Apple is an innovative company that is widely emulated around the world. But the advanced security of its products and their associated user accounts remain highly vulnerable to compromise because AFAICT Apple will not let you remove a mobile phone number from your account.
I've long advised readers to move away from relying on phone numbers for ANY form of authentication, and I've written time again about how many companies require a mobile number on signup, but allow you to remove the number from your profile after the account is set up. This is advisable if you have the option for more robust forms of 2FA, like security keys, app-based or OTP/push authentication.
The reason for this advice is that phone numbers are not great for security or authentication (they are transient and not property you control) and your phone company will not help you if one of their employees is tricked into navigating to a phishing page and giving away credentials that allow thieves to sim-swap your number to a device they control, and then request password reset links via SMS to all your important accounts.
But it doesn't seem like you can do that with Apple. And it's leading to stuff like this, without giving victims much in the way of anything they can do about it -- except maybe change their number to another number that isn't already tied to their identity.
https://krebsonsecurity.com/2024/03/recent-mfa-bombing-attacks-targeting-apple-users/
As a heavy Apple user, I hope I am wrong about this and that someone will set me straight. Because this is really bothering me right now.
BrianKrebs /
npub1vc…0axsh
2024-03-27 17:13:22
Author Public Key
npub1vc39pnjdqd77zzdxff4qyv8h3x0ey2mkx33c3vl8egr0a9ysxkxsk0axshPublished at
2024-03-27 17:13:22Event JSON
{
"id": "e593b98e6f1c7a526f2643c7afe7894c7fd9431a436f064752f6400feefb3a70",
"pubkey": "662250ce4d037de109a64a6a0230f7899f922b76346388b3e7ca06fe9490358d",
"created_at": 1711559602,
"kind": 1,
"tags": [
[
"proxy",
"https://infosec.exchange/users/briankrebs/statuses/112168770101436461",
"activitypub"
],
[
"L",
"pink.momostr"
],
[
"l",
"pink.momostr.activitypub:https://infosec.exchange/users/briankrebs/statuses/112168770101436461",
"pink.momostr"
]
],
"content": "Apple is an innovative company that is widely emulated around the world. But the advanced security of its products and their associated user accounts remain highly vulnerable to compromise because AFAICT Apple will not let you remove a mobile phone number from your account.\n\nI've long advised readers to move away from relying on phone numbers for ANY form of authentication, and I've written time again about how many companies require a mobile number on signup, but allow you to remove the number from your profile after the account is set up. This is advisable if you have the option for more robust forms of 2FA, like security keys, app-based or OTP/push authentication.\n\nThe reason for this advice is that phone numbers are not great for security or authentication (they are transient and not property you control) and your phone company will not help you if one of their employees is tricked into navigating to a phishing page and giving away credentials that allow thieves to sim-swap your number to a device they control, and then request password reset links via SMS to all your important accounts. \n\nBut it doesn't seem like you can do that with Apple. And it's leading to stuff like this, without giving victims much in the way of anything they can do about it -- except maybe change their number to another number that isn't already tied to their identity.\n\nhttps://krebsonsecurity.com/2024/03/recent-mfa-bombing-attacks-targeting-apple-users/\n\nAs a heavy Apple user, I hope I am wrong about this and that someone will set me straight. Because this is really bothering me right now.",
"sig": "eaf1084888a7ee69205c17dc26e01f9bc8108792a1d9780f6137b9b6d02489b2c258d74837794c865f129506ed00c0541ddb23cb1bc5487ef491d9788f852e74"
}