2 factor authentication...and Potential Lost iPhone

[krs]

Nothing is ever "ultimate security." And I don't think I've ever seen anyone claim 2FA is "ultimate security." Just better than not having 2FA. The SIM code fraud is a problem of the phone companies not having even mediocre security in place to prevent it. It's kind of unfair to blame Apple for the failings of a telecomm company who cannot be bothered to use even rudimentary security before transferring a phone number to some strange SIM card just because someone called them. At least Apple sends the codes to all of the registered devices so if I lose my iPhone (or someone tries to SIM card fraud me) I can use my wife's iPhone or my MBP or my iPad to lock it down.

As for not letting you turn 2FA off after two weeks, it's their policy. If you don't like it, don't use iCloud. An iPhone will work without iCloud, although the handiness will be reduced. But you will have SMS, the default apps, communications, etc., so the phone functionality will be there. It would be like having just an iPhone and no other Apple product, and you won't be able to add any apps to it other than the default. For some people, that's all it needs to have. If you want more, you have to play by Apple's rules to use Apple's services. And that means 2FA that cannot be turned off after two weeks.

I agree that there is no such thing as "ultimate security" if one needs to access the net, but it's a term that is used quite often when articles discuss 2FA.
This article, with a comment like "It’s very important to provide the ultimate security to your account in the wake of ever-rampaging online hacking or cyber crime, is an example.
Set Up Two-Step Verification for Google/Gmail on iPhone or iPad

People read that and think 2FA is the cat's meow.
And I'm not blaming Apple specifically, SIM fraud just makes 2FA in general less secure than it is claimed to be.
What I think is an Apple specific issue is that as a user I can't turn 2FA off again - don't really understand the rationale for that.
Interestingly enough, in all the news article I have seen so far over the last couple of years about the SIM swap fraud and subsequent financial loss, the user only noticed the issue when they were unable to access their cell phone service, at that time they tried to call their cell phone provider to find out what's wrong and depending on the time of day and access to their provider, the damage was already done.
I called my cell phone provider to see if I could somehow block my number from being transferred out and was told that this is illegal (in Canada).
Here is a sample of the news articles I'm referring to:
Social engineering is the new method of choice for hackers. Here'''s how it works. | CBC News

 

[MacInWin]

Basically, then, Canada has a law that allows SIM card fraud and prohibits the victim from protecting themselves. Nice. (Not)

I went to my provider, Verizon, and put on 2FA on any change in my account. But the Verizon 2FA uses email for the confirmation, not the device, so any change that is tried by a fraudster is going to get baulked because the email comes to me, not to them. Too bad Canada doesn't allow that.

As for people claiming ultimate security, bloggers are free to use whatever terms they want. And any blogger or pundit who uses the term "ultimate security" has lost all credibility just for that. I tend to read what the vendors say, as there is some responsibility on their part to get it right. Or at least try.

 

[chscag]

Fraud associated with a SIM card swap can be avoided by assigning a PIN number to your SIM card. (That option might not be available from all carriers) That way, any change of or swap out of the SIM card can only be done by entering the correct PIN number.

My carrier (T-Mobile) no longer supports that option but your carrier might.

 

[krs]

Basically, then, Canada has a law that allows SIM card fraud and prohibits the victim from protecting themselves. Nice. (Not)

Well, not exactly.
Used to be that cell phone users in Canada typically had to sign a 3-year contract and the phones were locked to the specific provider one had the contract with.
People got upset being locked in for such a long time, they also felt that the providers were gouging and the fees were too high, so they put a lot of pressure on the government for change.
Two key things that came out of that is
a. All cell phones sold in Canada have to be unlocked, and
b. One can very easily change from one cell phone provider to another at any time while retaining one's phone number
Switch Providers and Keep your Number | CRTC

It's the "b"part that has the potential of SIM Swap - people simply have too much information about themselves on the net and even if they are not on Facebook etc., there were enough breaches that compromised private personal information.

One way I think would make SIM swap harder if there was some delay built into the process, say a couple of days where the current provider can verify with the existing customer that they actually initiated the provider change.

 

[Sawday]

I know I've made this point before in a similar thread but when I need to enter my Apple ID on my mac (usually because, once again, my iCloud mail has 'forgotten' it), the 2 FA code comes up on the mac itself, completely overturning any supposed security. It's just stupid.

 

[ferrarr]

I know I've made this point before in a similar thread but when I need to enter my Apple ID on my mac (usually because, once again, my iCloud mail has 'forgotten' it), the 2 FA code comes up on the mac itself, completely overturning any supposed security. It's just stupid.

The reason the 2FA code appears there is because you are already signed in to your iCloud account, and your Mac is a trusted device. If someone has your device, hopefully they don't also know your passcode/password.

 

[chscag]

I don't think there is any question that Apple could make improvements to 2FA. However, Apple finds themselves in the middle of either making it too difficult or not fool proof enough.

The theft of iPhones and iPads is a real problem here in the US and I'm sure also in other areas of the world. But it's not only the theft of the devices which is a problem, it may also involve an Apple account or other accounts.

Apple to their credit have tried to explain what 2FA does and how it works.

Two-factor authentication for Apple ID - Apple Support

 

[krs]

Apple to their credit have tried to explain what 2FA does and how it works.

Two-factor authentication for Apple ID - Apple Support

I read this article a few days ago.
Maybe I missed it, but nowhere in the body of the article does it mention the rather important fact that one cannot turn off 2FA once activated (the subject of this thread). That only comes up on the second to last Q&A

As far as I'm concerned, that fact should have been made clear in the very first paragraph of the description.

 

[pm-r]

I read this article a few days ago.
Maybe I missed it, but nowhere in the body of the article does it mention the rather important fact that one cannot turn off 2FA once activated (the subject of this thread). That only comes up on the second to last Q&A

As far as I'm concerned, that fact should have been made clear in the very first paragraph of the description.

Golly gee, if they had done that to make it clear in the beginning, that would have probably discouraged a lot of users from enabling 2FA i would think.

The bottom line recently seems to be - trust no one!!!





- Patrick
======

 

[chscag]

Originally, when Apple first set up 2FA after they abandoned 2 step verification, it (2FA) could be turned on and turned off by going to iCloud with your Apple ID and select/unselect the option. You would then be asked to set up 3 security questions to help verify your identity.

Later on Apple changed the policy for 2FA and stated that it could not be turned off after 2 weeks. I'm not sure whether or not it was announced by Apple.

Either way, 2FA is here to stay. If you do not wish to use it and already have an Apple ID iCloud account, you won't be forced (as of now) to implement it.

However, if you want one of those fancy Titanium Apple Cards, you must implement 2FA.

 

[MacInWin]

2FA is here to stay. Not only is it more security (not perfect, just more), but it also protects Apple from legal claims that they "didn't do enough." Remember the celebrity nude photos that were stolen from iCloud iCloud leaks of celebrity photos - Wikipedia
and the furor that was initially directed at Apple because iCloud was "hacked?" Turned out the victims were spear phished for passwords, and then those used to get the images from iCloud. Apple started offering 2FA shortly after that. Later it became mandatory. And it's not just Apple. My bank uses it, my insurance company, my credit union, my doctor, my cellphone service provider, even some "frequent user" accounts now have it. It's a PITA, but then again so are locks on the doors on my house and my car. Security is always a pain.

I use long (18-24 characters) randomly generated passwords, never use one twice, use a password keeper to hold them all, and then 2FA adds one more layer.

As for the code showing up on a Mac when you are on the Mac and it is required, if you want you can remove the Mac from the list of trusted devices and it will no longer show up there. Of course, if you use Messages and have it open when the code comes in to your phone, it will show up in Messages. The security for that is to have a strong login password and a short time before the screen goes dark and the password is required to open the Mac. That way, even if someone steals it while running, as long as you have put it to sleep before you walked away (you DO do that, right? I mean, that's just basic security), they cannot do anything with it because it's locked.

As for "perfect" security, I know of ONE maybe close to perfect system. It was run by the CIA, in a vault in a shielded building, with two armed guards on the doors, inner and outer, at all times, a triple filtered power system, no external connections, no printer, no removable storage and no connections inside the vault, one terminal and a requirement that two people had to be in the room at a time, to prevent anyone from wandering through the system. Nothing was allowed to be taken into or out of the room. Basically, the user and escort would sit at the terminal, get the information, memorize it, then walk out. ID required both ways through the door. Pockets emptied, no watches, phones, no electronics at all allowed in the vault.

Short of that, nothing is really secure.

 

[krs]

I actually thought the European banks had a very secure on-line banking system with their TAN (Transaction Number) approach - something I wish the banks in Canada would implement.
Makes it impossible for anyone except the account holder to transfer money out of their account even if somebody managed to log in and have full access to that account.

 

[IWT]

As a result of the excellent comments and opinions expressed in this thread, I have registered my wife's iPhone number as an addition to my own.

Does anyone know whether, if a verification code was required, it would go to both phones simultaneously? In the list of numbers in my account, my number is first on the list, her's second. Does that make a difference?

Ian

 

[mf409]

im pleased to see my post solicited so many good opinions.

i am a BIG proponent of 2fa for banking, brokerage accounts and such which i try to keep isolated.
however i am not in the demographic that "runs their entire life" from the phone, which is why this 2fa is nothing but a nuisance for me personally.

that said, my wife and i did add each other as trusted phone numbers.
when we tested it out neither of us got the push notification for the other, we only received it on our own device and the second number listed received nothing.
what might i be overlooking?

thanks

 

[ferrarr]

As a result of the excellent comments and opinions expressed in this thread, I have registered my wife's iPhone number as an addition to my own.

Does anyone know whether, if a verification code was required, it would go to both phones simultaneously? In the list of numbers in my account, my number is first on the list, her's second. Does that make a difference?

Ian

Yes, the code goes to all "trusted devices" at the same time.

Edit: You would need to add the device as a trusted device, in your Apple/iCloud account.

View and manage your Apple ID trusted devices on Mac - Apple Support

 

[IWT]

Thanks, Bob. Much appreciated.

Ian

PS My wife and I share my Apple ID so her iPhone is "technically" mine though with her own SIM card and number.

 

[chscag]

My wife and I share my Apple ID so her iPhone is "technically" mine though with her own SIM card and number.

We have our phones set up the same way Ian. I find it more convenient to do it that way rather than separate Apple IDs.

 

[Lifeisabeach]

Yes, the code goes to all "trusted devices" at the same time.

Edit: You would need to add the device as a trusted device, in your Apple/iCloud account.

View and manage your Apple ID trusted devices on Mac - Apple Support

Just to elaborate on this more... adding a phone number does not make the other phone a "trusted device". It instead is a "trusted number". Adding phone numbers is for use with SMS verification only, and codes only go to a single number that you pick out of the "trusted numbers" if you choose to use the SMS option to get a code.

 

[Cr00zng]

Here is a sample of the news articles I'm referring to:
Social engineering is the new method of choice for hackers. Here'''s how it works. | CBC News

Wait a minute, quote from article:

Once the hackers had executed the SIM swap, they were able to use their own phone to gain access to a number of Tomlinson's sensitive accounts, including those tied to her finances.

The 2FA authentication is, as it states, an additional authentication level. There's also a first level of authentication, in most cases it is UID/PWD. The article also mentions this, quote:

Tomlinson used two-factor authentication on her sensitive accounts, an extra security step* that sends a message to your cellphone before granting access. Tomlinson believes the SIM swap allowed the hackers to divert those incoming messages to a new device, effectively bypassing her security measures.

*Emphasis mine

In my view, this means that Tomlinson's account name and password had also been compromised. While the SIM swapping is a contributing factor, let's not forget that the primary authentication credentials also had been stolen. That has nothing to do with the SWIM swapping. Unless, she stored all of her account information in the iCloud and the hacker had full access to the primary authentication details, once the SIM swap completed.

If you want to protect yourself against SIM swapping, protect the primary authentication, like UID/PWD. Change your password frequently and you should not store it in the iCloud, or backup the password manager in the iCloud.

I do understand that SIM swapping is an issue in Canada, but people should understand, that it is not "maximum security". It is rather just a speed bump for determined hackers.

 

[krs]

In my view, this means that Tomlinson's account name and password had also been compromised.

I don't think so - name - yes, picked up from the net along with other identifying information, but not the password.

As I understand it, one basically invokes a password reset and the reset info is sent via SMS to the now swapped account.
Because I read (and this is just one example of many of these cases) once that happens, the account holder is locked out of their own accounts.
There are probably a bunch of variations of the SIM swap fraud - the issue that was really the subject of this thread was the fact that Apple does not offer an option to delete 2FA once activated. I still don't understand the rationale for that.

I wonder if that is also the case for other companies - I rather doubt it.

BTW - This is not just a Canadian issue, the FBI warned against this last year citing cases from years before:
FBI warns about attacks that bypass multi-factor authentication (MFA) | ZDNet