Even if you have the strongest password on planet Earth, it’s still possible to get screwed if you fall for a phishing attack – or, in other words, by typing your credentials into a scam website. And it doesn't matter which operating system you’re using – mobile or desktop – if you give out your password, it's like handing over the keys to your house with a clear instruction: “Take what you want.”
After pointing out the potential privacy risks that iOS users are exposed to, security researcher Felix Krause is seeking to draw attention of both users and Apple to a potential security threat that more than a billion iOS users could be a target of. He's doing so with a published proof-of-concept (POC), which highlights how hackers can replicate the familiar prompts that iOS users are used to seeing.
According to Krause, getting a user's Apple ID password has never been easier. To those who may be unaware, Apple users have at least one credit card or PayPal account connected to their Apple ID, so giving out the password would mean hackers could get access to financial information.
Why Are We Giving Out Our Passwords?
As Krause points out, half-jokingly, if you want a password, “just ask your users politely, they'll probably just hand over their credentials, as they're trained to do so.” That's because iPhone or iPad owners are so used to typing in their passwords: whenever iOS prompts them for their Apple ID password, they simply enter it.
Just think about the older versions of iOS (not the currently available iOS 11), when a password was required to confirm a purchase, initiate a download, and more. Now things have changed slightly, especially with the introduction of biometric authentication.
Still, from time to time this prompt will appear, and if you don't pay attention to when and how it appears, you may well end up the victim of a scam because hackers can easily replicate the otherwise legitimate prompt that Apple displays.
How to Protect Yourself
Every unsolicited prompt for your password should raise a red flag and make users suspicious about its origins. That's the golden rule to follow to avoid phishing scams, and this one is no exception. To verify the validity of the password prompt, iOS users should hit the home button to close the app.
- If the app closes and the password prompt disappears, you should know that this was a phishing attack.
- If the prompt and the app are still visible after pushing the home button, you can be sure that this is a legitimate dialog box created by iOS. It won't disappear, since it runs on a separate process and is not part of any app.
- If the prompt is legitimate you can enter the password, but still Krause recommends hitting “Cancel”, then opening the Settings app and looking for iTunes and App Store, then entering the password when prompted.
How to Protect Yourself from Other Phishing Attacks
It's not news that scammers will try to get a user's credentials through various methods: fake emails, pop-up ads, text messages, and even phone calls. What you should know, though, is that Apple will never ask for your Apple ID password or temporary verification codes – if two-factor authentication or two-step verification is enabled – to provide support. In a support page dedicated to the topic of phishing scams Apple gives various pieces of advice to help users identify such attacks.
Still, if you think your Apple ID has been compromised, the first step you should take is to change the password immediately and, most importantly, activate two-factor authentication (2FA). That's different to two-step verification, and you should know why.
Apple strongly recommends reporting suspicious emails, and users can do that simply by forwarding the message to the company complete with its header information. It has different email addresses for spam or other suspicious emails received in iCloud.com, me.com, or mac.com inboxes, as well as suspicious messages received via iMessage.
We recommend the following: use a strong password to protect your Apple ID along with 2FA, and don't let scammers catch you off guard. Keep an eye on all your received emails for anything suspicious, and identify the signs of phishing scams.
Best Password Managers of 2019
|Editor's Choice 2019|