Educate yourself. There are a ton of resources available at your fingertips. Sick of people making excuses or being dumb. You don't need to walk to a library anymore or enroll in a university to get information.

People should educate themselves on cars and seek help from more than one person since mechanics can take advantage of innocent people.

We got one! Sorry that your account has been compromised. Maybe you'll learn from your mistake in the future.
My account is fine and has 2FA. I just have empathy for people who aren't power users.
Do you blame poor people for being poor too?
 

What's with the lemon juice attitude? Everybody started somewhere. If you spent your energy and efforts trying to help people rather than patronising them or saying "serves you right", you might find it a rewarding experience.

At the absolute least, you'll help keep people from falling victim to these phishing attempts.
 
Screw that. How else do you expect me to get my daily dose of 'feeling superior'? I mean, c'mon man. I know something someone else doesn't know. Therefore I am better than them. Thus, I can look down on them.:rolleyes:

Seriously though, that's an f'd up attitude expressed by that poster.
 
And who educates those that no longer go to school and think that a phone or tablet is the same as a toaster or TV?
Somewhat it is up to the individual themselves. That concept of personal responsibility that is not in vogue these days. But I think this is a place where the media/govt can play a role. Just like with the public service announcements on television and such there could easily be some PSAs broadcast regularly on media or streamed (with no skip) on youtube, etc.
 

Anytime I don't know something, I google it or ask others to get as much information as possible. I don't do things blindly.

You can't keep people from falling for it because 99% of the time it's too late. The 1% that ask are smart.
 
Fall for what, a site linking to apple.com?
Apple should never include a password reset link in the email, because that's so easy to spoof and phish. They should only send you a password reset link if you requested one through iCloud or the Apple ID site.
 
No sympathy from me for those that fall for email scams. There's way too much information about it to be ignorant. At this point, you're just stupid.

So your parents are stupid. And don't get me started on your grandparents--real idiots. Right?
 
Is it possible to turn on 2FA for your Apple ID that is separate from your iCloud account though?

I'm still using Apple ID for iTunes store purchases and a separate Me.com account which was migrated to iCloud for everything - obviously the iCloud one is the main one and that's on, but I don't see any way to do it for the iTunes account.

Technically they can't wipe anything on the latter, but they could add it to their devices and use all my purchased apps for free.

Also - how do people turn on 2FA if they only have one Apple device, like my 72 year old Mum? I presume it just works with a text message to their mobile phone (which they never use)...

Edit:

It seems if I want to add 2FA to my Apple ID I have to remove my iCloud account and add it as an iCloud account first, then set it up, then remove it, then re-add my original iCloud account. Bit of a pain to say the least - there should be an option to set it up in the iTunes and App Store tab.
 
Why? I have 2 step on

2FA will not save you from a man-in-the-middle attack. Practically nothing will, really. If I were to put up a fake website and pipe your username and password into another window, I can simulate a 2FA prompt on your devices, which you'll enter in the fake website and I'll also receive it.

This is why we have the "certificate authority" that ships with browsers, that theoretically guarantees that when you visit a website, it's legitimately that website due to the certs matching with what you actually see. Of course it's pretty damn easy to get any cert and call yourself "trusted", especially if you don't pay attention to the URL bar...
 
2 stage authentication has been suggested by many, but I have a question.

If one has a family computer - picture an iMac in a home office that many people use. How would 2 stage authentication work? I assume just one mobile device would get the code - which could be a problem if that person wasn't home. How often would the code be needed?

The code is only needed when you first add iCloud to that account, so it's not really a problem (you can add multiple phone numbers too if you need)

It just means whenever you try to add that iCloud account to another Mac or iOS device you have to verify it from a phone number or other device first to ensure it's you and not someone with your password. It's a one time thing.
 

How are my parents stupid? Now you're just assuming. Just because yours might be, doesn't mean mine are.

My dad knows computers, he's not gonna fall for that stuff. My mom asks my dad or me when she is unsure about something, which can get annoying but it is what it is. She knows better than to go around clicking links from an Egyptian prince.

My grandparents don't use computers.
 

The 2FA prompt is embedded in iOS and macOS though; it's not on a webpage, and no one can spoof it yet unless they can get into the OS's kernel, which they haven't.

I suppose what you're suggesting is that someone would be phishing live? They'd have a fake 2FA box appear in the browser? So when they try and log in on their end with your stolen user and password, causing the request to appear on your phone, they'd simulate the request box from the AppleID page, take the number and enter it into their device?

It's possible, but phishing isn't usually done one at a time and live, and they'd have to do it live as that code is only valid briefly and only when the user presses done, so you couldn't collect them. I guess this would be more likely to happen if someone was targeting a high profile victim or someone they really wanted to get, rather than phishers on the dark web mass collecting passwords.

Again it's a case of just being careful you're visiting a real website when you're typing in this information and the ONLY website on the internet which asks for the 2FA confirmation code is the Apple ID one.
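The advice in this thread boils down to checking that a link really points at the site it claims to before typing anything. Here is an added example (not from any poster) of doing that check programmatically for links found in an e-mail: it rejects the tricks phishing mail relies on (a trusted name buried in a subdomain, a user-info `@` prefix, the name appearing only in the path, plain http with no certificate behind it). The trusted-domain list and the sample message are constructed for the demo.

```python
import re
from urllib.parse import urlsplit

# Assumption for the demo: the only hosts a genuine Apple ID link may use.
TRUSTED_DOMAINS = ("apple.com", "icloud.com")

# Pull http(s) URLs out of free text; stops at whitespace and quote/angle characters.
URL_RE = re.compile(r"https?://[^\s<>\"']+")


def link_is_genuine(url, trusted=TRUSTED_DOMAINS):
    """True only if the link's real host is a trusted domain reached over HTTPS.

    urlsplit().hostname already strips 'user:pass@', the port and case, so
    'https://appleid.apple.com@evil.example/' yields host 'evil.example'.
    """
    parts = urlsplit(url.strip())
    if parts.scheme.lower() != "https":      # no certificate to vouch for an http link
        return False
    host = (parts.hostname or "").rstrip(".")
    if not host:
        return False
    # Match on a label boundary: 'apple.com' or '<sub>.apple.com', never
    # 'apple.com.verify-account.example' or 'notapple.com'.
    return any(host == d or host.endswith("." + d) for d in trusted)


def suspicious_links(email_body, trusted=TRUSTED_DOMAINS):
    """Return every URL in the text that fails link_is_genuine, in order of appearance."""
    return [u for u in URL_RE.findall(email_body) if not link_is_genuine(u, trusted)]


# Constructed sample message for the demo (not a real phishing mail).
SAMPLE_MAIL = """Your Apple ID was used to sign in from a new device.
If this wasn't you, reset your password at
https://appleid.apple.com.verify-account.example/reset
Manage your account: https://appleid.apple.com/
Support: http://support.apple.com/
"""

if __name__ == "__main__":
    for u in suspicious_links(SAMPLE_MAIL):
        print("suspicious:", u)
```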
 

I think part of the problem is that people think that the internet IS different. People who might be fully aware of how scammers/con artists work in the 'real' world completely let down their guard in the online world. People who are properly suspicious about a phone call may totally fall for an email or web page. "If it's on the Internet, it must be true."

The tools and techniques of the "confidence game" are as old as language itself. One of the key methods for gaining the confidence of others is to have a little bit of information about the target. "Your Uncle Bob told me you might be interested..."

There's a brisk trade in this sort of info. A few may legitimately hack (it is a specialized skill), obtaining info they can sell to garden-variety con artists. As others have noted, the entire "Turkish Crime Family" can be a con job. They have enough bits of information to maintain the "mark's" interest. The price they're asking may indicate how little they paid for the info they have.

Two-factor authentication allows for more than one "trusted device," and while it reduces security, having more than one trusted device is a huge convenience - if someone loses the use of their only trusted device, resetting passwords, setting up new devices, etc. can be quite challenging.

The code is only needed when setting up a "new" piece of gear or a service login (eg. signing back into iTunes or iCloud after signing out - once signed into iTunes, requests for the password for purchases do not require the two-factor code). The trick is that "new" can be an existing bit of gear that had to be erased/reset, or logging back into a signed-out account.
 
People should just take 5 minutes to change their password or enable 2FA on their accounts. I did because it's better to be safe than sorry.

Apple denying this problem is going to hurt its image, but then again they already have. Apple could care less if they compromised your password. It's up to the user to solve this problem.
 

So what I can do is that if I'm hosting the fake website, I can sit at the other end and see you entering your credentials in real time.

I'll input the same on my end, and it will trigger the 2FA prompt on your devices. In the meantime, I'll make my fake website look like it's requesting that you enter in the 2FA. If you enter that as well, I'll also have the 2FA and I can use it on my end, which completes the chain.

I am aware that Apple also shows the geolocation of the request, which is a good mitigation of this attack, but it's still not foolproof.
As a layman's explanation, a man-in-the-middle attack is basically like some form of shapeshifting alien. If you trust appearances completely and don't verify the identity, by shapeshifting into someone you trust I can steal practically any kind of private information as long as I can maintain appearances of being the real thing. So in this case, I would "shapeshift" into your trusted secretary, and would pretend to enter things on your behalf, and prompt you for the 2FA password when it appears on your device.
 
You can request and select to send code to any other trusted device.
 

Yeah, there is the location too as you say - but as I pointed out this requires a live phishing attack which I've never come across (and certainly isn't in the mass mailed out fake e-mails) to capture it. It wouldn't be worth a hacker's resources or time unless they were specifically trying to hack someone in particular. They usually want to collect thousands of logins for sale, not just a few - and furthermore that attack wouldn't really be much use except they could bribe ONE user that they will wipe their devices. Think, they'd have to have an Apple device for every person they wanted to hack; it's not practical because they can only log in to one 2FA account at a time. They can't sell that access unless they sell the device that is logged in.
 
Unless they've got a Note 7, it's unlikely they'll think of their phone as a toaster!

There's only so much that can be done. Of course it would be nice if Apple had a few more tips in iOS 11 for those less informed about how to stay safe online. But otherwise I think Apple are doing a really good job with encryption, two-factor authentication, iCloud keychain, etc.
Not Apple's responsibility to cyber educate. If you are using any type of computing device, you should already have a basic understanding of Internet safety. Computers and the Internet have been around for a minimum of 30 years.
 