
Fake Email From Apple

Started by: csampson@inetworld.net (Charles H. Sampson)
First post: 2017-03-11 18:23 -0800
Last post: 2017-03-12 17:27 -0400
Articles 11 on this page of 51 — 14 participants





#102255 — Re: Fake Email !From Apple

From: Nelson <nelson@nowhere.com>
Date: 2017-03-13 05:04 -0400
Subject: Re: Fake Email !From Apple
Message-ID: <0001HW.D4EBD8C300837ECFB02919BF@news.astraweb.com>
In reply to: #102248

On Sun, 12 Mar 2017 23:54:36 -0400, Patty Winter wrote
(in article <oa555s$h10$1@dont-email.me>):

> I know. That's why I specified that it was the same computer and same web 
> browser I've been using for a couple of years.

Didn't you just upgrade that MacBook to Sierra?  According to 
https://support.apple.com/en-us/HT204915 and 
https://support.apple.com/en-us/HT204152, TFA only works with El 
Capitan and later.  So at some point it seems that you would have to 
switch from TFV to TFA.

-- 
Nelson



#102271 — Re: Fake Email !From Apple

From: Patty Winter <patty1@wintertime.com>
Date: 2017-03-13 17:27 +0000
Subject: Re: Fake Email !From Apple
Message-ID: <oa6kqd$6sg$1@dont-email.me>
In reply to: #102255

In article <0001HW.D4EBD8C300837ECFB02919BF@news.astraweb.com>,
Nelson  <nelson@nowhere.com> wrote:
>On Sun, 12 Mar 2017 23:54:36 -0400, Patty Winter wrote
>(in article <oa555s$h10$1@dont-email.me>):
>
>> I know. That's why I specified that it was the same computer and same web 
>> browser I've been using for a couple of years.
>
>Didn't you just upgrade that MacBook to Sierra? 

I did it whenever Sierra was released, which was sometime last year.


Patty



#102261 — Re: Fake Email !From Apple

From: Lewis <g.kreme@gmail.com.dontsendmecopies>
Date: 2017-03-13 14:13 +0000
Subject: Re: Fake Email !From Apple
Message-ID: <slrnocdaed.1dj1.g.kreme@snow.local>
In reply to: #102248

In message <oa555s$h10$1@dont-email.me> Patty Winter <patty1@wintertime.com> wrote:

> In article <1n2ttiy.y93d1m1klh7e9N%dempson@actrix.gen.nz>,
> David Empson <dempson@actrix.gen.nz> wrote:
>>Patty Winter <patty1@wintertime.com> wrote:
>>
>>> A few minutes ago, I began a login iCloud on my MacBook. Same computer,
>>> same web browser as always, yet for some reason TFA got triggered.
>>
>>Logging in to icloud.com triggers a TFA sequence if you have not yet
>>told icloud.com to trust that particular computer/browser.

> I know. That's why I specified that it was the same computer and same 
> web browser I've been using for a couple of years.

Unless you have blocked Firefox updates, it is *NOT* the same browser.

> But it wasn't a "new browser connection." So you must be right that
> the TFA was triggered by an expired cookie.

Firefox updates all the time.


-- 
May you live in interesting times



#102268 — Re: Fake Email !From Apple

From: JF Mezei <jfmezei.spamnot@vaxination.ca>
Date: 2017-03-13 11:59 -0400
Subject: Re: Fake Email !From Apple
Message-ID: <58c6c1df$0$10685$c3e8da3$5d8fb80f@news.astraweb.com>
In reply to: #102261

On 2017-03-13 10:13, Lewis wrote:

> Unless you have blocked Firefox updates, it is *NOT* the same browser.

A Firefox update would preserve cookies. So when you login to iCloud, it
would present the same cookies pointing to some virtual session approved
in the past. Not sure Apple would see the different version of Firefox
as a trigger to invalidate that session/cookie. But entirely possible.


Note: accessing iCloud via web is OS independent from a 2FA point of
view. El Capitan and later have the ability to approve 2FA requests via
the OS (not browser related). But a browser on Windows, Linux or Mac OS
8.6 could still access icloud.com, generate a 2FA request to valid
devices to approve it.






#102277 — Re: Fake Email !From Apple

From: dempson@actrix.gen.nz (David Empson)
Date: 2017-03-14 09:58 +1300
Subject: Re: Fake Email !From Apple
Message-ID: <1n2u4lt.exalhmlgm706N%dempson@actrix.gen.nz>
In reply to: #102248

Patty Winter <patty1@wintertime.com> wrote:

> In article <1n2ttiy.y93d1m1klh7e9N%dempson@actrix.gen.nz>,
> David Empson <dempson@actrix.gen.nz> wrote:
> >Patty Winter <patty1@wintertime.com> wrote:
> >
> >> A few minutes ago, I began a login iCloud on my MacBook. Same computer,
> >> same web browser as always, yet for some reason TFA got triggered.
> >
> >Logging in to icloud.com triggers a TFA sequence if you have not yet
> >told icloud.com to trust that particular computer/browser.
> 
> I know. That's why I specified that it was the same computer and same
> web browser I've been using for a couple of years.
> 
> 
> >Having a quick glance at the icloud.com cookies saved by Firefox, they
> >have an expiry date. Your cookie probably just expired so it needs a new
> >one, which means signing in again and a new TFA sequence.
> 
> How long do the cookies last?

Finding all the icloud.com cookies after signing in with Firefox, some
expire at end of session, some two weeks after they were created, and
the one labelled X-APPLE-WEBAUTH-HSA-TRUST expires in three months. (Not
sure if that is the critical one, but it seems likely.)

To check your own ones, look in Firefox > Preferences > Privacy, then
click the link "remove individual cookies" and in the resulting window,
search for icloud.com. (You don't have to remove it - this just lets you
see the detailed list of cookies, and some of the cookie fields for the
one you select.)

> >That's normal. The TFA request goes to _all_ trusted devices signed in
> >to your Apple ID which are running new enough OS versions.
> >
> >In this case, that includes the computer on which you are trying to log
> >in to icloud.com. The TFA request is from the OS (originating from a
> >push notification sent by Apple), not the browser.
> >
> >The new browser connection is not trusted, but the computer's connection
> >(via your user account having signed in to iCloud and your Apple ID) is
> >trusted, so it got the authentication request.
> 
> But it wasn't a "new browser connection."

As far as icloud.com is concerned, it was a new connection if the trust
cookie had expired (or been deleted), because the history of the
previous connection was forgotten.

> So you must be right that the TFA was triggered by an expired cookie.
> 
> 
> >Read this for general information on Apple's TFA scheme.
> >
> >https://support.apple.com/HT204915
> 
> That's the same page I already cited.

I hadn't seen your later post when I wrote that.

My main point was for you to understand that TFA sends authentication
requests to all your trusted devices, not just the "other ones".

> It only talks about "When you want to sign in to a new device for the
> first time"; it says nothing about the authentication expiring at some
> point.

Web browser logins to icloud.com are not "signing in to a new device".
They are signing in to the iCloud web site from a web browser. That does
not establish the computer as a trusted device.

For a Mac to be a "trusted device" (and able to receive TFA
authentication requests), you need to sign in to your iCloud account
using System Preferences, or during Setup Assistant.

> I get now that there were two entities that could be authenticated
> on my MacBook--the computer itself and Firefox. An impermanent cookie
> explains why I got a TFA request even though both of those entities
> had previously been verified as trusted "devices."

For TFA, a "trusted device" which can receive authentication requests is
a physical Apple product - a Mac (running OS X 10.11 El Capitan or
later) or an iOS device (running iOS 9 or later).

A browser is not a "device".

Trusting the web connection to icloud.com just means "save a trust
cookie so I don't need to authenticate this web browser again using TFA"
(until the cookie expires or is deleted).

It is a pity the word "trust" appears in both contexts, because it is
actually two separate mechanisms.

-- 
David Empson
dempson@actrix.gen.nz



#102321 — Re: Fake Email !From Apple

From: Patty Winter <patty1@wintertime.com>
Date: 2017-03-14 21:09 +0000
Subject: Re: Fake Email !From Apple
Message-ID: <oa9m5t$v74$3@dont-email.me>
In reply to: #102277

In article <1n2u4lt.exalhmlgm706N%dempson@actrix.gen.nz>,
David Empson <dempson@actrix.gen.nz> wrote:
>Patty Winter <patty1@wintertime.com> wrote:
>
>> I get now that there were two entities that could be authenticated
>> on my MacBook--the computer itself and Firefox. An impermanent cookie
>> explains why I got a TFA request even though both of those entities
>> had previously been verified as trusted "devices."
>
>For TFA, a "trusted device" which can receive authentication requests is
>a physical Apple product - a Mac (running OS X 10.11 El Capitan or
>later) or an iOS device (running iOS 9 or later).
>
>A browser is not a "device".

Browsers are mentioned under "Trusted Devices" on that Apple support
page. Including them in that section seemed odd to me, too, which is
why I came up with the word "entities." I still think they could make
it clearer that you may need to authenticate twice on a given computer,
and that the authentication for browsers expires periodically and you
have to renew it.


>Trusting the web connection to icloud.com just means "save a trust
>cookie so I don't need to authenticate this web browser again using TFA"
>(until the cookie expires or is deleted).
>
>It is a pity the word "trust" appears in both contexts, because it is
>actually two separate mechanisms.

Yeah, they should differentiate the two situations more.


Patty



#102327 — Re: Fake Email !From Apple

From: JF Mezei <jfmezei.spamnot@vaxination.ca>
Date: 2017-03-14 17:53 -0400
Subject: Re: Fake Email !From Apple
Message-ID: <58c8664f$0$34632$c3e8da3$dbd57e7@news.astraweb.com>
In reply to: #102321

On 2017-03-14 17:09, Patty Winter wrote:

> Browsers are mentioned under "Trusted Devices" on that Apple support
> page. 

(I've not used TFA yet, so bear with me)

Say I have my laptop's browser "authorized" to use my AppleID. Since
this is via cookies, it isn't really tied to the machine itself, right?

Laptop gets stolen.

I can go in and deauthorize the laptop hardware since at iCloud level,
the machine has a "Bonjour" name.


Can I de-authorize the cookie for Firefox on that laptop? Or do I just
get shown a list of authorized Firefox instances (laptop, desktop) and no
info on which cookie is used by what hardware?



#102335 — Re: Fake Email !From Apple

From: Jolly Roger <jollyroger@pobox.com>
Date: 2017-03-14 23:40 +0000
Subject: Re: Fake Email !From Apple
Message-ID: <eirdbqFkt2uU1@mid.individual.net>
In reply to: #102327

On 2017-03-14, JF Mezei <jfmezei.spamnot@vaxination.ca> wrote:
> On 2017-03-14 17:09, Patty Winter wrote:
>
>> Browsers are mentioned under "Trusted Devices" on that Apple support
>> page. 
>
> (I've not used TFA yet, so bear with me)
>
> Say I have my laptop's browser "authorized" to use my AppleID. Since
> this is via cookies, it isn't really tied to the machine itself, right?

Wrong.

-- 
E-mail sent to this address may be devoured by my ravenous SPAM filter.
I often ignore posts from Google. Use a real news client instead.

JR



#102340 — Re: Fake Email !From Apple

From: dempson@actrix.gen.nz (David Empson)
Date: 2017-03-15 13:21 +1300
Subject: Re: Fake Email !From Apple
Message-ID: <1n2xhgn.1hk0i2c1cps6tiN%dempson@actrix.gen.nz>
In reply to: #102321

Patty Winter <patty1@wintertime.com> wrote:

> In article <1n2u4lt.exalhmlgm706N%dempson@actrix.gen.nz>,
> David Empson <dempson@actrix.gen.nz> wrote:
> >Patty Winter <patty1@wintertime.com> wrote:
> >
> >> I get now that there were two entities that could be authenticated
> >> on my MacBook--the computer itself and Firefox. An impermanent cookie
> >> explains why I got a TFA request even though both of those entities
> >> had previously been verified as trusted "devices."
> >
> >For TFA, a "trusted device" which can receive authentication requests is
> >a physical Apple product - a Mac (running OS X 10.11 El Capitan or
> >later) or an iOS device (running iOS 9 or later).
> >
> >A browser is not a "device".
> 
> Browsers are mentioned under "Trusted Devices" on that Apple support
> page.

Mentioned yes, but the definition of Trusted Device in that section
reads:

"A trusted device is an iPhone, iPad, iPod touch with iOS 9 and later,
or Mac with OS X El Capitan and later that you've already signed in to
using two-factor authentication."

The browser does not count as a "trusted device". A "trusted device" is
a physical Apple product (iOS device or Mac).

The second sentence then explains how a trusted device is involved when
your identity needs to be verified:

"It's a device we know is yours and that can be used to verify your
identity by displaying a verification code from Apple when you sign in
on a different device or browser."

The "on a different device or browser" bit is slightly vague -
"different" refers to a device but not to a browser. It would be better
worded as "on a different device, or a browser".

You need to authenticate from a trusted device if you sign in to
icloud.com or appleid.apple.com from any web browser, including a web
browser running on one of your trusted devices. (In the case of
icloud.com it can save a trust cookie so you don't need to repeat that
for each login to the web site, until the cookie expires.)

-- 
David Empson
dempson@actrix.gen.nz
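
The browser "trust cookie" discussed in the posts above (skip TFA until the cookie expires or is deleted), sketched as an added example that is not part of any post in the thread and is not Apple's implementation. The class and method names, the account and browser label, and the 90-day lifetime (standing in for the roughly three-month expiry reported above) are assumptions; the timeline is constructed.

```python
import hashlib
import secrets
from datetime import datetime, timedelta, timezone

# Assumption: 90 days stands in for the roughly three-month expiry seen in the post.
TRUST_LIFETIME = timedelta(days=90)


class BrowserTrustStore:
    """Hypothetical server-side store for 'trust this browser' cookies."""

    def __init__(self):
        self._records = {}  # sha256(token) -> {"account", "label", "expires"}

    @staticmethod
    def _digest(token):
        # Only a hash is kept server-side, so a leaked table yields no usable cookies.
        return hashlib.sha256(token.encode()).hexdigest()

    def issue(self, account, label, now):
        """Call after a successful 2FA challenge; returns the cookie value to set."""
        token = secrets.token_urlsafe(32)
        self._records[self._digest(token)] = {
            "account": account, "label": label, "expires": now + TRUST_LIFETIME}
        return token

    def needs_second_factor(self, account, cookie, now):
        """True when this browser has to go through 2FA again."""
        if not cookie:
            return True  # cookie deleted, or browser never trusted
        key = self._digest(cookie)
        record = self._records.get(key)
        if record is None or record["account"] != account:
            return True  # revoked, unknown, or issued to another account
        if now >= record["expires"]:
            del self._records[key]  # expired trust is forgotten
            return True
        return False

    def revoke(self, account, label):
        """Drop every trust record with this label; returns how many were removed."""
        doomed = [k for k, r in self._records.items()
                  if r["account"] == account and r["label"] == label]
        for key in doomed:
            del self._records[key]
        return len(doomed)


def demo():
    """Constructed timeline for one account and one browser."""
    store, acct, label = BrowserTrustStore(), "user@example.com", "Firefox on MacBook"
    t0 = datetime(2017, 3, 13, tzinfo=timezone.utc)
    cookie = store.issue(acct, label, t0)
    out = {
        "next_day": store.needs_second_factor(acct, cookie, t0 + timedelta(days=1)),
        "cookie_deleted": store.needs_second_factor(acct, None, t0 + timedelta(days=1)),
        "after_91_days": store.needs_second_factor(acct, cookie, t0 + timedelta(days=91)),
    }
    fresh = store.issue(acct, label, t0 + timedelta(days=91))
    out["revoked_count"] = store.revoke(acct, label)
    out["after_revoke"] = store.needs_second_factor(acct, fresh, t0 + timedelta(days=92))
    return out


if __name__ == "__main__":
    print(demo())
```

In this model the browser's trust record is separate from any trusted-device list, which is the "two separate mechanisms" point made in the thread; whether a real service exposes per-browser revocation is not something the thread establishes.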



#102260 — Re: Fake Email !From Apple

From: Lewis <g.kreme@gmail.com.dontsendmecopies>
Date: 2017-03-13 14:10 +0000
Subject: Re: Fake Email !From Apple
Message-ID: <slrnocda8e.1dj1.g.kreme@snow.local>
In reply to: #102239

In message <oa4j1r$5qf$1@dont-email.me> Patty Winter <patty1@wintertime.com> wrote:

> In article <120320171351537547%nospam@nospam.invalid>,
> nospam  <nospam@nospam.invalid> wrote:
>>
>>enable 2 factor authentication and eliminate the risk.

> A few minutes ago, I began a login iCloud on my MacBook. Same computer,
> same web browser as always, yet for some reason TFA got triggered. My
> iPhone beeped to let me know about the code I needed. A moment later,
> the required six-digit code for my MacBook appeared on another device--
> my MacBook. I typed it in and got logged in to iCloud. Never had to
> reach for the iPhone on the table. 

> Clearly, this is not how things are supposed to work.

Clearly? A trigger word that indicates a fundamental lack of
understanding or a desire to obfuscate.

What fundamental misunderstanding leads you to believe this is not how
things are supposed to work?

> Either Apple's security system knew that Firefox on this computer was
> trusted, and therefore shouldn't have demanded a verification code, or
> if it really thought that this system wasn't trusted, then it
> shouldn't have sent a verification code to it. It's as though one
> security database isn't talking to another one.

Neither statement you made is correct.

-- 
Of pleasures, those that occur most rarely give the most delight



#102234

From: JF Mezei <jfmezei.spamnot@vaxination.ca>
Date: 2017-03-12 17:27 -0400
Message-ID: <58c5bd4b$0$42021$c3e8da3$3a1a2348@news.astraweb.com>
In reply to: #102213

On 2017-03-11 21:23, Charles H. Sampson wrote:
> I recently got a couple of emails from Apple titled "Your Apple ID was
> used to sign in to FaceTime on an iPhone 5" and "Your Apple ID was used
> to sign in to iCloud on an iPhone 6".


A few weeks ago, I got a legitimate email from Apple about an iPhone I
don't own using my Apple ID. ("view source" is the tool to see if the
email is legit or not from the headers, so you should NEVER open such
emails from an iPhone BTW).

Changing password got delayed because Apple insisted I set up
authentication questions, and 2 of the 3 questions had no choices which
were applicable to me. (I don't have a car, and certainly don't remember
children's books etc).

Getting a human for Apple ID is not easy as they always refer you to
their web site which has no info for legit fraud. Eventually did get one
to report this as a real fraud.


(You may recall my asking about two factor authentication, that is why).
