The gp proposes a different "private identification string" that's not public. Public IDs such as "email address" or "phone number" are susceptible to what this article is talking about.
> On the official Apple reset form, the "phone number" is one of the id options the hackers can use to MFA bomb the target
Funny thing is you cannot set a passphrase or equivalent recovery code unless you have an apple device. So users who have an apple account for development purposes (I hate apple device UX and wont ever use anything apple again other than to approve releases and manage certificates) and have no apple products are cursed to use ones phone number.
I used to be hardcore about stuff like this, but as I grew older I guess I gave up some of my morality and bought things like $150 iphone # and moved on with life if it was making me $$$.
Given that the gp was talking about victims being "SIM swapped", I strongly suspect he's referring to the classic sim swap attack where you sim swap, then use the newly registered sim to receive a password reset code. If it just involves discovering your phone number, you wouldn't need to sim swap at all.
>The gp proposes a different "private identification string" that's not public. Public IDs such as "email address" or "phone number" are susceptible to what this article is talking about.
This is a non-starter for the general public. If they can barely remember their password what are the chances they'll remember a "private identification string" or whatever?
That is not true. Please read article, he even bought new phone, and this did not stop attack, because of same phone number.
I woul not even call this MFA attack, as they did not need his password. It is more like recovery password attack.
TFA talks specifically about a victim buying a brand new phone, registering a new appleid, and getting MFA bombed immediately when putting in his old SIM...
> and getting MFA bombed immediately when putting in his old SIM...
I think it’s technically unrelated to the SIM, but rather to create the new Apple ID he used his existing (compromised, lol) phone number for “verification” or something. Which is weird in a way because then Apple must allow multiple accounts per phone number?
On the official Apple reset form, the "phone number" is one of the id options the hackers can use to MFA bomb the target:
https://iforgot.apple.com/password/verify/appleid
The gp proposes a different "private identification string" that's not public. Public IDs such as "email address" or "phone number" are susceptible to what this article is talking about.