But herein lie the problems which, if addressed, could have prevented this attack or at least limited the potential damage. The lack of 2FA for Find My iPhone and the lack of pattern monitoring on Apple’s servers were the two main reasons this attack took place.

1. Pattern monitoring

Legitimate login by me, on my (then new) MacBook

The adversary’s login — I did get an email detailing the login attempt

One of the things I did notice was that the login notification emails generally originate from the country you log in from, especially in this day and age when Apple has a local division in most large countries, if not all of them. I noticed this as I was able to check my older login notification emails that I received when I lived in Australia — in that case all of my notifications were addressed from Apple Pty Ltd, while my logins from Canada were addressed from Apple Canada Inc.

Email notification when I tried to login after the attack, once I had it contained

In this case, the adversary’s login attempt resulted in a login email from Ireland instead, which led me to suspect they clearly were not in North America at least. Of course this could have been spoofed with the help of a VPN, but still the location change could have been detected as it would be an outlier from my regular logins from Canada. The other, clearer differentiation of the pattern was the part where the login was done on a Windows computer instead of a Mac — which in my case would have been quite an outlier, as I normally use a Mac and can probably count the number of times I have logged in using a Windows computer. Ideally, at this point, it would have been reasonable to check if this was a legitimate login — for example, using one of the secondary accounts nominated in the Apple ID. Microsoft actually does this: if you attempt to use your Microsoft account on a new device or a device that isn’t normally used, it locks the account and gets you to confirm the login through your secondary accounts.

Microsoft got this bit right. I got this when I signed in on a new Mac.
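The pattern monitoring described above, as an added example that is not Apple's or Microsoft's code: it keeps a per-account history of successful logins (the country and client platform a notification email would record) and scores a new login by how far it departs from that history, so that an outlier triggers step-up verification through a nominated secondary contact instead of being silently accepted. The history, the two candidate logins and the 20% rarity threshold are constructed assumptions for the demonstration.

```python
"""Login-anomaly check of the kind the post argues the service should run.

Added example, not Apple's or Microsoft's code. The login history and the
attempts below are constructed sample data.
"""
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class Login:
    country: str   # country the login originated from (ISO code)
    os: str        # client platform reported at login
    success: bool  # whether the credentials were accepted


# Constructed history: an account that normally logs in from Canada on macOS,
# with one older login from Australia before the owner moved.
HISTORY = [
    Login("CA", "macOS", True),
    Login("CA", "macOS", True),
    Login("CA", "iOS", True),
    Login("CA", "macOS", True),
    Login("AU", "macOS", True),
    Login("CA", "iOS", True),
]


def share(history, attr, value):
    """Fraction of successful past logins whose `attr` equals `value`."""
    past = [getattr(entry, attr) for entry in history if entry.success]
    if not past:
        return 0.0
    return Counter(past)[value] / len(past)


def assess(history, attempt, threshold=0.2):
    """Return (risk_score, reasons).

    An attribute never seen in the account's successful history adds 1.0,
    one seen in fewer than `threshold` of logins adds 0.5. A score of 0
    means the login matches the owner's usual pattern.
    """
    reasons = []
    score = 0.0
    for attr, label in (("country", "country"), ("os", "platform")):
        value = getattr(attempt, attr)
        seen = share(history, attr, value)
        if seen == 0.0:
            score += 1.0
            reasons.append(f"{label} {value!r} never seen before")
        elif seen < threshold:
            score += 0.5
            reasons.append(f"{label} {value!r} seen in only {seen:.0%} of logins")
    return score, reasons


def decide(history, attempt):
    """Policy: a clear outlier must pass step-up verification via the
    nominated secondary contact; a mild deviation only notifies the owner;
    a familiar login proceeds."""
    score, reasons = assess(history, attempt)
    if score >= 1.0:
        return "require_step_up", reasons
    if score > 0:
        return "notify_owner", reasons
    return "allow", reasons


if __name__ == "__main__":
    owner = Login("CA", "macOS", True)
    # Constructed: the profile of the attacker's login in the post
    # (Windows client, notification routed via Ireland).
    outlier = Login("IE", "Windows", True)
    for attempt in (owner, outlier):
        action, why = decide(HISTORY, attempt)
        print(attempt.country, attempt.os, "->", action, why)
```

The point of the policy tier is that a single unfamiliar attribute (say, a trip abroad on the usual laptop) should not lock the owner out, while two unfamiliar attributes together, as in the login the post describes, are enough to hold the session until the owner confirms it.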

2. Lack of 2FA for Find My iPhone

When you sign up for 2FA, Apple disables the secret questions/answers to reset the password — you need the recovery key instead to regain access if you forget the password.

I can see why Apple decided against using the same 2FA authentication for Find My iPhone — ideally you’d only use Find My iPhone when you lose your device, hence you’d not be able to access your text-message and on-device authentication. But for there to be no 2FA at all for Find My iPhone doesn’t quite add up.

But really, I can see how this could be fixed. Instead of having a one-time code for Find My iPhone, it might be better to have a second layer of authentication in the form of a secret question/answer when accessing Find My iPhone if 2FA is on, to which the legitimate user would know the answer, just like in the case of a forgotten password. By nominating a number of question/answer pairs, it can be randomised too.

If such a thing existed, the adversary in this case would not have been able to do anything more than look up the location, and ideally he/she wouldn’t be able to play the alert sound or even conduct the remote erase.
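The second layer proposed in the two paragraphs above, as an added example that is not Apple's code: the owner enrols several question/answer pairs, answers are kept only as salted PBKDF2 hashes, each sensitive request draws a random question, and the gate lets a location lookup through while refusing the alert sound and remote erase until the challenge is answered correctly. The action names, the questions and the answers are constructed for the demonstration.

```python
"""Secret-question step-up for high-impact Find My actions.

Added example, not Apple's code. The question/answer pairs and action names
below are constructed.
"""
import hashlib
import hmac
import os
import secrets

# Constructed: actions that should require the extra challenge; a plain
# location lookup is deliberately left out, as the post proposes.
SENSITIVE_ACTIONS = {"play_sound", "remote_erase"}


def _normalise(answer: str) -> str:
    # Case- and whitespace-insensitive comparison so the legitimate owner is
    # not locked out by trivial typing differences.
    return " ".join(answer.strip().lower().split())


def _hash(answer: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", _normalise(answer).encode(), salt, 100_000)


def enrol(pairs):
    """Store nominated question/answer pairs; only salted hashes of answers."""
    store = []
    for question, answer in pairs:
        salt = os.urandom(16)
        store.append({"q": question, "salt": salt, "h": _hash(answer, salt)})
    return store


def pick_challenge(store, rng=secrets.SystemRandom()):
    """Randomly choose one nominated question; returns (index, question)."""
    index = rng.randrange(len(store))
    return index, store[index]["q"]


def verify(store, index, supplied):
    """Constant-time comparison of the supplied answer against the stored hash."""
    entry = store[index]
    return hmac.compare_digest(_hash(supplied, entry["salt"]), entry["h"])


def authorise(action, store, index=None, supplied=None):
    """Gate a Find My request: lookups pass, sensitive actions need a
    correct answer to the challenge issued for this request."""
    if action not in SENSITIVE_ACTIONS:
        return True
    if index is None or supplied is None:
        return False
    return verify(store, index, supplied)


if __name__ == "__main__":
    store = enrol([("First pet's name", "Rex"),
                   ("Street you grew up on", "Elm Street")])
    index, question = pick_challenge(store)
    print("locate allowed:", authorise("locate", store))
    print("erase without answer:", authorise("remote_erase", store))
    print("challenge:", question)
```

Storing only salted hashes means a compromise of the server-side store does not hand the attacker the answers, and drawing the question per request keeps an adversary who has observed one answer from replaying it against a differently phrased challenge.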