That product managers ship a feature that would subject you to total lockout of your account by SIM Swap is borderline dereliction of duty to users
Apple sherlocked 1Password today, so I'd like to remind you that your Apple ID is only as secure as your phone carrier. If you have 2FA on and get SIM swapped, attackers can lock you out of your iCloud account - PERMANENTLY. Last month, it happened to me. Make sure it doesn't happen to you: In February, my T-Mobile SIM was swapped for the first time. I recovered my number the same day and added SIM protection with a pin code to prevent future occurrences. I mention this only so that you know that a PIN code doesn't protect you from SIM swapping. Last month, I was on a FaceTime call when suddenly the call dropped, and I was asked to reauthorize iCloud on all my devices. I also noticed my iPhone had lost all reception - so I immediately knew what happened - I somehow got SIM swapped again, despite adding a PIN. In my inbox was an email from Apple telling me my Apple ID was password reset, my trusted phone number was removed, and a new number was added ending in 24, which I don't recognize. I immediately called T-Mobile and recovered my phone number. According to their systems, this change happened at the Stanford Apple store by an employee with an ID of R099. It's important to note that I did not visit this store all year - this was an inside job. I've escalated this as high as it goes at Apple (VP level) and was told that without knowing what the new trusted number is, they are cryptographically locked out. There is nothing they can do even if they wanted to. I am far from alone in getting hosed like this: https://lnkd.in/gBjZ5w5V. Luckily, all of our passwords were in 1Password, my work accounts are considerably more locked down, and we had backups of everything (including 20 years of photos). But having to remove activation lock and manually set up all of our Apple devices again was a pain in the ass. The best way to protect yourself is to NOT use any carrier numbers for 2FA: even with SIM code protection, you can still get SIM swapped. Instead, sign up for a Google Voice number. So my point is - I would think hard before trusting Apple or iCloud with any of your passwords. Apple is aware of the vulnerability and is working on things, but apparently, any fixes won't be retroactive. I think 1Password will be fine.
Andy Brown
1mo
The one other piece of advice is to use Authenticator instead of otp via sms or imessage. I’ve started migrating wherever it’s possible and requested it wherever it’s not. Agree it’s urgent to solve properly and could actually be solved with a 3rd party or 1st party authenticator + something you know on icloud I would think.
Wow, what a harrowing experience! It's alarming to see how even with added security measures like a PIN, SIM swapping can still occur. Your advice on using a Google Voice number for 2FA is incredibly valuable. It's a stark reminder that we need to stay vigilant and explore alternative security measures. Thank you for sharing your story and the lessons learned. It’s definitely a wake-up call for many of us! 🚨🔒
Stephen Klein
1mo
Borderline? I think you’re being kind
Kyle Quest
1mo
I assume it's ok not to use this feature :-) It doesn't look good though. A security product/feature was created without involving people who know security and who can threat model the SIM swapping attack (though maybe they did have security people threat model, but they just didn't care :-))
Vasili Onjea
1mo
I don't think it's a PM issue. Likely it's an "edge case" that wasn't thought through in the name of "ship fast" – shipping is great, but current SV culture has thrown the baby out with the bath water and quality seems secondary
Ian Vensel 🏁
1mo
No surprise tbh, this is the "new apple" that has strayed far from delighting customers & Tmobile is the most well known carrier for Sim swaps, its happened to 4 people I know personally in the past 2.5 years.
Yeong Cheng
1mo
Dereliction of duty to users is kinda Apple’s thing (and phone carriers and in particular TMobile’s thing; the latter limits your bandwidth to 1-5mbps unless you “opt in” to actually receiving your bandwidth)
Senior PM @ Google | MBA
1moThis vulnerability doesn’t really seem like a product team that’s ‘abandoned their post’, rather a complex scenario that wasn’t accounted for or vetted fully. It’s a team-wide miss that the entire team touching the product should fully commit to fixing ASAP. I’m positive there are members of this team, across disciplines, that are thinking “Damn, I let this slip through.” And I’m almost just as positive that there are folks saying “Damn, we’ve got to fix this.” The organizational redundancies to catch stuff like this also failed, and I’m sure those folks too are saying “Damn..”And I say this because I think most of us who love software have an ownership-mentality, and answer the calls triggered by these inevitable P0s. For the team who is working on this - I don’t think you’ve neglected your duties, though the person above might. Keep on keeping on and get it done. ✅