Internet friend's mother-in-law was stolen and swiped 15000 times, and iPhone is no longer safe?

Information security has always been Apple's "gold lettered signboard". As a world-famous technology company, Apple protects users' personal information through relatively perfect encryption technology and privacy policy, and emphasizes that users' personal information is above everything.

However, just this week, some netizens Call yourself mother-in-law iPhone After enabling Apple ID dual authentication, he is still cheated by "phishing" Fifteen thousand yuan , one time It has caused users and the public to iPhone Security concerns.

So about the netizen's mother-in-law being cheated What happened to the fifteen thousand yuan event? Let's take a look at the parties, that is, V2EX community users What does airycanon say:

Let's give you a brief overview of the process:

Family members download An app named "Recipe Collection" was created, and the user chose to use Apple ID to authorize login.

Here's a key point. The family members of the person concerned did not choose to hide their Apple ID when logging in, which also led to the fraudster directly obtaining the user's complete Apple ID information. So when we use Apple ID to log in to third-party websites, we try to hide our email address.

Later, in the App A password input box pops up, and the liar gets all the accounts and passwords. And according to the emphasis of the parties In the whole process, there is no pop-up window of dual authentication 。

Note that the password popped up in the app The code input box is obviously A password input interface designed in imitation of the system interface is difficult for ordinary consumers to distinguish, even if practitioners like me do not observe carefully.

Why didn't it trigger Apple Dual authentication?

According to the test of the blogger @ BugOS technical group, this is because the fraudster pulls up the hidden WebView to access appleid.apple.com through the application in the trusted device, so there is no need for dual authentication, and the user only needs to perform simple Face ID authentication.

So far, the fraudster has obtained the user's account and password, successfully bypassed the dual authentication of Apple ID, and added his own mobile phone number. If the user's Apple ID is bound with Alipay WeChat In the form of payment, the fraudster's scam will form a successful closed loop and cash out crazily through shopping in the store.

In addition, it is worth noting that in order to prevent users from receiving SMS messages about payment transactions, the fraudsters here reset users' mobile phones remotely in advance. For many users who do not use iCloud daily for data backup, it may be more troublesome than the loss of money.

The above is the whole process of the netizen's mother-in-law being cheated. On the whole, the cheater's trick is not very clever, but only uses one of the Apple systems Logical vulnerability, obtaining the user's account and password, and Software Built in browser Successfully bypass the dual authentication and log in directly. Finally, bind the cheater's own mobile phone number and you're done.

So how can we avoid being cheated? We summarized the following points:

1. Do not download apps of unknown origin;

2. Try to hide your email address when logging in Apple ID on other websites;

3. Regularly change the password of Apple ID;

4. Regularly check the subscription services bound under your Apple ID;

5. Try not to store too much balance in the password free payment account bound by Apple ID.

In addition, The blogger @ BugOS technical team also provided a tip for anti fishing: When the window for entering the Apple ID password appears on the iPhone, press the Home key or the upward stroke gesture to try to exit. As long as you can exit, it is a phishing website!

This article is an original article. If it is reproduced, please indicate the source: Internet friend's mother-in-law was stolen and swiped 15000 times, and iPhone is no longer safe? https://mobile.zol.com.cn/826/8267264.html