How a flaw in iPhone’s security could leave you locked out

There’s a common misconception that Apple products come with more security than Android. Whatever side of the argument you’re on, don’t let that idea prevent you from keeping your guard up. There’s a new scam out there going after iPhone users, and if you’re unprepared, you might find yourself permanently locked out.


What is the “push bombing”/“MFA fatigue” scam?

If you suddenly see a “Reset Password” notification on your iPhone screen that only gives you the option to tap “Allow” or “Don’t Allow”, you may be a victim of this latest “push bombing” scam. Scammers have reportedly found a way to exploit a new bug on Apple’s side (though it’s not entirely clear whether the bug is the cause).

If you see this notification and tap “Don’t Allow” (as you should), it only prompts more of these notifications to pop up, much like the annoying pop-up window attacks we used to get back in the day. As you frantically tap “Don’t Allow” over and over again, your finger could slip and hit “Allow”. If you do tap “Allow”, the scammers are given access to your Apple account, and you can be permanently locked out of your phone.
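The throttle a verification service can put in front of this kind of push bombing, as an added illustration that is not from the article or from Apple: it caps how many password-reset prompts one account can receive inside a sliding window, suppresses the rest, and flags the account for review. The account names, timestamps, limit and window are constructed for the example.

```python
from collections import deque
from datetime import datetime, timedelta

# Constructed sample: password-reset prompt requests as the service that sends
# the push notification might log them (account names and times are made up).
SAMPLE_EVENTS = [
    ("alice@example.com", "2024-03-26T08:00:00"),  # first request, delivered
    ("alice@example.com", "2024-03-26T08:00:05"),
    ("alice@example.com", "2024-03-26T08:00:10"),
    ("alice@example.com", "2024-03-26T08:00:15"),  # 4th inside window: suppressed
    ("alice@example.com", "2024-03-26T08:00:20"),  # suppressed
    ("bob@example.com", "2024-03-26T08:01:00"),    # unrelated account, delivered
    ("alice@example.com", "2024-03-26T08:15:00"),  # window has passed, delivered
]


class ResetPromptThrottle:
    """Deliver at most `limit` reset prompts per account within `window`.
    Prompts beyond the limit are suppressed (the user never sees them) and
    the account is flagged so an operator can investigate the burst."""

    def __init__(self, limit=3, window=timedelta(minutes=10)):
        self.limit = limit
        self.window = window
        self._recent = {}      # account -> deque of delivery timestamps
        self.flagged = set()   # accounts that hit the limit at least once

    def admit(self, account, ts):
        """Return True if the prompt may be delivered, False if suppressed."""
        q = self._recent.setdefault(account, deque())
        # Drop deliveries older than the window (sliding window).
        while q and ts - q[0] > self.window:
            q.popleft()
        if len(q) >= self.limit:
            self.flagged.add(account)
            return False
        q.append(ts)
        return True


def replay(events, limit=3, window=timedelta(minutes=10)):
    """Run the throttle over (account, ISO timestamp) events.
    Returns (delivered events, sorted list of flagged accounts)."""
    throttle = ResetPromptThrottle(limit, window)
    delivered = [(acct, iso) for acct, iso in events
                 if throttle.admit(acct, datetime.fromisoformat(iso))]
    return delivered, sorted(throttle.flagged)
```

With the sample above, the user sees only the first three prompts plus the one sent after the window has elapsed; the two extra prompts in the burst are dropped and the account is flagged.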

Credit: Krebs On Security


Warnings if you’re in the Apple ecosystem

This scam isn’t stopping at your iPhone. If you’re dedicated to the Apple ecosystem, it’s important to note that users have reported experiencing this scam on their other Apple devices, even their Apple Watch.

Not only that, but one user reported that after tapping “Don’t Allow” over and over again until the notifications eventually went away, the scammers actually called his iPhone in a further attempt to catch him. Generally, Apple Support won’t call you out of nowhere.


Credit: Krebs On Security


Apple’s response to the ‘reset password’ notification scam

Apple acknowledges the issue and is actively addressing it. A spokesperson for the company tells us:

“We are aware of reports that a small number of iPhone users are receiving a high volume of alerts asking if they are attempting to reset their password and have taken steps to address the reported issue.”

How to outsmart this scam and protect yourself

If you do happen to be targeted by this attack, it’s of the utmost importance that you don’t tap “Allow” on any of these password reset notifications. Dismissing them one after another will take a while, but they will go away.

If you give up and tap “Allow”, it will give the hackers behind this campaign complete control over your Apple account. So don’t tap “Allow”, whatever you do. If you need help, you can always reach out to Apple by logging on here.


What to do if the prompts persist

If the prompts persist, temporarily change the phone number associated with your Apple ID. Keep in mind that this may affect iMessage and FaceTime functionality.


Watch out for scammers posing as Apple support

If you manage to eliminate the notifications and then get a call from someone claiming to be from Apple Support, it is most likely the scammers. Just hang up. Whatever you do, don’t give them any information. If you gave out any personal information, such as a Social Security number, follow the steps at IdentityTheft.gov. You’ll be able to file a report there, and the website will help you build a recovery plan and walk you through each step of getting your identity back. You can also call Apple directly at 800.275.2273 (in the US) to verify any communication.


Reporting scam phone calls

You can report scam phone calls to the Federal Trade Commission at reportfraud.ftc.gov or to your local law enforcement agency.


Is turning on ‘Apple Recovery Key’ a solution?

According to Krebs on Security, genuine Apple Support staff suggested turning on Apple Recovery Key to stop the notifications, but when one of the victims tried it, the prompts did not stop. Stay tuned to Apple Support’s page for updates.


Safeguarding your Apple account

When setting up an Apple account, it’s common knowledge that a phone number is required. However, once the account is established, this phone number doesn’t necessarily have to be a mobile one. Apple accepts VoIP numbers (such as Google Voice) as valid alternatives. Therefore, one potential mitigation strategy is to change your account phone number to a lesser-known VoIP number.

Important Note: If you opt for a VoIP number, be aware that Apple’s iMessage and FaceTime applications will be disabled for that device unless you also include a real mobile number.

Additionally, Apple’s password reset system accepts email aliases. By appending a “+” character after the username portion of your email address and adding a site-specific tag (e.g., cyberguy+example@use.startmail.com), you can create an unlimited number of unique email addresses that all deliver to the same mailbox. This technique also makes it easier to organize and track incoming emails.

Tip: When choosing an alias, consider using something less obvious than “+apple” to enhance security and privacy.


Kurt’s key takeaways

Security is a never-ending game of cat and mouse, and no device is ever truly invincible. Apple’s on the case, but until a fix is here, vigilance is key. If you are bombarded with “Reset Password” prompts, stay calm, resist tapping “Allow” at all costs, and patiently dismiss each notification. Also, be sure to stay updated on Apple’s progress toward a permanent solution. By following these steps, you can outsmart this scam and keep your Apple ecosystem safe.

Do you think companies like Apple should be held more accountable for security vulnerabilities? Why or why not? Let us know in the comments below.





4 comments

Angie M, March 31, 2024 - 7:03 am

Tech companies should definitely be held accountable for keeping their devices safe. If a hacker-proof device cannot be made, tech companies need to rethink the whole system. Is there a way to deliver without using the WWW? Don’t ask for personal info that you cannot keep secure.

A.B., April 1, 2024 - 9:05 am

No matter how hard they try, hackers love nothing better than a challenge. As long as they’re vigilant about security breaches, I’m okay with their efforts.

Sue G, April 2, 2024 - 4:16 am

Tech companies (particularly iPhone) should absolutely be responsible for the breaches. Part of that $1000+ that people pay for iPhones should be security. It is iPhone who promotes the security of their phones.

N. D., September 23, 2024 - 1:04 am

This exact thing happened Oct 2023 to my MacBook Pro, my iPhone and my iPad. At some point my iPad had rain music and I could not power it off. After being on the phone for hours the entire month, I had to tell Apple they must realize something is wrong for all 3 of my devices to act up. A Supervisor stated “They/Apple are not allowed to take responsibility”. 1 yr later, my phone # was stolen, along with all of my apps on the phone, including the MFA authenticator app which had my passwords. The problem is that the tech companies are only putting “band-aids” on the problem while they continue to come out w/ patches or the latest tech. It’s only going to get worse.