Many people love Apple’s iPhones, iPads or Macs, and they pay a lot of money to enjoy these products, to store important data on them (notes, text conversations, photos etc.). Apple knows how important these digital memories are, and it’s no secret that hackers are targeting VIPs or rich people who usually make online transactions, and in some cases, they manage to steal large sums of money, besides private photos or other delicate content. The two-factor authentication (2FA) system was supposed to be a secure one, but since it doesn’t apply to Find My iPhone service, hackers are able to remotely lock and wipe any Apple device, by cracking users’ iCloud account passwords.
2FA was introduced in 2015 and it added another of protection to users’ iCloud accounts. When logging into their iCloud accounts for the first time, users receive a one-time code on their iPhones, alongside the password which, even if they are cracked, they are no use to hackers, because they need the code.
Two weeks ago, a University of Waterloo cryptography and security student named Kapil Haresh was busy ding a cryptography assignment when, out of the sudden, he received this message on his iPhone: “Hey why did you lock my iPhone haha. Call me at (123) 456–7890.”
He realized that his Apple ID has been hacked and someone was trying to remotely wipe his device via the Find My iPhone service. The attack was a failure because he immediately took his iPhone offline, so the attacker didn’t have time to issue more remote wipe requests.
Haresh logged back into his iCloud account and he noticed that there were pending erase requests for his iPhone and for his Mac, and he cancelled them. He did the right thing and he prevented a catastrophe, because otherwise, he would have lost all data on both devices. The good thing about 2FA authentication is that when users lose their iPhones and want to log into their iCloud accounts, the code will be sent to that lost device and the person who finds it can’t unlock the iPhone and have access to that code.
Haresh suggests that security question authentications should be built-in to the Find My iPhone service, because this way, it will provide another level of protection.