Your Apple ID is like a key to a treasure trove of information. From the pictures and videos you store in iCloud to the exact location of your iPhone, there’s a lot of sensitive data stored on Apple’s platforms.
- Why iOS 12’s Security Code AutoFill is Risky + How to Protect Yourself
- 7 iOS privacy tips and tricks you didn’t know
- Apple ID Disabled for Security Reasons? Here’s What to Do
- iDevice Security and Privacy in the wake of NSA’s PRISM Report
Unfortunately, there’s no such thing as a completely secure online platform. But if you’re worried about your sensitive data being leaked or hacked, there are a number of things you can do to shore up the security on your Apple account.
Use a good password
Your password is the first line of defense against hackers and scammers. It’s also arguably one of the most important.
Because of that, you really want to use strong passwords crafted with the latest best practices. Here are some essential password tips.
- Use a strong password. Don’t go for “password” or “12345.” It’s also smart not to use anything about yourself in your password — like your profession, the names of your pets, or your street address. The best password is a random and long string of multiple character types.
- Don’t reuse passwords. It may be tempting to use one password for all of your important services, but it’s not a good idea. Even the most secure of passwords can be compromised or leaked in a data breach. And if a hacker has access to your one password, they could log into any of your accounts.
- Consider a password manager. The last two best practices may not be realistic for all of us — after all, not everybody has an excellent memory. Because of that, we strongly recommend you use a password manager to create and store your strong, unique passwords.
- Ditch the security questions. Your mother’s maiden name, the street address you grew up on, your first dog’s name. All of this information may be easily accessible online with just a little bit of effort. If at all possible, don’t use or rely on security questions. If you must, treat them like passwords and use random strings of characters for the answers. (Just be sure to write those answers down with the security question somewhere safe.)
Enable two-factor authentication
A good password goes a long way in protecting your Apple ID. But an attacker can steal or find even the best passwords if they’ve been compromised in a data breach. Because of that, it’s highly recommended that you enable two-factor authentication on your account.
Two-factor authentication is a security measure that requires an additional step when you log into Apple services on a new device.
Typically, this involves getting a code on one of your trusted devices and entering that code into a prompt.
While it’s a bit of additional effort and inconvenience, it’s highly recommended. Without physical access to one of your unlocked Apple devices, an attacker will not be able to gain access to your Apple accounts.
There is, of course, one exception to that rule. Apple, for pretty obvious reasons, doesn’t require 2FA verification when logging into Find My iPhone. If it did, users who lost their primary devices would be out of luck.
Find My iPhone isn’t an ideal attack vector for hackers, but it can result in your devices being remotely locked and held for ransom.
Avoid phishing & spear-phishing attempts
When it comes to cybersecurity, the weakest link is always the human element. A hacker doesn’t need to guess or brute force your password if they can just get you to hand it over willingly.
Think that can’t happen? Think again. Phishing is a common social engineering tactic that hackers use to get Apple users to essentially deliver their login credentials on a silver platter.
Typically, phishing attempts will come in the form of fraudulent emails or text messages. They can look like they’re from Apple with phone number spoofing and clever emails, so it can be hard for some to verify their authenticity.
The basic tactic is to say that an iCloud account has been “locked” or “compromised.” The recipient of the scam email will then be urged to go to some link to reactivate it or keep it from being closed down. Attackers usually add a sense of urgency to the emails or text messages.
Worse still, these fake login pages can sometimes look nearly identical to a legitimate Apple login page. Once a user enters their login credentials, a hacker can log into Find My iPhone and lock a user’s account — even if 2FA is enabled.
Spear-phishing relies on similar tactics, but is typically aimed at a single person. We’ve recent spear-phishing campaigns targeting users who have lost their iPhones.
Luckily, there’s a simple way to mitigate the risk of phishing and spear-phishing attacks. Just delete the emails. Apple doesn’t send unsolicited texts or emails to users. If you aren’t expecting an email from Apple, then you probably won’t receive one.
If you get an email you’re unsure of, we recommend deleting it and contacting Apple directly through a verified medium.
Take care in public places
One of the last basic steps to locking down your Apple ID is to practice good cybersecurity habits when you’re out and about.
For one, Apple’s devices are usually pretty secure. But the best hackers know that a few minutes of physical access is all it takes to cause some serious damage.
There’s also unsecured public Wi-Fi — something that is notoriously leaky when it comes to data. A good habit is to never log into anything sensitive, like a financial website or iCloud.com, when you’re using public Wi-Fi.
That’s because network traffic on unsecured Wi-Fi isn’t encrypted or protected by a password, meaning that just about anyone can “sniff” your network traffic with the right tools.
With the right know-how, someone on the same network as you can see the usernames and passwords you’re typing and sending to websites (even those secured with HTTPS).
If you have to use a public network to log into your Apple ID, try using a virtual private network (VPN) before doing so. While most of these options aren’t free, they do encrypt your network traffic — meaning that hackers can’t spy on what you’re doing.
Consider your other platforms
For the purposes of this article, we focused entirely on Apple’s own platforms. That’s because, for iPhone or Mac users, an Apple ID is one of the most critical accounts you can have.
But an Apple ID is not the only attack vector a hacker has if they want to get your data. Consider your email account, your cloud storage solutions or your social media pages.
We recommend applying these basic cybersecurity steps to your other important online accounts.
Mike is a freelance journalist from San Diego, California.
While he primarily covers Apple and consumer technology, he has past experience writing about public safety, local government, and education for a variety of publications.
He’s worn quite a few hats in the journalism field, including writer, editor, and news designer.