He could send them an email gently reminding them to change passwords every now and then.

My bank has a "feature" which annoys the hell out of me, because it is not well thought out.

You log in, but it doesn't make a distinction between upper and lower case; one does get a picture
to verify that it is the account you want to log into.

Every 6 months one MUST change the password. If somebody forgets, the account becomes inaccessible.
Then one has to call the bank, they reset things and the "feature" starts over.

Only problem is that after they reset I can use my old password again.

Imagine the outcry if Apple automatically blocked all access after 6 months w/o a password change.
 
This actually happened to me a few months ago. I (stupidly) had used the same password on a variety of different sites. It was secure, but one of the sites was breached a while back and I didn't change them. I woke up to a message that said my iPhone was locked. Fortunately I was able to reset my Apple ID password because of the personal questions, but they locked my computer, iPad, and iPhone. They also took over several other sites that used the same username and password combination and I had to get those back. Point is, before it happens to you, start using a password database. I use Dashlane now.
 
Well this convinced me it's time for me to set up two factor authentication finally.

So I go into my Apple account page and it immediately prompts me to change my password since it's been a while since I changed it. OK, so I change it. Then I go to set up two-factor authentication and it says "sorry, you have to wait three days after changing your password."

Gee, thanks. Grrr....

Understand the frustration, but it's for your safety, to prevent the very thing you are trying to prevent.
 
Phrases, people, phrases. It's really easy, just say iCloud.comIsThe1ToRuleThemAll and outlook.comIsThe1ToRuleThemAll (bonus points if you add spaces, no one said you couldn't).

You do stuff like this, and you aren't reusing your password, the password is easy to remember, and a hacker is going to have a great time trying to break your password. Yes it takes a bit of time, but that's what keychain and similar programs are for.
 
The Macrumors summary says the problems were 1) people used same passwords on other sites and those sites got hacked (not Apple's fault if other sites get hacked), and 2) phishing scams. For phishing scams, I think Apple can do better. Most are sms messages or imessages with a web link to a fake Apple site from people not in your address book. Apple should make it hard to launch links from unknown people by displaying "are you sure" prompt or something.
 
Aren't you notified if someone tries to change your iCloud password? If they don't actually change your iCloud password, then can't you just go to Find My iPhone and unlock it yourself?

What am I missing?
 
Apple has on file all the data like MAC addresses etc. for each device owned by the user. A simple start: no access to the AppleId from any device except those registered. Like two-factor without all the hassles. Then add additional layers for other access if needed. Not perfect, but maybe a good place to start.
 
For the hacker to do anything such as lock your device, the hacker would need physical access to an approved device first before initiating a lock.
Correct me here, but can't Find My iPhone only ever use password (one factor) authentication? They can't very well ask you to receive a text or notification on a phone that you can't find / lost or was stolen.

Or am I missing something?

With your recovery key you could reset your password to recover your account, however, the phone would remain locked. Or can you unlock the phone with your account password? I've never had to lock my phone before.
 
I could see this happening a lot more to Androids but an iPhone ransom is a good idea
 
He could send them an email gently reminding them to change passwords every now and then.

Great, so some idiot changes their password from Password1 to Password2, thus believing that they're doing the 'right thing', but doesn't actually fix anything. The real solution is to actually punish idiots whose accounts are hacked because of moronic passwords - $500 fine, and then you'd suddenly start to see people take choosing a password seriously. Oh, and to people who keep saying, "OMG! I have so many passwords to remember" - so you have enough memory capacity to remember inane crap about celebrity gossip or some sports trivia, but something incredibly important like your own security becomes a little too much? Really?
 
If your AppleID is breached, wouldn't the way Apple implements 2-step authentication be an issue too? Wouldn't iMessage, which is used for receiving the code, also be vulnerable? After all, they are part of the same ecosystem.

Just curious. I use it myself but it seems like an authenticator code would be more secure. I believe Apple has 2-step verification only, not 2-factor.

http://www.howtogeek.com/212219/here’s-how-an-attacker-can-bypass-your-two-factor-authentication/

Apple is 2 factor.

iMessage is end-to-end secure, unlike SMS, which is easily spoofed at the source and, due to lax phone company policies, easily spoofed at the client side as well.

If you enable 2FA on your AppleID, you must know the password, and a code sent by iMessage to the TRUSTED device you nominate for that message. You have to pick one device as trusted when you set up 2FA, and you can then use THAT trusted device to authorise other trusted devices. Not all of your devices need to be trusted.

It is just as secure as external authentication tokens IF:

- you are sending the one time code to iOS devices, AND
- you haven't jailbroken those devices, AND
- you are using iMessage to send the code

If you send the code as an SMS, you are increasing your risk.
 
That second one about security questions is really bothersome to me... it seems 3/4 of the time when you select questions from a preset list that they are normally questions that would be easy for someone to dig up info on if they wanted to badly enough.

I generate 32+ character passwords as answers to any security question. The first time I have to provide one of those to a phone support tech they will hate me :p
 
Just use different passwords for all your accounts. But I share and recycle passwords between PayPal, eBay, Gmail and so forth... laziness is costly, I suppose.


It would help, but 1) people don't use password managers, and 2) they would use the same password.

e.g. why would you use a password manager to store the same insecure password for all sites? Apart from syncing, you already know it, thus no reason for one. I'd be blaming the password manager itself for lack of security. A good password manager forces the user to have different passwords on all sites... No exceptions to this rule. And any 2 passwords the same is not OK.

But to remember passwords gets the better of all of us at one stage. All of this can be avoided.

I generate 32+ character passwords as answers to any security question. The first time I have to provide one of those to a phone support tech they will hate me :p

Well... I for one would even call 'knowing' security answers insecure...

Maybe it's a second line of defense for forgetting stuff, but for me, there is never a second line... If there is, then there also is one for others too who get access to your account...

Only 1 way in, and one way out :) That's how I play my game..
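The reuse rule argued above (no two accounts sharing a password, and a "Password1" to "Password2" change fixing nothing) can be audited mechanically. The script below is an added example, not code from this thread or from any password manager; the vault and site names are constructed sample data.

```python
import re
from collections import defaultdict

# Constructed sample vault (site -> password); not real credentials.
SAMPLE_VAULT = {
    "paypal.example": "Password1",
    "ebay.example": "Password1",
    "mail.example": "Password2",
    "bank.example": "correct horse battery staple",
    "forum.example": "xK9#vq!Lr2$mT",
}


def stem(password):
    """Collapse case and a trailing counter so Password1/password2 share a stem."""
    return re.sub(r"\d+$", "", password).lower()


def find_reuse(vault):
    """Return {password: [sites]} for passwords used verbatim on more than one site."""
    by_password = defaultdict(list)
    for site, password in vault.items():
        by_password[password].append(site)
    return {pw: sorted(sites) for pw, sites in by_password.items() if len(sites) > 1}


def find_variants(vault):
    """Return {stem: [sites]} where several distinct passwords differ only by
    case or a trailing number, i.e. rotations that do not really change anything."""
    by_stem = defaultdict(list)
    for site, password in vault.items():
        by_stem[stem(password)].append((site, password))
    result = {}
    for key, entries in by_stem.items():
        distinct = {password for _, password in entries}
        if len(distinct) > 1:
            result[key] = sorted(site for site, _ in entries)
    return result


if __name__ == "__main__":
    for pw, sites in find_reuse(SAMPLE_VAULT).items():
        print(f"reused on {len(sites)} sites: {', '.join(sites)}")
    for key, sites in find_variants(SAMPLE_VAULT).items():
        print(f"trivial variants of one password on: {', '.join(sites)}")
```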
 