Why Apple’s improved 2FA protection matters to business

Apple has introduced a new layer of protection to its existing two-factor authentication (2FA) system, making it a little harder for phishing attacks to successfully steal valuable authentication credentials.

Given that Apple, PayPal, and Amazon were the top three brands used for successful phishing attacks last year, according to a recent Jamf report, this matters.

Phishing costs billions and is bad for business

Phishing is a huge problem. The scale of these attacks shot up during the pandemic. The FBI Internet Crime Report 2020 revealed that phishing attacks affected 241,342 victims in 2020, up from 114,702 in 2019, with adjusted losses of more than $54 billion. Verizon’s 2021 Data Breach Investigations Report confirmed that 36% of data breaches that year involved phishing.

That Jamf report confirmed threat actors to be targeting work-focused cloud services such as Office 365 or Google Workplace to penetrate overall enterprise security. No surprise that Apple users are targets, given that Apple is on course to becoming the most widely deployed enterprise tech hardware.

It’s easy to dismiss phishing attacks based on the utterly unconvincing attacks most people frequently find in their in-box. That’s unwise. While some attempts may be stupid, the ones that succeed most are smart enough to exploit existing security protections.

Some are highly targeted, socially engineered attacks aimed at individuals or people from a certain firm. Using a combination of target research and convincing fake communications, criminals seek to undermine the security of their targets.

What Apple has done to protect users better

To help secure its users, Apple has provided a two-factor authentication (2FA) system in which a user attempting to access a service on an unfamiliar device is required to enter their ID information and make use of another known device to provide an additional authorization code.

The company relatively recently improved its 2FA system with a feature which would automatically recognize a 2FA code and enter it into the relevant approval field (autofill). This made 2FA much more user friendly and means many now use this protection regularly. (It also now offers a built-in 2FA code creation tool.)

[Also read: One year on, developers still love Apple Silicon Macs]

The problem is that some phishing exploits have sought to exploit autofill to steal logins and 2FA codes. Apple’s latest response is a system under which the 2FA code will also include the URL of the website it is intended to be used for. If the site you are on is different from the site the 2FA code recognizes, autofill will not work.

This typically happens if you click a link in an email to take you to a site that purports to be a trusted site and try to login to your account. What happens is that, armed with your account details and the 2FA code, criminals may also be able to jump inside your data. That’s a slight simplification, but it shows the risk.

Here’s what is different about Apple’s new 2FA messages, which should appear with macOS Monterey, iOS 15, and iPadOS 15.

• Old message: “Your Apple ID code is 123456. Don’t share it with anyone”.
• New Message: “Your Apple ID Code is: 123456. Don’t share it with anyone. @apple.com #123456 %apple.com”.

You can be certain some very smart people will already be figuring out how to undermine this protection, but it helps. Fooling some of the people some of the time is the lifeblood for attacks of this kind.

What to do if your business is attacked

Another recent Jamf security report told us that 29% of organizations had at least one user fall for a phishing attack in 2021. It also said one in 10 users fall victim to phishing attacks on remote devices.

So, what should your company do if its security is breached? Michael Covington, vice president for portfolio strategy at Jamf, shared a response plan:

“If you fall victim to an attack such as phishing, the first thing you should do is assess the damage. Take note of the PII that was handed over as part of the attack. The second step is to fix what is within your control – this might mean changing passwords, cancelling impacted bank cards, and calling the credit bureau. The final step is to share your experience. Don’t be ashamed.”

Covington advises businesses to adopt a no-blame culture in their response to attacks:

“If you are in the IT or security team and an employee reports an incident to you, do not ridicule or shame those who fall victim, this will only discourage others from bringing forward important information that can help mitigate further damage.”

It isn’t always obvious when you or your systems have been attacked. “Attackers are good at covering their tracks,” he said. “Some examples of things to look out for are: Device crashes, mystery apps, links or attachments in emails or messages, missing text, or apps that don’t work right. These are often the first clues that something is going awry.”

Education is always critical, of course: Don’t click links in emails to access secure sites — enter addresses in the browser manually. And, most importantly, if your Apple device doesn’t let you use autofill to enter your 2FA code, don’t override it, as you may be under attack.

Please follow me on Twitter, or join me in the AppleHolic’s bar & grill and Apple Discussions groups on MeWe.