That article doesn’t say anything at all about Apple’s security.
Inevitable torrent of "It was your fault for X, Y or Z reason".
Nobody is perfect.
Every system has known or unknown vulnerabilities.
We need to be building systems that are forgiving of errors, and store important data redundantly.
I've been wondering a lot about how to truly secure an identity. Is there a way to have a meaningful and secure digital life if all your devices could be compromised and your memory is not perfect? I wouldn't want to trust my entire economic life to any single point of failure.
I've noticed that he has an app called "Whoscall" installed providing Caller ID in the Phone app. I wonder if this has access to Messages on the phone and is able to read/upload SMS?
A quick search online suggests that this is a Chinese app.
> Do not save passwords in your Chrome. Or, if you do, make sure your Google account has multiple levels of 2FA. SMS is not one of them.
I stopped using Chrome but now realize I never thought to check into what it has saved for me. I’ll have to check into that and erase it all if I can.
Setting up a new device is a very vulnerable time. You’re downloading and installing new software and signing into all your accounts. It’s very easy to do the wrong thing, like click through the wrong dialog while you’re blasting through it all.
Hi HN, the author of the article here.
Can someone explain how Telegram 2FA, Yahoo 2FA and Apple 2FA were bypassed?
Especially Apple 2FA - I received a 2FA call from Apple, picked it up, and the attacker logged in right after.
Please note, this was not a (typical) SIM swap. I was still receiving SMS and calls during the attack.
p.s. thanks for all the comments!
Why would you store crypto wallets in iCloud unencrypted? OS X makes it easy to create AES-256 encrypted sparsebundle disk images.
How was 2FA bypassed here?
Well, not your key, not your money. Isn't that what cryptocurrency advocates always tell us? Being your own bank carries high risks and in this case the risk got to the author.
HAHA
The fact Apple uses SMS for 2FA tells you everything you need to know: it's pure security theater.
So, what does this say about Apple security? There's a lot of speculation and insinuation that all the security lapses started with the purchase of a refurbished MacBook, but there's zero evidence other than some coincidental timing. The author clearly wasn't using many security precautions prior to being compromised. They had many interconnected accounts; reused passwords; limited use of 2FA; phone/SMS-based 2FA in the few places they had it; no separate password for Chrome browser sync's DB; no secure password management app; and kept the keys to their crypto accounts in the cloud. The list of compounded failures is long. There's no reason to think this has anything to do with Apple at all.
They haven't learned any lesson, either. Their advice after this? Turn your laptop off when you're not using it (useless) and use Google Voice for 2FA. This is worse than useless; this is actively bad advice and you should not follow it.
The average user should install 1Password and use a TOTP application. Anyone can learn to do that, and it's really all you need. More advanced users, those with particularly extreme security needs, and pedantic nerds can use YubiKeys, hardware wallets, self-hosted password vaults, PGP-encrypted backup codes, and other measures that are worth considering, but aren't as approachable for everyone.