Due to the complexity and recursive nature of modern digital authentication, it turns out that often all that is really really actually protecting a user's identity at the end of the day is a 4-digit PIN code that they happily type in front of anyone and everyone hundreds of times per day.
An attacker with knowledge of someone's PIN can use it to gain temporary access to a user's device, and then they have both auth factors necessary for a complete takeover of the account associated with the device, which is very often being used as the IdP for many other accounts and services. Commence lateral movement.
It's plainly evident to anyone with half a brain that a two factor scheme that authenticates the second factor with the first factor is not, in fact, a two factor scheme. When the first factor is so weak that it can be broken by looking at some smudges on the screen, well, here we are.
But consumers are idiots, and if you actually forced them to use proper authentication schemes then most people would simply lock themselves out of everything and lose all of their data permanently multiple times per year. As a practical matter, I don't really see a good way to overcome user irresponsibility.
Thieves are watching people input their PINs into phones and then stealing the phones. They can then gain access to any apps that use the "sign-in with Apple" feature that uses Face ID or PIN to log in instead of the app's own login.
1) Criminals work in groups to steal iPhones. One person will watch you or take a video of you entering your passcode, another person will snatch the phone from you.
2) Within 3 minutes, the criminals will use the phone passcode to reset your Apple ID password, change the trusted phone number of your Apple ID, and set a recovery key.
3) Now they can deactivate "Find my iPhone".
4) And they can log out all your other devices, lock them, or even erase them remotely
5) Now you have no way to access your iCloud account, and the thieves have completely taken over your digital identity
6) Using passwords saved on the phone, and with SMS 2FA, they can now transfer money from all your accounts
7) Using other data stored on your phone (e.g. in photos), they can apply for an Apple Credit Card and use that to steal more money from you.
Joanna Stern recommends these steps:
1) Use a complex passcode
2) Use a third-party password manager with a different passcode
3) Check your photos to make sure there are no photos of sensitive documents
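As an added illustration that is not from the post above or any commenter, the following Python models the chain in steps 1-7 (and the "second factor authenticated by the first factor" point earlier in the thread) as an attack-graph closure: a credential is gained once any one of its prerequisite sets is held, starting from a stolen phone plus an observed passcode. The credential names and the two toggles are constructed assumptions for the model, not Apple's actual policy.

```python
# Constructed threat model of the auth-dependency chain described above.
# A credential is gained when any one of its alternative prerequisite sets
# is fully held; closure() iterates to a fixed point from what the thief
# starts with (the phone and the shoulder-surfed passcode). The rules are
# an illustrative model of the thread's description, not Apple's policy.
from typing import Dict, FrozenSet, List, Set

Rules = Dict[str, List[FrozenSet[str]]]  # credential -> OR-list of AND-sets


def build_rules(reset_needs_old_password: bool, passwords_on_device: bool) -> Rules:
    """The two knobs correspond to fixes proposed in the thread."""
    apple_id_ways = [frozenset({"apple_id_password", "trusted_sms"})]
    if reset_needs_old_password:
        apple_id_ways.append(frozenset({"device_unlock", "passcode", "apple_id_password"}))
    else:
        apple_id_ways.append(frozenset({"device_unlock", "passcode"}))  # step 2 above
    rules: Rules = {
        "device_unlock": [frozenset({"phone", "passcode"})],
        "trusted_sms": [frozenset({"device_unlock"})],  # SMS 2FA codes readable on the unlocked phone
        "apple_id_control": apple_id_ways,
        "find_my_disabled": [frozenset({"apple_id_control"})],  # steps 3-5
        "bank_account": [frozenset({"bank_password", "trusted_sms"})],  # step 6
    }
    if passwords_on_device:  # native password manager opens with the device passcode
        rules["bank_password"] = [frozenset({"device_unlock", "passcode"})]
    return rules


def closure(rules: Rules, held: Set[str]) -> Set[str]:
    """Fixed point: keep adding credentials whose prerequisites are all held."""
    have = set(held)
    changed = True
    while changed:
        changed = False
        for cred, ways in rules.items():
            if cred not in have and any(way <= have for way in ways):
                have.add(cred)
                changed = True
    return have


def compromised(reset_needs_old_password: bool, passwords_on_device: bool) -> Set[str]:
    """Everything a thief holding the phone and the passcode ends up with."""
    rules = build_rules(reset_needs_old_password, passwords_on_device)
    return closure(rules, {"phone", "passcode"}) - {"phone", "passcode"}


if __name__ == "__main__":
    for knobs in [(False, True), (True, True), (True, False)]:
        print(knobs, sorted(compromised(*knobs)))
```

Requiring the old Apple ID password for a reset cuts off account control, but the bank account still falls while the passwords sit in the passcode-protected manager; only moving them off the device breaks the last edge.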
It does stay on the device; the iPhone passcode is entered and authenticated locally, then the iPhone authorizes the AppleID password change since you're "authentic."
There is a sophisticated scam targeting Apple iPhone users that starts with stealing the phone and ends with draining all financial accounts; there are hundreds of cases with damage in the five digits, and Apple doesn't care.
The remediations recommended are:
- alphanumeric passcode
- different passcodes for financial apps
- not using the native password manager
- not storing credentials for financial apps in any password manager
- if you have to enter the code do not do so in public or hide it
How an alphanumeric code helps defeat these adversaries is beyond me, because the video describes the attackers recording the code from over the shoulder.
Why MFA or tokens are not recommended, I do not know.
There was a thread yesterday where someone suggested using a Screen Time PIN, different from the device PIN, and disabling access to iCloud settings as a potential way to protect yourself too.
Not letting banking or TOTP apps work, or showing validation SMS codes, without biometric unlocking, even if you type in the password or PIN.
I wouldn't mind it a bit if biometric Face ID triggers every time I need to read a validation SMS or use a security-sensitive app, even if the phone is unlocked.
Time-lock important changes like biometric info or anything that may result in an account takeover.
Not allow resetting from a device with only the PIN?
Also don't allow the PIN for some operations (or let you disable this). E.g. for viewing passwords or other sensitive operations besides login, it'd be safer for me to not allow PIN access and only Face ID.
Wow, I just tried and it's very easy. Seems like a huge miss of privilege escalation, allowing someone with the PIN and phone to escalate to the full password. This should require the old password or more steps.