iPhone password reset attacks are real – how to protect yourself
We’re hearing more and more about password reset attacks being used to target Apple iPhone users.
As Mashable reported last month, hackers are attacking iPhones via a method that inundates them with password reset prompts. These hacking campaigns have also been called MFA (multi-factor authentication) bombing or fatigue attacks.
These attacks aren’t new. Reports about them online have been shared for a few years now. However, based on online discussions around them, there seems to be an uptick in cases now.
Basically, in this attack, an iPhone user is asked through dozens of notification pop-ups to reset their Apple ID password. As X user @parth220 shared in his retelling of being the target of this attack, this renders a user’s iPhone inoperable — unless the user chooses the “Don’t Allow” option for every reset password notification.
The attack takes it up a notch in the next step. The hacker then spoofs an official Apple phone number and calls the target about the password issue, presenting themself as an Apple employee. According to KrebsonSecurity, individuals impacted by the attack report that the malicious actor possesses personal data gleaned from the web about the target, enabling them to construct a persuasive facade as a genuine Apple employee. The hacker then attempts to use that trust to gain access to the target’s phone and its data remotely.
However, iPhone users don’t have to fall for this. A few outlets, such as 9to5Mac, have now put out guides on how to avoid being a successful target of a MFA bombing attack.
And here’s Mashable’s guide to making sure you avoid being a victim of the password reset attack.
Avoid the iPhone password reset attack
Don’t trust outbound calls
This is an extremely important rule — and it is a tried-and-tested method to avoid getting hacked or scammed in a multitude of different attacks.
In this particular attack, the phone call from someone claiming to work at Apple is a key component to scamming their target. But take a moment to think about this. Why would Apple call you? When has Apple ever called you before on their own when you are going through real, legit technical difficulties? Never! Apple doesn’t make outbound calls to users without an Apple customer calling them first and requesting a callback.
As a rule of thumb, don’t trust a call you receive claiming to be from a company, even if the number checks out because that can be spoofed. If you’re worried about it being legit, hang up on the call you received, go to the company’s website, and call their official number back. That way, because you initiated the call, you know you are actually connected to the real company’s official number. Next, you can ask about your issue and check if they actually called you first. Very often you’ll find out that they did not.
With so many scam calls, the best way to be safe is to just not answer a call from a number you’re not familiar with. Let them leave a message if it’s that important. Then, if they say they are from Apple in the voicemail, you can just directly call Apple’s official phone number yourself to check on the supposed issue.
‘Don’t allow’ the password reset option
The password reset prompts are, at the same time, annoying and convincing. These are the same official system notifications you receive for legitimate issues.
But don’t be fooled. There’s a bad actor trying to use these prompts to gain access to your device. Click “Don’t Allow” each and every time.
Eventually, the attacker will give up.
Change your Apple ID phone number
As 9to5Mac points out, users can also change the phone number connected to their Apple ID, which will stop these notifications.
This should really be a last resort as this will mess up with your current iPhone settings. For example, you won’t be able to use features such as iMessage or FaceTime until the number is set back.
Ideally, it won’t come to this. Just don’t give these attackers the time of day. If they see that they are wasting their time trying to gain access to your phone, and you aren’t falling for the notifications nor answering their phone calls, they will very likely move on to a new target.