With the recent spate of high-profile hacks you have to wonder who should be held accountable when someone makes a mistake that results in a system breach.
Even if the Apple iCloud fiasco was caused by weak passwords or phishing scams on the celebrities themselves, Apple still left the security door wide open by not limiting login attempts. This meant that hackers could use brute force attacks to guess user passwords over and over again until they hit upon the correct one.
I’m guessing that most people (including the celebrities who had their iCloud accounts hacked) don’t realise how fast even a standard desktop computer can run through literally tens of thousands of possible combinations per minute.
Most systems limit the number of login attempts before they stop the process and fall back on security questions, two-factor verification, or simply ask the user if they have forgotten their password and offer to email it to them. Apple didn't implement this most basic of security features until after the celeb breach.
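As an added illustration of the login limit the article says Apple lacked (example code, not Apple's), here is a per-account limiter that locks the account after five failures inside a sliding window, refuses to evaluate the password at all while locked, and lets a verified second factor clear the lock early. The account names, the limits and the one-guess-per-second timing in `guesses_checked` are constructed for the example.

```python
from collections import defaultdict, deque


class LoginLimiter:
    """Track failed logins per account; lock the account once the limit is hit.
    Limits below are constructed defaults, not any vendor's actual policy."""

    def __init__(self, max_failures=5, window=900, lockout=1800):
        self.max_failures = max_failures      # wrong guesses tolerated inside the window
        self.window = window                  # sliding window for counting failures (seconds)
        self.lockout = lockout                # how long a lock lasts (seconds)
        self._failures = defaultdict(deque)   # account -> timestamps of recent failures
        self._locked_until = {}               # account -> time at which the lock expires

    def is_locked(self, account, now):
        return self._locked_until.get(account, 0) > now

    def attempt(self, account, password_ok, now):
        """Return 'locked', 'ok' or 'fail'. While locked, the password is not
        evaluated at all, so a guess made during lockout reveals nothing."""
        if self.is_locked(account, now):
            return "locked"
        recent = self._failures[account]
        while recent and now - recent[0] > self.window:   # drop failures outside the window
            recent.popleft()
        if password_ok:
            recent.clear()
            return "ok"
        recent.append(now)
        if len(recent) >= self.max_failures:
            self._locked_until[account] = now + self.lockout
            recent.clear()
            return "locked"
        return "fail"

    def unlock_with_second_factor(self, account, code_ok):
        """Fallback path: a verified second factor (or reset flow) clears the lock early."""
        if code_ok:
            self._locked_until.pop(account, None)
            self._failures[account].clear()
        return code_ok


def guesses_checked(limiter, account, n, start=0):
    """How many of n wrong guesses, fired one per second, actually reach the password check."""
    checked = 0
    for i in range(n):
        now = start + i
        if not limiter.is_locked(account, now):
            checked += 1
        limiter.attempt(account, password_ok=False, now=now)
    return checked
```

With these defaults, 10,000 wrong guesses fired one per second reach the password check only 30 times (five per lockout cycle), against 10,000 with no limit.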
Someone at Apple screwed up here. But finding out who that particular person was could be extremely difficult – particularly because it wasn’t so much a bug as a feature that was never implemented. Either way, someone at Apple should have known this was a flaw.
The problem was exacerbated by the fact that Apple touts just about everything they do as being easy and safe. For years Apple has boasted about the relatively few viruses there are on Macs. They’ve even taken a number of pot-shots at Microsoft over the years, criticising them for security flaws and crashes. Just recently Tim Cook said the Android market was rife with malware and unsafe apps (the implication was that apps in the Apple Store were all perfectly safe).
Apple wants people to believe that you don’t have to be a techie to use their products. They want people to think that using an iPhone, iPad or Mac is easier than using any other device.
But this also involves an implicit promise that Apple will take care of all the techie stuff for you, and that includes protecting you and your data from any attack.
Now Apple can’t help it if someone reveals their password to someone else either out of sheer stupidity or by falling prey to some sort of scam, but not telling people about the ways they can protect themselves is another mistake.
Apple does offer two-factor verification, but only if the user actively enables it (it isn’t the default). However, since it isn’t even mentioned in the iPhone manuals, the user would have to somehow know that it exists and what it does, and then dig deep into the online help to enable it.
Apple needs to rethink how they can make everything easier for their customers – including security.