by xrayarx 1198 days ago
There is a sophisticated scam targeting Apple iPhone users that starts with stealing the phone and ends with draining all financial accounts. There are hundreds of cases with damage in the five digits, and Apple doesn't care.

The remediations recommended are:

  - alphanumeric passcode
  - different passcodes for financial apps
  - not using the native password manager
  - not storing credentials for financial apps in any password manager
  - if you have to enter the code, do not do so in public, or hide it

How an alphanumeric code helps defeat these adversaries is beyond me, because the video describes the attackers recording the code from over the shoulder.

Why MFA or tokens are not recommended, I do not know.


There was a thread yesterday where someone suggested using a Screen Time PIN, different from the device PIN, and disabling access to iCloud settings as a potential way to protect yourself too.
Where was that? Might be interesting
What would you like Apple to do?
I'd say real MFA, so buy an iPhone and get at least two tokens for free.

Immediately deliver a software update that remedies the various steps in the attack.

The victims lose all iCloud data, including all photos of sometimes ten years or more. There needs to be another layer to protect backups.

Have two PINs, like with SIM cards with a PIN and PUK. Should actually be something that Apple should have thought of from the get-go.

Not letting banking or TOTP apps work, or showing validation SMS codes, without biometric unlocking, even if you type in the password or PIN.

I wouldn't mind it a bit if biometric Face ID triggered every time I need to read a validation SMS or use a security-sensitive app, even if the phone is unlocked.

Time-lock important changes like biometric info or anything that may result in an account takeover.

Add a time delay to the password reset feature, and notify all other devices that a password reset was attempted.
Not allow resetting from a device with only the PIN?

Also don’t allow the PIN for some operations (or let you disable this). E.g. for viewing passwords or other sensitive operations besides login, it’d be safer for me to not allow PIN access and only Face ID.

Don’t allow PIN as a valid login for password managers or Apple ID changes?