Recent 'MFA Bombing' Attacks Targeting Apple Users

400 points, by vdddv, about 1 year ago

25 comments

tanelpoder about 1 year ago
There's an important omission in the article and the top comments here don't mention it either: Accidentally tapping "Allow" does not allow the attacker to change the password on their web browser. When you tap Allow on your device, you are shown the 6-digit pin on *your* device and *you* can use it to change your password on *your* device. The final part of the attack is that the attacker calls you using a spoofed Apple phone number and asks *you* to read out the 6-digit pin to them. If *you* choose to give out the 6-digit pin to the attacker over an incoming phone call, then they can use it in their browser to reset your password.

It's surprising that Krebs chose to omit this little detail in the security blog and instead seemed to confirm that someone could completely give away access to their account while sleeping.
lloeki about 1 year ago
"recent"?

This happened to me and my wife (each starting a few days apart) in 2021, or maybe 2022 but no later. It started with a couple of requests a day, then ramped up to every hour or something. IIRC we also both got a couple of SMS claiming to be from Apple.

As soon as it ramped up I set up both accounts to use recovery keys, which is a move I had planned anyway on the grounds that it should not be in Apple's (or someone coercing/subverting Apple, be it law enforcement or a hacker) power to get access to our accounts. This obviously stopped the attackers dead in their tracks.

For similar reasons I set up advanced data protection as soon as it was available and disabled web access. Only trusted devices get to see our data, and only trusted devices get to enroll a new device.
mcintyre1994 about 1 year ago
That message is horribly designed if it allows a password reset to happen on any other device after you click allow. It specifically says "Use this iPhone to reset". I'd have assumed it asks the person who clicked allow to set a new password, on the same device they clicked allow.

Then again, if it shows on the watch too (and isn't just mirroring a phone notification, since it ignores quiet mode), I can't imagine the idea is you click allow on your watch and then type a password on its keyboard?
rekoil about 1 year ago
At some point the ability to trigger these prompts (or ones like them, like the Bluetooth-based "set up new device" prompts that were in the news last year) on Apple devices is itself the problem, right?

Obviously it must be possible to reset one's password, but from the article it's apparently possible to make 30 requests to reset one's password in a short amount of time.

What possible non-malicious reason could there be for that to happen?
_def about 1 year ago
I wonder how long it will take until another goal of these phone calls will be to gather enough samples to convincingly clone your voice.
honzaik about 1 year ago
I am confused. What does happen after clicking allow? Does Apple just provide a password reset form to the person on the iForgot website, or does it show up only on the device?
chatmasta about 1 year ago
> he received a call on his iPhone that said it was from Apple Support (the number displayed was 1-800-275-2273, Apple's real customer support line)

This happened to me exactly once, and it was two days after I ordered a new MacBook from the online Apple Store. Since I was expecting a shipment, I almost picked it up. But instead I called Apple Support myself, and asked if they had called me, and they said they had not.
Zetobal about 1 year ago
Same problem with Instagram. It's insane that so many giant companies have no rate limits in their recovery flows.
mavamaarten about 1 year ago
I've been getting these on my LinkedIn account for a couple of days. Every few hours I get an email with a magic login link. They seem legitimate, originating from various locations around the globe.
prmoustache about 1 year ago
I have hated Push MFA since it was introduced.

How hard is it to just type a code, really? In the end, to fight against push bombing you end up with a push notification that asks you for a code anyway.
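prmoustache's point is that push approval ends up requiring a typed code anyway. The following is an added example, not code from the thread or from Apple, of that number-matching variant: the approving device has to enter a value shown only on the screen where the login or reset was initiated, so a reflexive tap on a bombed prompt approves nothing. All names and the two-digit format are assumptions.

```python
import hmac
import secrets
from dataclasses import dataclass
from typing import Dict, Optional, Tuple


@dataclass
class PushChallenge:
    challenge_id: str
    match_number: str   # displayed only where the login/reset was started
    outcome: str = "pending"


class NumberMatchingPush:
    """Push approval that cannot be satisfied by a blind tap on 'Allow'.
    The device prompt asks for the number instead of offering an Allow button."""

    def __init__(self) -> None:
        self.pending: Dict[str, PushChallenge] = {}

    def start(self) -> PushChallenge:
        # Assumed format: a two-digit code (00..99), as common number-matching UIs use.
        challenge = PushChallenge(secrets.token_hex(8), f"{secrets.randbelow(100):02d}")
        self.pending[challenge.challenge_id] = challenge
        return challenge

    def respond(self, challenge_id: str, typed: Optional[str]) -> bool:
        """Consume the challenge. One attempt only: a wrong or empty entry denies it,
        and the same challenge can never be approved afterwards."""
        challenge = self.pending.pop(challenge_id, None)
        if challenge is None:
            return False  # unknown, already used, or expired
        ok = typed is not None and hmac.compare_digest(challenge.match_number, typed)
        challenge.outcome = "approved" if ok else "denied"
        return ok


def demo() -> Tuple[bool, bool, bool]:
    """Legitimate user types the number shown on their own screen; a bombed user's
    guess is refused (they never saw the number); a used challenge cannot be replayed."""
    push = NumberMatchingPush()
    legit = push.start()
    good = push.respond(legit.challenge_id, legit.match_number)
    bombed = push.start()
    guess = f"{(int(bombed.match_number) + 1) % 100:02d}"  # constructed wrong guess
    blind = push.respond(bombed.challenge_id, guess)
    replay = push.respond(legit.challenge_id, legit.match_number)
    return good, blind, replay
```

A single attempt per challenge keeps a 1-in-100 guess from being retried; the sending side still needs a rate limit so the attacker cannot simply issue new prompts.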
WarOnPrivacy about 1 year ago
*he received a call on his iPhone that said it was from Apple support.*

*"I said I would call them back and hung up," Chris said, demonstrating the proper response to such unbidden solicitations.*

We're long-conditioned to assume that calling a large company and reaching a human will be difficult to impossible, and if we succeed, it will be an unpleasant experience. Much more so for a major tech company.

As far as this scam succeeds, it's partially due to intentional business designs.
chrisjj about 1 year ago
> even though I have my Apple watch set to remain quiet during the time I'm usually sleeping at night, it woke me up with one of these alerts.

So... Apple Watch "quiet" is broken??
rootusrootus about 1 year ago
This seems like it is entirely a human problem, not any kind of technical failure. The fix is the same as it always was: people need to be trained to say no by default, do not trust inbound calls *ever*, and never ever share your credentials.

If you follow that advice, this attack poses no risk other than annoyance. If you do not give your password to the creep who calls you claiming to be Apple support, you will be okay.
kevrmoore about 1 year ago
This happened to me about 2 yrs ago. It catches you off guard when you receive a spoofed call from Apple Care as you are being bombarded with PW reset requests from your iCloud. Of course, the hacker is really good and answers all the Apple-related questions fluidly. I believe my account data came from the big Ledger hack, so they were targeting crypto holders. iCloud security was so weak back then!
chefandy about 1 year ago
I've been too immersed in university happenings recently. It took me clicking on the link and reading until "password reset feature" to realize that this wasn't some bizarre phishing attack involving Masters of Fine Arts degrees.
type_Ben_struct about 1 year ago
I'm still disappointed by Apple's implementation of security keys. I want to be able to prevent all 2FA methods other than security keys, but it still seems possible in certain flows to authorise a new login with another iOS device, making it vulnerable to this attack.
JohnMakin about 1 year ago
My MFA applications do not work on any other device, even if it's restored from iCloud. However, this would still be incredibly concerning.
rvz about 1 year ago
Yet another reason why phone number verification is the most insecure way to verify users, and it doesn't matter if a company like Apple is using it or your bank using so-called 'Military grade encryption'. The point still stands [4], with countless examples [0] [1] [2] [3].

Unless you want your users to be SIM swapped, there is no reason to use phone numbers for logins, verification and 2FA.

[0] https://news.ycombinator.com/item?id=36133030

[1] https://news.ycombinator.com/item?id=34447883

[2] https://news.ycombinator.com/item?id=27310112

[3] https://news.ycombinator.com/item?id=29254051

[4] https://www.issms2fasecure.com
shuntress about 1 year ago
It still seems wrong to me that we, as a society, have basically accepted this level of crime as just a constant sort of background noise in daily life.
nerdjon about 1 year ago
The lack of rate limiting is surprising, either on the server side or the OS side (or both).

I mean, they already lock my iPhone after too many failed attempts with my passcode, and it gets longer each time; I feel like the lock here should be the same.

A better prompt would also go a long way.
CodeWriter23 about 1 year ago
I think the way the attacker probes whether the victim is using an iPhone is that they spam Messages, using a Beeper-style approach to the Messages servers and interpreting the error codes.
MaxSamuel about 1 year ago
I am posting this review here because I want to be of help to everyone out there who in one or two ways has been scammed by online bitcoin investment platforms, after going through a lot to recover my bitcoin, although many people told me it's impossible. If you've lost your bitcoin as a result of investing in binary options, trading platforms, your account was hacked or other bitcoin-related scams, or lost money to scammers online in whichever way, then you're not alone. I lost $97,950 to skyrockettrade. Being a scam victim myself, I tried several means to recover my funds, all to no avail, till I came across a Cyber Asset Recovery. He literally saved my life; all I lost to these fake investors skyrockettrade was recouped in just a few days (a total of $97,950 USD was recovered). Kindly send a message to the contact below if you've been in such situations and you are seeking to recover your funds
paul_h about 1 year ago
The fatigue part: if you clicked allow, and the hackers called you for the second step, but you responded "I understand you're a hacker and are wanting to steal from me in some way, but I am only going to give you incorrect pin numbers, so please stop with the reset dialogs and update your database not to try it again with me" .. would they stop? /s
woadwarrior01 about 1 year ago
Quite shocking how oblivious a lot of ostensibly tech-savvy people are to the existence of hardware security tokens. Yubikeys have been around for over 15 years now, although Apple only added support for hardware tokens recently.

https://support.apple.com/en-us/HT213154
fennecbutt about 1 year ago
B-but iPhones are secure and are the best, and Apple spends so much money on security to keep us safe and doesn't need any government/EU oversight at all. Proof that Apple's "it's for your own good" has always just been marketing.

(Don't get me wrong, let's go after Google, MS, Sony, et al. too!!!)