Write down your backup codes? ¯\_(ツ)_/¯
That’s for Two Step Verification, not Two Factor Verification

https://support.apple.com/en-us/HT204152

To those saying 'require find my iphone to use 2FA' - how exactly are you going to authorize the iCloud login if you can't find your device...

You can have more than one trusted device. It is shame that Apple didn’t disable this hole for people with multiple registered devices, or, let them disable this feature. There are also other ways to get codes.

https://support.apple.com/en-us/HT204915
 
This is why I have absolutely no sympathy for those affected. If you use the same password for multiple sites and do not understand even the basics of security then you deserve to get hacked. This is also why I do not put my Apple ID anywhere on any website and the only people other than myself who know what it is is Apple.
It is also why I use the most complex lengthy password possible and never use the same password twice anywhere.
As well as using different email addresses for sites and services.

Are you recommending getting a new email address specifically to use with iCloud...?
 
Apple's 2 Factor authentication is awful. Apple is generally good at UI, but they screwed up with this one. I like how Microsoft implemented this: just a simple app, and I can approve the device in the app on my phone, I can even authorize the device on the lock screen, and I get a notification when I log into the web from another device.
 
Maybe it's time to implement 3d face thing to bypass the lock for icloud.....

Come to think of it...yes!! If we can verify our face from home (iPhone X or iMacs with camera or MBP with cam...and hopefully Mac Pro) Apple should implement the facial recognition to bypass it!!
 
Well now I'm just confused...

So 2FA is when you use something like a text code and 2SV is when you get the popup on your iPhone or other Apple device?
You have that backwards. Two step verification is the older version. 2FA brings up the pop-up with a map, gives you the button to trust, then gives you the 6-digit code.

2 Factor is the newer standard.
 
For me, the fundamental problem is that iCloud is shared with your iTunes identity and your Apple ID. Many of us first set up iTunes or Apple IDs long, long ago. I use iCloud family sharing and have 7 devices there. I can't set up a complex random password for iCloud, because that is shared for iTunes too, and you end up having to type that password at times, when you can't really use a password manager. Like last night upgrading to 11, I got the system message to enter my iTunes password repeatedly on my phone and only with great persistence was able to get by that message to even use the phone (which may have taken 20+ attempts to dismiss and skip that log in).

Apple now requires app specific passwords for iMessage and other stuff, but doesn't allow that for iCloud, unless I am missing that. So using the same password to buy a movie on Apple TV or a song in iTunes as the password required to lock out a MacBook Pro or iPhone seems like a really bad idea (but I can't avoid that right now).
 
I would simply update my password to something MEGA complex, that isn’t used with another service you use or have access to. While I doubt mine was part of any leak, I took the precaution to update my Password when I saw this article.


Then..

Wait for Apple to produce a fix for this (quite bad) loophole.

What I just did.

Something that happened yesterday with the iOS 11 roll-out, and maybe a remote chance of why this has happened to users (betting more on phishing or some breach w/password re-use): updated the phone to v11 and got a message along the lines of "your iCloud password has been changed to device's password".

WTF?! My iPhone's password is fairly complicated, but easy to remember vs. iCloud was a random, long, password not used anywhere else. So, went in just now to change the iCloud/AppleID password to a new, even longer, random password (iCloud came back with message about re-using a previous password [tried to set to pre-v11 value]).

Two steps forward, one step back with Apple and 2FV/2FA/making everything one password (eg. when they temporarily allowed one to use their AppleID as their sign-in method on Macs, kinda similar bad things with that like we see today).
 
Well now I'm just confused...

So 2FA is when you use something like a text code and 2SV is when you get the popup on your iPhone or other Apple device?
You got them switched. 2FA gets the popup on your Apple devices; 2SV gets the text code.
 
I don't know if this is a coincidence or not but I got a phishing email this morning. The content of the email was as follows:

Dear Client,

Your
7Apple3ID8(********@*****.***)9was6used9to9sign7in4to3iCloud1via1a3web4browser.

Date
6and4Time:9Wed , 20/09/2017 ,76:415PM32 49
Browser:1Safari
Operating1System:7Windows4NT210

If9the3information8above1looks3familiar,9you5can4disregard4this6email.

If2you9have9not7signed1in7to6iCloud9recently9and8believe8someone4may7have8accessed9your9account.4You4must5change1your2password5and4change7your8apple1data4account,6If1you7do5not6change6it9then2the6Apple2ID2team5must5forcibly9close6your3account.

It was from this address:

applesupportiBgPeYAxSkozwNimpNtB@iBgPeYAxSkozwNimpNtB dot sendgrid dot com

I've flagged and reported this to my email provider. I obviously didn't click on the link to change my password.
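Detection heuristics run over the message quoted in the post above, as an added example that is not part of the original thread: it undoes the digit-between-words obfuscation (each wedged digit stands where a space should be), checks the sender domain against an allow-list, and looks for pressure language. The function names, `TRUSTED_DOMAINS`, `URGENCY` and the digit threshold are assumptions, not anything Apple or MacRumors publishes.

```python
import re

# Constructed sample: the phishing message quoted in the post above, with the
# digits the sender wedged between words left exactly as they were received.
SAMPLE_BODY = """Dear Client,
Your
7Apple3ID8(********@*****.***)9was6used9to9sign7in4to3iCloud1via1a3web4browser.
Date
6and4Time:9Wed , 20/09/2017 ,76:415PM32 49
Browser:1Safari
Operating1System:7Windows4NT210
If9the3information8above1looks3familiar,9you5can4disregard4this6email.
If2you9have9not7signed1in7to6iCloud9recently9and8believe8someone4may7have8accessed9your9account.4You4must5change1your2password5and4change7your8apple1data4account,6If1you7do5not6change6it9then2the6Apple2ID2team5must5forcibly9close6your3account."""
SAMPLE_SENDER = "applesupportiBgPeYAxSkozwNimpNtB@iBgPeYAxSkozwNimpNtB.sendgrid.com"

# Assumed allow-list of domains Apple account mail is expected to come from.
TRUSTED_DOMAINS = {"apple.com", "email.apple.com", "id.apple.com"}
# Pressure phrases typical of credential phishing (assumed list).
URGENCY = ("must change your password", "forcibly close", "close your account")

# A single digit between a word (or trailing punctuation) and the next word:
# the sender replaced a space with a digit styled to be invisible.
WEDGED = re.compile(r"(?<=[A-Za-z.,:)])\d(?=[A-Za-z(])")

def strip_wedged_digits(text: str) -> str:
    """Undo the obfuscation so keyword checks see the real words."""
    return WEDGED.sub(" ", text)

def count_wedged_digits(text: str) -> int:
    return len(WEDGED.findall(text))

def sender_domain(addr: str) -> str:
    return addr.rsplit("@", 1)[-1].lower()

def domain_is_trusted(domain: str, trusted: set = TRUSTED_DOMAINS) -> bool:
    """Exact match or a subdomain of a trusted domain; lookalikes fail."""
    return any(domain == t or domain.endswith("." + t) for t in trusted)

def assess(body: str, sender: str, digit_threshold: int = 5) -> dict:
    clean = strip_wedged_digits(body)
    findings = []
    n = count_wedged_digits(body)
    if n >= digit_threshold:
        findings.append(f"{n} digits wedged between words (filter-evasion trick)")
    dom = sender_domain(sender)
    if not domain_is_trusted(dom):
        findings.append(f"sender domain {dom} is not a trusted Apple domain")
    hits = [p for p in URGENCY if p in clean.lower()]
    if hits:
        findings.append("pressure language: " + ", ".join(hits))
    return {"clean_text": clean, "findings": findings,
            "verdict": "suspicious" if findings else "ok"}

if __name__ == "__main__":
    for finding in assess(SAMPLE_BODY, SAMPLE_SENDER)["findings"]:
        print("-", finding)
```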
 
Just this past Saturday, my (four-year college graduate) sister sent me these two pictures asking if this was a legit email from Apple. VERY OBVIOUSLY it was a phishing email, but it’s surprising how many people can’t figure it out.
 
Thanks for the heads up! This is super useful to know.

My main Apple ID is protected with a very strong password, but my alternate account (used for iTunes) is not, because I'm constantly having to type the password in to purchase stuff.

But I guess thanks to family sharing, they are connected, and you can use the alternate account on Find My iPhone to lock or erase my devices on my main account.

I had assumed 2-factor authentication would protect me somewhat from a weak password, but apparently not. Changed it now. Thanks.
 
The problem I've seen is that changing the iCloud password causes so many problems, it's painful to do it.

This is true. It signs out of iMessage, FaceTime, on all devices, so even signing back in on one device you have to go and re-enable all the other services again on your other devices. It's a huge hassle.
 
2FA is no longer secure. Do not use your phone number as 2FA, use something else, like a 2 Step Authentication service like Google's Authenticator or LastPass, etc.

I've read your post three times and I'm not sure what you're trying to say. It almost sounds like you think 2FA is an Apple product or something. And yes, 2FA is most definitely still secure, but this isn't a 2FA issue—at least based on what I've read. It sounds like people who use the same user ID and password across multiple sites are the ones who are vulnerable.
 
From the article:

As far as I know the passcode that Find My Mac sets is a Firmware Password. This is in addition to any Firmware Password you've explicitly set on the Mac (as in, if you've set one, Find My Mac can still set its own temporary one). Firmware Passwords cannot be removed without knowing them, except by using special hardware that Apple Support has, so by going to a Genius. They will ask you for proof of purchase. Erasing a Mac, and restoring from a backup, will not remove the Firmware Password. This is in the very nature of the kind of security Firmware Passwords are meant to be. Older Macs, I think 2011 and below, could get the Firmware Password wiped by doing a NVRAM reset, or SMC reset, or something. But all newer Macs require the special hardware to remove the Firmware Password.

I'm sorry for any confusion about this. I've updated my post to remove that bit of info and to suggest anyone affected get in contact with Apple support.
 
Apple inspires low trust anyways. It's how you hold it.
 