raveenjain

Q: Two Factor Authentication – A Huge Risk & Insecure

  • I bought an Apple iPad Pro at the Apple Store and I logged in with my Apple ID at the store.
  • I did not have my other registered device, which was an iPhone, with me while I was travelling in the USA.
  • It asked me for a verification code sent to my other device, but since I did not have access to it, I could not enter it.
  • A couple of minutes later I got an email from Apple saying that my registered other device phone number had been changed.
  • A few minutes later I got another email that my date of birth had been changed.
  • I tried logging in through the web, but it would ask me for the verification code or the new other device phone number. But since this had changed, there was no way it would let me go through.


I logged a case with Apple support but they claimed that they were unable to help and I would need to provide the changed phone number or else they could not verify my identity.

On coming back to India I saw another device added to Find My iPhone under the name Ayaan ****. I am worried because this hacker would now be accessing all my phone data, my iCloud data and could also be using my credit card associated with the Apple ID. I logged another case with Apple support when I came back to India a few days later and again they could not do anything in the absence of the new phone number. I put an Erase on this other device of Ayaan **** through the Find My iPhone app. Apple would not help at all.


When I try logging in with my Apple ID, it lets me go through the first step if I use my original password and then it asks me for the verification code. If I put in an incorrect password it would not let me proceed, saying incorrect password.

I still have access to the email associated with the Apple ID and the credit card details associated with the Apple ID are still mine. I argued that my email and my credit card would be a more secure way of verifying my ID because they are more secure than a phone device. Apple insists that the only way they can verify my identity is if I give them the other device phone number. It is crazy that my ID verification is restricted to a mere device that can be lost or stolen and accessed by almost anybody. And in case I happen to lose this, all my personal / business data and my finances are at risk of being used by a hacker.

  • It is very surprising that the hacking happened from an Apple Store, which would mean their network is compromised.
  • The hacker changed the phone number – which means that the Two Factor Authentication is not as secure and has loopholes.
  • The Apple ID is solely dependent on the other device, which is the least secure device as it can be stolen, lost or accessed by anybody when left alone for a few moments.
  • Apple needs to add email security also to its Apple ID authentication. Emails are not mobile and would be more secure.

I have lost complete trust in the Apple Two Factor Authentication and would appreciate any help to recover my Apple ID.


<Personal Information Edited by Host>

iPad Pro, iOS 9.3.2

Posted on May 26, 2016 10:46 AM

  • by LACAllen (Level 5, 4,884 points, iCloud)

    May 27, 2016 12:01 AM in response to raveenjain

    Gail points out the only option available to you right now.

    FYI, the SIM of your phone holds nothing in terms of Apple security. All the encryption for the security is in the device itself. You can change carriers and still have 2FA on your Apple ID.

    That's why a thief or dishonest person can't simply jack your phone, put in their own SIM and have a functioning device. They would have to know your password to get past the activation lock. And your passcode to open the device. Although the passcode can be removed, the activation lock can't.

  • by raveenjain (Level 1, 4 points)

    May 27, 2016 12:44 AM in response to LACAllen

    Account recovery does not work, because it asks me for the trusted phone number and that has been changed to the hacker's number. So I guess no solution.

    The other phone shows on Find My iPhone and I have put an Erase on it. I hope when it gets erased it might work then.

  • by Michael Black (Level 7, 24,472 points)

    May 27, 2016 5:24 AM in response to raveenjain

    raveenjain wrote:

    What you say is correct. You need the applied password and the verification code both. That is what is baffling me !!

    My Apple ID password was an extra strong password and I have not shared it with anybody. Since I was travelling to the USA, my iPhone had the US SIM in the phone and the Indian SIM was in my possession, but not in the phone.

    Common sense says it is not possible, but it happened. So there must be a bug. Since it happened the moment I logged in, and that even after a few days' gap, it had to be an instantaneous thing and not planned. Maybe the carrier delivered to another device just as you have wrong-number calls.

    The issue is not just this, but how do I reclaim my ID. I was highlighting that a mobile device is not a secure device for 2 factor verification. An email ID would be more secure but not easily accessible as a mobile device. Apple does not accept an email verification.

    Earlier you said you did not have the other iPhone with you?  Now you say you had your iPhone but the SIM was not in it?  Was there another trusted device back in India and out of your control or not?

    I don't think there is a bug at all. I think someone simply knows your password. Everything you have posted, and assuming the token was somehow actually illegally or unintentionally intercepted, could not have happened at all without someone else knowing your password.  That is the whole point of two step systems - someone in possession of just one part is barred from the account. Only someone with both token AND password can get in and change or do anything at all to your account.

    At this point all you can do is call Apple, ask for account services and see if they can help you regain control of your account.

  • by LACAllen (Level 5, 4,884 points, iCloud)

    May 27, 2016 5:36 AM in response to Michael Black

    You can't even sign in to the communities here without a verification code when using 2FA.

    There could have been browsers that were verified back home. Anywhere the Apple ID is used has to get verified.

  • by Michael Black (Level 7, 24,472 points)

    May 27, 2016 6:31 AM in response to LACAllen

    I know.  I've been using 2 Step Verification for years, long before the 2 Factor Authentication system came into being and am more than passingly familiar with both systems.  I'm not saying the OP's account was not compromised, just that their explanation of how it occurred is difficult for me to swallow.  Something is either missing from this story, or is not being explained fully or clearly.

    I also use 2-step systems with my banking and investment apps and accounts, my Google accounts and anything that offers it. These systems are all similar and use similar features and systems. And they are universally far more secure and reliable than any password-only security system.

  • by gail from maine (Level 7, 26,134 points, iCloud)

    May 27, 2016 6:35 AM in response to raveenjain

    What is the phone number on the physical device that you have in your hands? That is the number you need to provide for the recovery. Or, if you have a different device that can receive text messages or a phone call, use that number. The instructions are very specific, and have nothing to do with the Trusted device that is on file:

    Follow these steps to begin the account recovery process:

    1. Choose Request Account Recovery.
    2. Provide a number where you can receive a text message or phone call when your account is ready for recovery.
    3. Enter the verification code we send to that number to verify the information is correct and you have access.

    You might be asked to verify other account information to help shorten your recovery period. After you verify your phone number, you'll see a confirmation that your request has been received and you'll be contacted when your account is ready for recovery.

    GB

  • by Tech198 (Level 1, 48 points, Apple Pay)

    May 27, 2016 7:25 AM in response to raveenjain

    You lost your password..... how can someone else change your phone number who had access to just your phone only?  They need BOTH.

    If someone has both, then all bets are off. It's the user's blame only. If you phone up Apple, they will tell you the same thing.
