Significant security alert for iPhone, iPad, Mac users
Update: this is now likely no longer happening to Apple customers, since it was originally caused by a hacker who figured out how to get past security features on Apple's “Forgot Password” page. However, this kind of attack continues to be a threat, so it now stands as a good example.
Beware of any out-of-the-blue “Reset Password” requests, especially lots of them. This is definitely an attack. “Do not allow” any such requests, taking tedious care not to let your finger slip and “allow” even one of them! That's the main thing to know.
More details…
You should never get even one unexpected request like this, but the attack usually involves many of them, dozens or even hundreds. They lock up your device until you answer them. The idea is to give you so many to deal with that you get clumsy and accidentally hit “allow” instead of “do not allow.” That may sound a bit ridiculous, but imagine having to stab the right button, and not the one right beside it, 200 times in a row! It's surprisingly easy to miss after a while, and that's the whole idea here: to make you do it so many times you screw it up.
This is known as an “MFA bombing” or “MFA fatigue” attack, where MFA is of course “multi-factor authentication.”
The defense, for now, is just to very, very carefully tap “do not allow” way more times than you want to … or, apparently, you might be able to get rid of them by powering down your device (on all newer iPhones, holding the power button with either volume button until the power-off slider appears). Definitely try that first.
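The pattern described above, a burst of prompts to one account followed by a single “allow”, is exactly what shows up in an identity provider's logs, and it is what defenders alert on. As an added example that is not from the original post or from Apple, here is a small Python detector run over constructed log lines; the log format, the field names and the thresholds are all assumptions.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log (not from any real system). Each line:
# "<ISO timestamp> user=<id> event=mfa_prompt result=<allow|deny|timeout>"
SAMPLE_LOG = """
2024-03-27T09:58:00Z user=bob event=mfa_prompt result=allow
2024-03-27T10:00:01Z user=alice event=mfa_prompt result=deny
2024-03-27T10:00:09Z user=alice event=mfa_prompt result=deny
2024-03-27T10:00:15Z user=alice event=mfa_prompt result=deny
2024-03-27T10:00:22Z user=alice event=mfa_prompt result=deny
2024-03-27T10:00:30Z user=alice event=mfa_prompt result=deny
2024-03-27T10:00:41Z user=alice event=mfa_prompt result=deny
2024-03-27T10:00:52Z user=alice event=mfa_prompt result=allow
2024-03-27T12:30:00Z user=bob event=mfa_prompt result=allow
""".strip().splitlines()


def parse_line(line):
    """Split one log line into (timestamp, user, event, result)."""
    ts_str, rest = line.split(" ", 1)
    fields = dict(kv.split("=", 1) for kv in rest.split())
    ts = datetime.strptime(ts_str, "%Y-%m-%dT%H:%M:%SZ")
    return ts, fields["user"], fields["event"], fields["result"]


def detect_mfa_fatigue(lines, threshold=5, window_minutes=10):
    """Return (user, timestamp, reason) alerts.

    'mfa_bombing' fires when a user receives `threshold` prompts inside the
    sliding window; 'allow_after_burst' fires when a prompt is approved while
    the burst is still in progress (the accidental tap the attack hopes for).
    Thresholds are assumed values; tune them to the real prompt rate.
    """
    window = timedelta(minutes=window_minutes)
    recent = defaultdict(deque)  # per-user timestamps inside the window
    alerts = []
    for line in lines:
        ts, user, event, result = parse_line(line)
        if event != "mfa_prompt":
            continue
        q = recent[user]
        q.append(ts)
        while q and ts - q[0] > window:  # drop prompts older than the window
            q.popleft()
        if len(q) == threshold:  # alert once, when the burst first qualifies
            alerts.append((user, ts, "mfa_bombing"))
        if result == "allow" and len(q) > threshold:
            alerts.append((user, ts, "allow_after_burst"))
    return alerts
```

Two normal prompts hours apart for bob produce nothing; alice's seven prompts in under a minute produce a bombing alert on the fifth and an allow-after-burst alert on the final approval, which is the event worth an immediate password reset and session revocation.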
If “Apple” calls you up about this, it is not Apple! Not even if the call display says “Apple”! Not even if they seem to know significant details about you! And they will absolutely have some details that they harvested from somewhere; that's how this game is played.
Read more nerdy details from Ars Technica.