Every parent is aware of pester power. From a very young age, kids will beg and plead to try and get their own way. “Mom, can I have…?”, “Please Mom?”, “Just one?”, “Please Mom, everyone else has one…

On and on it goes, a battle of wills between you and your offspring. It’s a war of attrition to see which is stronger, your resolve or your child’s urgent demands.

In an ideal world, our kids would take the first ‘no’ and stop asking. But children know instinctively that if they keep persevering, they may just cause us to change our minds, allowing them to have their own way.

So what does this have to do with cybersecurity? A new scam works on the same principle, using constant, annoying requests to wear down our defenses. And if we give in, we lose.

The iPhone MFA bombing attack

The goal of the iPhone MFA bombing attack is to trick victims into giving control of their iCloud account to a hacker. The criminal can then access iCloud files, disable devices remotely and potentially access payment details and other sensitive information. 

The attack itself works like this: 

  1. The attacker visits iCloud.com and tries to log into their target’s account. 
  2. Apple automatically sends a notification to the victim’s phone, asking if they want to reset their iCloud password. The user generally clicks ‘Don’t allow’ to clear the message.
  3. The hacker continues this process, generating dozens of annoying pop-ups in the hope of tricking the user into clicking ‘Allow’ to end the bombardment. Just like a tired toddler who won’t take ‘no’ for an answer.

The attack doesn’t end there though. Typically, a scammer will also call claiming to be from Apple and advising the iPhone owner that their iCloud account is being attacked. To end the attack, the user just needs to click ‘Allow’ and read out the one-time verification code to the operator.

However, once the one-time password has been shared, the scammer has everything they need to take control, locking the victim out of their own iCloud account.

Is the attack effective?

Thankfully, reports of the iCloud MFA bombing attack are quite limited. To be effective, attackers must know the email address and the phone number attached to the Apple ID.

If you begin receiving constant push notifications requesting a password reset, you may be a target. And just like a careful parent, you must click ‘Do not allow’ on every unprompted request. You should also report the attack to the relevant authorities (and Apple).

Also, you must not give one-time passwords to anyone who calls you, no matter how convincing they sound. Apple will never request this information from you over the phone. 

Read also: Do iPhones Need Antivirus Software? iPhone Security Considerations + Safety Tips

Stay safe

As always, the best way to protect yourself against these kinds of scams is to stay alert. Whatever you do, don’t let a scammer annoy you into making a mistake.