Every few months my husband and I travel to Las Vegas to visit my mostly retired parents. While visiting, we dine out, shop in the outlet malls, cruise around, take in a show, and wonder why everyone we know leaves Vegas with more money than they had when they arrived. At least, that’s what they say.
This recent trip was much the same except for one interesting, almost innocuous comment from my mother; one that turned on my husband’s spidey sense and got a deep sigh and a mild groan from me. “Why does my Mac keep asking for my email address and passwords all the time?” Uh oh.
Go Phishing Much?
The pre-story is simple and one you may have engaged in yourself. A number of years ago we switched my parents from their creaky old Windows XP PC to a Mac. When the iPhone and iPad came along we made sure they were set up with the latest Apple mobile devices, too, including an iCloud account, email, and everything else that required… insert a drum roll right here and right now… passwords.
My mom had received a number of email messages which asked for the usernames and passwords for a few of her accounts, including iCloud. She dutifully complied, clicked the link, filled in the form with the requested information, and thought all was good. She had just gone phishing. Not once, but a number of times.
Phishing is the attempt to acquire sensitive information such as usernames, passwords, and credit card details (and sometimes, indirectly, money), often for malicious reasons, by masquerading as a trustworthy entity in an electronic communication. The word is a neologism created as a homophone of fishing, due to the similarity of using bait in an attempt to catch a victim. Communications purporting to be from popular social web sites, auction sites, banks, online payment processors or IT administrators are commonly used to lure unsuspecting victims. Phishing emails may contain links to websites that are infected with malware. Phishing is typically carried out by email spoofing or instant messaging, and it often directs users to enter details at a fake website whose look and feel are almost identical to the legitimate one.
Does that sound familiar?
Phishing seems to have become as common as spam (and a lot of spam is phishing) and it preys upon those who are trusting and don’t fully understand the social engineering behind such attacks. My parents were victims. So, we sat down immediately, checked out every online account they use, logged into each one, and changed their passwords; a laborious and tedious process that caused me to miss my expected meal at The Bellagio Buffet. In the end, no harm, no foul, and my parents received a real-life lesson on the dangers of trusting such email messages even when they look and feel legitimate. The end result was a simple rule: call me or Ben whenever another such message pops up on screen.
What Can Apple Do?
Generally speaking, Apple does a good job in Safari and Mail of blocking such phishing attempts, but often their responses are little more than closing the barn door after the horse was stolen. Two-factor authentication isn’t going to stop many phishing attempts which prey upon the innocent and less informed. An experienced and tech-savvy co-worker had exactly the same thing happen a few months ago because the pop-up window looked absolutely, positively legitimate.
What can Apple do? Our very own Wil Gomez offered a few ideas in his missive ‘Dear Apple, Please Kill Passwords’ but I would add one more rather simple layer which might help prevent some phishing attempts.
Just as Apple made mobile payment a thing where Google could not, Apple could add a security question to the login process. Such security questions are common these days.
- Name of your first pet?
- Your mother’s maiden name?
- The brand of your first car?
- Where were you born?
Simple enough, right? But make it more commonplace and make it in reverse, where the pop-up screen asks you the question and gives the answer, but with a simple yes or no check box. If the keyword given isn’t the right word, click no.
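To make the “reverse security question” concrete, here is a small added example of how a service could implement that step. It is illustrative code written for this post, not Apple’s or any vendor’s, and every name in it (the in-memory user store, enroll, challenge, user_decision, the sample account and phrase) is a constructed assumption. The point it demonstrates is the one the proposal relies on: the genuine prompt can show the phrase the user chose, while a forged prompt can only guess it, so a wrong or missing phrase is the user’s cue to click no before typing a password.

```python
"""Reverse security question: the prompt shows the user's enrolled phrase
and the user answers yes or no before ever entering a password.

Hypothetical, self-contained example. Names and sample data are constructed
for illustration and do not describe any real login service.
"""
import hashlib
import hmac
import secrets
from typing import Dict, Optional

# Constructed in-memory user store: username -> record holding the enrolled
# phrase and a hash of the device token issued when the phrase was set.
_USERS: Dict[str, Dict[str, str]] = {}


def _token_hash(token: str) -> str:
    """Store only a hash of the device token, never the token itself."""
    return hashlib.sha256(token.encode("utf-8")).hexdigest()


def enroll(username: str, phrase: str) -> str:
    """Record the user's chosen phrase and issue a per-device token.

    The phrase is what later prompts display; the token is what the
    genuine client presents to obtain it. The token lives in the client
    (a cookie, for example) and is never typed into a form.
    """
    token = secrets.token_urlsafe(32)
    _USERS[username] = {"phrase": phrase, "token_hash": _token_hash(token)}
    return token


def challenge(username: str, device_token: str) -> Optional[str]:
    """Server side of the reverse question.

    The phrase is released only to a client holding a valid device token
    for this user. Returning None for an unknown user or a bad token keeps
    the phrase away from anyone who merely knows the username, which is the
    obvious gap in schemes that show a personal image or word on request.
    """
    record = _USERS.get(username)
    if record is None:
        return None
    presented = _token_hash(device_token)
    if not hmac.compare_digest(record["token_hash"], presented):
        return None
    return record["phrase"]


def user_decision(shown: Optional[str], remembered: str) -> bool:
    """Model the yes/no click.

    'Yes' (True) only when the prompt shows exactly the phrase the user
    enrolled. A guess, a blank, or no phrase at all is 'no' (False), and
    the password is never entered.
    """
    if shown is None:
        return False
    return hmac.compare_digest(shown.encode("utf-8"), remembered.encode("utf-8"))


def demo() -> Dict[str, bool]:
    """Walk three prompts past the same user and report each decision."""
    token = enroll("mom@example.com", "blue teapot")  # constructed sample account
    genuine_prompt = challenge("mom@example.com", token)  # real client, valid token
    no_token_prompt = challenge("mom@example.com", "not-the-token")  # -> None
    guessed_prompt = "fluffy"  # a forged prompt simply guessing a phrase
    return {
        "genuine": user_decision(genuine_prompt, "blue teapot"),
        "forged_no_token": user_decision(no_token_prompt, "blue teapot"),
        "forged_guess": user_decision(guessed_prompt, "blue teapot"),
    }


if __name__ == "__main__":
    for prompt, clicked_yes in demo().items():
        print(f"{prompt}: {'yes, enter password' if clicked_yes else 'no, stop'}")
```

The device token is the part that matters for defenders: a phrase that any page can fetch from the real server just by supplying a username offers little protection, because a forged page could relay that request and display the result. Binding the phrase to something only the user’s own device holds is what keeps the yes/no check meaningful, and that binding is also why this remains one more layer on top of a password rather than a replacement for it.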
Unfortunately, this is yet another layer on an already overburdened process to protect personal data. Wil is correct. Passwords need to be killed, but in favor of what?