undefined | Better HN

0 pointsjasode1y ago0 comments

>phone numbers.

On the official Apple reset form, the "phone number" is one of the id options the hackers can use to MFA bomb the target:

https://iforgot.apple.com/password/verify/appleid

The gp proposes a different "private identification string" that's not public. Public IDs such as "email address" or "phone number" are susceptible to what this article is talking about.

0 comments

consp1y ago

> On the official Apple reset form, the "phone number" is one of the id options the hackers can use to MFA bomb the target

Funny thing is you cannot set a passphrase or equivalent recovery code unless you have an apple device. So users who have an apple account for development purposes (I hate apple device UX and wont ever use anything apple again other than to approve releases and manage certificates) and have no apple products are cursed to use ones phone number.

EasyMark1y ago

I used to be hardcore about stuff like this, but as I grew older I guess I gave up some of my morality and bought things like $150 iphone # and moved on with life if it was making me $$$.

gruez1y ago

Given that the gp was talking about victims being "SIM swapped", I strongly suspect he's referring to the classic sim swap attack where you sim swap, then use the newly registered sim to receive a password reset code. If it just involves discovering your phone number, you wouldn't need to sim swap at all.

>The gp proposes a different "private identification string" that's not public. Public IDs such as "email address" or "phone number" are susceptible to what this article is talking about.

This is a non-starter for the general public. If they can barely remember their password what are the chances they'll remember a "private identification string" or whatever?

xamarin1y ago

Yes, like password :)

j / k navigate · click thread line to collapse