this news helps phishing!

This news is terrible. I am now getting fake phishing emails claiming to be suspicious iCloud sign-in warnings. Forwarded them to spoof@...
 
What's the email address for these alerts? I received one but it was unlike any email from Apple I'd received. Reading this post, the email wasn't too dissimilar. I wish Apple would be more clear with not only security protocols regarding iCloud, but with the service itself to customers who sign up when they purchase a device or Mac.

Way back in the day, when I was a wee lad, selling .Mac's with system purchases I would spend 15-20 minutes with clients on setting it up and explaining all the services. I feel as though since it's free, there aren't enough [educated] floor specialists taking the time. While waiting in line this summer, I helped a customer who just purchased a 5S, no one told her she should create a current iCloud backup to restore before switching devices, losing her a lot of current info. She didn't even know she had backups! I spent an hour with her as no one was able or wanted to assist her, and that's bad service.

Better retail customer service for iCloud accounts would lead to fewer people coming to the bar for help and less crowding. My mother and her friends (in their late 60's and 70's) understand how it works once they are walked through it. Most don't and some use non-iCloud accounts, which means they don't get the full services offered. It's a mess but it's primarily a mess because retail first responders aren't addressing it as it's a free service and not counted towards their sales UPT's and bottom line.
 
Hmmm

Apple should place access from new devices on a 24 hour delay unless the email is acknowledged. That way you can stop people from stealing your data instead of reacting after the fact.

Not quite sure I personally would like that. I often save iWork documents in iCloud, and access them through my school's computer for printing, and if I constantly had to accept the school's computer that'd be an incredibly great hassle. You already have two-step verification to basically do what you want.
 
What's the email address for these alerts? I received one but it was unlike any email from Apple I'd received. Reading this post, the email wasn't too dissimilar. I wish Apple would be more clear with not only security protocols regarding iCloud, but with the service itself to customers who sign up when they purchase a device or Mac.

Way back in the day, when I was a wee lad, selling .Mac's with system purchases I would spend 15-20 minutes with clients on setting it up and explaining all the services. I feel as though since it's free, there aren't enough [educated] floor specialists taking the time. While waiting in line this summer, I helped a customer who just purchased a 5S, no one told her she should create a current iCloud backup to restore before switching devices, losing her a lot of current info. She didn't even know she had backups! I spent an hour with her as no one was able or wanted to assist her, and that's bad service.

Better retail customer service for iCloud accounts would lead to fewer people coming to the bar for help and less crowding. My mother and her friends (in their late 60's and 70's) understand how it works once they are walked through it. Most don't and some use non-iCloud accounts, which means they don't get the full services offered. It's a mess but it's primarily a mess because retail first responders aren't addressing it as it's a free service and not counted towards their sales UPT's and bottom line.

Once helped a woman who got a fake "please update your Apple ID info" phishing email. The link was to a website that looked a lot like appleid.apple.com. Both the site and email were pretty good fakes.

So I opened the link. It had a login form and when you "logged in" it asked for EVERYTHING: Address, Social Security, phone numbers, credit card numbers, Bank Account info -- including bank login, account and routing numbers (!) -- everything.

I said to her, "You didn't fill this out...right?" She said, "Oh yes, I filled it all out. I thought Apple needed this info." I didn't know whether to laugh or cry. I told her this was all fake, this was a scam and Apple would NEVER ask for this information. I showed her how if you clicked the "From" name in the email, it was actually some weird, definitely non-Apple domain. I showed her that the website address was NOT at apple.com, and that you could put any gibberish in the login fields and it would work. Told her never to click on links in an email and I said "If a stranger on the street walked up to you and said they were from the bank and needed all your account info, would you blindly trust that they were from the bank and give it to them? Of course not."

Of course she freaked out and said she was going to the airport right afterwards to fly to Europe for a month. I told her to call her banks immediately, I helped her change all her passwords right there before she left, I said keep a very close eye on your accounts now and immediately report anything.

The lesson to take away here is that there are a LOT of people like that woman -- seemingly intelligent people that can be totally clueless. That's why security should rely on the user as little as possible. People are dumb and cannot be expected to manage their own security (even though they should). These emails are good, but most people will get hundreds of them (every time they log in) and eventually just ignore them, like they do with the Facebook ones.

I don't have the answer but I hope we'll see more security improvements going forward.
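Added example, not part of the original post: the two manual checks described above (the real address behind the "From" name, and whether a link's host is actually at apple.com) written as a small Python script. The trusted-domain list, the function names and the sample message are assumptions constructed for illustration.

```python
import email
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Assumption: the domains this reader treats as genuinely Apple's.
TRUSTED = ("apple.com", "icloud.com")

def is_trusted_host(host):
    """True only for a trusted domain itself or a real subdomain of it."""
    host = (host or "").lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in TRUSTED)

class LinkCollector(HTMLParser):
    """Collects the href target of every <a> tag, ignoring the visible text."""
    def __init__(self):
        super().__init__()
        self.hrefs = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self.hrefs += [v for k, v in attrs if k == "href" and v]

def inspect_message(raw):
    """Report the sender's real domain and any links that leave the trusted domains."""
    msg = email.message_from_string(raw)
    display, addr = parseaddr(msg.get("From", ""))
    sender_domain = addr.rpartition("@")[2].lower()
    collector = LinkCollector()
    collector.feed(msg.get_payload())
    return {
        "display_name": display,          # what the mail client shows
        "sender_domain": sender_domain,   # what is behind the display name
        "sender_trusted": is_trusted_host(sender_domain),
        "untrusted_links": [u for u in collector.hrefs
                            if not is_trusted_host(urlsplit(u).hostname)],
    }

# Constructed sample message (not a real phishing email).
SAMPLE = """\
From: "Apple Support" <noreply@appleid-update.example>
Subject: Please update your Apple ID info
Content-Type: text/html

<a href="https://appleid.apple.com.verify-login.example/signin">appleid.apple.com</a>
<a href="https://appleid.apple.com/">Manage your Apple ID</a>
"""

if __name__ == "__main__":
    print(inspect_message(SAMPLE))
```

The first link shows why the host has to be matched from the right: it begins with appleid.apple.com but belongs to a different domain. A trusted "From" domain is not proof on its own, since that header can be forged.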
 
Two factor?

As someone has already said, two-factor auth should be enabled for all accounts *by default*. I know, I know, makes things a little more awkward. If done right though, you should be able to say, turn two factor off (for some period) when accessed from a known device.
 
Once helped a woman who got a fake "please update your Apple ID info" phishing email. The link was to a website that looked a lot like appleid.apple.com. Both the site and email were pretty good fakes.

So I opened the link. It had a login form and when you "logged in" it asked for EVERYTHING: Address, Social Security, phone numbers, credit card numbers, Bank Account info -- including bank login, account and routing numbers (!) -- everything.

I said to her, "You didn't fill this out...right?" She said, "Oh yes, I filled it all out. I thought Apple needed this info." I didn't know whether to laugh or cry. I told her this was all fake, this was a scam and Apple would NEVER ask for this information. I showed her how if you clicked the "From" name in the email, it was actually some weird, definitely non-Apple domain. I showed her that the website address was NOT at apple.com, and that you could put any gibberish in the login fields and it would work. Told her never to click on links in an email and I said "If a stranger on the street walked up to you and said they were from the bank and needed all your account info, would you blindly trust that they were from the bank and give it to them? Of course not."

Of course she freaked out and said she was going to the airport right afterwards to fly to Europe for a month. I told her to call her banks immediately, I helped her change all her passwords right there before she left, I said keep a very close eye on your accounts now and immediately report anything.

The lesson to take away here is that there are a LOT of people like that woman -- seemingly intelligent people that can be totally clueless. That's why security should rely on the user as little as possible. People are dumb and cannot be expected to manage their own security (even though they should). These emails are good, but most people will get hundreds of them (every time they log in) and eventually just ignore them, like they do with the Facebook ones.

I don't have the answer but I hope we'll see more security improvements going forward.

Loads, if not most people are technologically challenged especially if they're from a generation where they've had little to no interaction with computers for most of their lives. That hardly makes them "dumb". What's stupidly easy and common sense for you is an entirely foreign concept to someone else. I think some people need to realize that not everyone has spent all their lives tinkering with computers and learning the ins and outs of them. A little patience can be afforded in educating the ignorant.
 
Someone who hacks your iCloud account could simply delete these alert emails via IMAP. I'd much prefer to get a text alert on my iOS devices...
 
I just confirmed this works. I logged into my icloud.com account. Within a few minutes I had the warning e-mail in my icloud mail. I deleted it from the web interface and looked at my phone and there is no evidence of me having received the email.

EDIT: Actually I can look in the Trash for my icloud email on my phone and see it there. But if I had deleted it from the trash in the web interface, it wouldn't show there either.
You would think they would be using a different email address, like the one I believe they have you put in for password recovery purposes or something of that sort, which can't be an iCloud email address, as I recall.
 
If the e-mail associated with your account is your @icloud.com email, wouldn't the unauthorized person have access to this email account via logging into icloud and then they would simply be able to delete the alert email as soon as they log in?

Use the 2 part-authentication. If a new device accesses or a login from an unrecognized system, it requires a code to be sent to your phone in order to continue.
 
Would be better if Apple enforced adding another email to your account or not allow these emails to be deleted by anyone except an authorised user.

It's so obvious that Apple has implemented this as fast as possible to get the media off their backs but haven't clearly thought it through, a lot more needs to be implemented.

Seems that works even in the EU. But you get the email 4-5 minutes after you signed out

Just enough time to download everything.
 
Yep, I just received an e-mail from Apple saying iMessage has been turned off on my phone.
 
This is obviously just a stopgap measure until they are ready to enable 2-factor authentication for icloud.com. It's also finally an acknowledgement that there is a problem ...
 
Use the 2 part-authentication. If a new device accesses or a login from an unrecognized system, it requires a code to be sent to your phone in order to continue.

I have the 2 part authentication. The machine I logged into from the web is one I've used before. I only received the notification e-mail, but didn't get any push notification on my other devices.
 
Email alerts of past login attempts are horrible and provide no benefit.

Worse yet, they can easily be forged.

They should instead get sent via push notification (which I thought Tim Cook said).

But even better they should include a temporary PIN for 2-factor authentication. Sent via email if users' iOS device is not available.

Seriously, what use are these emails if they're sent 15-30 minutes after the hacker has already successfully gained entry?
 
I was thinking the same thing. It's not a security measure to tell the bank they've been robbed, - after the bank is robbed.

This is different. If you act quick enough, you can reset your password to prevent an intruder from accessing/deleting a huge amount of stuff.
 
I was thinking the same thing. It's not a security measure to tell the bank they've been robbed, - after the bank is robbed.
As someone enters the bank, not after that or after they already left.
 
Does it work if you use find my iPhone!

I don't want to lose my iPhone, log in to find it, and alert the person who has got it that I am coming to get my iPhone back again. If they see an alert, they're likely to throw it in the river.
 
This is different. If you act quick enough, you can reset your password to prevent an intruder from accessing/deleting a huge amount of stuff.

As someone enters the bank, not after that or after they already left.

Let me rephrase. It's like getting an email telling you your bank is being robbed, and if you happen to be on your email at the time - maybe you can do something about it.
 
Let me rephrase. It's like getting an email telling you your bank is being robbed, and if you happen to be on your email at the time - maybe you can do something about it.
Various security systems are set up that way too where they notify you that something happened as it happens and it's up to you to take some action. Not a new or that strange of a concept.
 
Just got this mail today, someone logged in through a web browser. Can Apple trace who did it? I really want to know who did it.
 
Be great to hear if an IP address for whoever logged into the account can be obtained? Has anyone tried to get it from Apple?
 