unencrypted http. It will exfiltrate the following data:

  • Screenshots (taken every 30 seconds)
  • Audio captured via microphone
  • Keystrokes*
  • Clipboard contents
  • iCloud photos
  • Browser data

In the case of keylogging, the malware requires an admin password, which can be provided in the email requesting a copy of the malware. This requires that the attacker knows the password for the target Mac in advance.

If the attacker pays for the malware, they will get additional capabilities, such as more general file exfiltration, access to social media, help with packaging the executable into a Trojan form (such as a fake image file), and code signing.

Analysis avoidance

Although neither of these programs is particularly sophisticated, they both do include some reasonably effective analysis avoidance features. Both include three methods for determining whether they are being analyzed by a researcher, in which case they shut down and do not display their malicious behaviors.

First, they will check to see if they are being run by a debugger, using a call to ptrace.

They will also parse the output from the shell command sysctl hw.model for the word “Mac”, terminating if that is not found. In a virtual machine, this command will not return the model identifier for the hardware, but will instead return a value specific to the virtualization software being used. Thus, if the output does not contain “Mac,” it is most likely being run in a virtual machine, and the most likely reason for that is that it’s being analyzed by a security researcher.

Another virtual machine check that is performed is a check for the number of logical and physical CPUs. Since the number of CPUs is simulated in a virtual machine, this is another fairly reliable indicator that the malware is under analysis.

If any of these checks fail, the malware terminates.

Fortunately, because the malware isn’t signed, it’s possible to hack the executables to bypass these anti-analysis checks and then analyze it in a virtual machine.

About the authors

The websites for the malware include an “About Us” section, in which the authors provide some information about their motivations:

We are engineers at Yahoo and Facebook. During our years as security researchers we found that there lacks sophisticated malware for Mac users. As Apple products gain popularity in recent years, according to our survey data, more people are switching to MacOS than ever before. We believed people were in need of such programs on MacOS, so we made these tools available for free. Unlike most hackers on the darknet, we are professional developers with extensive experience in software development and vast interest in surveillance. You can depend on our software as billions of users world-wide rely on our clearnet products.

I suspect that a lot of this is probably not accurate. I seriously doubt that they would really give away information about their former employers, which would provide a clue that could be used to help track them down and could be used as evidence in a trial. Further, as a security professional myself, it’s rather laughable that the best a security researcher could do for persistence is a launch agent.

Also, the lack of any way to decrypt files in a ransomware app is extremely amateurish. This means that 2/3 of the Mac ransomware that has ever existed has had no means for decrypting files so that users who pay will get none of their data back in return. Hopefully, this will make victims of future Mac ransomware reluctant to pay, which will, in turn, make it unprofitable to develop such malware in the future.

All these factors mean that these hackers undoubtedly do not have the qualifications they claim to have and are actually amateur developers with a tendency towards crime.

Disinfection

The presence of any of the following items is an indicator of infection:

~/Library/LaunchAgents/com.apple.webkit.plist
~/Library/LaunchAgents/com.apple.finder.plist
~/Library/.DS_Stores/
~/Library/.FS_Store

Malwarebytes for Mac will detect these as OSX.MacSpy and OSX.MacRansom.

If you were infected with MacSpy, after removing it, you should be sure to change all your passwords, as they might have been compromised by the keylogging, screen captures and/or clipboard exfiltration. If your work computer has been compromised, contact your IT department to alert them to the issue; otherwise, your accounts or other information leaked could potentially give a criminal inside access to your company’s servers.

If you had a MacRansom infection and didn’t get your data encrypted, consider yourself very lucky. Start backing up your computer regularly if you didn’t already and avoid leaving the backup drive connected all the time.

If you did have data encrypted by the ransomware, it’s possible that it could be decrypted by an expert in cryptography. Although we don’t currently have information about decrypting such files, we will update this article in the future if a method for doing so is identified.

 

via:  malwarebytes

Google launches its AI-powered jobs search engine

Looking for a new job is getting easier. Google today launched a new jobs search feature right on its search result pages that lets you search for jobs across virtually all of the major online job boards like LinkedIn, Monster, WayUp, DirectEmployers, CareerBuilder and Facebook and others. Google will also include job listings its finds on a company’s homepage.

The idea here is to give job seekers an easy way to see which jobs are available without having to go to multiple sites only to find duplicate postings and lots of irrelevant jobs.

 

With this new feature, is now available in English on desktop and mobile, all you have to type in is a query like “jobs near me,” “writing jobs” or something along those lines and the search result page will show you the new job search widget that lets you see a broad range of jobs. From there, you can further refine your query to only include full-time positions, for example. When you click through to get more information about a specific job, you also get to see Glassdoor and Indeed ratings for a company.

You can also filter jobs by industry, location, when they were posted, and employer. Once you find a query that works, you can also turn on notifications so you get an immediate alert when a new job is posted that matches your personalized query.

“Finding a job is like dating,” Nick Zakrasek, Google’s product manager for this project, told me. “Each person has a unique set of preferences and it only takes one person to fill this job.”

To create this comprehensive list, Google first has to remove all of the duplicate listings that employers post to all of these job sites. Then, its machine learning-trained algorithms sift through and categorize them. These job sites often already use at least some job-specific markup to help search engines understand that something is a job posting (though often, the kind of search engine optimization that worked when Google would only show 10 blue links for this type of query now clutters up the new interface with long, highly detailed job titles, for example).

Once you find a job, Google will direct you to the job site to start the actual application process. For jobs that appeared on multiple sites, Google will link you to the one with the most complete job posting. “We hope this will act as an incentive for sites to share all the pertinent details in their listings for job seekers,” a Google spokesperson told me.

As for the actual application process itself, Google doesn’t want to get in the way here and it’s not handling any of the process after you have found a job on its service.

It’s worth noting that Google doesn’t try to filter jobs based on what it already knows. As Zakrasek quipped, the fact that you like to go fishing doesn’t mean you are looking for a job on a fishing boat, after all.

Google is very clear about the fact that it doesn’t want to directly compete with Monster, CareerBuilder and similar sites. It currently has no plans to let employers posts jobs directly to its jobs search engine for example (though that would surely be lucrative). “We want to do what we do best: search,” Zakrasek said. “We want the players in the ecosystem to be more successful.” Anything beyond that is not in Google’s wheelhouse, he added.

Monster.com’s CTO Conal Thompson echoed this in a written statement when I asked him how this cooperation with Google will change the competitive landscape for job sites. “Google’s new job search product aligns with our core strategy and will allow candidates to explore jobs from across the web and refine search criteria to meet their unique needs,” he wrote. “Yes, as with anything, there will be some challenges and adjustments to existing job posting sites; the biggest perhaps being for those that are currently driven by SEO.”

 

via:  techcrunch

Google Adds New Behavior-Based Malware Scanner To Every Android Device

google-play-protect-android-app-scanning

In order to keep its billions of users safe, Google has introduced another security defense for its Android devices, called Google Play Protect.

Google Play Protect, which is part of the Google Play Store app, uses machine learning and app usage analysis to weed out the dangerous and malicious apps, which have always been albatross around the tech giant’s neck.

Since Google Play Protect actually comes with the Google Play Store, users do not need to install or activate this security feature separately.

 

Google Play Protect for Android devices consists:

  • App scanning
  • Anti-Theft Measures
  • Browser Protection
Play Protect’s App Scanning Feature

Google Play Protect is an always-on service on devices which said to scan 50 billion apps each day across a billion Android devices to ensure they are safe.

Google already has a number of security measures in place to help keep your smartphones safe, including Verify Apps and its Bouncer service, but once apps are uploaded to the Play Store and installed on your device, Google does not have anything in place to monitor the behavior of those apps – something that most malware apps were abusing.

Running automatically in the background, Google Play Protect is actually built into devices, which will not only analyze apps before appearing on the Play Store, but also monitor them once installed on the device, including apps that have been installed from third-party stores as well.

For this, Google makes use of machine learning algorithms that automatically compares app behavior and distinguishes those acting abnormally, and if encounters any malicious app, it warns you or even disables the app to prevent further harm.


Google says it works around the clock to keep up with the latest threats

Google says the new machine learning system regularly updates to help Android ecosystem stay one step ahead of any potential threats by always looking out for “new risks, identifying potentially harmful apps and keeping them off your device or removing them.”

Play Protect’s Anti-Theft Measures

With the introduction of Google Play Protect, Android Device Manager has been replaced with Find My Device, use to locate lost and misplaced devices.

You can use the browser or any other device to remotely call, locate, and lock, your Android device or even erase the data to protect sensitive information remotely.

Find My Device is the same old solution, but Google included it into the Google Play Protect program.

Play Protect’s Browser Protection

With Safe Browsing feature in Chrome, Play Protect lets users stay safe while browsing the Internet.

Usually, virus, malware and worm land on to your smartphones and computers via malicious web browsers. So, if you visit any website that is acting suspicious, Safe Browsing feature will warn you and block websites that feel sketchy or seems to be unsafe for you.

Google Play Protect service will be rolling out to Android devices over the coming weeks.

 

via:  thehackernews

Select Restaurant chain hit with POS data breach

The Ohio-based Select Restaurant chain reported it suffered a point-of-sale breach during which customer payment card information was compromised.

The breach took place between October 36, 2016 and February 3, 2017 at 12 of the company’s restaurants, which are located across the United States, the company said in a written statement. The breach was noticed on March 30 when a third-party vendor reported that some unusual activity was taking place within its system. It was then confirmed on April 26 that some customer payment card information may have been compromised, including cardholder’s name, card number, expiration date and CVV.

The company is now working with a forensics firm to determine the extent of the breach and to identify anyone who may have been affected. Select did not know how many people were potentially impacted by the breach.

The chain is recommending that any guests who frequented one of its establishments involved in the breach review their bank and credit card accounts to search for irregularities.

The list of affected restaurants can be seen here.

 

via:  scmagazine

Erebus Linux ransomware attack demanded $1.62 million from South Korean firm

South Korean firm NAYANA was hit with a Linux ransomware attack that demanded an unprecedented 550 Bitcoins (BTC) or $1.62 million ransom.

Erebus ransomware attack demanded NAYANA demanded $1.62M.

Erebus ransomware attack demanded NAYANA demanded $1.62M.

The attack occurred on June 10, 2017, and on June 12, 2017, the company announced the attack. On June 14, 2017 the web hosting company was eventually able to negotiate down to the ransom to 397.6 BTC, nearly $1.01 million, to be paid in three installments, according to a June 19 blog post.

The threat actors used the Erebus ransomware to infect 153 Linux servers and 3,400 businesses sites hosted by NAYANA and as of June 19, 2017, two of the three payments have already been made. The final payment is expected to be made one the first and second batches of servers have been successfully recovered.

A local exploit may have been used in the attack though it is unclear exactly what exploits were used to infect the system as there isn’t a clear understanding of what vulnerabilities are in the systems.

Researchers said it’s worth noting the ransomware is limited in terms of coverage and is heavily concentrated in South Korea. Other samples however, have been submitted from security researchers in Ukraine and Romania.

Erebus was first spotted in a spate of malvertising attacks in September 2016 and then reemerged in February 2017 using a method to bypass Windows’ User Account Control. The recent Linux variant was similar to the updated variant discovered in February 2017, with OS-specific changes in the way it gains access to the system, Trend Micro Director of Hybrid Cloud Security Steve Neville told SC Media.

“The Windows version leveraged a strategy of bypassing the User Access Controls (UAC) to gain elevated privilege in order to execute,” Neville said. “The Linux version leverages a similar mechanism in Linux, but also adds a fake Bluetooth service to ensure that the ransomware is executed even after the system or server is rebooted.”

Researchers warn to always make sure all of their systems are patched and up to date to prevent infection as well as the backing up of critical files.

 

via:  scmagazine

Fashion Retailer Buckle Finds Malware on PoS Systems

The Buckle, Inc., a fashion retailer that operates more than 450 stores across the United States, informed customers on Friday that malware had been found on some of its point-of-sale (PoS) systems.

Buckle suffers credit card breach

According to the retailer, malware was present on PoS systems at some of its stores between October 28, 2016, and April 14, 2017. The company has called in outside experts to investigate the incident and help secure its network.

The malware was designed to steal data from a card’s magnetic stripe, including cardholder name, account number and expiration date, but The Buckle believes the malware did not collect data from all transactions conducted via infected PoS systems.

The company pointed out that all its stores support EMV (chip card) technology, which makes it significantly more difficult to clone cards using stolen data. Nevertheless, the compromised payment card data can still be useful to cybercriminals, particularly for card-not-present fraud.

 

The Buckle said there was no evidence that social security numbers, email addresses or physical addresses were obtained by the attackers, and there is no indication that its website and online store are affected.

“As part of Buckle’s response, connections between Buckle’s network and potentially malicious external IP addresses were blocked, potentially compromised systems were isolated, and malware-related files residing on Buckle’s systems were eradicated.

Additionally, Buckle reported a potential incident to the payment card brands and is cooperating with them regarding this incident,” the company said in a statement.

The Buckle has advised customers to keep an eye out for any suspicious activity on their payment card, and immediately report any unauthorized charges to the card issuer. A list of affected stores has not been made available.

The Buckle’s announcement comes just two weeks after big box department store chain Kmart, which operates more than 700 stores, informed customers of a payment card breach and a couple months after 200 Brooks Brothers Stores were Hit by Payment Card Breach.

 

via:  securityweek

Phishers Padding URLs with Hyphens to Target Facebook Users

Phishers are sending Facebook users fake login pages with URLs they’ve padded with hyphens, a trick which makes the sites look legitimate on mobile devices.

The attack works by sending a real, legitimate domain within a larger URL that’s fake.

For instance, the following link redirects users to a phishing site: hxxp://m.facebook.com—————-validate—-step1.rickytaylk[dot]com/sign_in.html.

The genuine path for Facebook mobile, “m.facebook.com,” appears in the URL, but the link’s actual domain is rickytaylk[dot]com.

Why does that matter? Just see what it looks like in a mobile browser.

Screenshot of URL in mobile browser. (Source: PhishLabs)

Not so easy to spot the difference from the real Facebook mobile sign-in page, is it? Not only that, but the attackers include a work like “validate” or “secure” after their first round of hyphens. This tactic further boosts the fake link’s appearance of legitimacy.

PhishLabs has detected at least 50 instances of this phishing technique since January 2017. Researchers at the security awareness training provider haven’t found lures for the attack just yet. Even so, they believe fraudsters are mainly spreading around these hyphen-padded URLs via SMS messages.

Crane Hassold, senior security threat researcher at PhishLabs, says this belief comes down to mobile users’ inability to verify the location of a link sent via SMS:

“… Until you visit the site, you have no way of knowing whether it’s legitimate. And, as we’ve already seen, once you’re there the URL padding approach is highly effective at obscuring the site’s real domain.”

He goes on to say that phishers are likely using Facebook users’ credentials they steal in this campaign to access victims’ accounts and then send out additional phishing lures in updates and private messages. They could also use the login details to commit password reuse attacks across multiple web accounts, a digital threat against which Carbonite warned in late June 2016.

This isn’t the first type of scam to target the popular social networking platform, and it’s not even the sole innovative phishing technique to emerge in recent weeks. With that said, mobile users need to exercise caution around clicking on links in suspicious SMS messages. They should also refer to these tips to further protect themselves against phishing attacks.

 

via:  tripwire

Apple Music quietly added a $99 annual subscription plan

If you’re an Apple Music subscriber, chances are that you’re paying $9.99 every month, $14.99 for a family plan, or $4.99 per month if you’re a student. But Apple quietly added another option as Tehnot spotted. You can now pay $99 for a 12-month subscription.

This setting is quite buried as Apple doesn’t want you to know that you can pay less than what you’re actually paying. We tried different scenarios, and it was quite hard to find the new annual plan — but it’s real.

If you’re not a current Apple Music subscriber, the Music app only lets you subscribe to a normal monthly plan as pictured above. But if you’re an existing subscriber, you can go to your membership settings and switch to an annual plan. So new users will have to buy a monthly subscription first and then switch.

Now stay with me as it’s about to get a bit complicated. Let’s hope that the upcoming App Store redesign is going to make it easier to access the subscription settings because we’re not there yet.

First, you need to open the App Store app and scroll to the very bottom of the Featured tab. Then tap on your Apple ID, enter your password and tap on “View Apple ID.” Finally, tap on the Subscriptions button and you can access your Apple Music membership settings. Here’s what it looks like (prices may vary depending on your country):

So if you think you’re going to keep using Apple Music for the foreseeable future, you can switch in a couple of taps and save around 17.5 percent.

Before this change, you could buy an Apple Music gift card for $99 to get a full year of service access. But if you’re not a gift card person, there was no way to access this discounted rate.

 

via:  techcrunch

The Reality of Internet Safety: Why Education Trumps Technology

For many people, the Internet’s ubiquity is akin to a utility. Like electricity and running water, there’s a tendency to not think about the Internet too much – until something goes very wrong. But also, prevailing attitudes towards Internet safety tend towards ‘flick of a switch’ solutions – the notion a piece of software or a service from an ISP is enough to ensure the younger members of your family remain safe online.

This is fundamentally wrong. Although software can be an ally – especially when you’re attempting to protect very young children – the reality is education and discussion are also vital. And that means for children and parents alike.

What follows are three short stories that impart useful lessons when considering how to manage Internet usage for your own families, with ongoing safety and privacy in mind.

Lesson 1: Software is not a magic wand

This story isn’t a personal one, but nonetheless provides insight into what can happen when people make broad assumptions about technology-based Internet filters. In my native United Kingdom, the government has of late been keen on Internet service providers activating content filters by default, only barely stopping short of outright centralized content regulation (although that’s in the current government’s manifesto). The reasoning is to protect young children from unsuitable content.

If you’re well-versed in technology, it’s easy to be cynical about such claims. Arguments about censorship rage, with concerns that when any legal content becomes blocked by default, it’s the thin end of the wedge. But reports that pop up in the news suggest the more widespread problem is the somewhat scattershot nature of filtering combined with complacency on the part of users.

Sometimes, content that shouldn’t get through a filter does, resulting in parents who assumed unsupervised children were ‘safe’ getting a nasty shock. Elsewhere, you’ll find stories about opaque and over-zealous blacklists wrongly blocking content, leaving vulnerable teens and children unable to access helplines regarding child abuse or critical information about sexuality.

Whether these blocks were algorithmic or accidental in nature is irrelevant. The point is that should you decide to activate such filters or software, you need to do so with your eyes open, and an understanding that software isn’t typically very nuanced. For very young children, supervision remains key. Should they get unsupervised time online, consider a ‘whitelist’ of sites you’ve personally vetted and are happy for them to use alone, rather than automated blacklists.

As children get older, though, the best route to Internet safety is to prioritize discussion over technological solutions, which is the subject of the next story.

Lesson 2: Discussion is key to children being safe online

An acquaintance is a prominent figure in the technology industry. Her daughter had therefore grown up surrounded by technology and Internet-enabled devices, and had always been respectful of such things – even slightly cautious.

When old enough to surf the web alone, she one day decided to search for her mother’s name. Instantly, the browser listed page after page of articles and images about her mother. Needless to say, this was a jolt.

Her mother explained that having authored many books and spoken at a range of public events, such an online presence was to be expected. Most importantly, these decisions had been down to choices she consciously made. However, she warned it would be feasible to find a similar level of information about yourself online if you shared content in an unthinking manner.

Stories elsewhere on the web about online sharing are often far less pleasant and reasoned tales. We hear of kids who send intimate imagery to someone who then vindictively shares it with all and sundry. The natural instinct of parents and governments alike is to assume ‘control’ is a fix. They clamp down on Internet use and install filters. But as already noted, the Internet is today close in nature to a utility – as kids get older, they will find ways to get online.

It’s therefore vital they are well informed. They need to understand that the Internet is a glorious, amazing place, but also something to approach with caution. And while over-sharing may feel good at the time, sending someone anything of a very personal nature may result in it being permanently accessible to the world, rather than a single individual.

Lesson 3: Think what you yourself are sharing

When parents get into Internet safety, they tend to spend time thinking about what their kids are doing, yet don’t consider their own actions. After all, they are the grown-ups and know how everything works! Or so they think. But from simple social media status updates to photo uploads, have you already started building a searchable mesh of online content about your children? Will they thank you for that when they get older?

That might sound extreme – even a bit tinfoil hat. But the reality is search engines and social media sites suck in whatever information they can. And while you might reasonably think photos of your amazing children at every stage of development need sharing with the entire planet, you should instead consider being more focussed and private regarding such online activity.

This line of thinking became particularly apparent for me before I had a child of my own; it was largely down to a friend who I for a while thought was eccentrically expressing his inner Seuss. In every public online post that referred to his children, he’d call them Thing One and Thing Two. There wasn’t even a reference to gender. He later explained this was intentional. He enjoyed talking about and was rightly proud of his children. But through stripping posts of identifiable information, he retained a measure of privacy for his kids. In the future, there will be no way to search for their names and see a string of posts and photos from their father.

So consider a similar approach. Obfuscate personal details about your children when posting publicly. Consider not uploading photos to public-facing web pages, and instead use services that enable you to restrict access to a specific list of people (such as iCloud Photo Sharing or a private Facebook group). At least then your kids will be able to decide what they want to share with the world when they’re old enough, rather than you having already widely shared many years of their life without their consent.

 

via:   intego

Apple’s New iCloud Security Requirements – What to Expect

We talk about the importance of keeping your data secure often on the Mac Security Blog. There are a number of ways to do this, some involving encryption, others involving ensuring that only you have access to your accounts. Some of your most important data is in Apple’s iCloud, and on other services. Data security in the cloud is especially important, because of its distributed nature; after all, anyone who has your credentials can log into your account no matter where they are.

Apple has offer enhanced security for iCloud accounts for some time now: first two-step verification, then more robust two-factor authentication. Apple is now planning to tighten up this security, requiring that third-party apps that access your iCloud data need special authorization from June 15. Read on to find out what you need to do to keep using third-party apps with iCloud.

Who is affected?

Apple recently sent emails to iCloud users who do not have either two-step verificationor two-factor authentication on their iCloud accounts. Apple’s email said:

Beginning on June 15, app-specific passwords will be required to access your iCloud data using third‑party apps such as Microsoft Outlook, Mozilla Thunderbird, or other mail, contacts, and calendar services not provided by Apple.

If you simply use Apple’s apps — Mail, Calendar, or Contacts — then you won’t have to change anything. And if you already use Apple’s two-step verification or two-factor authentication, then nothing will change. But if not, you may need to initiate a complex process to continue accessing your iCloud data from your apps.

To start with, two-factor authentication (2FA) is a powerful way of enhancing the security on your account. We discussed how this works for a number of services, and why you should use it in this article.

Apple’s version of 2FA is a bit different from that of other companies. While many forms of 2FA rely on codes sent by text message or SMS, Apple uses a system that is built into macOS and iOS. You receive codes on trusted devices as alerts, rather than as more portable text messages. This has pros and cons. It is more secure than SMS, but if you don’t have access to any trusted devices, then you may not be able to log into your iCloud account. (Read this article to learn how to set up Apple’s 2FA.)

What should I do?

If you want to continue using third-party apps, and don’t yet have 2FA activated on your iCloud account, you will have to turn this on. Apple’s Two-factor authentication for Apple ID support document explains the process.

When you have activated 2FA, you’ll find that your third-party apps will no longer be able to access your data. Most will tell you that your user name or password is incorrect. You’ll need to create app-specific passwords for each of these apps. These are passwords that the Apple ID website creates that only allow authentication for the apps for which they are created. Apple explains that process here.

What’s the risk?

You’ll have enhanced security with 2FA, but — and this is a big but — you may not be able to go back and turn it off. In the past, this was possible, but Apple now says:

You can’t turn off two-factor authentication for some accounts created in iOS 10.3 or macOS Sierra 10.12.4 and later. If you created your Apple ID in an earlier version of iOS or macOS, you can turn off two-factor authentication.

It’s not clear what this means. This suggests that if you created your Apple ID years ago, under MobileMe or .Mac, then you may be able to revert your account. However, back then, you may not have created your Apple ID “in a version of iOS or MacOS,” but simply on Apple’s website.

If you lose access to your trusted devices, then you could have problems. If you get locked out of your account, Apple says:

If you can’t sign in, reset your password, or receive verification codes, you can request account recovery to regain access to your account. Account recovery is an automatic process designed to get you back in to your account as quickly as possible while denying access to anyone who might be pretending to be you. It might take a few days — or longer — depending on what specific account information you can provide to verify your identity.

“A few days — or longer” seems a bit worrisome. If you’re traveling and lose your iPhone, and need to, say, log into iCloud.com to access email, you may not be able to do so. Make sure you add a trusted phone number for a friend, spouse, or other family member; so, if you need access in such a case, you can contact them. (Of course, you may need to write down their phone numbers. I don’t know about you, but I don’t know any phone numbers by heart expect my own; I just tap my contacts in my iPhone to make calls…)

What are my other options?

You could stop using third-party applications to access your iCloud data. Again, this change seems to only affect email, calendar, reminder, and contacts. Apps that access photos in your iCloud Photo Library on an iPhone or iPad access the photos directly on the device, from the Photos app; they don’t connect to iCloud. The same is the case for music you may have in iCloud Music Library; third-party apps play back music using a database stored on your iOS device, rather than connecting to iCloud to access the music.

What’s next?

It’s possible that this is the first step toward Apple requiring 2FA for all iCloud accounts. This would be cumbersome and problematic for many users. It does provide extra security, but it can be complicated to manage.

In the meantime, if you do use any third party email, calendar, or contact apps, you should turn on 2FA before June 15, so you have time to understand how the system works before the change takes effect.

 

via:  intego