We introduced this service two years ago when Apple discovered a major security breach in its Apple ID system just hours after it had launched its own version of mobile phone verification for critical passwords, which could work on the iPad, iPod or iPhone. Since then Apple has made it clear that its 2 Step Verification is expected best practice for ensuring the safety of this critical account data, particularly as the Apple ID is almost always connected to a credit card account. Google, Amazon, Twitter, Facebook, WordPress, Tumblr and others have been offering similar solutions, though often under different names.
From Heartbleed to TalkTalk – online security is difficult
We started helping clients to set up 2 Step Verification following the Heartbleed security crisis that affected the security infrastructure of the web itself. The Heartbleed bug mattered because it breached the defences of web servers using OpenSSL to provide secure transactions, where the padlock icon should have meant that your passwords and data were safe to use and transmit. Even though new server software and certificates have been deployed to make systems more secure, breaches still occur, often because criminals use social engineering to bypass systems by persuading individuals to override the controls. Thefts of email addresses and personal information, such as those taken from TalkTalk servers, continue to plague us, and cyber security experts increasingly take the view that dependence on passwords has become the problem. So, while this is still not a moment for collective panic about the web, until we have a full-blown replacement for passwords it is the moment to focus on setting unique passwords per account and to couple these with 2 Step Verification on our phones or other gadgets as “belt and braces” for critical accounts.
So Connectworks now offers an enhanced 2 Step Verification and password resetting advisory service. This can be through the ‘On the Wing’ telephone support network or as a one-off session. The one-off session will cost £75 + VAT, will last about an hour and will provide the following:
- Explaining the current state of risk and how and when to put steps in place
- Tailoring a system for setting unique passwords across all your online accounts
- Guidance on setting up 2 Step verification across key accounts
And why this all matters
The heart of this is the problem that account details stored online can be compromised via the internet, particularly if action can be taken online without reference to you at a physical location. It only takes one weakness to be found for the other online security elements to fall like dominoes. The most famous case of this is Matt Honan’s story from August 2012, where the attacker overcame the resistance of people in customer services, in fact at both Apple and Amazon, and was then able to tease the remaining parts of the jigsaw out of the Amazon and Apple accounts in order to hijack Matt’s Twitter and Google accounts and lay waste to the rest. And yes, Honan admitted his guilt in using the same passwords across a number of accounts.
The Heartbleed OpenSSL server software failure revealed that we had already been vulnerable for two years. Future problems are not an impossibility. Apple’s security hole in March 2014 associated with the theft of celebrity photos came about through the discovery of a piece of code that could be injected into the form for recovering an Apple ID password. This would have enabled a potential hijacker to take over your account with only your email address / Apple ID and your date of birth, often to be found on Facebook or Skype or other places on the web. 2 Step Verification — the process of identifying yourself by using a 4 or 6 digit PIN sent to an already verified mobile or iPad/iPod that you have with you — stops that kind of remote hijack in its tracks.
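To make the point concrete, here is a small added example (not code from the original post, nor Apple’s or any vendor’s implementation) of the server-side half of that second step. It assumes a hypothetical account store with one previously verified device per account, a constructed sample phone number, a five-minute code lifetime and a three-attempt limit; a real service would deliver the code by SMS or push rather than recording it in a list. The point it shows is that knowing the email address and date of birth gets a remote attacker as far as “code sent to the owner’s device” and no further, and that a code cannot be replayed, guessed at leisure, or used after it expires.

```python
import hmac
import secrets
import time
from dataclasses import dataclass

CODE_TTL_SECONDS = 300   # assumption: codes live for five minutes
MAX_ATTEMPTS = 3         # assumption: three wrong guesses burn the code


@dataclass
class PendingCode:
    code: str
    device: str
    expires_at: float
    attempts: int = 0


class SecondStepVerifier:
    """Issues and checks one-time PINs bound to an already verified device."""

    def __init__(self, registered_devices, clock=time.time):
        # account_id -> device verified at enrolment (constructed sample data)
        self._devices = dict(registered_devices)
        self._pending = {}
        self._clock = clock
        # Stand-in for the SMS/push channel: a real system sends, not stores.
        self.sent = []

    def begin(self, account_id):
        """Generate a 6-digit code for the account's verified device."""
        device = self._devices.get(account_id)
        if device is None:
            return None  # no enrolled device, so the second step cannot complete
        code = f"{secrets.randbelow(1_000_000):06d}"
        self._pending[account_id] = PendingCode(
            code, device, self._clock() + CODE_TTL_SECONDS)
        self.sent.append((device, code))
        return device

    def verify(self, account_id, submitted):
        """True only for the current, unexpired code, within the attempt budget."""
        pending = self._pending.get(account_id)
        if pending is None:
            return False
        if self._clock() > pending.expires_at:
            del self._pending[account_id]  # expired codes are discarded, not retried
            return False
        pending.attempts += 1
        ok = hmac.compare_digest(pending.code, str(submitted))
        if ok or pending.attempts >= MAX_ATTEMPTS:
            del self._pending[account_id]  # single use; also burn after too many misses
        return ok


def recover_account(verifier, account_id, knows_email_and_dob, code=None):
    """Password-recovery decision: public facts alone never unlock the account."""
    if not knows_email_and_dob:
        return "denied"
    if code is None:
        device = verifier.begin(account_id)
        return "code sent to verified device" if device else "no verified device"
    return "reset allowed" if verifier.verify(account_id, code) else "denied"


if __name__ == "__main__":
    # Constructed sample: one account enrolled with a (fictional) UK mobile number.
    v = SecondStepVerifier({"alice": "+44 7700 900000"})
    print(recover_account(v, "alice", knows_email_and_dob=True))      # code sent
    _, code = v.sent[-1]                                               # owner reads it off the phone
    print(recover_account(v, "alice", True, code="000000"))            # guess: denied
    print(recover_account(v, "alice", True, code=code))                # owner: reset allowed
    print(recover_account(v, "alice", True, code=code))                # replay: denied
```

Two design choices matter here: the comparison uses `hmac.compare_digest` so the check takes the same time whether the guess is close or not, and a code is deleted on success, on expiry, or after the attempt limit, so the only way through is to hold the enrolled device during the code’s short lifetime.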
The risks of not being more secure include compromised credit cards, abuse of one’s online presence through malicious log in and posting on your accounts and the wider problem of identity theft and fraud. The chances of becoming a victim may have remained relatively low, but they are clearly increasing and the online equivalent of not only locking “doors and windows” before going out, but also carrying ID to prove that it’s you letting yourself back in, must become a habit and be made as easy to organise as possible.
There may also be an upside to all of this focus on making security more workable. If you decide to follow me on Twitter you can track my thinking on where Apple is poised to subvert systems next to make life that bit easier. Two years ago I wrote that “The chip and pin idea of an iPhone for verifying accounts is a clue to one more area where Apple may be about to become a major disruptive player”. This translated into the fingerprint reader on the iPhone 5S. The next step, in the shape of Apple Pay via the iPhone or Apple Watch, is now commonplace. I’ll keep trying to “Read the Runes” on this and particularly to see who is going to crack the problem presented daily by passwords as “keys” that are more trouble than they are worth.