Comments on: Recent ‘MFA Bombing’ Attacks Targeting Apple Users
https://krebsonsecurity.com/2024/03/recent-mfa-bombing-attacks-targeting-apple-users/
In-depth security news and investigation

By: mori etsuro (Thu, 11 Apr 2024 06:51:46 +0000)
https://krebsonsecurity.com/2024/03/recent-mfa-bombing-attacks-targeting-apple-users/comment-page-2/#comment-608025

I found that my preceding post missed the following words, which impressed me upon reading the newspaper:
“If the NFC card is lost or stolen, it does not work without a registered fingerprint.”
Best regards,
Etsuro Mori

By: Dylan (Tue, 09 Apr 2024 00:14:32 +0000)
https://krebsonsecurity.com/2024/03/recent-mfa-bombing-attacks-targeting-apple-users/comment-page-1/#comment-607923

In reply to Mahhn.

The Play Store is filled with open source software. But Android is another prime target for bad actors; I mean, it’s the second largest smartphone operating system in the world. More users = more people to exploit. But… that makes us all kind of backed into a corner. I mean, you only have a few options for alternative smartphones that have unlocked bootloaders and come with a mobile Linux distro (that isn’t Android). It’s the way of the world, sadly. I think more than anything I’m trying to be like a Jehovah’s Witness, wanting to encourage people to take control of their digital presence and interaction. I think I’m mostly more comfortable with OSS because I am technically inclined, and I can skim through the source code before I use it. With Apple? Microsoft? I don’t have that control. I have to blindly trust a company that views me as a financial asset.

By: Dylan (Tue, 09 Apr 2024 00:02:48 +0000)
https://krebsonsecurity.com/2024/03/recent-mfa-bombing-attacks-targeting-apple-users/comment-page-1/#comment-607922

In reply to mealy.

There is one good phone for Linux called the PinePhone.

By: Kurt (Tue, 02 Apr 2024 20:30:30 +0000)
https://krebsonsecurity.com/2024/03/recent-mfa-bombing-attacks-targeting-apple-users/comment-page-2/#comment-607239

Is there a way you can use AI to detect the accent of the person who is calling and show what region of the world that accent is from? Maybe a topic for a future article. I would love to have this whenever I get a call from my bank.

By: Byron (Tue, 02 Apr 2024 19:53:34 +0000)
https://krebsonsecurity.com/2024/03/recent-mfa-bombing-attacks-targeting-apple-users/comment-page-1/#comment-607238

It’s a flaw in Apple’s password reset workflow that they need to address. Simply knowing a phone #/e-mail should NOT be enough to initiate the password reset process. Perhaps a generated recovery key serves that purpose: it should take e-mail/phone # + Recovery Key to initiate a password reset 2FA/push notification to a device.

For those who did not generate a recovery key and receive a 2FA/push password reset notification they did not initiate: selecting Deny will auto-deny/ban any future password reset requests from that IP address. Any non-response to the 2FA/push notification results in a time delay/cooldown before an additional request can be sent: 1 min, 2 min, 4 min, 8 min, 16 min, 32 min, etc.

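The cooldown and deny-to-ban rules Byron proposes in the comment above, modelled as an added example (this is not Apple's reset workflow and not code from the post or the article). The 60-second wait before a push counts as unanswered, the 32-minute cap, and the account and IP values in the simulation are assumptions:

```python
from dataclasses import dataclass, field
from typing import Dict, Optional, Set

# Assumed parameters, not from the comment or from Apple:
PUSH_TTL_S = 60          # seconds a reset push waits for an answer before it counts as "no response"
MAX_BACKOFF_MIN = 32     # cap of the comment's doubling sequence 1, 2, 4, 8, 16, 32 minutes


@dataclass
class AccountState:
    backoff_min: int = 1                     # cooldown applied after the next unanswered push
    next_allowed: float = 0.0                # earliest time (seconds) a new push may be sent
    pending_ip: Optional[str] = None         # source of the push currently awaiting an answer
    pending_since: float = 0.0
    banned_ips: Set[str] = field(default_factory=set)


class ResetGate:
    """Decides whether a password-reset push may be sent to an account.

    Rules modelled from the comment: a Deny by the account holder bans the
    requesting source IP for that account; an unanswered push doubles the
    cooldown before the next push (1, 2, 4, ... minutes). Hypothetical code.
    """

    def __init__(self) -> None:
        self._accounts: Dict[str, AccountState] = {}

    def _state(self, account: str) -> AccountState:
        return self._accounts.setdefault(account, AccountState())

    def _expire_pending(self, st: AccountState, now: float) -> None:
        # An unanswered push that has outlived its TTL is a "non-response":
        # start the cooldown and double it for next time.
        if st.pending_ip is not None and now - st.pending_since >= PUSH_TTL_S:
            st.pending_ip = None
            st.next_allowed = now + st.backoff_min * 60
            st.backoff_min = min(st.backoff_min * 2, MAX_BACKOFF_MIN)

    def request(self, account: str, src_ip: str, now: float) -> str:
        """Someone (user or attacker) tries to trigger a reset push."""
        st = self._state(account)
        self._expire_pending(st, now)
        if src_ip in st.banned_ips:
            return "banned"
        if st.pending_ip is not None:
            return "pending"        # one outstanding push at a time
        if now < st.next_allowed:
            return "cooldown"
        st.pending_ip, st.pending_since = src_ip, now
        return "sent"

    def respond(self, account: str, decision: str, now: float) -> str:
        """The account holder answers the push on their device."""
        st = self._state(account)
        self._expire_pending(st, now)
        if st.pending_ip is None:
            return "nothing_pending"
        ip, st.pending_ip = st.pending_ip, None
        if decision == "deny":
            st.banned_ips.add(ip)
            return "banned_ip"
        st.backoff_min = 1          # legitimate reset: clear the penalty
        st.next_allowed = 0.0
        return "approved"


def count_pushes(gate: ResetGate, account: str, src_ip: str,
                 start: float, end: float, step: float) -> int:
    """Simulate an attacker hammering the reset endpoint every `step` seconds
    with the victim never answering; return how many pushes reach the phone."""
    sent = 0
    t = start
    while t <= end:
        if gate.request(account, src_ip, t) == "sent":
            sent += 1
        t += step
    return sent


if __name__ == "__main__":
    # Constructed scenario: 61 requests over ten minutes, none answered.
    pushes = count_pushes(ResetGate(), "victim@example.com", "203.0.113.5", 0, 600, 10)
    print(f"pushes delivered with gate: {pushes} (61 without it)")
```

In the constructed run, 61 requests in ten minutes deliver four pushes instead of 61 (at 0 s, 120 s, 300 s and 600 s). The model also makes the limit of the per-IP ban visible: a Deny bans only the address that sent that push, and the very next request from a different address is accepted immediately, because only a non-response starts the account-level cooldown. A practitioner would key the rate limit on the target account as well, so that rotating source addresses does not help the attacker.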
By: bigp (Mon, 01 Apr 2024 19:32:45 +0000)
https://krebsonsecurity.com/2024/03/recent-mfa-bombing-attacks-targeting-apple-users/comment-page-1/#comment-607165

In reply to Tim Alexander.

The password reset prompts are just to fatigue you… once fatigued, you may then click on a similar-looking multi-factor login verification link. Not sure if Apple sends those, or if you have to enter a number/code into the page. That attack would be the attacker using a stolen username/password to log in. If multi-factor is on, they may send you a link or a code to enter to complete the login. It’s that bit the attacker needs.

By: Oofy Prosser (Mon, 01 Apr 2024 18:45:54 +0000)
https://krebsonsecurity.com/2024/03/recent-mfa-bombing-attacks-targeting-apple-users/comment-page-1/#comment-607162

Apple could just add a line to that dialog box: “Apple will never call you unless you call us first.” It won’t stop the repeats but will warn people about the phishing phone call.

By: Jim Robertson (Mon, 01 Apr 2024 14:32:21 +0000)
https://krebsonsecurity.com/2024/03/recent-mfa-bombing-attacks-targeting-apple-users/comment-page-1/#comment-607151

Is it the case that just turning off “allow websites to ask permission to send notifications” in Safari Settings > Websites > Notifications should stop the repetitive bombardment (which could be REALLY annoying, even if the target doesn’t fall for the request in the subsequent bogus phone call)?

By: ThemePro (Sun, 31 Mar 2024 11:28:08 +0000)
https://krebsonsecurity.com/2024/03/recent-mfa-bombing-attacks-targeting-apple-users/comment-page-1/#comment-607099

Only an Apple user would think buying a new iPhone is the solution to a password reset attack. Even if Apple limits the reset requests to every X minutes, you’ll still need to change the phone number or email used for your Apple ID and avoid exposing that information to avoid such attacks. This is security 101-type stuff, not Pegasus.

By: Louise (Sun, 31 Mar 2024 01:36:46 +0000)
https://krebsonsecurity.com/2024/03/recent-mfa-bombing-attacks-targeting-apple-users/comment-page-1/#comment-606946

In reply to Tim Alexander.

This article is interesting:

How To Detect A Keylogger On An iPhone
https://www.certosoftware.com/insights/how-to-detect-a-keylogger-on-an-iphone

I am NOT promoting certosoftware. The author makes practical suggestions:

Check for custom keyboards
On your iPhone, go to Settings > General > Keyboard > Keyboards. For most devices, you should see two keyboards called something like:

English (US).
Emoji.

If you see any other keyboards listed that you don’t recognize, it’s possible that it could be a keylogger.

and more.
