One of the latest attacks on the iPhone sees attackers abusing the Apple ID password reset system to bombard iOS users with hints. which need to be completed. over their accounts. Here's how to protect yourself from iPhone passcode reset attacks (often called “MFA bombing”).
We& #8217;I recently heard that that Apple users are experiencing MFA bombing (also called MFA fatigue or bombing). This is not a new attack, but it can be a convincing scam because it sends victims official requests to reset their iOS password.
As detailed by Krebs from Security (via Parth Patel), attackers abuse this. The vulnerability appears to be the use of an Apple user's phone number, which could bomb your iPhone and other Apple devices with over 100 MFA (Multi-Factor Authentication) prompts to reset your Apple ID password.
Update in 14: 40 PT: 9to5Mac learned about this issue from an Apple representative. The company is aware of several recent cases of similar phishing attacks, and Apple has taken steps to address the issue.
How to protect yourself from iPhone password reset attacks
- Reject, reject, reject
- Because password reset requests are a warning to system level, this seems convincing, but be sure to select“Don't’ ;t Allow”for everyone.
- One way to wear down victims is to bombard them with hundreds of clues, sometimes for days – keep choosing “ Do not allow”and use step 3 below if necessary.
- Note: If you see a password reset prompt online that could be another phishing scam, close the page as any button may lead to a malicious link.
- Do not answer phone calls– even if the caller ID says “Apple Support”; or similar
- Attackers use call spoofing, whereby the incoming number may appear to be an official Apple support phone number, and they may be able to verify personal information, making the scam seem legitimate.
- Next, they try to get a one-time code from you access to take over your Apple account.
- If you have any doubts, reject the call and call Apple back (800.275.2273 in the US) – call spoofing should not be able to intercept your outgoing call to a real Apple.
- Apple emphasizes that it will not make outgoing calls “unless the customer asks to be contacted” and that you should never share OTPs with anyone
- Temporarily change the phone number associated with your Apple ID
- If you continue to receive prompts, changing the phone number associated with your Apple ID should stop them.
- However, be aware that this will interfere with iMessage and FaceTime
More details
As noted in Krebs's article on security, There seems to be a speed limiting issue with the Apple ID password reset system.
What intelligently designed authentication system would send dozens of password change requests in a few moments, when the first requests had not even been sent by user action? Could this be the result of a bug in Apple's systems?
Hopefully Apple is working on a fix to prevent attackers from abusing this system. But unfortunately, password reset scams have been reported by users for at least two years (probably more).
One recent victim said that a senior Apple engineer advised him to enable the recovery key feature for his Apple ID. to stop password reset notifications. However, further testing showed that this was not the case, and Krebs on Security confirmed that Apple Recovery Key does not prevent password reset requests.
Related:
- Here's how to protect yourself from GoldPickaxe, the first iPhone Trojan
- PSA: AI voice cloning and call spoofing create frighteningly convincing scams, here's how to protect yourself
- How to enable protection against stolen devices iPhone; and should you do it?
Images: 9to5Mac
