They haven't learned any lesson, either. Their advice after this? Turn your laptop off when you're not using it (useless) and use Google Voice for 2FA. This is worse than useless; this is actively bad advice and you should not follow it.
The average user should install 1Password and use a TOTP application. Anyone can learn to do that, and it's really all you need. More advanced users, those with particularly extreme security needs, and pedantic nerds can use YubiKeys, hardware wallets, self-hosted password vaults, PGP-encrypted backup codes, and other measures that are worth considering, but aren't as approachable for everyone.
I don't recommend using its browser add-on though, so this only fixes your case if you have two (or more) devices to use that will be active at the same time, so that any one (all but one) can die.
Also, have multiple forms of 2FA (as in any one may be used) such as a FIDO key or printed codes.
I use one of these https://www.yubico.com/product/security-key-by-yubico/
The keys are generated by the service and you must make a note of them ahead of time. And keep them secure obviously. You get about 10 possible keys from GitHub iirc.
Also, some services (Google, Apple) allow you to perform 2FA over multiple options like one of TOTP, phone call, SMS or other device interaction (in Apple's case).
So if the device gets bricked, find a cheap replacement and Bob's your auntie.
Some apps also let you export the token (but definitely not Google Authenticator, that app's data doesn't even get backed up).
So I keep a spare phone at home in my safe with Google Auth set up. Just in case my primary is lost or stolen.
Your comment doesn't add any value to uncovering the root of the issue and just blames the author without having the full picture.
> The author clearly wasn't using many security precautions prior to being compromised ...
Just because I don't mention the exact security precautions I use in the article doesn't mean that I don't actually use them.
I spent 12+ years in tech. And started off my career by specialising in networks and security. And all my life I exhibited as much confidence as you do in your comment.
The moral of the story is that if you are in tech, a security professional, or work in crypto - don't take your security for granted. No matter where you are in your career, what your salary is, or how many people report to you. Take time annually, bi-annually, or quarterly to review your online security. Especially if you've been on the internet since the 90s. You might not even remember the websites you've signed up to and the emails you have.
> So, what does this say about Apple security?
If you can explain how the Apple 2FA call was bypassed, that would be helpful. What wasn't mentioned in the article is that I spoke with two Senior Advisors from Apple and they haven't been taking this very seriously, to say the least. "Consider reinstalling the OS" and suggestions of that kind. It's an obvious next step to take, but it doesn't answer the question of how 2FA was breached. Reinstalling the OS or taking any other common measures in such sophisticated incidents doesn't prevent similar future incidents.
It can be anyone of course, but after briefly looking into you and what you said about everything I have a weird suspicion.
Have you ever knowingly talked with someone or talked about maybe a site you were competing with at one point, whether recently or years ago, just at all? Especially related to crypto, because I see too many similarities with something I was researching through a lot recently and found exciting info, to say the least.
Anyway, good luck with the investigation. Be cautious that your other devices are not infected with something crazy.
Cheap laptop might not have redundancy, so if your SSD dies, you might be in for a rough ride. Best case, you can recover your wallet, worst case you're SOL.
The problem here is the weakest link, which I imagine is the recovery email assigned to his Google account (i.e. probably the Yahoo account). That was likely compromised because of the phone/SMS-based 2FA.
That has nothing to do with Google, as users should be aware of the security of their recovery emails.
There is no sign that the attacker had a keylogger on the user's laptops, for extracting passwords. If they did, they wouldn't have needed to do account recovery on all these accounts. So the master password of a traditional password manager would not have been compromised.
Storing passwords in the same account creates a single point of failure. If I get into your Gmail account I have total control of everything.
Third party stores separate passwords from logins, including for the email account itself.
Now I cannot get complete control of all your accounts just via your Gmail/logins account. At best I can control them for a short period of time. Which means I maybe get your Skype account for a day or so.
It's all about making it harder for an attacker to get something valuable. The harder you make it the less likely they are to succeed.
Because the login accounts and passwords are separated an attacker has to do more work basically.
Addendum: the single point of failure actually becomes the third party password store. Which is good in some respects and bad in others.
Addendum 2: also, iirc, Google stuff doesn't ask if you want to create a password for the account, only if you want to store it. Which encourages password reuse.
Password managers often have the ability to generate a random password up to the maximum allowed length, meaning no account passwords are ever the same and they are harder to crack.
Furthermore some of them can automatically update your passwords for you if they've become stale.
So all I have to do is remember (and regularly change) my one super strong pass phrase for the password manager.
New logins to iCloud etc. always pop up on my MacBook / iPhone with a map image showing me where the request came from and asking if I want to allow it; only then can I get the code.
No idea what this article is on about.
The Apple 2fa model is built around trusted devices - essentially turning each trusted device into a yubikey style hardware 2fa dongle.
Verification prompts also include gps level “this is where the request is coming from”. So the attacker needs to know your exact location when they’re going after you.
Can someone explain how Telegram 2FA, Yahoo 2FA and Apple 2FA were bypassed?
Especially Apple 2FA - I received a 2FA call from Apple, picked it up, and the attacker logged in right after.
Please note, this was not a (typical) SIM swap. I was still receiving SMS and calls during the attack.
p.s. thanks for all the comments!
Very likely a SIM swap attack:
"A SIM swap scam is a type of account takeover fraud that generally targets a weakness in two-factor authentication and two-step verification in which the second factor or step is a text message or call placed to a mobile telephone." [1]
If someone has a better explanation, that would be great.
A quick search online suggests that this is a Chinese app.
Nobody is perfect.
Every system has known or unknown vulnerabilities.
We need to be building systems that are forgiving of errors, and store important data redundantly.
I've been wondering a lot about how to truly secure an identity. Is there a way to have a meaningful and secure digital life if all your devices could be compromised and your memory is not perfect? I wouldn't want to trust my entire economic life to any single point of failure.
I stopped using Chrome but now realize I never thought to check into what it has saved for me. I’ll have to check into that and erase it all if I can.