Apple fans deluged with phony password reset requests

Apple device owners, consider yourselves warned: a targeted multi-factor authentication bombing campaign is under way, with the goal of exhausting iUsers into allowing an unwanted password reset. First called out on X/Twitter by AI entrepreneur Parth Patel – and confirmed to be happening to others by security blogger Brian …

  1. Lee D Silver badge

    Apple still has atrocious user interfaces for such things. I manage school deployments, and there were some real doozies before they got wise to proper enrolment and forced everyone to Apple School Manager (which means buying iPads brand-new at full price, no choice) many years later.

    There was a point where I took over a batch of pre-purchased iPads that had had an app installed as a previous user, and then the iTunes account was changed. Whenever that app updated, it would decide to reprompt for the (long gone) user's iTunes password to update the app.


    Again - system level, unskippable, recurring, the only thing to do was to concede and take over that account and sign in repeatedly to clear the warnings until we could wipe all the iPads on site (several hundred).

    Then there's their setup dialog which used to let you set up an iTunes account on a new iPad without entering a credit card number... at first it was literally a click, then they got increasingly obfuscated and would only allow you to select the option the first time on that iPad and not ever again, and then it became a running battle of stupendous workarounds where you had to cancel the "Sign in with iTunes" dialog some 50+ times to get into the iPad, change the setting to a particular account that had been set up with no credit card, and then you were able to sort things out. But to get there - system-modal dialogs every few seconds, that take an age to clear and then you had to quickly progress a tiny amount to get into the settings dialogs in between more system-modal dialogs, etc. etc. etc.

    After setting up 200 iPads that way, I banned iPad purchases from the site and they've not added one in 10 years. And that was one of the least of the issues we had with Apple.

    Everyone tells me that Apple products/software are so expensive and different because of the superior "design", and I have yet to find a single design feature in any Apple device, hardware or software, that I actually even like, let alone prefer. Some of their design is fecking atrocious.

    But, hey, I hear the next iOS will allow you to MOVE ICONS AROUND wherever you want (so long as you want them in a grid still, because we can't let you have too much control, but at least now they won't form a linear arrangement where you can have NO GAPS because Apple said no all those years).

    1. ecofeco Silver badge

      I see bad UX design everywhere.

      It is out of control.

      1. Dan 55 Silver badge

        "UX Engineers" need to be bludgeoned with Petzold and Apple's Human Interface Guidelines for classic Macs until they either get it or die, I don't mind which.

        1. DoctorNine

          At this point, I'd rather the latter honestly.

    2. Headley_Grange Silver badge

      Re- the moving icons: I can't remember where - maybe Gadgeteer - but about ten-ish years ago there was an article about buying a new phone and making the difficult choice between Android and Apple. She chose Android specifically because she could put the icons where she wanted. I'm not making any assumptions about Apple listening to users, but I bet there are a lot more people worried about pretty things than about background performance and management.

      For me, as a user well ensconced in the Apple garden, the main problem with their products is the "it just works" thing and the fact that even Apple believe it. When I first got a Mac (2009?) I'd spent ages unsuccessfully trying to get a MS PC with Acronis to do daily backups. It was a right royal pain. When I bought a Mac and Time Capsule it was a couple of clicks and it just worked - and has done ever since. I tried recovering a couple of files and it just worked. I was sold - an instant fanboi (I've grown up a bit since then). However, the problems come when things just don't work because the apps have no allowance for things ever going wrong. iCloud Files is a pain on Mac and iPhone. Sometimes it stops synching, or gets to 99% and stops, or files just don't appear on the phone. In a normal world there'd be a big "Just fucking synch everything now, no matter what you think the synch-state is" button - but there isn't in the Apple world because they assume it always just works. You head down rabbit holes of Terminal commands, stopping background apps, logging in and out of cloud accounts, creating dummy files, etc., none of which are any good when you're heading out to a meeting and needing a file on your phone or iPad; I just email stuff to myself now. I can't imagine what it must be like for Admins who have to look after a bunch of iDevices when they just stop working.

    3. Hubert Cumberdale Silver badge

      Well, the crooks at least know their target market: they clearly think Apple fans are more likely to click on a random email...

  2. Cincinnataroo

    I guess Apple has sufficient detail on those requesting the resets to identify many of them.

    Should they not release those to the victims? For one thing it's pretty much "confirm that you called from ...".

  3. Anonymous Coward

    I solved that years ago

    I was targeted years ago, and in those days breach attempts resulted in a locked account which then took effort to unlock (that's when the MFA idea started).

    The solution is to cut this off at the root: do not use an email address for your Apple ID that you also use publicly. My Apple ID is hooked up to an email address that I don't use for anything else (also because I tend to make aliases so I can track who is naughty and abused the privilege of having my email address for spam). If they don't have a starting point it gets kinda hard to be annoying.

    1. Fred Dibnah

      Re: I solved that years ago

      That’s a solution for you because you understand how this works, and that’s fine. Unfortunately 99% of people don’t have that level of knowledge, so unless you send them on a short infosec course when they buy a phone another solution is needed; that solution should be provided by Apple.

      1. Anonymous Coward

        Re: I solved that years ago

        The problem is that Apple does the same thing as Microsoft, only Microsoft managed to make the problem worse (plus ça change and all that).

        With Apple, you have an email address as your logon (read: 1/3rd of your authentication details - or 1/2 if you're not using MFA - is already public). You can set up aliases in iCloud for the address you get from Apple so it's doable to make an extra alias (and it means you still receive any Apple notifications as it's the same mailbox), and only the correct email address will log you into the Apple ID.

        Microsoft, however, demonstrated how well it understood security by allowing you to use both your email address AND ITS ALIASES to log into your Microsoft account. I have no idea what harebrained moron came up with that idea but I would suggest that person be removed from anything to do with software.

    2. werdsmith Silver badge

      Re: I solved that years ago

      It means you have to have constant access to another mailbox for MFA that uses email verification too.

      1. Tom Chiverton 1 Silver badge

        Re: I solved that years ago

        No, just plus addressing.

        1. AndrueC Silver badge
          Boffin

          Re: I solved that years ago

          Yup. I do something similar but because I'm the admin of my mail server I can use wildcards. It does occasionally cause confusion when speaking to a human who wonders why their employer's name is in my email address. I'm also having to use an old version of Thunderbird because the Virtual identity plugin hasn't been ported over to the newer API. I thought I'd found a replacement that worked with the current TBird API but it didn't quite make the grade for some reason.

      2. Anonymous Coward

        Re: I solved that years ago

        Sorry, used the wrong word. It's actually an alias. That way I still get all the auth requests in one place.

        I do have various mailboxes as well, but for the above trick it wasn't needed.

        As for aliases, I am approaching the 400 count. At some point I ought to take some of them offline :).

  4. IGotOut Silver badge

    "The fact the scammer called Patel"

    So is this what failed Home Secretaries do these days? At least it was good training for the new career.

  5. DS999 Silver badge

    App Store / Apple Pay authentication

    Uses a double click of the right side button to activate along with your Face ID. They should have an option to require the same thing for MFA acceptance. That would eliminate the possibility of accidental approval but with a bit less friction than Microsoft's two digit number (better to use a method iPhone users are already accustomed to).

    Neither system stops the possibility of that sort of "attack", but by eliminating its possible success scammers will no longer have any reason to attempt MFA exhaustion attacks - they are only doing it hoping that the dialog pops up at a time when someone is about to touch the screen in the right place to approve it.

    1. katrinab Silver badge
      Alert

      Re: App Store / Apple Pay authentication

      No. The point about the 2 digit authentication is that the scammer would need to know what number appears on your screen to continue, so they would need to ask you it via a different communication channel. Or you need to know which number appears on the scammer's screen in order to actually let them in. I forget which way round it is.

      1. Richard 12 Silver badge
        Boffin

        Not quite

        The 2 digit number is so you Let The Right One In.

        It's often pretty easy to predict when someone is likely to be logging in to some services - eg most people start work at the same time each day.

        So a miscreant can also make login attempts at job startin' time, and it's pretty likely that they'll send the request within the one minute or so time window when the user themselves is trying to log in.

        If you attempt to log in and get an MFA popup, you're rather likely to allow it - you cannot tell that it's not you.

        Requiring a number makes it possible to match requests to responses, and thus it's far more likely that both are the same user.

        It doesn't need to be a big number, because of rate limiting - if there can only be ten in-flight requests then 100 options is enough to verify.
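The number-matching mechanism Richard 12 describes, modelled as an added example; this is not code from The Register, Apple or Microsoft, and the class and function names, the two-digit number space, the ten-request in-flight cap and the constructed users "alice", "alice-laptop" and "unknown-host" are all assumptions made for illustration. It runs the same concurrent-login scenario twice: a plain Approve/Deny push, where the user approves whichever prompt appears first, and a number-matching push, where approval must carry the number shown on the user's own login screen.

```python
"""Toy model of push MFA with and without number matching.

Added example, not the code of any real MFA product: names, the
two-digit number space and the in-flight cap are assumptions.
"""
import secrets
from dataclasses import dataclass, field
from typing import Callable, Dict, Optional

MAX_IN_FLIGHT = 10   # assumed per-user cap on pending push challenges
NUMBER_SPACE = 100   # two-digit matching number, 00-99


class RateLimited(Exception):
    """Raised when a user already has MAX_IN_FLIGHT pending challenges."""


@dataclass
class Challenge:
    challenge_id: str
    origin: str          # constructed label for who started the login
    number: int          # shown only on the login screen that started it
    status: str = "pending"


@dataclass
class PushMfaService:
    number_matching: bool
    # Number source is injectable so the simulation below is deterministic.
    number_source: Callable[[], int] = lambda: secrets.randbelow(NUMBER_SPACE)
    pending: Dict[str, Dict[str, Challenge]] = field(default_factory=dict)

    def request_login(self, user: str, origin: str) -> Challenge:
        """Any login attempt, legitimate or not, creates a pending challenge."""
        inflight = self.pending.setdefault(user, {})
        if sum(c.status == "pending" for c in inflight.values()) >= MAX_IN_FLIGHT:
            raise RateLimited(f"too many pending challenges for {user}")
        ch = Challenge(secrets.token_hex(8), origin, self.number_source())
        inflight[ch.challenge_id] = ch
        return ch

    def respond(self, user: str, challenge_id: str, approve: bool,
                entered: Optional[int] = None) -> str:
        """The phone answers the prompt for one specific challenge.

        Without number matching the only input is Approve/Deny, so the
        service cannot tell whether the user meant *this* login.  With
        number matching the approval carries the number the user read off
        the screen in front of them, and a mismatch counts as a denial.
        """
        ch = self.pending[user][challenge_id]
        if ch.status != "pending":
            return ch.status
        if not approve or (self.number_matching and entered != ch.number):
            ch.status = "denied"
        else:
            ch.status = "approved"
        return ch.status


def simulate_concurrent_login(number_matching: bool) -> dict:
    """User and attacker start a login inside the same window; the
    attacker's prompt reaches the phone first and the user, seeing only
    'Approve sign-in?', taps Approve on it before their own prompt."""
    # Constructed numbers: 37 on the user's screen, 82 on the attacker's.
    svc = PushMfaService(number_matching, number_source=iter([37, 82]).__next__)
    user_ch = svc.request_login("alice", "alice-laptop")
    attacker_ch = svc.request_login("alice", "unknown-host")
    # The user types the number shown on their own laptop into each prompt.
    attacker_result = svc.respond("alice", attacker_ch.challenge_id, True, user_ch.number)
    user_result = svc.respond("alice", user_ch.challenge_id, True, user_ch.number)
    return {"attacker": attacker_result, "user": user_result}


def worst_case_collision_probability(in_flight: int = MAX_IN_FLIGHT) -> float:
    """Chance that at least one of `in_flight` pending challenges was dealt
    the same number as the user's own, which is what the rate limit bounds."""
    return 1 - ((NUMBER_SPACE - 1) / NUMBER_SPACE) ** in_flight


if __name__ == "__main__":
    print("plain push:     ", simulate_concurrent_login(False))
    print("number matching:", simulate_concurrent_login(True))
    print(f"worst case with {MAX_IN_FLIGHT} in flight: "
          f"{worst_case_collision_probability():.1%}")
```

The plain push approves the attacker's challenge because the prompt carries nothing that ties it to the login the user actually started; with number matching the same tap is denied, and the in-flight cap keeps the chance of a number collision across pending requests small, which is the point about ten requests against a hundred options.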
