Can an iPhone be hacked? A breakdown of common hacks and cyber hygiene best practices

To avoid being hacked, make sure you stay away from suspicious links and spam messages.

  • Your iPhone can be hacked in various ways, although iPhones are safer than Androids.
  • Experts say the best way to stay safe from hacks is to be vigilant of strange links or sketchy apps and to only give out information when necessary.
  • Poor battery life and sluggish performance can be indicators of an iPhone hack.
  • You might need to restore your iPhone to factory settings or get a replacement if it’s been seriously hacked.

iPhone hacks aren’t incredibly common, but they can still occur if you aren’t careful.

From malware and trickster apps downloaded from the App Store to targeted attacks on a specific device, your information can be stolen in myriad ways.

Here we’ll break down the common types of hacks, how to tell if you’ve been hacked, and what to do about it.

How an iPhone can be hacked

Hacking occurs when someone else gains access to private information on your device or controls it without your consent. It’s a broad term, and lies on a gradient of bad to very serious. Some hackers want to make a quick buck selling advertising. Others want to hurt you.

Experts said there are a few main types of iPhone hacks:

Suspicious websites or links

Just like on your computer, your iPhone can be hacked by clicking on a suspicious website or link. If a website looks or feels “off,” check the logos, the spelling, or the URL.

Try to avoid connecting to a password-free public Wi-Fi network, which opens the possibility of a hacker accessing unencrypted traffic on your device or redirecting you to a fraudulent site to access login credentials.

Messages from numbers you don’t recognize are also suspect.

Fortunately, modern smartphones are good at resisting malware and ransomware.

Suspicious apps on the App Store

Apple devices exist in a much more closed and monitored digital ecosystem when compared to Android devices.

The company has a vetting process for apps on its store, but it’s not bulletproof.

Ning Zhang, who leads the Computer Security and Privacy Laboratory at Washington University in Saint Louis, said to watch out for apps that ask for more information than they’ll need to function.

For example, if you’ve downloaded a wallpaper or flashlight app and it’s asking for your location or contact list, camera, or microphone, that’s a red flag. Likely, the developers are tricking you into giving out this information so it can be sold.

“I’d be a little bit skeptical about it and consider if I really want that wallpaper app,” he said. “Being vigilant, even with official apps, is helpful. If we are able to do that, I think for the average person, you should be fairly safe.”

It’s important to keep track of even the official apps on your phone and to check for any suspiciously downloaded apps, as well.
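The red flag Zhang describes can be checked mechanically, because an iOS app has to declare a usage-description key in its Info.plist for each kind of protected data it may ask for. The following is an added example, not from the article; the per-category policy in `EXPECTED` and the sample plist are constructed assumptions.

```python
import plistlib

# Info.plist keys iOS requires before an app can prompt for each kind of data.
SENSITIVE_KEYS = {
    "NSLocationWhenInUseUsageDescription": "location",
    "NSLocationAlwaysAndWhenInUseUsageDescription": "location",
    "NSContactsUsageDescription": "contacts",
    "NSCameraUsageDescription": "camera",
    "NSMicrophoneUsageDescription": "microphone",
    "NSPhotoLibraryUsageDescription": "photos",
    "NSPhotoLibraryAddUsageDescription": "photos",
}

# Assumed policy (hypothetical): data each app category plausibly needs to function.
EXPECTED = {
    "wallpaper": {"photos"},
    "flashlight": set(),
    "navigation": {"location"},
}

def declared_permissions(info_plist: bytes) -> set[str]:
    """Return the kinds of protected data the app declares it may request."""
    plist = plistlib.loads(info_plist)
    return {SENSITIVE_KEYS[key] for key in plist if key in SENSITIVE_KEYS}

def red_flags(info_plist: bytes, category: str) -> list[str]:
    """Permissions declared beyond what the category needs.

    An unknown category is treated as needing nothing, so every declared
    permission is reported for a human to review.
    """
    expected = EXPECTED.get(category, set())
    return sorted(declared_permissions(info_plist) - expected)

# Constructed sample: a wallpaper app that also declares location and contacts.
SAMPLE_WALLPAPER_PLIST = plistlib.dumps({
    "CFBundleName": "ExampleWallpapers",
    "NSPhotoLibraryAddUsageDescription": "Save wallpapers to your library.",
    "NSLocationWhenInUseUsageDescription": "Show wallpapers near you.",
    "NSContactsUsageDescription": "Share wallpapers with friends.",
})

if __name__ == "__main__":
    for permission in red_flags(SAMPLE_WALLPAPER_PLIST, "wallpaper"):
        print(f"wallpaper app declares unexpected access: {permission}")
```

A declared key only means the app is able to prompt for that data, so a hit is a reason to look closer rather than proof of misuse.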

Intimate partner hacks

Abusive partners can grab your phone and download spyware (or stalkerware) when you’re not looking. This malicious software can be used to track your location, or make private information like texts, your call history, and emails accessible to them.

All they need is your password and physical access to your phone. Experts we spoke to said that this is unfortunately common. This abuse can be psychologically traumatizing and devastating to someone’s personal and public life. If you notice apps that you don’t remember downloading, this could be a sign – although many times the spyware app is invisible on the home screen.

Sadly, this problem isn’t easy to fix. Victims can risk their safety by deleting the apps or checking for malware if and when abusers notice these actions.

Targeted attacks

The average person probably won’t be singled out and remotely targeted by hackers because it’s expensive, sometimes costing millions for hacks of newer phones, said Matthew Green, an associate professor at the Johns Hopkins Internet Security Institute.

Journalists and activists are most at risk for this kind of hack.

One form of a targeted hack works like this: Hackers exploit unknown flaws in the iOS programming that even its developers don’t yet know about. With this knowledge, hackers can install malware to get data from targeted sources.

“This is a very sophisticated set of hacks and oftentimes you won’t even know this happened to you,” Green said. “If it’s someone who is really sophisticated, they’ll send you an invisible text message and then your phone is going to be compromised for a while.”

The bugs are known as “zero-day” exploits, corresponding with the fact that Apple will find out about a possible security issue in their software on the same day it’ll work to patch it. The minute the world knows, it’s only a matter of time before the hack is obsolete. That’s why these pricey hacks are often kept under wraps by the people, or governments, who purchase them, Green said.

Ways to protect yourself from an iPhone hack

iPhones can absolutely be hacked, but they’re safer than most Android phones.

Some budget Android smartphones may never receive an update, whereas Apple supports older iPhone models with software updates for years, maintaining their security. That’s why it’s important to update your iPhone.

Apps on the App Store are also vetted for malware (though there are questionable apps that go unnoticed).

However, if you’re considering “jailbreaking” your iPhone – removing the software restrictions imposed on iOS – you’re opening yourself up to potential vulnerabilities in the software because you’ve eliminated some of Apple’s existing security measures. It is possible to download incompatible spyware or malware apps on a jailbroken phone, and this is also how remote takeovers can occur with iPhones. A jailbroken phone should be avoided as it can dangerously allow malicious apps to go undetected.

If you back up your phone in iCloud, make sure to have a strong password. If someone gets ahold of your password, they don’t even need to hack your phone because they can download a backup from the cloud.

Hackers can access your information by downloading a backup from the cloud, which eliminates the need to jailbreak or get access to your phone.

Turning on Apple’s two-factor authentication is another good way to stay safe and can prevent your iCloud account (Apple ID) from being hacked by requiring another step of verification.

Vyas Sekar, a professor of electrical and computer engineering at Carnegie Mellon University, said staying safe is all about “good digital hygiene.”

“Install apps from trustworthy sources and unless you know what you’re doing, you probably don’t want to jailbreak your phone,” Sekar said. “Be careful. Don’t click on attachments you don’t want to open and keep your phone up to date.”

How to tell if your iPhone has been hacked

You can’t always tell if your iPhone has been hacked, Sekar said. But you may notice a few things.

  • Your phone is unusually hot, or frequently dying.
  • Your phone is sluggish when trying to load websites.
  • The battery is draining even when you’re not touching your phone.

These symptoms indicate the phone is running all the time, even when you’re not using it. Sometimes, the best indicators come from the outside, such as when friends say they’re getting odd messages from you. However, the most sophisticated hacks can be somewhat invisible.

There’s no definite way to check for every type of hack. Experts told us that one reliable way to investigate is to download a mobile security app called iVerify, which scans your phone’s operating system for suspicious behavior and can also detect if your phone has been jailbroken.

What to do when your iPhone has been hacked

If you know your phone has been hacked, you have a few options depending on what happened.

For minor problems, like an app stealing your information, delete the app and update your software.

In serious cases, you’ll want to wipe your iPhone and restore it to factory settings. But even if you do that, it may not be completely clear if you’ve gotten rid of the malware installed on your phone – especially if it has been jailbroken.

If you suspect your phone has been hacked, sometimes the safest bet is to get a new phone, depending on the severity of the breach.

Finding an expert for inspection may be the best solution. Green from Johns Hopkins said your phone can’t always be cured.

“I hate to say this, but if you really, really need to be safe, get a new phone,” Green said. “If somebody actually gets on your phone, and it’s a really high barrier for iPhones, they can install stuff like keyloggers, which means every key press, every letter you type in is being sent to somebody. Until you’re sure that’s gone, you can’t be sure you have any privacy.”

If you can’t get a new phone right away, a hacked iPhone is likely not safe to use, so it’s best to leave it turned off.


Read the original article on Business Insider

A guide to two-factor authentication, the two-part security test for your online accounts and devices

Two-factor authentication, or 2FA, uses multiple tests or devices to keep your accounts secure.

  • Two-factor authentication is a security measure that makes you pass two security tests before gaining access to your account or device.
  • As hackers and hacking systems become more advanced, experts say passwords alone are not enough to keep your data secure.
  • Many apps and websites give users the option to use two-factor authentication, but it’s also something users can set up for themselves.

You can never be too careful with your information online.

Hackers are becoming more sophisticated, and while developers continually come up with new methods to make sites and devices more secure, hackers can still find ways around them. As a result, a password alone may not be enough to protect your important accounts from cybercriminals.

Lately, more businesses and services have been adding two-factor authentication as an optional feature for their online logins. Certain industries require two-factor authentication as a security practice, and most internet security experts would tell you that adding two-factor authentication is not only a good idea but an increasingly necessary step for ensuring your online security.

What to know about two-factor authentication

Two-factor authentication, also referred to as 2FA or two-step verification, is a method of confirming your identity by asking you to pass two security tests. It’s a way for a site or a system to ensure that it’s really you logging in and not a sophisticated robot or a hacker.

After you enter your password, you’ll be asked to pass a second test, which will vary depending on the site you’re using.

2FA forces hackers to come up with solutions to two unique problems, rather than one. It’s also constantly evolving because hackers seem to eventually come up with solutions to said problems. One early form of 2FA was the security question, but years of predictable questions and answers left that method vulnerable to hackers.

Types of two-factor authentication

Things have gotten more complex since the days of the security question – hackers and robots have gotten more advanced, so security challenges have, too. There are now five common types of 2FA.

Text or voice-based 2FA

This type of two-factor authentication will usually prompt you to enter your phone number and choose whether you would like to receive a text message or a phone call to have your identity verified.

If you’re logging in to a multi-use account, after you have done this once, your preferences will usually be remembered for next time, with your permission.

If you choose a phone call, an automated system will call your number and ask you to verbally confirm that you are logging in.

If you choose text, you will most likely be sent a text message with a link that will automatically log you in and redirect to the site or app’s landing page. However, some older forms of this feature may simply send you a text asking you to send a reply text confirming that you logged in.

It’s important to note that, even if you know a site utilizes this form of authentication, they will never ask you for information like your username or password over SMS or a voice call. If you are ever asked for this info, you should block the number immediately – this is a common phishing scam.

Additionally, if a site you use has an option to set up this feature and you haven’t done so yet, you should do it as soon as possible, or set up some form of 2FA for that account immediately. If you don’t, a hacker who was able to get in using only your password might be able to set it up with their own number.

Hardware tokens

Hardware tokens are the oldest form of 2FA out there and they are relatively uncommon today, mostly because they’re expensive, easy to lose, and, while still incredibly secure, not entirely invulnerable to hacking.

A hardware token is a device that generates a new, randomized code every 30 seconds. When you want to log into the associated account, you simply look at the device and enter the code displayed on it. With newer versions, you plug the device into your USB port and it enters the code for you.

Other tokens seek to authenticate your identity, but hardware tokens sidestep that issue entirely, operating under the assumption that whoever has it is already qualified to get into the system.

Software tokens

These tokens combine the best factors of SMS and hardware-based 2FA, while eliminating some significant issues each of the other methods face.

Software tokens work exactly like hardware tokens, as described above, but rather than using a physical device to generate a password, they’re an application that you install to generate a password automatically.

These tokens are sometimes attached to specific websites; CAPTCHA is one method employed by many sites in order to confuse robot password hackers with a visual question. However, you can also download and set up your own software token application – they’re an excellent and reliable way to stay secure online, and they work whether you’re using a desktop computer, a smartwatch, or anything in between.

Push notifications

When you’re logging into a website, chances are you’re using what’s called a secure connection. Basically, this means that, during the time your device and the site are communicating, the site is masking all of the communications involved to make them difficult for hackers to penetrate.

Push-notification 2FA merely takes advantage of this secure connection while you’re using it. Essentially, when you log in, it sends a signal to the server to send a push notification with a unique one-time code that completes your login.

This is basically an improved form of the SMS-based 2FA outlined earlier – the difference is that this one eliminates opportunities for phishing scams to take advantage of unsuspecting users, and, more importantly, stops man-in-the-middle attackers from intercepting login links.

The only drawback to this method is that it doesn’t work very well in areas with spotty internet service.

Biometrics

There’s an even more secure way to confirm your identity than any of these 2FA methods though, and people have been using it since even before there were computers – we just didn’t figure out how to implement it digitally until recently.

Once used as a sci-fi trope and associated with top-secret access, fingerprint scanners can be found on a number of devices people use every day, like phones and laptops. Other forms of biometric identification – methods of confirming your identity using factors unique to your biology – are also on the rise, most notably facial recognition.

Some organizations, especially apps on your phone that deal with money, like PayPal or whatever virtual banking app you may use, already use two-factor authentication, in a sense. If you have a phone that allows for fingerprint or facial recognition, these apps work with its software to allow you to store your username and password in your device, and have the device fill it in for you as long as it recognizes you.

Currently, the only issues with this technology are that not all devices have a fingerprint scanner or facial-recognition technology, and facial recognition is relatively in its infancy.

Why two-factor authentication is important

Two-factor authentication has become an increasingly important security measure as hackers and hacking systems have become more sophisticated over time. In fact, advanced hackers can easily use one unlocked account to unlock dozens, if not hundreds, of others.

These days, hackers aren’t just sitting at the computer typing away, hoping and guessing at random numbers and letters. They have algorithmic programs that test hundreds of common patterns and combinations in seconds. If your specific username or password hasn’t been guessed by these machines already, it’s most likely sheer luck. Once one password has been guessed, chances are they’ll be able to use that combo to hack into other common sites as well.


Even if you’re taking all the proper precautions and using the smartest, most obscure usernames and passwords you can think of, making them unique every time, you’re still vulnerable. You’re just a little less vulnerable than other people with simpler ones – and even then, you’re making way more work for yourself than you need to.

Human memory is faulty, and the more we get comfortable online, the more passwords we’ll have to create and remember to stay secure. Setting up two-factor authentication frees you from that burden, while still giving you the peace of mind of knowing you’re much more secure against cyberattacks.

How to enable two-factor authentication

If you’re not looking to buy a hardware token or download and install a separate software token in order to protect your accounts, there’s still good news for you. Most major websites, apps, and devices already have 2FA capability that you have the option to set up with your account.

Here’s a brief list of guides on how to set up two-factor authentication on some of the most popular sites, apps, and devices:
