Security expert says Apple’s new security feature isn’t good enough

Posted at 9:16 PM, Jan 14, 2015
and last updated 2015-01-14 21:16:12-05

NEW YORK (CNNMoney) — After the celebrity iCloud hack last year, Apple promised to better protect customer accounts.

So Apple expanded a security feature called two-step verification for users who wanted it. With it turned on, logging in to your iCloud account from a new device requires your phone.

That’s because Apple will text you a temporary numerical code, which you need in addition to your Apple ID and password to get in.

But as it turns out: That doesn’t protect everything.

Even with two-step verification turned on, someone who has only your password can still sign in from another device to read your iMessage conversations, impersonate you on that chat platform, and see what you bought on the App Store and iTunes.

This is a real problem. Most passwords are easy to guess, and chances are your security questions are too. The celebrity hacks already proved that.

Dani Grant, a computer programmer who spotted this, thinks Apple’s approach to two-step verification is a half measure. The feature is supposed to protect accounts. But if someone cracks just your password, they can see not only your iMessages but also your billing address and part of your credit card number.

“It is amazing how much access one can get,” she said, pointing out what happens if someone breaks into a person’s iMessage. “Imagine that a hacker gained credentials of someone of power. They could make statements on (their) behalf.”

Grant’s point: Two-step verification should apply to all Apple services — not just some things.
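The gap Grant describes comes down to where the second-factor check is enforced: per service, or once for every sign-in. The following is an added, hypothetical model written for this page, not Apple’s code; the service names, the two policy sets and the four-digit code are illustrative assumptions. It contrasts a partial policy, where only some services demand the texted code, with a uniform one, and shows what an attacker holding only the password can reach under each.

```python
"""Model of per-service second-factor enforcement (hypothetical; not Apple's code)."""
import hashlib
import hmac
import secrets

# Assumed service names, chosen to mirror the article; not real endpoint identifiers.
SERVICES = ("icloud", "purchases", "account_details", "imessage", "facetime")

# Half measure: the second factor is demanded only for a subset of services.
PARTIAL_POLICY = {"icloud", "purchases", "account_details"}
# Uniform: every service honours the account's two-step setting.
UNIFORM_POLICY = set(SERVICES)


class Account:
    def __init__(self, password: str, two_step_enabled: bool):
        self._salt = secrets.token_bytes(16)
        self._pw_hash = self._hash(password)
        self.two_step_enabled = two_step_enabled
        self._pending_code = None

    def _hash(self, password: str) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", password.encode(), self._salt, 100_000)

    def check_password(self, password: str) -> bool:
        return hmac.compare_digest(self._hash(password), self._pw_hash)

    def issue_code(self) -> str:
        """Simulate texting a temporary numeric code to the trusted phone."""
        self._pending_code = f"{secrets.randbelow(10_000):04d}"
        return self._pending_code

    def check_code(self, code: str) -> bool:
        ok = self._pending_code is not None and hmac.compare_digest(code, self._pending_code)
        self._pending_code = None  # single use, whether or not it matched
        return ok


def sign_in(account: Account, service: str, password: str, code, policy) -> bool:
    """True if a sign-in to `service` succeeds under `policy`.

    The flaw being modelled: the second factor is only required when the
    service is listed in `policy`, so a partial policy leaves the rest
    reachable with the password alone.
    """
    if service not in SERVICES:
        raise ValueError(f"unknown service: {service}")
    if not account.check_password(password):
        return False
    needs_second_factor = account.two_step_enabled and service in policy
    if not needs_second_factor:
        return True
    return code is not None and account.check_code(code)


def password_only_access(account: Account, password: str, policy) -> list:
    """Services reachable with the password and no code: what a credential thief gets."""
    return sorted(s for s in SERVICES if sign_in(account, s, password, None, policy))


if __name__ == "__main__":
    acct = Account("correct horse battery staple", two_step_enabled=True)
    pw = "correct horse battery staple"
    print("partial policy, password only:", password_only_access(acct, pw, PARTIAL_POLICY))
    print("uniform policy, password only:", password_only_access(acct, pw, UNIFORM_POLICY))
```

Under the partial policy the password alone still opens iMessage and FaceTime; under the uniform policy it opens nothing. The design point is that the decision `needs_second_factor` should depend on the account’s setting, not on which service the request happens to target.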

Let’s remember why Apple expanded this security feature last year. In August, hackers were able to guess the passwords (or answers to security questions) to many celebrities’ iCloud accounts. As a result, their private, nude photos were exposed.

To its credit, Apple did beef up its security by expanding its two-step verification option. With it turned on, a password alone no longer gets someone into a user’s iCloud account to download their photos, which was the main point of contention during the iCloud hacking episode.

But is it enough?

When reached by CNNMoney, Apple said the extra security measure protects the most important things: hackers need the code from the text message to get into your iCloud account, make purchases on your behalf or change your account details.

And Apple customers still get an email warning if someone signs in to their iCloud, iMessage or FaceTime account from another device.

But Grant argues that users are still vulnerable and the company needs to do more.

Consider this another case of security versus convenience. Sure, Apple could require the extra step for every service. But some customers would find the extra 30 seconds annoying.

Then again, the kind of people who are turning on the extra security feature probably don’t mind the annoyance.

“Users that turn on two-step verification have the expectation that every access point to their account is protected by more than just their password,” she said.

An Apple spokesman acknowledged that she has a point. But the company declined to comment about any plans to expand the feature.