Following the recent hack attempts against its iCloud service in China, Apple has published a reminder page to inform you of how to detect fraudulent sites that are pretending to be legitimate ones, by determining if the remote server is using valid certificates and proper encryption.
While Apple’s servers were not compromised and iCloud data and passwords were not revealed in the recent attacks, this event serves as a good reminder to check for the validity of any Web site you are connecting to, especially if it contains private or sensitive information.
To help with security, services like banks and online identities like social media and Apple’s iCloud often host security certificates with a feature called Extended Verification. This feature allows you to quickly check a certificate by glancing at your browser’s address bar. If a Web site’s Extended Verification certificate is valid, you will see the company’s name appear in green in the browser address bar, with a lock next to its name. This is true for every major and current Web browser, so when you are connecting to online services through Safari, be sure you check for this feature.
Keep in mind that if a Web site does not have a certificate and does not show a green lock in your browser’s address bar, it does not mean the site is fraudulent. However, if the site is expected to have this validation but you do not see it, you should be suspicious of it. Unfortunately, since not all online services use this feature, you might not know when to expect it. One approach is to check for it when you first visit each of your sites, and then expect it from then on.
Overall, when visiting your various online sites, you can take four steps to ensure you are secure:
- Manually type in your site’s Web URL, instead of clicking any links in emails or on other Web sites.
- Check for the validity of your site’s certificate.
- Only use a trusted Web browser and be sure you keep it updated to its latest version.
- Keep your computer’s OS up to date, to ensure you have the latest root certificates and other security routines installed.
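The certificate check in the list above can also be done outside the browser. The following Python sketch is an added example, not code from Apple or from this article: `fetch_cert` lets the system trust store verify the chain and hostname, and `summarize_cert` reports the company name and validity period. The function names, the constructed sample certificate, and the use of certain subject fields as a hint that a certificate carries the organization-level validation described above are assumptions of this example.

```python
import socket
import ssl
import time

# Subject fields that extended-validation certificates carry in addition to
# organizationName; their presence is a heuristic (assumption), not proof.
EV_SUBJECT_FIELDS = {"businessCategory", "serialNumber", "jurisdictionCountryName"}

def _flatten(name):
    """Turn getpeercert()'s nested RDN tuples into a flat dict."""
    return {key: value for rdn in name for key, value in rdn}

def summarize_cert(cert, now=None):
    """Summarize a dict in the format returned by SSLSocket.getpeercert()."""
    now = time.time() if now is None else now
    subject = _flatten(cert.get("subject", ()))
    issuer = _flatten(cert.get("issuer", ()))
    not_before = ssl.cert_time_to_seconds(cert["notBefore"])
    not_after = ssl.cert_time_to_seconds(cert["notAfter"])
    return {
        "organization": subject.get("organizationName"),  # None if no company name
        "issuer": issuer.get("organizationName"),
        "in_validity_period": not_before <= now <= not_after,
        "ev_style_subject": EV_SUBJECT_FIELDS.issubset(subject),
        "dns_names": [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"],
    }

def fetch_cert(host, port=443, timeout=10):
    """Fetch a server certificate; the default context verifies the chain and
    hostname during the handshake and raises ssl.SSLError on any failure."""
    context = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with context.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()

# Constructed sample in getpeercert() format (not a real certificate).
SAMPLE_CERT = {
    "subject": ((("businessCategory", "Private Organization"),),
                (("jurisdictionCountryName", "US"),),
                (("serialNumber", "C0000000"),),
                (("organizationName", "Example Corp"),),
                (("commonName", "www.example.com"),)),
    "issuer": ((("organizationName", "Example CA"),),),
    "notBefore": "Jan  1 00:00:00 2014 GMT",
    "notAfter": "Jan  1 00:00:00 2016 GMT",
    "subjectAltName": (("DNS", "www.example.com"),),
}
```

To check a live site, call `summarize_cert(fetch_cert("your.site.example"))`; a verification error raised by `fetch_cert` is itself the signal that the certificate should not be trusted.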
iCloud keychain is actually quite helpful when it comes to phishing — because if you know that your Apple devices have saved your password, not seeing it prefilled in the field at least can put you on alert that something may be amiss.