Removing iCloud, playing around 2FA and social engineering. The sender in this screenshot asks the phone number associated with the Apple ID account to send him the SMS code to reset the Apple ID password. He was trying to log in to an old account with 2FA enabled and he didn't know the old number was still associated with that account. Customer service was already closed and decided to craft a phishing SMS to see if I could get the code.
The real problem isn't the weakness of SMS. Instead of SMS, you could use a pre-printed list of one-time passwords securely delivered to you and it would have the same problem.
The problem is that the authentication isn't performed by two factors (something you know and something you have) but by two steps, both involving the same factor, something you know, just obtained by different means.
However, as you can see in the picture, there was no way for that person to know whether or not he was who he was claiming to be. It could have been someone hacking into one of his/her accounts and he/she would not have known anyway.
Theoretically, this social method will not work for the most major accounts (iCloud, Apple ID, FB, Google, Twitter etc.) as they usually identify themselves and the victim would realize.