How to Stop Hackers From Ransoming Your Mac or iPhone [updated]
According to MacRumors, hackers are using Apple’s Find My service to hold devices for ransom remotely. Over the past week, several people have tweeted about the stolen accounts. Two-factor authentication does not prevent the hack.
The Find My service is designed to help you recover your phone or computer if it is lost or stolen. It also allows you to remotely lock your device. This is meant to deter theft, since it renders the stolen phone useless. It also allows you to send a personalized message to your lost device, such as “$50 reward if found” or “Please return to 55 Pine St.”
But since it’s remotely activated, Find My Device is also a great way for someone else to lock your device from anywhere while you still have it. All they need is your username and password. (Two-factor authentication doesn’t prevent this; Apple doesn’t require two-factor verification for Find My Device, because you don’t have your device at hand.)
But how did the hackers get these people’s passwords? As MacRumors reports, it is likely that the hacked users used the same password for their Mac and for other sites. So when some third-party site was hacked and the passwords were revealed, the hackers skimmed the list, trying to use the same information to log into iCloud accounts. And they found poor suckers who reuse passwords.
This is what a ransom note looks like on a hacked Mac, according to one Twitter user. The hacker asks for Bitcoin, the preferred currency for ransom, as it is difficult to track:
I tested this technique on my own device that had Find My iPhone enabled earlier. I went to iCloud.com and signed in with my username and password. When the site asked for my two-factor authentication, I clicked Find My iPhone and turned on Lost Mode. I entered a message and sent it to my currently locked phone:
Very simple!
So how do you prevent this from happening to you? As MacRumors suggests, if you’ve ever reused your iCloud password for any other service, change your password immediately.
But Find My is also inherently insecure due to Apple’s weakness: customer service representatives. Journalist Mat Honan was hacked in 2012; the hacker called Apple Support posing as Honan, used his billing address and the last four digits of his credit card number to “verify” his identity, and changed the password.
So (unless Apple has addressed this issue and its support staff are closely following the policy change), if you have Find My Device enabled, an outsider can remotely lock your device with just a few pieces of information: your name and account name (often publicly available), the last four digits of your credit card number (often printed on receipts), and your billing address (available in a public directory such as Whitepages or StreetEasy). Thus, anyone with a store or restaurant receipt can lock your physical devices without any special knowledge or software.
For this reason, we (like Slate after the Honan hack) recommend that all Apple users turn off Find My Device unless absolutely necessary. And if you’ve ever used your iCloud password for another service, change it now.
To turn off Find My iPhone, go to the Settings app on your phone, tap the line at the top with your name and profile picture, and scroll down to the list of devices. Tap the device you are on. Tap Find iPhone and flip the switch to Off. (You will be prompted for your iCloud password.)
To turn off Find My Mac on your computer, go to System Preferences, click iCloud, and uncheck Find My Mac. (You will be prompted for a password.)
You can only turn off Find My for the device you are currently using, so turn it off on each device.
Instead of Find My Device, use a passcode or password on all of your devices. For added security, you can encrypt your hard drive with FileVault, but be sure to back up your data elsewhere.
Create a secure, unique iCloud password and save it in a third-party password management app such as 1Password. We do not recommend using iCloud Keychain, because it is so easy for Apple Support to give away your iCloud password. We also do not recommend saving your password in your browser.
Remember, in light of this hack, not to reuse passwords. Your password is only as strong as the weakest site you use it on. Don’t let a hack of BullshitSocialMediaSite.biz give people access to your bank account.
If you get hacked, don’t pay the ransom, as there is no guarantee that the hacker will give you back your device. Call Apple Support immediately.
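To see which of your accounts share a password with iCloud, you can audit a CSV export from your password manager. The script below is an added example, not part of the original article; the column names (title, url, username, password) and the sample rows are assumptions and constructed data, so adjust them to your manager's export format.

```python
import csv
import hashlib
import io
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed sample export. The column names are an assumption; adjust
# them to match your password manager's CSV export.
SAMPLE_EXPORT = """title,url,username,password
iCloud,https://www.icloud.com,me@example.com,Tr0ub4dor&3
Forum,https://forum.example.net,me@example.com,Tr0ub4dor&3
Bank,https://bank.example.org,me@example.com,correct-horse-battery
Old blog,https://blog.example.com,me,Tr0ub4dor&3
"""
APPLE_HOSTS = ("icloud.com", "appleid.apple.com")


def is_apple_entry(url):
    """True if the saved URL points at an Apple ID / iCloud login host."""
    host = urlsplit(url).hostname or ""
    return any(host == h or host.endswith("." + h) for h in APPLE_HOSTS)


def audit_reuse(csv_text):
    """Return (groups of titles sharing a password, titles sharing the iCloud one)."""
    by_password = defaultdict(list)
    for row in csv.DictReader(io.StringIO(csv_text)):
        if row.get("password"):  # skip entries with no stored password
            # Key on a digest so plaintext never becomes a dict key or gets printed.
            digest = hashlib.sha256(row["password"].encode("utf-8")).hexdigest()
            by_password[digest].append(row)
    reuse_groups, apple_exposed = [], []
    for rows in by_password.values():
        if len(rows) < 2:
            continue  # unique password, nothing to report
        reuse_groups.append(sorted(r["title"] for r in rows))
        if any(is_apple_entry(r["url"]) for r in rows):
            apple_exposed += sorted(
                r["title"] for r in rows if not is_apple_entry(r["url"]))
    return reuse_groups, apple_exposed


if __name__ == "__main__":
    groups, exposed = audit_reuse(SAMPLE_EXPORT)
    for g in groups:
        print("Same password used by:", ", ".join(g))
    if exposed:
        print("A breach at any of these would expose the iCloud login:", ", ".join(exposed))
```

Delete the plaintext export file as soon as the audit is done, and change the iCloud password first if it appears in any reuse group.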
Update 09/21/2017 12:00 PM ET: We have continued testing Find My Device. We found that Find My iPhone cannot lock an iPhone that already had password protection. But it could activate a new password on a phone that did not have one before.
We have successfully used Find My Mac to remotely lock a password-protected Mac with a new password.
Update 09/21/2017 5:00 PM ET: We’ve updated the title to not suggest a one-step quick fix. As always, we recommend a few steps to keep your devices secure, such as an iPhone passcode and a strong and unique iCloud password.
We stand by our advice to turn off Find My Mac. In the absence of compelling evidence that Apple has reformed customer service security, Find My Device continues to represent a potential loophole for remote attacks on any Mac or iPhone without a password. However, many readers will prefer the risk of remote attacks to the risk of never getting a stolen device back.