"recent"?
This happened to me and my wife (each starting a few days apart) in 2021, or maybe 2022 but no later. It started with a couple requests a day, then ramped up to every hour or something. IIRC we also both got a couple SMS claiming to be from Apple.
As soon as it ramped up I set up both accounts to use recovery keys, which is a move I had planned anyway on grounds that it should not be in Apple's (or someone coercing/subverting Apple, be it law enforcement or a hacker) power to get access to our accounts. This obviously stopped the attackers dead in their track.
For similar reasons I set up advanced data protection as soon as it was available and disabled web access. Only trusted devices get to see our data, and only trusted devices get to enroll a new device.
I was unsure what this Recovery Key was: https://support.apple.com/en-us/109345
It is kind of scary too — lose the key and no one can get you back in to your account.
That's easy to backup. You can even print it and bury it in a sealed box in the garden or put it in a book or whatever. It depends who you are protecting against.
But you shouldn't ONLY store it in a box or in your house.
That means you're one natural disaster away from losing everything.
As much as it can "weaken" security, an electronic backup is still recommended for most
As much as it can "weaken" security, an electronic backup is still recommended for most
Maybe I'm being dense (probably), but where would you save it?
iCloud? No, that doesn't work - you need the key to access iCloud.
Some other cloud storage service? No, that doesn't work - you need your phone to generate a token for access and your phone was destroyed in the same fire as the paper backup.
Seems like the safe choice is a lock box at a bank or similar. Or a fireproof safe at home.
Engraved onto something like titanium would be better than a fireproof safe - they're only safe for X amount of time (I want to take a stab in the dark and say about 90 minutes?). This is how I have backed up some (since retired) crypto seed phrases in the past.
Where do you keep the titanium plate? I'd be more worried about losing it due to a natural disaster than merely having it destroyed beyond readability in a natural disaster.
What happens if there's a typo in the engraving? Who's doing the engraving? How much do you trust the people you are providing the key to do it? When does the paranoia kick in vs being diligent?
This was at least an innovation in the bitcoin community. Several assemble at home systems where you can build a physical manifestation of a secret. Metal cards you punch with a hammer and nail. Another is essentially a tube where you string along metal letters of the password.
Sure, sounds perfect. Let me send some crypto person that has invested in a home stamping kit the secret to my crypto wallet. At least they won't know what it's for to be able to hijack my wallet. phew. had me nervous that committing the cardinal sin of sharing my secret with someone I don't know isn't going to come back to haunt me.
You assemble it at home? You do not send anyone your secrets.
Also, the idea is simple enough you could DIY your own version with stuff from any hardware store.
You can use a beer can. https://bitcan.world
Personally, I encrypt my backup/recovery/setup keys in a CSV file using a password that I have memorized, and send them to family members to store in their accounts/cloud storage.
But safety deposit boxes are a good choice too, just be careful to balance your own convenience. If you can't easily update your backups, you're really unlikely to include new accounts in them
That also means you can't easily update passwords.
You could put your passwords in 1Password or iCloud Keychain, so you only need to back up those credentials.
What happens if you suffer a TBI and can't remember the password?
I guess you'd have bigger problems at that point.
Perhaps an estate lawyer could be trusted with the information in case you become incapacitated or dead.
Doesn't that just mean that Apple's X character key is protected only by a password presumably of lesser length?
I suppose a phrase works too, and easy to remember.
Get it tattooed on a (normally not seen) part of your body. Like under your hair! ;)
Of course, a code like that can be in multiple places, possibly where it won’t be recognized as such.
And pray you never need to update the passcode!
I'm imagining this spiraled around somebody's upper thigh... "fakePassw0rdo̶n̶e̶t̶w̶o̶t̶h̶r̶e̶e̶four"
Keep one copy in your fire-resistant safe at home. Then encrypt a copy, give the encrypted copy to your best friend and the decryption key to a family member, or keep one of these things in your desk at work. Neither of them have access unless they both figure out what it is and collude with each other, but you have a recovery system in case you lose your own copy.
One possibility is to encrypt a copy with a key that you are pretty sure you can remember, and store that encrypted copy someplace public on the web. Periodically check that you do still remember the key.
The conventional way to do this would be encrypt it with a symmetric cipher keyed from a password or passphrase. I've been using an unconventional approach where the secret you have to memorize is an algorithm rather than a password/phrase. Programmers might find an algorithm easier to memorize than a passphrase.
Here's an example of this general idea. The algorithm is going to be a hash. This one will take a count and a string, and output a hex string. In English the algorithm is:
The recovery code I want to backup is 3FAEAB4D-BA00-4735-8010-ADF45B33B736.I'd pick a count (say 1969) and a string (say "one giant leap for mankind"), actually implement that algorithm, run it on that input and string. That would give me a 512 bit number. I'd take "3FAEAB4D-BA00-4735-8010-ADF45B33B736" and turn it into a number too (by treating at as 36 base 256 digits). I'd xor those two numbers, print the result in hex, and split it into 2 smaller strings so it wouldn't be annoyingly wide.
Then I'd save the input count, input string, and the output:
I'd then delete my code.I could then do a variety of things with the "1969 one giant leap for mankind" and the two hex strings. Put then in my HN description. Include then in a Reddit comment. Put them on Pastebin. Take a screenshot of them and put it on Imgur.
To recover the code from one of those backups, the procedure is to implement the algorithm from above, run it with the count and string from the backup to get the 512 bit hash, take the 512 bits of hex from the backup, xor them, and then treat the bytes of the result as ASCII.
Then delete the implementation of the algorithm. With this approach the algorithm is the secret, so should never exist outside your head except when you are actually making or restoring from backup.
When picking the algorithm take into account the circumstances you might be in when you need to use it for recovery. Since you'd probably only be needing this if something so bad happened that you most of your devices and things like your fireproof safe, you might want to pick an algorithm that does not require a fancy computer setup or software that would not be in a basic operating system installation.
The algorithm from this example just needs a basic Unix-like system that you have shell access to:
You definitely don't need your phone for access. I use Yubico security keys for everything like this. I have several of them that are on all my accounts and I don't keep them in the same place.
Why can't you bury a 2nd box in your friends yard who lives across the country?
Okay, and when your friend moves, and you buried it years ago, so they forgot to dig it up what with everything else going on in their life at moving time?
Never underestimate the security and safety of a hidden piece of paper! If it's good enough for wills for the last 500 years, it's good enough for a password.
A better analogy would be a piece of paper with your username.
Finding somebody’s will doesn’t give you access to any of their data or funds.
I keep one-time keys between pages of some books on my shelf, and a copy in a safe deposit box. I suppose if I were publically known to have tons of money in "crypto" or were a target of a nation-state, this wouldn't be safe enough. But I think it's OK for my gmail and OneDrive, etc.
Such a high risk of being locked out permanently is more than most people can stomach. Why can't they offer a last-resort option like showing up in person at an Apple Store with government-issued photo ID?
Because they aren’t required to by law. I have filed comments with the FTC that this recovery path should be legally mandated for digital accounts, I encourage others to do the same. It doesn’t have to be an Apple Store (insider risk, see SIM swapping analogy); could be USPS or another government identity proofer they partner with. Login.gov uses USPS for in person identity proofing, for example.
Your data and account ownership interest doesn’t disappear because of failure to possess the right sequence of bytes or a string. Can you imagine if your real estate or securities ownership evaporated because you didn't have the right password? Silliness.
This should not be required by law because many people specifically don't want it. I'm content to keep my own redundant copies of a recovery key and suffer the consequences of my own actions, rather than allowing someone to steal my account just because they made a convincing fake ID or hacked some government system. In general centralized identity systems are a single point of failure and hooking more things into them is a bad thing.
Somehow you have to establish that you are the owner of the account, in a way that nobody else can do it. This is very much not a trivial problem, and government IDs don't provide any kind of solution to it.
If you need a driver's license, how do you get a driver's license? With a birth certificate? Okay, how do you get a copy of your birth certificate when you don't have a driver's license?
If there is a path to go from your house burning down and you having zero documents to you having a valid ID again without proving you've memorized or otherwise backed up any kind of secrets, an attacker can do the same thing and get an ID in your name. This is why identity theft is a thing in every system that relies on government ID. Requiring all systems to accept government ID is requiring all systems to be subject to identity theft.
I argue for and advocate that this capability should exist, but not be mandatory. If you do not want to tie your personal identity to your digital identity, certainly, you should be able to not do so and rely solely on a cryptographic primitive, recovery key, or other digital mechanism to govern access of last resort. If your account access is lost forever, it's on you and that was a choice that was made.
This is actually very easy. You can identity proof someone through Stripe Identity [1] for ~$2/transaction. There are of course other private companies who will do this. You bind this identity to the digital identity once, when you have a high identity assurance level (IAL). Account recovery is then trivial.
This is government's problem luckily, not that of private companies who would need to offer account identity bootstrapping. Does the liquor store or bar care where you got your government ID? The notary? The bank? They do not, because they trust the government to issue these credentials. They simply require the state of federal government credential. Based on the amount of crypto fraud that has occurred (~$72B and counting [2]), government identity web of trust is much more robust than "not your keys, not your crypto" and similar digital only primitives.
NIST 800-63 should answer any questions you might have I have not already answered: https://pages.nist.gov/800-63-3/ (NIST Digital Identity Guidelines)
[1] https://stripe.com/identity
[2] https://www.web3isgoinggreat.com/charts/top
(customer identity is a component of my work in financial services)
Using vitalchek, you can order a BC with a notarized document, using two people who have valid IDs as people to vouch for your identity. I've done it for multiple clients.
Interesting to see a modern variant of compurgation still in active use.
So if I'm understanding this correctly, if me and one of my friends both have a valid ID, we can get anybody's birth certificate?
There also has to be someone that needs the BC to see the notary. But, for the most part, yes, it's that easy to obtain a BC using vitalchek.
Note: The notary will record the ID #s and other info of the two ID holders. So if something goes wrong, the two ID holders will be on the hook as well.
Once the notarized document is submitted to vitalchek, they'll process the request.
Of course, one would still have to know a few details from the BC (parents, location, etc) to get vitalchek to submit the request to the county/city registrar.
"Pay someone else to do it" is easy in the sense that doing the hard thing is now somebody else's problem, not in the sense that doing it is not hard. That also seems like a compliance service -- you are required to KYC, service provides box-checking for the regulatory requirement -- not something that can actually determine if someone is using a fraudulent ID, e.g. because they breached some DMV or some other company's servers and now have access to their customers' IDs.
But it's actually the user's problem if it means the government's system has poor security and allows someone else to gain access to their account.
The vast majority of these are from custodial services, i.e. the things that don't keep the important keys in the hands of the users. Notably this number (which is global) is less than the losses from identity theft in the US alone.
The general problem also stems from "crypto transactions are irreversible" rather than "crypto transactions are secured by secrets". Systems with irreversible transactions are suitable for storing and transferring moderate amounts of value, as for example the amount of ordinary cash a person might keep in their wallet. People storing a hundred million dollars in a crypto wallet and not physically securing the keys like they're a hundred million dollars in gold bars are the fools from the saying about fools and their money.
Well previously when stock trades involved exchanging physical certificates, I could imagine that ownership could evaporate if you lost that piece of paper. Or just think about cash: you do lose that ownership when you lose that magical piece of paper. It's a simpler world when what you have physically determines what you own.
People want a just world (imho, n=1, based on all available evidence, etc), recourse, and protections, not a simple world. Interestingly, cash will likely be the last to go in the near future from a “possession of value” as the world goes cashless (although whether this is "good" or "bad" can be argued in another thread).
https://en.wikipedia.org/wiki/Cashless_society
Physical certificates are not a thing of the past and can be restored upon loss or destruction: https://www.investor.gov/introduction-investing/investing-ba...
If the deed to land or the title to a car gets destroyed, what happens? It doesn't suddenly forever become unownable.
How would this work? If this was possible, that would mean an Apple employee is verifying the ID. This has failure modes. See SIM swapping attacks.
Aren't SIM swapping attacks only such a problem because you can get a new SIM without showing up in person with ID?
No, they're also a problem because you can run into a storefront and snatch the employee's authenticated tablet, regardless of what company policy is.
There's a wide set of possible approaches between "let any employee validate any ID" and "never let someone into an account that they have lost the credential to."
E.g. you could make it costly to attempt, require a notarized proof of identity -and- showing up at the Apple store, and enforce a n-day waiting period. A different employee does the unlock (from a customer service queue) than accepts the paperwork.
We don't lock people out of financial accounts forever when they forget a credential. It could definitely be solved for other types of accounts.
Have you seen how easy it is to get fake government ID? It’s damn near a rite of passage for teenagers so they can buy alcohol. $20-$50 if you know the right person or can wander the dark web right.
I’m not sure you want that to be the absolute best digital security you can get.
Yes it is vulnerable to an attacker who is willing to present himself in person with a fake ID to target a specific account. However it's not scalable or remotely exploitable.
Since it requires a human looking at an ID and then pressing a button, the system triggered by the button press is likely quite exploitable no? Or even worse, scanning and storing an ID, which allows spoofing if those get compromised.
Recovery key isn’t susceptible to that - and isn’t susceptible to fake-id-spotting-ability or bribeability of staff either.
Okay, then also require a photo when opting in to this, and make sure the person who shows up looks like said photo too.
Only because you don't have proper IDs over there in the US?
I'd say a lot of identity problems are there because companies have to identify people without an official ID somehow...
I think their option for last resort is the trusted contact.
This is the default behavior if you don't turn this stuff on. They store your account recovery key in an escrow device.
The main problem is that walking into an apple store with a government-issued warrant works just as well as walking in with a government-issued ID.
You can setup a recovery contact incase you do loose the key. I just set that up with my partner and the chance of loosing the key and both of us losing all of our apple devices I think is fairly slim.
I also stuck that key in 1Password (sure it's less safe, but if my 1Password was breached I have far bigger problems than this key being retrieved).
Then keep a hard copy in a safe. Been contemplating sending my parents a safe (who live several states away) with keys on a sheet of paper without context that only I have the combination too. But not sure yet.
A friend of mine who was (maybe is? he knows I'm not a fan so we don't talk about it much) big into crypto stores his secrets in similar safes with trusted friends and family around the country. I think it's a good idea for things like this tbh.
I think it is a good idea in theory also, there I just that voice that says "well now that key is out of my possession" and it scares me a bit.
I think I might need to look up to see if there is a known pattern to these keys that it could be easily figured out what it is even if it is just on a sheet with no context. Particularly 1Password which I think is a pattern if I remember correctly.
What does that mean?
Probably that the key has features that allows 1Password (and potentially anyone) to recognize that its a 1Password key. E.g. Fixed size, patterns of spaces or dashes, specific digits, embedded error correction, etc.
Yeah that is what I mean.
Similar to how a lot of package companies have a certain pattern, length, whatever for their tracking numbers. If there was a somewhat reliable way to say "This is a 1Password key" or "This is an iCloud key" it makes it means even without context it could be an issue.
You could split the key a few ways if you don't want to trust that one of your stores won't be compromised https://en.m.wikipedia.org/wiki/Shamir%27s_secret_sharing
Or, just apply some simple, easy to remember permutation to the key that no one would be likely to guess - eg rot13 the key, or add 1 to every character, move the first 14 characters of the key to the end of the key, etc.
How many people own a safe? I personally don’t know anybody that does. I do know that safes sometimes get stolen.
You personally don’t know anyone who obviously discloses that they have a safe. If you have a safe you are keeping something valuable secure. The fewer people know that you have something valuable that needs to be secured the better. If people don’t even know your safe exists then that reduces the chances of it being compromised.
I know for a fact that many of my friends don’t own a safe, and I don’t think I’m an outlier here.
I don’t doubt that many people do, but it’s still not a solution for the majority of Apple users.
Hard copy? edge the string in a hard surface. My favorite is a rock in my garden. The characters are facing the ground to shield from erosion. The visible surface of the rocks (all of them) is painted white for aesthetic.
Survives a fire, earthquake. No tornadoes or tsunamis here. Nobody has stolen any such rocks from here.
sounds like a feature
"want to totally restart your entire digital life? just rip up your key :) never worry about something from your past coming back to you ever again!
Only if you do everything at Apple.
You make posts on twitter, it's not protected the same way.
I want to be upset that you've made a comment so obvious, yet sadly, there will be people in the wild that don't understand the silos platforms build. However, I doubt any of them are here reading this, but you never know.
Go read any thread about passkeys. :-)
That seems like the worst option. Everything up to the free tier would stay there forever with no way for you to ever request it to be deleted.
Turn on Advanced Data Protection before you rip up the key. Then it's all as good as deleted.
I considered it before but I think it's just too much risk as I rely heavily on iCloud. On the other hand, I don't see the risk with the current method if you're smart enough not to fall for things like MFA bombing tactics.
The security researcher in the article was concerned about accidently confirming the prompt on his watch.
I don't think its a matter of being "smart enough". Human error can easily creep in when dismissing 10's or 100's of prompts.
The prompt UX should step into a special "bombed" mode when a frequency threshold is crossed, at which point accepting a prompt has fat-finger protection such as double confirmation steps, and declining all (or perhaps all that share a commonality, like same initiating IP address) becomes possible.
Or you know, not allow this kind of brute forcing at all?
You can regenerate a new key from any logged in device, so you have to lose the key AND every device.
Except if Apple decides, based on undocumented heuristics, that you do in fact need the key, as far as I’ve heard.
Put in safe deposit boxes at 2 different banks or something, I guess.
That raises the TCO of iCloud considerably.
Incorrect: only Apple cannot.
You can voluntarily declare:
- recovery accounts: these trusted accounts can help you authenticate anytime.
https://support.apple.com/en-us/HT212513
- legacy contacts: these trusted contacts can access your account in the event of your death.
https://support.apple.com/en-us/102631
As for the "lose recovery key" situation is no different than hardware token 2FA + recovery codes. Print multiple copies and spread them to trusted third parties.
“ If you use Advanced Data Protection and set up both a recovery key and a recovery contact, you can use either your recovery key or recovery contact to regain access to your account.”
Also, buy some (at least three) YubiKeys and use them for your Apple ID verification instead of the dumb push MFA.
https://support.apple.com/en-gb/HT213154
But is it the case that the Yubikey is essentially treated the same as a trusted device? What if I want to untrust my devices and only trust ubikeys (without removing the device from my icloud account?)
I don’t seem to have the push option now
Yes but my understanding is that you can remove the Yubikey without possessing it, just with a “trusted device”. I want to mark all of my devices untrusted (wrt icloud account changes) and rely only on Yubikeys
From your apple doc:
“ When you use Security Keys for Apple ID, you’ll need a trusted device or a security key to:
Sign in with your Apple ID on a new device or on the web
Reset your Apple ID password or unlock your Apple ID
Add additional security keys or remove a security key”
Yubikeys do nothing except enlarge your attack surface.
Wow! You'd think they'd rate limit these! Once you've done it twice, go to once every 15 minutes, then hour, then 4 hours, than day, etc. Like bad logins.
That would allow me to log you out of your accounts
No, it would affect login status. Just a delay between reset attempts.
No reset actually occurs until one prompt is accepted.
Krebs notes that the recovery form does have some form of CAPTCHA on them, which mostly just goes to show that CAPTCHA systems are a poor and increasingly deficient rate limiter.
ETA: Also from a user experience even once a week between attempts is still enough to deeply annoy a user getting popups on their devices. This is one of those cases where rate limits probably still can't solve the user irritation.
It's not a recent approach, but this is a recent campaign using it against many people. Someone likely got a list of hacked passwords from some recent dump and is going through the apple accounts from it.
I ventured as much. Given the amount of messages and the personal details gathered, I also guess attacker tools have significantly been improved or streamlined.
How would that explain Chris’ experience at the Genius Bar?
Interesting that using the recovery key stopped the issue for you, but does not seem to do its job now. From the article "Ken said he enabled a recovery key for his account as instructed, but that it hasn’t stopped the unbidden system alerts from appearing on all of his devices every few days.
KrebsOnSecurity tested Ken’s experience, and can confirm that enabling a recovery key does nothing to stop a password reset prompt from being sent to associated Apple devices. "
A password reset prompt is sent to the devices, but unfortunately the article leaves out that the prompt only enables you to reset the password on the device that receives the prompt. So it is not a security issue, just an annoyance.