A reader had ended up in a vicious circle and shared his story with me, with the opening sentence: “Maybe I have a nice input for your blog.” Well, he was right. His experiences are instructive and can prevent other readers from ending up in the same situation.
Colleague Mark de Wals's iPhone was broken. That in itself was annoying enough, but for Mark it was only the beginning of a vortex that he struggled to get out of. Oddly enough, that vortex was partly caused by two excellent security measures that Mark had taken: he used a password manager and he applied two-factor authentication (2FA, also known as MFA, with M for multi). How can these measures, which I wholeheartedly recommend to everyone, get you into trouble? And, more importantly: how do you stay out of trouble? Wait for it, but above all: learn from it.
Mark wanted his iPhone repaired (it wasn't completely dead, by the way). Before handing over the device, he performed a reset. This ensures that all data, including all accounts, are erased - it is then as if the device came fresh from the factory. It's nice to know for sure that the repairman can't poke around in your data, isn't it? The downside is of course that you have to set up the device again after the repair. Many people don't like that; for many, this is the main reason for postponing the purchase of a new device until the old one can no longer be used. But since the repairman will often need access to the device, you can hardly avoid such a reset.
When the device came back, Mark sat down for it. One of the first things the iPhone asked for was its Apple ID password (“Your Apple ID is the account that gives you access to all Apple services and allows all your devices to work together seamlessly.”) That password was in Mark’s password manager – which was not yet accessible because the device had not yet been set up. But don't worry: thanks to the cloud, the password vault could also be accessed via his laptop.
Mark typed in his password, to which the iPhone responded with: fine, and now you have to approve this login in your 2FA app. Ouch, that app was also on the iPhone – and therefore inaccessible! Voilà, a textbook example of a vicious circle: you need that app to get the device going, but the app runs on the same device.
Eventually Mark requested a reset from Apple. That involved an email and a text message. Fortunately, Mark was still able to receive and read the code from the text message. For security reasons, Apple lets a few days pass when you request a reset from them. Those were two scary days, but then Mark received an email and a text message with verification codes. With those he was able to access his account again.
Mark has a few tips for us. The first one concerns the fact that he does not use a real SIM card in this device, but an e-SIM – which stands for embedded SIM and means that the card is built into the device. Your provider therefore does not send a SIM card, but uses the e-SIM. What if you need to receive a text message with a verification code, but you can't access your phone? With a physical SIM card, you simply put it into another device and read the message there, but that is not possible with an e-SIM. If the latter is secured with a PIN code, you will not see the received code on the lock screen as long as you are not logged in. Mark had turned off that PIN code, since the device itself is protected and you cannot remove the e-SIM from the device anyway.
The next tip is the most important: make sure you keep your most important passwords somewhere you can always access them. Mark's password manager (LastPass) offers the possibility to share passwords with others. Through this option, he can always retrieve the passwords of his email and his Apple ID. And if another family member also has an Apple ID, you can authorize each other to help reset each other's password.
Android also works with email addresses and phone numbers for account recovery. For this you need a different e-mail address than the address that is linked to the account. But be careful not to use an address that only forwards incoming mail to your primary account - after all, you cannot access it in such a situation.
Mark's experiences teach us that it is important to take measures in advance so you can escape from such a situation. Check this weekend whether you have your affairs in order.
And in the big bad world…
This section contains a selection of news articles I came across in the past week. Because the original version of this blog post is aimed at readers in the Netherlands, it contains some links to articles in Dutch. Where no language is indicated, the article is in English.
- password managers are still under construction.
- Facebook's 2FA feature could be bypassed.
- this PoS malware blocks the contactless payment function, in order to then be able to read the details of the payment card.
- the number of cases of payment request fraud on Dutch online market place Marktplaats fell sharply. [DUTCH]
- many webshops manipulate their customers. [DUTCH]
- the makers of ChatGPT now have a tool to recognize AI texts. [DUTCH]
- cybercriminal is an ordinary job these days.