
I agree that better education around Internet security is needed, especially for basic phishing attacks like this.

OTOH, I believe Apple could be doing more to deter and/or detect this type of broad access, especially with the lack of sophistication behind this scheme! I feel like even Netflix does a better job at alerting me to access from a new device, and they aren't storing any of my personal photos.



If you have two factor enabled, which is required for many iCloud features, every single Apple device you own will receive an alert with the location of login before you can reveal the 2FA code, even for iCloud logins. What more would you like to see?


They would just get an email saying that icloudbackupsupport@gmail.com (his phony address) accessed the account immediately after giving their info to icloudbackupsupport@gmail.com. He could even have told them to expect and ignore such an email.


There should be a request for approving the login attempt, and if you say yes, you get a six digit code to enter on the device trying to connect. Then when that succeeds, you get another push notification about it succeeding.


And that's what happens on any iOS with 2FA enabled.


Perhaps something in that 2FA request saying "Apple will only ask for your password in-person in a store or other authorized repair provider. Only allow this request if you know who requested it"?


You need to spend more time around non-technologists. Many folks just dismiss computer prompts without reading, ignore emails, or any number of other similar behaviors that would likely drive you and me crazy by their lack of attention to detail.

Adding detailed prompts won’t solve the problem.


> Investigators soon discovered that a log-in to the victim’s iCloud account had come from an internet address at Chi’s house

If the attacker was really not covering his tracks, perhaps Apple may have flagged hundreds of different iCloud account logins originating from the same location as something to look into?


That's not really a reliable/actionable signal overall - my previous employer had like 20,000 employees NATed behind a single IP.
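The "many accounts from one address" signal discussed above, as an added defender-side example that is not part of this thread: distinct-account counts per source IP are computed from constructed sample log lines, and an IP is only flagged when its count is unusual relative to its own historical baseline, so a known corporate NAT egress (the 20,000-employee case) is not a false positive. The log format, IPs and baseline values are all constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample auth log lines (not from any real system): one line per
# login, in the form "<timestamp> src=<ip> account=<user> result=<ok|fail>".
SAMPLE_LOG = """\
2021-04-01T09:00:01Z src=198.51.100.9 account=alice@example.com result=ok
2021-04-01T09:00:07Z src=198.51.100.9 account=bob@example.com result=ok
2021-04-01T09:00:12Z src=198.51.100.9 account=carol@example.com result=ok
2021-04-01T09:00:15Z src=198.51.100.9 account=dave@example.com result=ok
2021-04-01T09:01:40Z src=203.0.113.40 account=erin@example.com result=ok
2021-04-01T09:01:44Z src=203.0.113.40 account=frank@example.com result=ok
2021-04-01T09:02:03Z src=203.0.113.40 account=grace@example.com result=ok
2021-04-01T09:02:10Z src=203.0.113.40 account=heidi@example.com result=ok
2021-04-01T09:05:00Z src=192.0.2.77 account=ivan@example.com result=ok
2021-04-01T09:05:30Z src=192.0.2.77 account=ivan@example.com result=fail
"""

LINE_RE = re.compile(r"src=(?P<ip>\S+) account=(?P<acct>\S+) result=(?P<res>\S+)")

def distinct_accounts_per_ip(log_text):
    """Map each source IP to the number of distinct accounts that logged in
    successfully from it."""
    seen = defaultdict(set)
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if m and m.group("res") == "ok":
            seen[m.group("ip")].add(m.group("acct"))
    return {ip: len(accts) for ip, accts in seen.items()}

def flag_many_accounts(counts, baseline, min_accounts=3, ratio=3.0):
    """Return IPs whose distinct-account count is unusual *for that IP*.

    baseline: historical distinct accounts per IP (a NAT egress normally
    shows thousands). An IP is flagged only if it exceeds both the absolute
    floor and `ratio` times its own baseline, so a large known NAT is left
    alone while a home address suddenly serving many accounts stands out.
    """
    flagged = [ip for ip, n in counts.items()
               if n >= min_accounts and n > ratio * baseline.get(ip, 1)]
    return sorted(flagged)

# Constructed baseline: 198.51.100.9 plays the role of a corporate NAT egress.
BASELINE = {"198.51.100.9": 20000, "203.0.113.40": 1, "192.0.2.77": 1}

if __name__ == "__main__":
    counts = distinct_accounts_per_ip(SAMPLE_LOG)
    print(counts, flag_many_accounts(counts, BASELINE))
```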


> my previous employer had like 20,000 employees NATed behind a single IP.

If so, it’s incredibly unlikely that all 20k were online simultaneously. If they were, each person could only open ~3 TCP sockets to the internet (even if via a proxy if dealing with individual login sessions) at a time before you’ve run out of ports.


Even though you're probably right on the first part, the second part is false. While most NAT implementations operate as you describe, called "port-restricted cone NAT", some implementations allocate the external port only for a specific destination address, called "symmetric NAT".
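The port-exhaustion arithmetic from the two comments above (20,000 hosts behind one IP, roughly 3 sockets each), as an added example that is not part of this thread: a toy NAT mapping table in the two modes described, where the cone mode draws every mapping from one shared pool and the symmetric mode, as the comment describes, ties the external port to the destination so the same port can be reused towards other destinations. The class, host addressing and destination names are constructed for illustration and model no real NAT implementation.

```python
from collections import defaultdict

# External ports the NAT can hand out; 1024..65535 is 64512 ports per pool.
EPHEMERAL = range(1024, 65536)

class Nat:
    """Toy NAT mapping table, constructed for illustration (not a real stack).

    mode="cone"      -> one external port per internal (ip, port), reused for
                        every destination; all mappings share one pool, so the
                        whole NAT is capped at len(EPHEMERAL) concurrent sockets.
    mode="symmetric" -> the external port is tied to a specific destination
                        (ip, port), so the same external port can be reused
                        towards other destinations; the cap is per destination.
    """
    def __init__(self, mode):
        assert mode in ("cone", "symmetric")
        self.mode = mode
        self.table = {}                                    # key -> external port
        self.free = defaultdict(lambda: list(EPHEMERAL))   # free ports per pool

    def allocate(self, iip, iport, dip, dport):
        """Return the external port for this flow, or None on port exhaustion."""
        if self.mode == "cone":
            key, pool = (iip, iport), "all"
        else:
            key, pool = (iip, iport, dip, dport), (dip, dport)
        if key in self.table:
            return self.table[key]
        if not self.free[pool]:
            return None
        self.table[key] = self.free[pool].pop()
        return self.table[key]

def simulate(mode, hosts, sockets_per_host):
    """Every host opens `sockets_per_host` flows, each to a different
    destination; returns how many flows the NAT managed to map."""
    nat = Nat(mode)
    mapped = 0
    for h in range(hosts):
        iip = f"10.0.{h // 256}.{h % 256}"
        for s in range(sockets_per_host):
            if nat.allocate(iip, 40000 + s, f"dst{s}.example", 443) is not None:
                mapped += 1
    return mapped

if __name__ == "__main__":
    # 20,000 hosts x 4 sockets: cone NAT stalls at 64512 mappings (about 3
    # per host), symmetric NAT maps all 80,000 because each destination
    # gets its own pool of 64512 external ports.
    print(simulate("cone", 20000, 4), simulate("symmetric", 20000, 4))
```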


TIL, thanks!


IP NATing is a common thing done by most ISPs; you can literally have 100s or even thousands of users using the same IP.


There isn’t enough information in the linked article to reveal the attacker’s methods. Do you have further information or are you speculating?


It’s better than nothing but still not great because the login area they present is too broad. For example, if you live in a large city and the phisher is somebody you know, seeing “New login from Your City” is not going to make you think twice.


If you refuse to think, even when prompted, that's on you. You should think about whether you logged in from the city and device/OS named in the alert.


Not just better education around security practices, but better understanding around control of your content, where it's stored, what happens to content when you press that button in an app. I don't want to victim blame here, and this guy is a total creep, but the victims uploaded their nudes to the Internet. At that point, the cat was out of the bag.

Part of safely using the Internet is having the knowledge and being aware of where (in your apps) the boundary is between your local device and the global network that everyone has access to. People need to understand: When you sync to a cloud service, you're sending your content to someone's computer unknown to you. Yes, in this case, it's Apple's computer, but that didn't stop this guy. Once you sync something online, it's out of your hands, and on the Internet now.

I personally treat all cloud services as if they were accessible publicly and anonymously, and will inevitably be printed in my local newspaper, and only upload content to those services where I am comfortable with that level of exposure.

EDIT: To clarify, I wish applications would stop blurring the line between "on my device" and "on the Internet". I've used applications where, to an unsophisticated user, the save dialog looks like it's saving to their computer but it's actually in the cloud. Add to it all these apps that try to be helpful by seamlessly (and invisibly) keeping local content in sync with the cloud versions and you have a recipe for disasters like this. Have an explicit "upload this thing to the Internet" button, please!


It boggles my mind that people have nudes of themselves on any digital medium. I say if you want to dabble in that, get a film camera and develop the pictures in your own basement.


Or get a non-wifi digital camera and manage your photos on a non cloudy computer. Maybe even take it a step further and use tools to remove EXIF data that has your camera's serial number and other metadata in the images. Photos taken from cell phones often give away GPS coordinates.


Yeah, Netflix is actually annoying with it - I was using my "ultra low security" password which is in... probably every public password dump around for years, got dozens of logins, just ignored them until someone finally tried to change it and I had to reset it.

