The story of dozens of nude celebrity pictures reportedly hacked from Apple's iCloud has captured the headlines since the weekend. Personally, I am not the least bit concerned about someone hacking my iCloud account in search of my naked pictures, because there are none. Today it may be stolen pictures, but tomorrow it could very well be your bank account. In fact, some reports suggest that these same hackers may also have private financial information on these very celebrities (similarly to what happened last year when Hillary Clinton, Tiger Woods, Ashton Kutcher, Bill Gates, Mitt Romney and others had their credit reports hacked). So, rather than writing this all off as just a twisted story of eccentric celebrities, I was convinced that there was a bigger lesson here for the rest of us that take pictures with our clothes on.
As more details emerge on how hackers obtained these pictures, it appears that iCloud may not have had a security breach after all. Apple denies that there was a systemic breach of their system, and as the evidence stacks up, this may be nothing more than an old-fashioned 'Phishing' attack.
There is a common belief that all hackers are geniuses who are able to devise a way to defeat the most sophisticated security systems. The reality is that most hacking is extremely low tech, and Phishing is the lowest form of the art.
What Is Phishing?
It may be a clever way of spelling the word fishing, but it is really nothing more than a high-tech version of its sporting namesake. The victim receives an e-mail that appears to be from a trusted source such as their bank, brokerage firm, auction site, or even Facebook. The e-mail offers a highly compelling reason to click on a provided link to address an urgent problem. The link is clicked and the victim arrives at a fake website (known as a cloned site, it looks exactly like the legitimate version it is copying). Just as usual, they type in their username and password. As soon as they click submit, their login credentials are stolen. Within a matter of minutes, their username and password may be up for sale on any number of black market websites.
My wife Ann received an e-mail over the weekend informing her that there was an urgent security issue with her Bank Of America account. She was very concerned about it and asked me what she should do. I reminded her that she does not have a Bank Of America account. I went on to explain that this was clearly a Phishing e-mail that was blindly sent out to thousands of people (thus the name fishing). Ann wondered if just maybe over the years she had forgotten about an old account with Bank Of America. This is how good these e-mails are. My wife, being super conscientious, was worried even without actually having an account with this bank. Imagine the reaction this same e-mail would invoke from a bona fide Bank Of America account holder.
Phishing Is Low Tech Hacking, But It Continues To Work
Celebrities like Jennifer Lawrence are easy targets for Phishing hackers. They are human beings like the rest of us and many will be just as easily tricked by a well-crafted e-mail from a hacker. There is, however, one factor that makes celebrities much easier to hack than the average Joe citizen. Their public status makes guessing their password challenge questions abundantly easy. For example, I am sure that not many people know my mother's maiden name, the city where my father was born, or the name of my favorite childhood pet. A quick Google search will give you all of this information (and more) on virtually any celebrity you choose. Consider the Sarah Palin hacking episode as my exhibit A.
Examples Of Phishing E-Mails
"We suspect an unauthorized transaction on your account. To ensure that your account is not compromised, please click the link below and confirm your identity."
"During our regular verification of accounts, we couldn't verify your information. Please click here to update and verify your information."
4 Ways To Protect Yourself From Phishing
1. Never click on a link from within an e-mail to log in to your accounts. If you believe there is reason to be concerned, open up a browser, type in the website address, navigate directly to the financial institution's website, and then log in. Even better, pick up the phone and call them to find out if there is a real issue with your account.
2. Look for telltale signs of a bogus e-mail. Many of these e-mails contain glaring grammatical and spelling errors. In an attempt to panic the recipient, some are so over-the-top that they are dead giveaways.
3. Before logging in, be sure you are on a secure site that has a padlock icon. If you are on a secure site, you will see https rather than http at the beginning of the web address. Look for a small padlock icon that indicates that the site has a valid security certificate. Double click on the padlock to display the security certificate, which should also show the name of the organization.
4. School your spouse and other family members about Phishing. In many families, PIN codes, passwords, e-mail logins, and other sensitive information are common knowledge within the home. Be sure that all of your family members get a crash course on Phishing. Your kids may be geniuses on the computer, but most would fall for a Phishing e-mail.
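As an added illustration of steps 1 to 3 above and of the sample e-mails quoted earlier (this is not code from the original post), here is a small Python check that applies those same telltale signs to an HTML e-mail body: it flags links that use plain http, links whose host is not the institution's real domain, link text that displays one address while pointing at another, and the urgency phrases from the sample lures. It assumes bankofamerica.com is the bank's real domain and uses a constructed message, not a real one.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Lure phrases of the kind used in the sample phishing e-mails quoted above.
URGENCY = ("unauthorized transaction", "verify your information",
           "confirm your identity", "urgent", "suspended")

class _LinkCollector(HTMLParser):
    """Collect (href, visible text) for every <a> in an HTML e-mail body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, " ".join("".join(self._text).split())))
            self._href = None

def _host(url):
    return (urlparse(url).hostname or "").lower()

def phishing_indicators(html_body, expected_domain):
    """Return the reasons a message claiming to be from expected_domain looks like phishing."""
    reasons = []
    collector = _LinkCollector()
    collector.feed(html_body)
    for href, text in collector.links:
        host = _host(href)
        if urlparse(href).scheme == "http":      # no https at all (step 3)
            reasons.append(f"plain http link: {href}")
        if host and host != expected_domain and not host.endswith("." + expected_domain):
            reasons.append(f"link goes to {host}, not {expected_domain}")  # step 1
        if "://" in text and _host(text) != host:  # displayed address differs from target
            reasons.append(f"link text shows {_host(text)} but points to {host}")
    plain = re.sub(r"<[^>]+>", " ", html_body).lower()
    for phrase in URGENCY:
        if phrase in plain:
            reasons.append(f"urgency lure: '{phrase}'")  # step 2
    return reasons

# Constructed sample modelled on the lure text quoted above; not a real message.
SAMPLE = ('<p>We suspect an unauthorized transaction on your account. Please '
          '<a href="http://bankofamerica.com.account-check.example/verify">'
          'https://www.bankofamerica.com</a> and confirm your identity.</p>')
```

Running `phishing_indicators(SAMPLE, "bankofamerica.com")` reports five separate warnings for the constructed message, while a genuine https link on the bank's own domain with neutral wording produces none.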
The Broad Misunderstanding Of iCloud
One of the hacked celebrities remarked that someone must have gone to a lot of trouble to get the pictures of her as they had been deleted a very long time ago. Deleted from where? Your iCloud account is a backup of what is on your iPhone or iPad. Even if you delete an item from your device, it may still remain in your iCloud account. iCloud is merely online storage for your data (such as contacts, pictures, e-mails, and documents). The settings on your Apple device allow you to choose whether or not to back up your data to iCloud. You can always choose not to back up your device, but then you will lose everything if it is lost or stolen.
If you have an iCloud account, go there and take a look at what you have stored. You may need to do some serious housecleaning. It may also be a great time to come up with a new password and set up two-factor authentication. Here is a fantastic article on how to create easy-to-remember passwords that are hard to guess.
While we don't know exactly what happened here and how the hackers pulled this off, I will speculate that it appears to be a two-pronged attack. First, many of these celebrities were victims of a Phishing e-mail. Secondly, there was probably some percentage of the scheme that used public information to successfully answer security challenge questions (as in the Sarah Palin case).
In my view, if you are a victim of a large hacking attack such as the Target breach, you are in a much better position than if you are individually hacked. In these large cases with big name corporations, you will have an army of people offering you assistance. You will usually be given free credit monitoring for an extended period of time, and a hotline phone number to get additional assistance. Unless you are famous, I don't think your chances of getting FBI assistance are very good if you are individually hacked (especially if it is about pictures). Don't be overly confident in traditional account protection either. More and more financial institutions are trying to find excuses NOT to take the loss on their end - check out this shocking case as just one example.
I hope this article motivates you to step it up a notch with your online security. If you have your own online security strategies, please use the comments section below and we can start a conversation.
Breaking News 12:22 am Eastern 9/3/2014: New reports say that 'Text Phishing' was also employed by the hackers. We published a warning about Text Phishing just ten days ago.