How to Remove iCloud by Playing Around 2FA with Social Engineering


[Screenshot: iCloud, playing around 2FA and social engineering]

First of all, this is about removing iCloud by playing around 2FA with social engineering.

In this screenshot, the sender asks for the phone number associated with the Apple ID account and also asks the recipient to send him the SMS code needed to reset the Apple ID password.

He was trying to log in to an old account with 2FA enabled and didn’t know the old number was still associated with that account.

Customer service was already closed, so I decided to craft a phishing SMS to see if I could get the code.

Here’s an example of getting around iOS 2FA with social engineering.


The real problem isn’t the weakness of SMS.
Instead of SMS, you could use a pre-printed list of one-time passwords
securely delivered to you, and it would have the same problem.

The problem is that the authentication isn’t performed
by two factors (something you know and something you have) but by two
steps, both relying on the same factor, something you know, merely obtained by different means.
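To make the distinction above concrete, here is an added Python model (not from the original post) of the two kinds of second step: a texted code that the server accepts from whoever presents it, and a device-held secret that signs the server's challenge together with the site the device is actually talking to, in the manner of origin-bound challenge-response. The two origins are assumed placeholders.

```python
import hashlib
import hmac
import secrets

REAL_ORIGIN = "https://account.example"       # assumed placeholder: the real login site
LOOKALIKE_ORIGIN = "https://acc0unt.example"  # assumed placeholder: any other site

class CodeVerifier:
    """Two-step login: server texts a code and accepts it from whoever types it."""
    def __init__(self):
        self.pending = {}
    def send_code(self, user):
        self.pending[user] = f"{secrets.randbelow(10**6):06d}"
        return self.pending[user]             # in reality delivered by SMS
    def verify(self, user, presented):
        expected = self.pending.pop(user, None)
        return expected is not None and hmac.compare_digest(expected, presented)

class Device:
    """Possession factor: a secret that never leaves the device and signs the
    challenge together with the origin the device is actually talking to."""
    def __init__(self):
        self.secret = secrets.token_bytes(32)
    def sign(self, origin, challenge):
        return hmac.new(self.secret, origin.encode() + b"|" + challenge, hashlib.sha256).digest()

class ChallengeVerifier:
    def __init__(self, device):
        self.device = device                  # stands in for the key registered at enrollment
        self.pending = {}
    def challenge(self, user):
        self.pending[user] = secrets.token_bytes(16)
        return self.pending[user]
    def verify(self, user, response):
        c = self.pending.pop(user, None)
        return c is not None and hmac.compare_digest(self.device.sign(REAL_ORIGIN, c), response)

def relayed_code_accepted():
    server = CodeVerifier()
    code = server.send_code("victim")        # lands on the victim's phone
    return server.verify("victim", code)     # read out and retyped by anyone: accepted

def signature_accepted(origin_seen_by_device):
    device = Device()
    server = ChallengeVerifier(device)
    c = server.challenge("victim")           # real challenge; a relay can pass it on unchanged
    response = device.sign(origin_seen_by_device, c)  # device answers for the site it sees
    return server.verify("victim", response) # accepted only if that site was REAL_ORIGIN
```

The code path succeeds no matter who types the digits, while the signed response only verifies when the device was talking to the real origin, which is what makes the second factor genuinely "something you have".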

However, as you can see in the picture, there was no way for the recipient to know whether the sender was who he claimed to be. It could have been someone breaking into one of the recipient's accounts, and he or she would not have known anyway.

In theory, this social-engineering method should not work against the major accounts (iCloud, Apple ID, Facebook, Google, Twitter, etc.), since their messages usually identify the sender and the victim would realize.
