iCloud Hack Underscores Risk to Banks When Employees Use Cloud

The iCloud hack that made headlines this weekend, in which nude photos of about 100 celebrities were stolen from their Apple accounts and posted online, highlights an indirect threat to banks.

Granted, the risk that hackers would spend time trying to break into a bank employee's iCloud account to find compromising photos is remote.

But the very fact that hackers accessed sensitive content stored in a popular cloud service through individual cloud accounts is a warning sign to banks that let employees use any kind of consumer-oriented cloud backup service.

Especially if they're storing work-related documents or data on any such service.

"On its website, Apple says, 'iCloud helps give you peace of mind.' I think Jennifer Lawrence and everyone else that was hacked would beg to differ," said Mike Gualtieri, a principal analyst at Forrester Research. However, Gualtieri and other observers said they don't view Apple as any less safe than Google, Microsoft or any other cloud service.

"Vulnerabilities exist in all these platforms, whether they are known or unknown," he said. "Enterprises must have very specific plans when their employees or corporate information is hacked, including how to mitigate the liability, reputation, and financial loss. They must also be able to quickly shut down the use of a service that has a vulnerability exposed."

Employees at many banks use cloud storage services on devices they also use for work — sometimes unwittingly.

"If iCloud, Dropbox or any other service is enabled where data is stored externally, there's a potential security risk," said Jacob Jegher, senior analyst at Celent.

Some bankers, like James Gordon, the chief information officer at Needham Bank in Massachusetts, discourage employees from putting apps with cloud storage capabilities on devices used for work. If an employee installs a banned app on a phone, the bank automatically removes its email app from the device, he said in July. If the user uninstalls the problematic app, the company email software will be reinstated.

Many personal cloud storage services offer multi-factor authentication, or work with an app like Google Authenticator that creates one-time passwords and texts them to the user. This is a good feature for banks to take advantage of.

"Any time a user has the ability to turn on multi-factor, they should without a doubt," Jegher said. "It's yet another step [for hackers] to circumvent."

An option for banks that struggle to know, let alone control, what their employees are doing on their own or even on company-issued devices, is to deploy mobile device management software that promises more secure backup. (Providers include VMware/AirWatch, BlackBerry, Citrix, MobileIron and Tangoe.)

However, Jegher pointed out that anything can be hacked.

"It doesn't matter where your stuff is backed up; if it's somewhere else, multi-factor authentication is extremely useful," he said.

The celebrity iCloud attack is believed to be a "brute force" hack, meaning the perpetrator ran through thousands of possible passwords before stumbling on one that worked. (One Twitter wag suggested, "Hackers guessed Kate Upton's iCloud password, starting with 1234 and then — oh wait, that was it." Although this was a joke, it's not far from the truth for many people.) This method is used in many cyberattacks, including those involving Backoff, the widely used malware that targets retailers and banks and has been the subject of two alerts from the Department of Homeland Security this year.

If brute force was the method used, then Apple made a basic mistake, according to Al Pascual, director of fraud and security at Javelin Strategy & Research.

"They failed to implement brute force protection, which subsequently allowed hackers to continuously enter new passwords until they gained access to an account," he said. "This is why trusting consumer-oriented cloud services to store sensitive personal or business data is unwise. Neither a consumer nor a business has any control over the security protocols or procedures in place with one of these services."
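The protection Pascual describes as missing is, at its simplest, a per-account cost on failed logins: a wait that grows with each wrong guess and a lockout after a handful in a row, so the password-guessing loop described earlier stalls after a few attempts instead of running through thousands. The example below is added here and is not code from the article, Apple or any named vendor; it wraps a salted PBKDF2 password check in that throttle and records every outcome so a monitoring job can flag accounts being hammered. Class names, thresholds and the event format are assumptions chosen for illustration.

```python
import hashlib, hmac, os, time
from collections import Counter
from dataclasses import dataclass

@dataclass
class AccountState:
    failures: int = 0          # consecutive failed attempts
    locked_until: float = 0.0  # epoch seconds; attempts before this are refused unchecked

class ThrottledAuthenticator:
    """Password check wrapped in per-account brute-force protection: each failure doubles
    the wait before another guess is evaluated, and MAX_FAILURES in a row locks the account."""
    MAX_FAILURES, BASE_DELAY, LOCKOUT = 5, 2.0, 15 * 60   # attempts, seconds, seconds (assumed values)
    _DUMMY_SALT = b"\x00" * 16   # unknown users are hashed too, so the response does not reveal valid names

    def __init__(self, clock=time.time):
        self._clock, self._creds, self._state = clock, {}, {}
        self.events = []   # (time, user, outcome) records handed to monitoring

    @staticmethod
    def _derive(password, salt):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

    def register(self, user, password):
        salt = os.urandom(16)
        self._creds[user] = (salt, self._derive(password, salt))   # plaintext is never stored

    def attempt(self, user, password):
        now = self._clock()
        st = self._state.setdefault(user, AccountState())
        if now < st.locked_until:
            outcome = "locked"   # refused without evaluating the password, even if it is correct
        else:
            salt, digest = self._creds.get(user, (self._DUMMY_SALT, b""))
            if hmac.compare_digest(self._derive(password, salt), digest):
                st.failures, st.locked_until, outcome = 0, 0.0, "ok"
            else:
                st.failures += 1
                wait = self.LOCKOUT if st.failures >= self.MAX_FAILURES else self.BASE_DELAY * 2 ** (st.failures - 1)
                st.locked_until, outcome = now + wait, "denied"
        self.events.append((now, user, outcome))
        return outcome

def accounts_under_attack(events, now, window=300, threshold=3):
    """Monitoring hook: users with at least `threshold` refused attempts in the last `window` seconds."""
    refused = Counter(user for t, user, outcome in events if outcome != "ok" and now - t <= window)
    return {user for user, n in refused.items() if n >= threshold}
```

The clock is injectable so the back-off and lockout can be exercised deterministically in a test; in production the default `time.time` applies.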

Such services tend to lack professional-grade security and fail to take responsibility for protecting their users' data, he said. "This is not to blame victims for being victimized, but they should not have been led to believe that Apple was looking out for them in any way."

In a statement released over BusinessWire, Apple said, "After more than 40 hours of investigation, we have discovered that certain celebrity accounts were compromised by a very targeted attack on user names, passwords and security questions, a practice that has become all too common on the Internet. None of the cases we have investigated has resulted from any breach in any of Apple’s systems including iCloud or Find my iPhone." Such findings are consistent with a brute force attack.

Apple advised customers to use strong passwords and enable two-factor verification.

A lesson learned from this event, according to Jegher, is that banks need to educate employees and customers about cloud storage, security and privacy. Having vacation photos stolen from a cloud service is creepy. But letting hackers access a document that contains all their passwords or login credentials for bank servers could be downright dangerous.
