Yeah there is the location too as you say - but as I pointed out this requires a live phishing attack which I've never come across (and certainly isn't in the mass mailed out fake e-mails) to capture it. It wouldn't be worth a hacker's resources or time unless they were specifically trying to hack someone in particular. They usually want to collect thousands of logins for sale, not just a few - and furthermore that attack wouldn't really be much use except they could bribe ONE user that they will wipe their devices. Think, they'd have to have an Apple device for every person they wanted to hack; it's not practical because they can only log in to one 2FA account at a time. They can't sell that access unless they sell that device that is logged in.

They don't need an Apple device - they could just use the 2FA the user enters into the fake website to access their iCloud account.

However, my point is that 2FA doesn't protect against man-in-the-middle attacks. The issue of scale is a different matter, and frankly if you target the right people to phish it could still be worthwhile to hold that person's data ransom.
 
They don't need an Apple device - they could just use the 2FA the user enters into the fake website to access their iCloud account.

The only place you can log in to with 2FA that isn't an Apple device is https://appleid.apple.com/ and that's pointless, you can't wipe a device from there, all you can do is change the password. Which would be no good without access to their e-mail address to click the reset link - and even then all it would do is lock them out not gain you access. You still couldn't wipe it. The only way to wipe is to log in on a Mac or iOS device.
 
Wonder if an email I got this morning is anything to do with this:

From: Apple (email address: neojacks@frankyhazard.com)

Dear Customer,

Your Apple ID (xxxxxxx@xxxxxx) was used to sign in tο iCloud οn an iPhοne 7.

Date and Time: March 24, 2017, 01:53 AM PST
Operating System: iOS 10.0.3

If you have nοt recently signed in tο an iPhοne 7 with your Apple ID and believe sοmeone may have accessed your account, gο tο Apple ID (https://appleid.apple.cοm) and update your information as sοon as possible.

I don't have an iPhone 7 and I am not on iOS 10.0.3

Wonder how many people fall for this :)

Sadly I fear many people will fall for this. Older, less IT savvy people of my parents generation. It's quite cruel .
 
That's not true. I just tried icloud.com, logging in required 2FA, and on icloud.com I can use Find My iPhone to wipe my devices.

Yes you're right, sorry. However what you've described is still a very elaborate and impractical live phishing attack. It certainly doesn't currently exist - and again, even if it did - whilst they don't need an Apple device as you've pointed out, they could still only log in to one account at a time, at best 2-3 with different browsers (though IP address might log the others out regardless) and the login doesn't last long before you need to re-verify, which doesn't happen with an actual Apple device. So they'd need to ransom you straight away and get the money immediately.

Of course a second request of a pin from a registered device before a secure erase could be triggered would totally wipe out that already very very unlikely method.

Again, this isn't the tactic of the usual hackers/phishers. They go for low-hanging fruit they can sell en masse - and as the original person who you replied to said "why, I've got 2FA turned on", he was right; in terms of this leaked data 2FA totally prevents it.
 
2 stage authentication has been suggested by many, but I have a question.

If one has a family computer - picture an iMac in a home office that many people use. How would 2 stage authentication work? I assume just one mobile device would get the code - which could be a problem if that person wasn't home. How often would the code be needed?
When someone on that computer tries to log in to iCloud or an AppleID, you're presented with a list of trusted devices (determined by that user in advance) and you choose on which one the code will appear. Yes, you're out of luck if you don't have one on you. That's the point.

You'll need to enter a fresh code every time you log out and back in again.
 
I received this exact same email yesterday as well. Looked very legitimate, took me a few moments to realise it wasn't from Apple.

Wonder if an email I got this morning is anything to do with this:

From: Apple (email address: neojacks@frankyhazard.com)

Dear Customer,

Your Apple ID (xxxxxxx@xxxxxx) was used to sign in tο iCloud οn an iPhοne 7.

Date and Time: March 24, 2017, 01:53 AM PST
Operating System: iOS 10.0.3

If you have nοt recently signed in tο an iPhοne 7 with your Apple ID and believe sοmeone may have accessed your account, gο tο Apple ID (https://appleid.apple.cοm) and update your information as sοon as possible.

I don't have an iPhone 7 and I am not on iOS 10.0.3

Wonder how many people fall for this :)
 
I think part of the problem is that people think that the internet IS different. People who might be fully aware of how scammers/con artists work in the 'real' world completely let down their guard in the online world.
Actually I read about cases where mostly the elderly get scammed on the phone or at the door all the time.
I see it mostly as a technical knowledge issue. Most of the older generation that is getting online now doesn't understand a thing about computers and the internet with its services like email, web pages etc. Try to explain that a link in an email might not be what it pretends to be and that it is easy to fake an email sender. Try to explain what https is and how to verify that a certificate is valid. Try to explain to an 80 year old why paypal.com is probably trustworthy and why click.fake.ru/paypal.com is certainly not.
It would be great if they all took some basic education courses, but they don't, as these products are being marketed to them in such ways that they believe that is not necessary. It is up to the industry to come up with better solutions like username and password for authentication, build an email system that is better protected against hoax email, make browsers safe so that you can't get your computer infected just by visiting a wrong link,...
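Two of the tells raised in this thread can be checked mechanically: the quoted phishing e-mail spells "apple.com" with a Greek omicron (U+03BF) in place of the Latin "o", and a familiar name sitting in the path (click.fake.ru/paypal.com) is not the host the browser connects to. The script below is an added example, not code from the page or from Apple; the sample links are constructed to mirror those two cases, and it reports the real hostname, its punycode form, and any non-ASCII lookalike characters.

```python
import unicodedata
from urllib.parse import urlsplit

# Constructed sample links (not taken from the page): the first pair mirrors
# the quoted phishing e-mail, whose "apple.com" is written with U+03BF GREEK
# SMALL LETTER OMICRON instead of a Latin "o"; the second pair mirrors the
# paypal.com versus click.fake.ru/paypal.com comparison in the discussion.
SAMPLES = [
    "https://appleid.apple.com",
    "https://appleid.apple.c\u03bfm",
    "https://www.paypal.com/signin",
    "https://click.fake.ru/paypal.com",
]


def inspect_url(url):
    """Describe the host a link really points at and flag lookalike characters."""
    host = urlsplit(url).hostname or ""
    # Every non-ASCII character in a hostname is reported with its Unicode
    # name, so a Greek omicron posing as a Latin "o" is named explicitly.
    suspicious = [(ch, unicodedata.name(ch, "UNKNOWN")) for ch in host if ord(ch) > 127]
    try:
        # The ASCII (punycode, "xn--") form is what DNS actually resolves.
        wire_host = host.encode("idna").decode("ascii")
    except UnicodeError:
        wire_host = "<not a valid IDNA hostname>"
    return {"host": host, "wire_host": wire_host, "suspicious": suspicious}


def belongs_to(url, expected_domain):
    """True only if the host is expected_domain or a subdomain of it.

    A familiar name in the path (click.fake.ru/paypal.com) does not count,
    and a host containing a lookalike character never equals the real domain.
    """
    host = urlsplit(url).hostname or ""
    return host == expected_domain or host.endswith("." + expected_domain)


if __name__ == "__main__":
    for url in SAMPLES:
        info = inspect_url(url)
        print(url)
        print("  host on the wire:", info["wire_host"])
        for ch, name in info["suspicious"]:
            print("  lookalike character:", repr(ch), name)
        print("  apple.com?", belongs_to(url, "apple.com"),
              " paypal.com?", belongs_to(url, "paypal.com"))
```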
 
This is why we have the "certificate authority" that ships with browsers, that theoretically guarantees that when you visit a website, it's legitimately that website due to the certs matching with what you actually see. Of course it's pretty damn easy to get any cert and call yourself "trusted", especially if you don't pay attention to the URL bar...

I remember reading your post earlier, and after reading this article I thought I'd share it here. It seems the "theoretical" guarantee just got a whole lot weaker.....

http://boingboing.net/2017/03/24/symantec-considered-harmful.html
 
Agreed. If the same email address/password for their Apple ID were used on other compromised accounts, which happens more frequently than you'd imagine
I imagine it does happen very frequently. TBH, I use the same password for lots of sites because even though I have a password manager, I can't always have it available (e.g. if I'm using a school computer), and I can't feasibly remember 1000 different passwords.

To mitigate risk, I have maybe 6 different passwords where a few are reserved for only secure and important accounts like iCloud while many less important accounts use the same password. And my Mac's password is used for absolutely nothing else. But I'm sure most people aren't that careful. They probably don't use password managers and use the same password for everything.
2FA will not save you from a man-in-the-middle attack. Practically nothing will, really. If I were to put up a fake website and pipe your username and password into another window, I can simulate a 2FA prompt on your devices, which you'll enter in the fake website and I'll also receive it.

This is why we have the "certificate authority" that ships with browsers, that theoretically guarantees that when you visit a website, it's legitimately that website due to the certs matching with what you actually see. Of course it's pretty damn easy to get any cert and call yourself "trusted", especially if you don't pay attention to the URL bar...
Worse, even a legitimate URL like https://google.com could go to a fake site in rare cases. It happened in a region of Iran once because a CA was fooled.

By the way, another easy attack that I'm not sure if they fixed was that you could change someone's iCloud password purely by answering security questions, no email required, but I think this was only if 2FA was disabled. Sarah Palin's Yahoo! account was "hacked" that way in 2008 or so. Apple claims that they encrypt all your data with your password, so doesn't the combination of your security answers form a key for it too? That must be the case, or else they're lying.
 
Even without 2FA, would security not shut out anyone attempting to get in from a foreign location, especially if the real user's devices are passively connected to the iCloud account at the other side of the world? Surely that would instigate the 3-question security barrier, no?

For instance, my phone and computer are both connected to iCloud and are in New Zealand (plus both have device IDs that have been linked to my account forever). So if someone did try to access it from Turkey or Armenia or whatever, even with the right password, would it not simply gate them out with my three security questions? I mean, how much more suspicious would a situation need to get before the three questions kick in?

I'm on 2FA now, but I'm asking based on past issues I've had.
 
By the way, another easy attack that I'm not sure if they fixed was that you could change someone's iCloud password purely by answering security questions, no email required, but I think this was only if 2FA was disabled. Sarah Palin's Yahoo! account was "hacked" that way in 2008 or so. Apple claims that they encrypt all your data with your password, so doesn't the combination of your security answers form a key for it too? That must be the case, or else they're lying.

If you have the answers to the security questions or whatever is required, you can reset your password. Apple sends you an email with a special link that allows the receiver to change _your_ password; usually such a link works for a few minutes only.

Obviously there is a choice: either people can reset their passwords without knowing their old passwords, or they can't - in the latter case, if you forget your password, you lose. Apple could make it harder to reset your password, for example require you to answer your security question in an Apple Store, showing someone in the Apple Store your passport, and that someone has to enter their employee number as well. That would be rather safe.

I must say that the answers to my security questions are always a long random sequence of characters, so there is no chance whatsoever to guess that or to look it up on the internet if you know who I am.
 
They don't need an Apple device - they could just use the 2FA the user enters into the fake website to access their iCloud account.
That's not how Apple's 2FA works. How it works: I enter my Apple ID and genuine password on an Apple website. Since this isn't secure enough, Apple sends a 6 digit code to my phone, which I then enter on the same website. I don't know that code ahead. It's only valid for a very short time.
Even without 2FA, would security not shut out anyone attempting to get in from a foreign location, especially if the real user's devices are passively connected to the iCloud account at the other side of the world? Surely that would instigate the 3-question security barrier, no?
I have accessed my iCloud account from Turkey and Egypt. I know people who have accessed theirs from Russia, Belarus or the Ukraine. People travel.
 
That's not how Apple's 2FA works. How it works: I enter my Apple ID and genuine password on an Apple website. Since this isn't secure enough, Apple sends a 6 digit code to my phone, which I then enter on the same website. I don't know that code ahead. It's only valid for a very short time.

My point is that you entered it on the same website, which in this case is the fake website.
 
That's not how Apple's 2FA works. How it works: I enter my Apple ID and genuine password on an Apple website. Since this isn't secure enough, Apple sends a 6 digit code to my phone, which I then enter on the same website. I don't know that code ahead. It's only valid for a very short time.
I have accessed my iCloud account from Turkey and Egypt. I know people who have accessed theirs from Russia, Belarus or the Ukraine. People travel.

Certainly, but if you're still logged in in one location, and at the same time there's an attempt to log in from a totally different country (especially one you've not visited before), that should surely at least trigger the second security level. I'm not saying it should lock your account entirely, just that it should go to the security questions. It's a minor inconvenience that single-handedly shuts the door on like 99% of illegitimate login attempts.

Frankly, it's hard to even think of why the three security questions exist if not for that kind of scenario.
 
As a user keeping two accounts and actively using both of them on one device, enabling two factor could introduce tons of extra work every day since I need to switch accounts quite often.
Don't know the actual meaning of "signing out completely" though.
 
Even without 2FA, would security not shut out anyone attempting to get in from a foreign location, especially if the real user's devices are passively connected to the iCloud account at the other side of the world? Surely that would instigate the 3-question security barrier, no?

For instance, my phone and computer are both connected to iCloud and are in New Zealand (plus both have device IDs that have been linked to my account forever). So if someone did try to access it from Turkey or Armenia or whatever, even with the right password, would it not simply gate them out with my three security questions? I mean, how much more suspicious would a situation need to get before the three questions kick in?

I'm on 2FA now, but I'm asking based on past issues I've had.

Any time someone logs into the iTunes Store with an Apple ID on a device which hasn't been associated with it before, they are asked to answer security questions, but this doesn't happen with iCloud.

There's no specific group-location block as you might be logging in while on holiday or emigrating.
 
How long is it going to take people to realize they need a STRONG, UNIQUE password for each site/service they use? It would be a very good idea to change iCloud/AppleID password though. Hopefully that won't cause as much chaos as changing an Apple ID email address. Apple + cloud = sucks.
... are asked to answer security questions ...

They should probably be called anti-security questions. :( My advice is that people also make up random or false answers for the typical account security questions (and unique for each site/service as well).

If you do, you'll need a password manager to keep track of them all. I recommend PasswordWallet (by Selznick) or 1Password.
 
If you have the answers to the security questions or whatever is required, you can reset your password. Apple sends you an email with a special link that allows the receiver to change _your_ password; usually such a link works for a few minutes only.
The reason I was concerned is that there was no email verification like you're describing or otherwise. This was a couple of years ago, so I don't know what the current policy is, but I'm pretty sure you can still create an account without an email address at all, so I wonder what they do in that case.

I really would rather it just be a forever locked account if I forget my password so that I can worry less about possible ways in. Also, the fact that you even can reset your password means either your data isn't actually encrypted, or it's encrypted in a way they can still break because they obviously get you your data back when you reset the password. Or, as I said, the security answers form a key, which would be strange.
 