Apple Celebrity Nude-Photo Hack Shows Risk in Security Questions

By Jordan Robertson and Adam Satariano

Sept. 3 (Bloomberg) -- Michael Wolf, founder and managing director at Activate, discusses how hackers operate when infiltrating a bank and obtaining data. He speaks on “Bloomberg Surveillance.”

Questions such as your mom’s maiden name are often used by companies to improve online security. The theft of nude celebrity photos from Apple Inc. accounts shows the ease with which those questions can be hacked.
Apple yesterday said that a spate of nude photos from actresses including Jennifer Lawrence that were recently posted online were individually stolen from Apple accounts. The celebrity accounts were “compromised by a very targeted attack on user names,
passwords and security questions, a practice that is all too common on the Internet,” the Cupertino, California-based company said in a statement.
The incident underscores how techniques adopted by companies to step up security are far from foolproof, exposing a risk for everyday Internet users. As people post more sensitive information to social networks, it has become easier for criminals to obtain the answers to security questions. That means consumers can rarely rely on just one set of defenses and have to add more layers, even if it makes online accounts less convenient.
That’s especially true for famous people, who have long been ripe hacking targets because security questions protecting their online accounts from intruders are trivial to answer. Based on the public information available about them, basic questions such as where somebody went to high school or what their birthday is can be easily figured out -- and don’t end up being much of a security barrier.

Photographer: David Paul Morris/Bloomberg

Apple Inc. CEO Tim Cook speaks about the iCloud service during an event at the... Read More

Personal Questions

“Personal questions as a password recovery mechanism is flawed,” Chris Morales, a manager at security-testing and analysis firm NSS Labs Inc. in Austin, Texas, wrote in an e-mail. “I never use them. If I have to, I don’t provide the obvious expected answers to questions like my mother’s maiden name, my pet’s name, or where I was born. If you have a user’s e-mail and know a bit of personal history on that person, it isn’t that hard to get the password.”
Apple worked yesterday to quiet the firestorm about the celebrity accounts, on the same day Home Depot Inc. said it was working with banks and law enforcement to investigate a possible data breach. Last week, Bloomberg News also reported that JPMorgan Chase & Co. had been hacked.
Apple made its statement after looking into reports that hackers allegedly obtained the nude photos by using the company’s iCloud service to illegally access files. The reports, which prompted scrutiny from the U.S. Federal Bureau of Investigation, threatened to mar an Apple event on Sept. 9, where the company is set to unveil new iPhones, a wearable device and a mobile-payments system, people with knowledge of the matter have said.

Two Steps

Apple said in its statement that iCloud wasn’t breached by hackers and it encouraged people to use stronger passwords, including having at least eight characters with one number, one letter, one capital letter and not be used in the prior year. Apple said it also wants customers to use two-step verification, which means after a password is entered, an additional code will be sent to a person’s mobile phone.
“When we learned of the theft, we were outraged and immediately mobilized Apple’s engineers to discover the source,” the company said. “Our customers’ privacy and security are of utmost importance to us.”
The rise of social media and the shift to cloud computing is exposing more people to the kinds of attacks that used to affect mainly people with big public personas. The common denominator is a ubiquitous security system that includes personal security questions. The use of such questions as an authentication mechanism -- which were designed to help people when they forget their passwords or require an additional layer of verification -- carries significant risks for users when the questions are answered honestly.

Celebrity Pitfalls

Numerous celebrities have also previously been compromised through personal security questions. Sarah Palin’s Yahoo account was once hacked when a college student used a Wikipedia page to find her birth date, while Paris Hilton’s T-Mobile account was breached when hackers correctly entered her dog’s name in response to her security question. Nude pictures of actress Scarlett Johansson and other celebrities also leaked following the breach of their accounts by a hacker who guessed the security questions correctly.
The repercussions of such attacks can be devastating. Technology journalist Mat Honan wrote in 2012 about a harrowing experience he had where attackers got their hands on his personal information and then used the data to compromise multiple accounts. They erased all the data on his iPhone, iPad and MacBook.

Balancing Act

All of this highlights challenges that Apple and other developers of Internet services confront in striking a balance between security and convenience, said Brian Finch, a partner in the Washington office of the law firm Pillsbury Winthrop Shaw Pittman LLP.
Many consumers are unwilling to use features that tighten security because they make the services harder to use, he said. That, in turn, can damage corporate brands.
“You can’t sell what people don’t want, and there needs to be a greater awareness among consumers about the need for security and the effectiveness of security functions,” Finch said. “So much of cyberattacks can occur because the Internet and so many services are built for reliability first. Security is a far lower consideration.”