Protecting yourself from the Turkish Crime Family through 2FA

Come April 7, your iPhones, iPads, and Macs will be at the mercy of the Turkish Crime Family — unless Apple pays a ransom.

This is the story as broken earlier this week by Motherboard, which says the group (who nobody has heard of until now) has threatened to remotely wipe at least 200 million Apple devices unless the company pays extortion of $75,000-$100,000. In this matter, Apple has latitude: By paying in Bitcoin — the global criminal currency of choice — it would, as it were, be getting a discount. If Apple chooses to pay the piper in iTunes gift cards, however (yes, seriously), the demand is 33% higher to presumably make up for the cost of money-laundering all those easy-to-trace gift cards.

It seems highly unlikely Apple has any intention of paying anything to this group – allegedly, Apple responded to the group with the simple statement of “we do not reward cyber criminals for breaking the law,” which is really the only possible answer to such a demand. Paying any small amount of extortion is like paying the Danegeld – other people will come and make similar demands if Apple gives in.

What does this all mean to you? One could assume that somehow the Turkish Crime Family has gotten access to Apple credentials through a weakness in Apple’s security or through some other sort of leak of their member database. More likely, in my opinion, is that these folks have simply compiled a large database of the terrible passwords people use for everything and also have email addresses and passwords based on many of the other exploits, leaks, and hacks that have occurred over the past few years.

The crackers could even have been slowly testing and verifying these credentials over a long period of time and could feel confident they have access to a lengthy list of valid accounts they can sample to Apple to prove they mean business, get their ransom, then hell, even still rent a botnet for pennies and use the botnet to mass-wipe devices with abandon.

How can we protect ourselves? Well, Apple could (and probably has) put in place some mitigation. One smart move would be to limit how many self-service wipes can be conducted per day without a human reviewing the activity patterns and making sure that they’re legitimate. Or everyone who uses an Apple device could change their iCloud password to something unique and then enable two-factor authentication.

I have a lot of opinions on password security, which I’ll have to write about another time. But the one thing you need to know is that you need to use a unique password for your ‘master’ accounts – your email and your iCloud/Google account – since these accounts grant access to so many others. For your iCloud/Google account, this also includes the potential for someone who gets the password to lock, erase, or disable your phone or computer.

On top of having a unique password, the second thing you should do is turn on two-factor authentication (2FA) for your Apple ID. If you have a remotely recent Apple device, you should have the ability to turn on 2FA, which you can do by following these instructions. Once you’ve turned on 2FA, anybody who does get your password can’t do anything with it unless they also have access to one of your other enrolled 2FA devices. It’s a simple security best practice.

Using a unique password and turning on 2FA for the accounts and services you really care about can help keep you safe. While nothing is 100% safe from the Turkish Crime Family, it would be a real surprise if they were able to bypass 2FA on Apple accounts.