Criminals recently exploited Apple’s lack of two-step verification (2SV) for the “Find My Phone” feature, a move which nearly cost a student his digital life.
Kapil Haresh Vigneswaren, a computer science graduate student at the University of Waterloo, explains in a blog post that the trouble started on 24 July while he was building a particularly geeky incidence matrix on a whiteboard:
“Everything seemed fine, until a rather odd sound started playing on my iPhone. I was pretty sure it was on silent, but I was quite surprised to see that it said ‘Find My iPhone Alert’ on the lock screen. That was odd.
[A minute later,] my iPhone’s lock screen changes. The screen dims, with the following message, ‘Hey why did you lock my iPhone haha. Call me at (123) 456–7890.’”
Kapil quickly sprang into action to take both his iPhone and his Mac offline before the attacker, who had enabled Lost Mode on the student’s Apple ID, successfully wiped both devices clean.
Fortunately, he was able to take his devices offline just in time. When he logged back into iCloud, he saw a pending erase request for his Mac.
Some additional poking around led Kapil to identify how the attack had occurred.
First, he noticed Apple does not spot when a login comes from an unexpected part of the world. While he normally logs into his account from a Mac based in Canada, he saw the attacker had logged in from an IP based in Ireland on a Windows machine.
This should have raised a red flag for Apple, the student believes:
“Ideally, at this point, it would have been reasonable to check if this was a legitimate login — for example, using one of the secondary accounts nominated in the Apple ID.”
Second, while Apple does allow the use of 2SV on iCloud, it does not do the same for Find My Phone. If there had been another login step, such as a secret security question, the student believes the attacker would not have been able to get so close to wiping his devices.
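As an added illustration (not code from the article, the student's post or Apple), here is how a risk engine might implement the two checks the student suggests: flagging a login from an unfamiliar country or device type, and demanding a second factor before a destructive Find My action such as Lost Mode or remote erase, even when the password login itself was not challenged. The account name, the session history and the action names are constructed.

```python
# Constructed sample login history per account (not from the article):
# the legitimate owner's past sessions, as a risk engine would keep them.
KNOWN_SESSIONS = {
    "owner@example.invalid": [
        {"country": "CA", "os": "macOS"},
        {"country": "CA", "os": "iOS"},
    ],
}

# Actions that can lock the owner out or destroy data. These should always
# require a second factor, regardless of how the login itself scored.
HIGH_RISK_ACTIONS = {"enable_lost_mode", "remote_erase"}


def login_risk(account, country, os_name):
    """Return the set of risk signals for a login, compared to known sessions."""
    history = KNOWN_SESSIONS.get(account, [])
    signals = set()
    if not any(s["country"] == country for s in history):
        signals.add("new_country")       # e.g. IE where only CA was seen
    if not any(s["os"] == os_name for s in history):
        signals.add("new_device_type")   # e.g. Windows where only Apple OSes were seen
    return signals


def decide(account, country, os_name, action, second_factor_ok=False):
    """Decide 'allow', 'challenge' or 'deny' for an action in a session.

    A login that raises any risk signal is challenged (step-up via a second
    factor or a nominated secondary account); a high-risk action is challenged
    unconditionally; an unknown account is denied outright.
    """
    if account not in KNOWN_SESSIONS:
        return "deny"
    signals = login_risk(account, country, os_name)
    needs_step_up = bool(signals) or action in HIGH_RISK_ACTIONS
    if not needs_step_up:
        return "allow"
    return "allow" if second_factor_ok else "challenge"


if __name__ == "__main__":
    # Familiar device, harmless action: no friction.
    print(decide("owner@example.invalid", "CA", "macOS", "view_devices"))
    # Unfamiliar country and OS asking to erase a device: step-up required.
    print(decide("owner@example.invalid", "IE", "Windows", "remote_erase"))
```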
A demonstration of that vulnerability is presented in a YouTube video.
Kapil is still happy with Apple’s security features, but he does feel Apple should look into those shortcomings sooner rather than later.
He also has a message for the hacker who almost ruined his digital life:
“To the hackers — please get English classes. That was quite a pathetic Lost Mode message. Not as bad as the Oleg Pliss attack message in 2014, though interestingly, that attack could have been prevented as well if there was a second factor of authentication for Lost Mode, as the 2FA that everyone suggested to turn on doesn’t protect Find My iPhone as seen here.”
Users should protect their Apple IDs as well as all of their web accounts with a strong password and with 2SV, if and when available.
This story emphasizes the importance of 2SV. Good.
BUT all the 2SV I've seen uses a mobile. If, like me (and many others who live in rural areas), you can't get a mobile signal in your home, that just isn't practical. If I wanted to use 2SV it would mean every time I logged in I would need to go across the road and spend some time finding the little patch of signal to get my code. How real is that?
Is there no alternative?
Two Factor Authentication (2FA) is better, if supported/implemented.
2SV 'in my opinion' can be intercepted, i.e. email, SMS, voice call, etc… They're better than nothing, but a keen hacker can thwart these; email accounts can be hacked, mobile numbers ported with little verification from the telcos, voice calls diverted, etc…
True 2FA is something on you that doesn't traverse over any medium; they work offline, but are tethered to your account, i.e. Google Authenticator, Yubi keys, RSA/Vasco tokens/apps, etc…
Once released to the wild, these 'tokens' cannot be duplicated and require a hacker to have limited physical access to utilise.
In any case, if someone wants in, they'll attempt every exploit, tactic and trick to get their pound of flesh. 2FA just makes it way more difficult for them.
There are authentication apps that generate codes in place of SMS, and most accounts will have an option for ten alternate codes, pre-generated from the account page when you initiated 2SV. Those codes you keep in your wallet or purse. You can get those codes at any time too.
Apple's 2SV is so confusing I turned it off. For example, when updating an OS across multiple devices, the first login on an OS X machine will bring up multiple, repetitive logins for the App Store, iTunes, iCloud, etc. These are impossible to postpone. Add in 2SV and you get caught in loops of what step you are on. Apple also has a penchant for using "ordinary" words in a flexible manner, so a password could be a PIN or a username for all I know. Then add in the use of app names like "Photos" and "Mail" and it becomes a very confusing space in which to manage passwords.