That’s two small steps for man… one giant leap for security

NOT ONLY does that bastardized quote make an appropriate lead-in to this posting, it reminds us of the fact that although we put a man on the moon way back in 1969, we still rely on passwords to protect our identity online and offline. And because it takes a concerted effort–even with the services of a password manager–to update and strengthen all those passwords, we often end up putting that task off for another day.

In the wake of the recent “celebrity photo iCloud hack,” Apple has been urging all of us to employ “two-step verification,” which as the name implies, involves a second step beyond simply entering a password in order to verify your identity when you make an iTunes store purchase or update your Apple ID account info. This isn’t a new concept; Apple and many other online services (including Google, Yahoo!, Facebook and Twitter) have offered various flavors of this security enhancement for years.

WHAT IS NEW is that Apple is now officially urging us to make use of two-step verification, in addition to strengthening our passwords. I’m all in favor of anything that makes our accounts more secure, as long as it doesn’t make our computing experience unnecessarily complicated. For most of us I feel the extra step is worth the additional protection, but read on to make sure that it’s a good option for your particular situation.

The additional “step” in two-step verification involves a unique PIN code that is sent to your cellphone via text message (or to an iDevice via a “push” notification) once you’ve entered your password. At that point you’ll see a prompt to enter this code, which changes each time it’s used. So this prevents anyone from accessing your iTunes Store account or your iCloud data, even if they are able to guess your password. It’s a relatively simple process and requires only a one-time setup on Apple’s site.

KEEP IN MIND, however, that if you decide to enable and use two-step verification, you must have a cell phone that can accept SMS text messages (most can) in order to set up TSV, and you must have either that cell phone (or any iDevice on which you’ve enabled Find My iPhone) with you whenever you want to do any of the following:

  • Make a purchase from the iTunes Store, iBooks Store or App Store, whether on your Mac or any of your iDevices
  • Make any changes to your Apple ID info (credit card, password, etc.)
  • Sign into the iCloud Web site
  • Call Apple for help with your Apple ID

One other word of caution: Once you enable TSV, your Apple ID password is encrypted in such a way that even Apple can’t retrieve it for you. That’s why in the setup process you are prompted to create an emergency Recovery Key, which can be used in the event you forget your password. Obviously you will want to keep that in a safe place on your Mac, ideally within your password manager or in a Word document that is password-protected.

SHOULD YOU determine that two-step verification is the way to go for you, start with the setup instructions here:

Frequently asked questions about two-step verification for Apple ID:
http://support.apple.com/kb/HT5570

and then check out this Wall Street Journal article, which details how to enable TSV for many other Web sites:

Safety First! How to Sign Up for Two-Step Verification on 11 Top Online Services:
http://blogs.wsj.com/personal-technology/2014/04/11/safety-first-how-to-sign-up-for-two-step-verification-on-11-top-online-services/

If you’ve determined that you don’t want to go the TSV route, that’s perfectly fine, but only if you’ve created very strong passwords for your Apple ID and any other Web properties that contain your personal or financial info.

SO THAT’S two-step verification. Unlike the moon landing, it’s not rocket science. But compared to using only a password–especially a “weak” one–it really is one giant leap for security.

Making us Pay

That’s exactly what Apple’s been doing. Seemingly lost between Tuesday’s unveiling of yet another pair of new iPhones (the 6 and 6 Plus) and the Apple Watch–which will no doubt sell by the truckload despite its hefty price tag ($349 and up) and the fact that it needs to be accompanied by an iPhone for full functionality–was the revelation that Apple has concocted a “virtual wallet” payment system to accompany its newest smartphone models.

This system works with your existing credit cards, but it’s more secure than any available payment method. It’s dead simple to use, incredibly convenient, and already supported by national chains like Macy’s/Bloomingdales, McDonalds, Subway, Walgreens, Petco, Toys “R” Us, Staples and more.

Apple calls it simply Apple Pay. I call it pretty remarkable because after seeing the demo and the ecosystem they’ve created around it, I think it truly does have the potential to change the way we pay for things. It’s not the first system to take a crack at mobile payments via a virtual wallet (see Google Wallet) but it’s the first one to come out fully locked and loaded, with retailers, banks, and credit card companies already on board.

Apple Pay is based on an already-existing technology called near field communication (NFC). Put simply, it’s a way for two devices to “talk” to each other over very short distances by establishing a temporary wireless connection. By waving your smartphone in front of an NFC enabled device at your friendly neighborhood retailer’s checkout, a credit card payment can be made in mere seconds. No need to launch an app; in fact, you don’t even need to unlock your iPhone–thanks to the Touch ID technology that Apple introduced with the iPhone 5s.

When you compare this experience to fumbling with credit cards, security codes, picture IDs and swipe card readers that never seem to get it right the first time, the advantages in terms of convenience are pretty obvious. What’s probably not as obvious are the advancements in security and privacy that are baked into this new system. Although Apple Pay can make use of any VISA, American Express or MasterCard, it never actually uses (or stores) credit card numbers or security codes on your iPhone.

Instead, a unique secure ID is encrypted and stored on your iDevice for each of your credit cards, and it is this information, along with the transaction info and a one-time security code, that is sent to your credit card company. At that point the unique secure ID is linked to your actual card number and account, and payment is transmitted to the merchant. This means that your card number is never sent anywhere in the process of making a purchase, and because you don’t actually hand the card to the cashier, no one even sees your card number–much less any other personal info–at the point of sale.
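Here is an added illustration of that flow, written for this posting in Python; it is not Apple’s code or its real protocol, just a simplified model with constructed sample values and hypothetical names (IssuerVault, Device). The phone holds only a per-card token and key, every tap produces a one-time cryptogram, and only the issuer’s vault can map the token back to the real card number, so a replayed or altered tap is rejected and a lost phone’s token can be killed without cancelling the card.

```python
import hashlib, hmac, secrets

def make_cryptogram(key: bytes, token: str, amount: int, merchant: str, counter: int) -> str:
    # One-time transaction cryptogram: an HMAC over token, amount, merchant and a per-device counter.
    msg = f"{token}|{amount}|{merchant}|{counter}".encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()

class IssuerVault:
    """Issuer/network side (hypothetical): maps device tokens to real card numbers, checks cryptograms."""
    def __init__(self):
        self._records = {}   # token -> {"pan", "key", "last_counter"}; the PAN lives only here
    def enroll(self, pan: str) -> tuple[str, bytes]:
        token, key = "DAN-" + secrets.token_hex(8), secrets.token_bytes(32)
        self._records[token] = {"pan": pan, "key": key, "last_counter": 0}
        return token, key   # what the phone stores; it never receives the PAN
    def suspend(self, token: str) -> None:
        self._records.pop(token, None)   # lost phone: kill the token, the card itself stays valid
    def authorize(self, tap: dict) -> tuple[bool, str]:
        rec = self._records.get(tap["token"])
        if rec is None:
            return False, "unknown token"
        if tap["counter"] <= rec["last_counter"]:
            return False, "replay"   # a captured tap message cannot be reused
        expected = make_cryptogram(rec["key"], tap["token"], tap["amount"], tap["merchant"], tap["counter"])
        if not hmac.compare_digest(expected, tap["cryptogram"]):
            return False, "bad cryptogram"   # amount or merchant altered in transit
        rec["last_counter"] = tap["counter"]
        return True, "approved"

class Device:
    """Phone side (hypothetical): holds the token and key for one card; one tap message per purchase."""
    def __init__(self, token: str, key: bytes):
        self.token, self.key, self.counter = token, key, 0
    def tap(self, amount: int, merchant: str) -> dict:
        self.counter += 1   # monotonic counter makes every cryptogram single-use
        crypt = make_cryptogram(self.key, self.token, amount, merchant, self.counter)
        return {"token": self.token, "amount": amount, "merchant": merchant,
                "counter": self.counter, "cryptogram": crypt}   # no card number, no security code

def run_demo() -> list[str]:
    vault = IssuerVault()
    token, key = vault.enroll("4111111111111111")   # constructed sample card number
    phone = Device(token, key)
    first = phone.tap(1299, "coffee-shop")
    out = [vault.authorize(first)[1]]                          # approved
    out.append(vault.authorize(first)[1])                      # same message replayed: rejected
    out.append(vault.authorize(dict(phone.tap(1299, "coffee-shop"), amount=129900))[1])  # tampered
    vault.suspend(token)                                       # phone reported lost
    out.append(vault.authorize(phone.tap(500, "coffee-shop"))[1])   # token dead, card untouched
    return out
```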

Further, if your new “virtual wallet,” aka iPhone, is lost or stolen, you can remotely suspend all recent payments and wipe the device from any other iDevice or Web browser using Find My iPhone. That’s not really new, but consider this: Because the credit card numbers and other info for each card are not stored in the iPhone, and because–in theory, at least–you left your actual wallet at home, you don’t need to call up and cancel all your credit cards. You just import their info into your replacement iDevice, and you’re back up and running. Or buying, as the case may be.

Apple’s demo of Pay at Tuesday’s press event made it seem almost impossibly simple, convenient and secure. And it just might be all that when it comes on line this fall. As you may have already guessed, this revolutionary payment system requires the purchase of the new iPhone 6 or 6 Plus. So now that Apple has made us Pay, Apple is going to make us… pay.

Or, to paraphrase the official motto of the Commonwealth of Virginia: Sic semper Appleus.

A brief note on security, or, what else is new?

Regarding the recent “celebrity photo iCloud hack,” which most of you have probably heard of by now, it appears after much investigation and finger pointing that there is no inherent security flaw in the iCloud system, and that these were isolated attacks specifically directed at the iCloud accounts of female celebrities (Kirsten Dunst, Jennifer Garner, Kate Upton, etc.) in hopes of discovering compromising images to post online. The attacks were conducted using common “brute force” hacking techniques; in other words, sending password after password at the account in rapid succession until the correct one was discovered.

Nothing new or innovative about that, and since the targets were specifically young, nubile female celebs, it’s probably safe to assume that none of us were affected. In the wake of these attacks, Apple has pledged to improve iCloud security, but also urges users to implement strong passwords as well as to enable two-step verification, which is generally a good idea in terms of making your Apple ID even more secure. Because TSV involves a very specific setup process and requires that you have a cellphone with you whenever you make a purchase on the iTunes Store, we’re going to explore it in a future posting to help you decide if it’s the right move for you, or if it will cause more problems than it solves.

So what’s the moral of this story? It’s two-fold:

  1. Resist the temptation to post naked selfies to your Photo Stream.
  2. Use a strong password for your Apple ID/iCloud account. If any or all of the celebs affected by this had employed strong passwords, their accounts would not have been compromised.

Finally, some of you have been asking about the Home Depot hack, which was confirmed this past Monday and potentially affects up to 60 million accounts. It really has nothing to do with your computers or iDevices, and since it had been going on undetected for at least six months, you probably already know if any cards you used there have been compromised. Just to be sure, however, check your recent statements carefully for any suspicious charges and report them to your card issuer ASAP.