Security expert spells out steps to take, just in case hacker claims are legit

Hackers claiming to have hundreds of millions of iCloud credentials have threatened to wipe data from iPhones, iPads and Macs if Apple does not fork over $150,000 within two weeks.

“This group is known for getting accounts and credentials, they have gotten credentials in the past,” said Lamar Bailey, director of security research and development at Tripwire, of the purported hackers. “But whether they have that many … who knows?”

There’s another reason for not panicking, Bailey said: People can quickly make their accounts more secure, assuming the criminals have only collected, not actually compromised, the iCloud accounts by changing millions of passwords.

“The best thing to do in this instance is to change the [iCloud account] password, especially if it’s a weak password,” said Bailey in an interview. Weak, in Bailey’s mind, was not necessarily simply short, but “one that was in the dictionary.” Hackers can brute-force passwords that consist of a single real-world word — one in the dictionary — by relying on, not surprisingly, lists of words from the dictionary.

Bailey reiterated the long-standing advice to compose passwords from numbers, letters and special characters, such as & and ^. Changing an iCloud account password is straightforward; Apple spells out password reset on this page.

“They should also enable two-factor authentication,” Bailey continued, referring to the security layer available to those running iOS 9 or later on an iPhone or iPad, or OS X El Capitan (version 10.11) or later.

iCloud/Apple ID two-factor authentication — iCloud and Apple ID are synonymous for most users — prevents a hacker from changing credentials unless they have one of the user’s designated “trusted devices,” typically a smartphone.
To access one’s iCloud/Apple ID account — say to change the password — a person must have not only the password, but also the trusted device, which receives a verification code that also must be entered before the password reset can be processed.

Apple outlines two-factor authentication on this web page.

Those with iPhones, iPads or Macs that don’t meet the operating system requirements for two-factor authentication — or who don’t have any Apple device — can substitute the similar, yet different two-step authentication. Instructions for enabling and using two-step authentication are available here.

Because two-factor authentication isn’t a good fit for everyone — there’s a trade-off between security and usability — Bailey suggested that those who hesitate to enable two-factor should instead change passwords on a frequent basis. Many companies mandate regular password resets, for example. By changing passwords, credentials stolen by criminals can be made obsolete.

“An alternative for two-factor is to change passwords fairly often,” said Bailey, who recommended a password manager (he used the label “password vault”) that offers automated resets. Both LastPass, which Bailey hesitated to name because of a recent breach of its own, and Dashlane include features that can reset multiple passwords at a time, although not for every website.

Bailey also urged iCloud account holders to back up their devices, not just to the cloud but to local storage as well. “You don’t want to lose your pictures,” Bailey said.