Protect against iPhone password reset attacks: How-to

Share via:


One of the latest attacks on iPhone sees malicious parties abuse the Apple ID password reset system to inundate users with iOS prompts to take over their accounts. Here’s how you can protect against iPhone password reset attacks (often called “MFA bombing”).

We’ve recently heard about Apple users being targeted with MFA bombing (also called MFA fatigue or push bombing). It’s not a new attack, but it can be a convincing scam as it pushes official iOS password reset prompts to victims.

As detailed by Krebs on Security (via Parth Patel), attackers abusing this vulnerability appear to be doing so through an Apple user’s phone number which can bomb your iPhone and other Apple devices with 100+ MFA (multi-factor authentication) system prompts to reset your Apple ID password.


Update 2:40 pm PT: 9to5Mac has heard from an Apple spokesperson about this issue. The company knows about the few recent cases of these phishing attacks and Apple has taken action to solve the problem.


How to protect against iPhone password reset attacks

  1. Decline, decline, decline
    • Because the reset password requests are a system-level alert, it feels convincing – but make sure to choose “Don’t Allow” for all of them
    • One way attackers wear victims down is by bombing them with hundreds of prompts, sometimes over multiple days – keep choosing “Don’t Allow” and optionally use step 3 below
    • Note: If you see a password reset prompt on the web that may be a different phishing scam, close the page as either button could lead to a malicious link
  2. Don’t answer phone calls – even if caller ID says “Apple Support” or similar
    • Attackers are using call spoofing which can make the incoming number appear as the official Apple Support phone number and they may be able to verify personal information making the scam sound legitimate
    • Next, they try to get a one-time passcode from you to take over your Apple account
    • If in any doubt, decline the call – and call Apple back (800.275.2273 in the US) – call spoofing shouldn’t be able to intercept your outgoing call to the real Apple
    • Apple highlights it will not make outbound calls “unless the customer requests to be contacted” and that you should never share one-time codes with anyone
  3. Temporarily change your phone number associated with your Apple ID
    • If you continue to get the prompts, changing your phone number tied to your Apple ID should stop them
    • However, keep in mind this will interfere with iMessage and FaceTime

More details

Protect against iPhone password reset attacks how to

As noted in Krebs on Security’s article, it appears there is a rate limit problem with the Apple ID password reset system.

What sanely designed authentication system would send dozens of requests for a password change in the span of a few moments, when the first requests haven’t even been acted on by the user? Could this be the result of a bug in Apple’s systems?

Hopefully, Apple is working on a fix so malicious parties can’t abuse this system. But unfortunately, the password reset scam has been highlighted by users for at least two years (likely more).

One recent victim shared that a senior engineer at Apple advised him to turn on the Recovery Key feature for his Apple ID to stop the password reset notifications. However, in further testing, that turned out to not be the case and Krebs on Security verified Apple Recovery Key does not prevent reset password prompts.

Related:

Images by 9to5Mac

FTC: We use income earning auto affiliate links. More.



Source link

Disclaimer

We strive to uphold the highest ethical standards in all of our reporting and coverage. We StartupNews.fyi want to be transparent with our readers about any potential conflicts of interest that may arise in our work. It’s possible that some of the investors we feature may have connections to other businesses, including competitors or companies we write about. However, we want to assure our readers that this will not have any impact on the integrity or impartiality of our reporting. We are committed to delivering accurate, unbiased news and information to our audience, and we will continue to uphold our ethics and principles in all of our work. Thank you for your trust and support.

Popular

More Like this

Protect against iPhone password reset attacks: How-to


One of the latest attacks on iPhone sees malicious parties abuse the Apple ID password reset system to inundate users with iOS prompts to take over their accounts. Here’s how you can protect against iPhone password reset attacks (often called “MFA bombing”).

We’ve recently heard about Apple users being targeted with MFA bombing (also called MFA fatigue or push bombing). It’s not a new attack, but it can be a convincing scam as it pushes official iOS password reset prompts to victims.

As detailed by Krebs on Security (via Parth Patel), attackers abusing this vulnerability appear to be doing so through an Apple user’s phone number which can bomb your iPhone and other Apple devices with 100+ MFA (multi-factor authentication) system prompts to reset your Apple ID password.


Update 2:40 pm PT: 9to5Mac has heard from an Apple spokesperson about this issue. The company knows about the few recent cases of these phishing attacks and Apple has taken action to solve the problem.


How to protect against iPhone password reset attacks

  1. Decline, decline, decline
    • Because the reset password requests are a system-level alert, it feels convincing – but make sure to choose “Don’t Allow” for all of them
    • One way attackers wear victims down is by bombing them with hundreds of prompts, sometimes over multiple days – keep choosing “Don’t Allow” and optionally use step 3 below
    • Note: If you see a password reset prompt on the web that may be a different phishing scam, close the page as either button could lead to a malicious link
  2. Don’t answer phone calls – even if caller ID says “Apple Support” or similar
    • Attackers are using call spoofing which can make the incoming number appear as the official Apple Support phone number and they may be able to verify personal information making the scam sound legitimate
    • Next, they try to get a one-time passcode from you to take over your Apple account
    • If in any doubt, decline the call – and call Apple back (800.275.2273 in the US) – call spoofing shouldn’t be able to intercept your outgoing call to the real Apple
    • Apple highlights it will not make outbound calls “unless the customer requests to be contacted” and that you should never share one-time codes with anyone
  3. Temporarily change your phone number associated with your Apple ID
    • If you continue to get the prompts, changing your phone number tied to your Apple ID should stop them
    • However, keep in mind this will interfere with iMessage and FaceTime

More details

Protect against iPhone password reset attacks how to

As noted in Krebs on Security’s article, it appears there is a rate limit problem with the Apple ID password reset system.

What sanely designed authentication system would send dozens of requests for a password change in the span of a few moments, when the first requests haven’t even been acted on by the user? Could this be the result of a bug in Apple’s systems?

Hopefully, Apple is working on a fix so malicious parties can’t abuse this system. But unfortunately, the password reset scam has been highlighted by users for at least two years (likely more).

One recent victim shared that a senior engineer at Apple advised him to turn on the Recovery Key feature for his Apple ID to stop the password reset notifications. However, in further testing, that turned out to not be the case and Krebs on Security verified Apple Recovery Key does not prevent reset password prompts.

Related:

Images by 9to5Mac

FTC: We use income earning auto affiliate links. More.



Source link

Disclaimer

We strive to uphold the highest ethical standards in all of our reporting and coverage. We StartupNews.fyi want to be transparent with our readers about any potential conflicts of interest that may arise in our work. It’s possible that some of the investors we feature may have connections to other businesses, including competitors or companies we write about. However, we want to assure our readers that this will not have any impact on the integrity or impartiality of our reporting. We are committed to delivering accurate, unbiased news and information to our audience, and we will continue to uphold our ethics and principles in all of our work. Thank you for your trust and support.

Website Upgradation is going on for any glitch kindly connect at office@startupnews.fyi

More like this

Amazon India Shifts Base In Bengaluru In Cost Cutting...

SUMMARY Ecommerce giant Amazon India is shifting its home...

Oyo founder seeks new investment at $3.8 billion valuation

Oyo founder Ritesh Agarwal’s investment vehicle has proposed...

Solana-based DApps rake in record fees as memecoin frenzy...

Five of the top 10 crypto protocols by...

Popular

Upcoming Events

Startup Information that matters. Get in your inbox Daily!