Here is a scenario: a hacker figures out your iCloud/AppleID password and logs into your account over the web. He changes your password, immediately locking you out of your account, breaking your ability to send email and messages via your iCloud account. He takes note of your birthday, billing address, alternate email addresses, and that you have a credit card stored. He looks at your sent and received emails, notes, calendar entries, iCloud drive documents, contacts, etc. He appreciates your photos and takes note of the places you like to visit.
He will be very busy now seeing if he can hack into your other accounts using the same or a similar password and creating spam and/or viruses for all your contacts. But first, he needs to do a bit of shopping. He grabs an iPhone and logs into your iCloud account using his new password. He downloads all your past applications, songs, and movie purchases and then buys a bunch more, using the credit card associated with your account.
Pretty scary, huh? This actually happened to someone I know. She thought she had a strong password, but obviously it was not strong enough. Many of us use Apple’s iCloud because it is so convenient for storing our data and automatically synchronizing it across our various devices. But, because it is such a vast and varied repository of our personal information, it is also a keen target for hackers.
We all know by now that our passwords have to be long, made up of non-real words plus a mixture of upper case, lower case, and special characters. And, the password needs to be unique for every website. Unfortunately, I suspect that many of you do not follow this advice. Whether you do or don’t, what else can be done to keep hackers from being able to log into our web-based accounts?
The answer is Two Factor Authentication (commonly known as 2FA). 2FA provides an extra layer of security to help prevent unauthorized access to your web accounts. Some websites implement it by default, but most offer it as an option that you have to explicitly enable. Dashlane, Lastpass, Amazon, Dropbox, Facebook, Apple, Google, Microsoft, Yahoo, Wells Fargo, and Chase are examples of websites that offer 2FA.
The way 2FA works is to require one extra step in logging into your account. Once you have successfully entered the correct account id and password, the website will ask you for a code. That code can be set up in advance to be texted or emailed to a specific phone number or email address. If the code is not used within a short period of time, it will expire. The code is different with each login. That code represents the second factor in authentication and is delivered to you via something personal that presumably only you have (like your cell phone). No correct code entry, no successful login. So you can see that without this second piece of information, a hacker will not be able to log into your account. Most websites allow you to specify whether 2FA should be used with every login or only with logins from devices that have never accessed the website before.
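To make the lifecycle of such a code concrete, here is an added Python sketch of how a website might manage it on its side; this is illustrative code written for this post, not Apple's or any other vendor's implementation, and the class name, time limit and attempt cap are my own assumptions. It shows the behaviour described above: a fresh random code for each login, expiry after a short window, one use only, and a cap on wrong guesses so a six-digit code cannot simply be brute-forced.

```python
import hmac
import secrets
import time

CODE_DIGITS = 6
CODE_TTL_SECONDS = 300   # assumed: code expires five minutes after being sent
MAX_ATTEMPTS = 5         # assumed: limit guesses against a 6-digit code


class SecondFactorCodes:
    """Hypothetical server-side helper for texted/emailed login codes.

    Delivering the code (SMS or email) is out of scope; this only tracks
    each pending code, its expiry and how many guesses remain.
    """

    def __init__(self, now=time.time):
        self._now = now            # injectable clock, handy for testing expiry
        self._pending = {}         # login_id -> [code, expires_at, attempts_left]

    def issue(self, login_id):
        """Generate a new random code for this login attempt and remember it."""
        code = f"{secrets.randbelow(10 ** CODE_DIGITS):0{CODE_DIGITS}d}"
        self._pending[login_id] = [code, self._now() + CODE_TTL_SECONDS, MAX_ATTEMPTS]
        return code  # caller sends this to the user's phone or email

    def verify(self, login_id, submitted):
        """Return True only for a correct, unexpired, not-yet-used code."""
        entry = self._pending.get(login_id)
        if entry is None:
            return False  # nothing pending (never issued, or already consumed)
        code, expires_at, attempts_left = entry
        if self._now() > expires_at or attempts_left <= 0:
            del self._pending[login_id]  # expired or too many guesses: start over
            return False
        entry[2] -= 1  # every check costs one attempt, right or wrong
        if hmac.compare_digest(code, str(submitted)):
            del self._pending[login_id]  # single use: the same code never works twice
            return True
        return False
```

A real deployment would also bind the pending code to the session that entered the password and store it server-side, not in the browser.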
What I have described is a simplified version of how 2FA is implemented, and the actual setup can be a bit more complicated. But regardless, if you care about protecting your web-accessible data, start using Two Factor Authentication NOW!!!