
Apple security and privacy

I don't think 2FA will work if you are outside of the US and use a local SIM card in order to get less expensive data on your phone, because your phone number will not be the one registered for 2FA. (Maybe I'm missing something.)
2FA does not require you to have a phone that uses the trusted number. That number is not used unless you explicitly request to get a code via SMS text message or a voice call, which is not the default for Apple's 2FA system.

Under normal circumstances, any trusted device with an Internet connection works (while it is logged in to your iCloud account). This is why you can use Macs, Wi-Fi-only iPads and iPod Touches as trusted devices.

If you have a trusted device without an Internet connection, even that is OK - you can manually tell it to generate a code. See my previous post on this subject for the instructions on how to do that.
 


Authentication apps that produce time-limited codes are another way to do 2FA, which doesn't necessarily require an active connection (depending on the means for verification).
Putting time limits on codes can be useful, but I have encountered codes with lifetimes of only a few minutes, which can be too short if they are delayed (by spam filtering protocols or mail clients set to download periodically rather than continually), or if you have to find and boot up the second factor. Another problem I've seen is an authentication code generated at the end of a procedure that winds up taking so long that you have to go do something else, and find the authentication code has expired when you return.
 


Putting time limits on codes can be useful, but I have encountered codes with lifetimes of only a few minutes, which can be too short if they are delayed (by spam filtering protocols or mail clients set to download periodically rather than continually), or if you have to find and boot up the second factor. Another problem I've seen is an authentication code generated at the end of a procedure that winds up taking so long that you have to go do something else, and find the authentication code has expired when you return.
You are conflating two different methods of 2FA. One method involves receiving a code by text or email, which is valid for a certain amount of time and is subject to the issues you mention. The other is TOTP applications (Time-based One Time Passwords), such as Google Authenticator. Those codes are generated locally by the app, based on the current time. If you get interrupted and come back to the process, the app will generate a new valid code based on the current time. As it is a local app, there is no concern with transit delays, SIM cards, email access, etc.
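
An added illustration of the point made in the reply above (not part of the original post, and not any vendor's code): a TOTP code is computed locally from a shared secret and the clock, as specified in RFC 6238, so a fresh valid code is always available after an interruption. The secret is the RFC 6238 test value; the function names and the one-step drift window are assumptions made for the example.

```python
import hashlib
import hmac
import struct

# RFC 6238 Appendix B test secret (ASCII). A real authenticator stores a
# random per-account secret, usually exchanged as Base32 in a QR code.
RFC_SECRET = b"12345678901234567890"
STEP = 30  # seconds per time step, the RFC 6238 default


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                       # low nibble picks the window
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


def totp(secret: bytes, unix_time: int, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with counter = number of 30 s steps since epoch."""
    return hotp(secret, int(unix_time) // STEP, digits)


def verify(secret: bytes, code: str, unix_time: int,
           window: int = 1, digits: int = 6) -> bool:
    """Server side: accept the current step plus/minus `window` steps of drift.

    The window size is a policy choice (assumed to be 1 here); nothing is
    sent to the user, so there is no delivery delay to account for.
    """
    counter = int(unix_time) // STEP
    for drift in range(-window, window + 1):
        candidate = counter + drift
        if candidate < 0:
            continue
        # Constant-time comparison avoids leaking how many digits matched.
        if hmac.compare_digest(hotp(secret, candidate, digits), code):
            return True
    return False


def interrupted_login(secret: bytes, start: int, delay: int,
                      digits: int = 6) -> dict:
    """Model the 'got interrupted and came back' case from the thread.

    The code read from the app at `start` is stale after `delay` seconds,
    but the app simply computes a new one from the current time.
    """
    old_code = totp(secret, start, digits)
    later = start + delay
    fresh_code = totp(secret, later, digits)
    return {
        "old_code": old_code,
        "old_code_accepted": verify(secret, old_code, later, digits=digits),
        "fresh_code": fresh_code,
        "fresh_code_accepted": verify(secret, fresh_code, later, digits=digits),
    }


if __name__ == "__main__":
    # Ten-minute interruption, starting at an RFC 6238 test timestamp.
    for key, value in interrupted_login(RFC_SECRET, 1111111109, 600).items():
        print(f"{key}: {value}")
```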
 


It's also worth noting that using SMS/text messages for 2FA is not all that secure, thanks to hackers who conduct SIM-swapping attacks, where they trick your phone service provider to switch your phone number to their device and can therefore receive all your texts.
My problem while in New Zealand was the converse. There's no roaming, so I had to swap SIMs in order to use the local cell network. And so both PayPal and my bank back in the US refused to obey my online commands, because they wanted to confirm my identity by sending an SMS text / phone call to my US number, the SIM for which was not in my phone (and wouldn't have worked if it was).
 


My problem while in New Zealand was the converse. There's no roaming, so I had to swap SIMs in order to use the local cell network. And so both PayPal and my bank back in the US refused to obey my online commands, because they wanted to confirm my identity by sending an SMS text / phone call to my US number, the SIM for which was not in my phone (and wouldn't have worked if it was).
Yes, this is a real problem if your account only supports the phone system (SMS or voice call) as a second factor.

Regarding PayPal, they support four different TOTP apps in addition to SMS: Google Authenticator, Authy, Duo Mobile, and Authenticator.

You may want to ask your bank if they support any other mechanism to use as your second factor.

In addition to working when your local phone number isn't available, getting rid of SMS also protects you against SIM-swap attacks.
 


I had set up my Backblaze account to use 2FA via an SMS code. This worked until it didn't. The code never arrived. Backblaze couldn't figure out why. (I live in Thailand.) It took about 24 hours to accomplish removing 2FA from my account so I could get access. (I suppose I should be glad that Backblaze has rather strict procedures in place for verifying my identity.)

I now have Backblaze set up to use 2FA via a TOTP. The TOTP facility in 1Password works for this.

As I see it, one big problem (as demonstrated by this thread) is that much of this stuff is not well understood by many of us mortals. I shouldn't have to spend a bunch of time studying in order to make these things work. It should be quick and easy. Often it is not.
 



Yes, this is a real problem if your account only supports the phone system (SMS or voice call) as a second factor. Regarding PayPal, they support four different TOTP apps in addition to SMS: Google Authenticator, Authy, Duo Mobile, and Authenticator.
Unfortunately, that's only for "PayPal powered by Braintree", a merchant payment processor service. The normal PayPal that most consumers would use only supports 2FA via SMS. It's one of the few services I have that does not support TOTP for 2FA.
 


Unfortunately, that's only for "PayPal powered by Braintree", a merchant payment processor service. The normal PayPal that most consumers would use only supports 2FA via SMS. It's one of the few services I have that does not support TOTP for 2FA.
I just went in to my account at the main PayPal site and was able to enable TOTP as my primary 2FA (with SMS as a backup.) Not sure what powered by Braintree is, but I don't see anything like that on my PayPal account.
 



Can anyone shed some light please on an “Invalid Code Signature” issue with Safari 12.03 in macOS Sierra? Little Snitch shows Safari has “Invalid Code Signature”, but clicking “show certificate”, the Software Signing shows “This certificate is valid.” The results are the same after reinstalling Safari from an installer downloaded from Apple. Using codesign --verify --verbose some problems exist:
Code:
/Applications/Safari.app: a sealed resource is missing or invalid
file added: /Applications/Safari.app/Contents/Resources/Safari.help/Contents/Resources/css/img/icon-arrow-2.png
file added: /Applications/Safari.app/Contents/Resources/Safari.help/Contents/Resources/css/img/nav-paddle-left.png
file added: /Applications/Safari.app/Contents/Resources/Safari.help/Contents/Resources/css/img/nav-paddle-left.svg
file added: /Applications/Safari.app/Contents/Resources/Safari.help/Contents/Resources/css/img/nav-paddle-right.png
file added: /Applications/Safari.app/Contents/Resources/Safari.help/Contents/Resources/css/img/nav-paddle-right.svg
file added: /Applications/Safari.app/Contents/Resources/Safari.help/Contents/Resources/SharedGlobalArt/dmg.json
The Safari 12.03 installer shows a valid certificate from Apple when clicking the lock icon. The SHA1 Fingerprint listed there is "1E 34 E3 91 C6 44 37 DD 24 BE 57 B1 66 7B 2F DA 09 76 E1 FD", which is different from the two on the bottom of Apple’s support page that start with FA and 9C:
That support article was updated in 2017, so maybe it’s outdated?

In case the installer doesn’t fully replace Safari, I wanted to delete Safari first, but I have been unsuccessful. Can Safari be deleted? I have the latest Adblock by BetaFish from the App Store, but I don't think that would have modified the code signature. Thanks.
 


Ric Ford

MacInTouch
Using codesign --verify --verbose some problems exist...
I can at least confirm this behavior on my macOS 10.12.6 Sierra system with all updates:
Bash:
codesign --verify --verbose /Applications/Safari.app
/Applications/Safari.app: a sealed resource is missing or invalid
file added: /Applications/Safari.app/Contents/Resources/Safari.help/Contents/Resources/css/img/icon-arrow-2.png
file added: /Applications/Safari.app/Contents/Resources/Safari.help/Contents/Resources/css/img/nav-paddle-left.png
file added: /Applications/Safari.app/Contents/Resources/Safari.help/Contents/Resources/css/img/nav-paddle-left.svg
file added: /Applications/Safari.app/Contents/Resources/Safari.help/Contents/Resources/css/img/nav-paddle-right.png
file added: /Applications/Safari.app/Contents/Resources/Safari.help/Contents/Resources/css/img/nav-paddle-right.svg
file added: /Applications/Safari.app/Contents/Resources/Safari.help/Contents/Resources/SharedGlobalArt/dmg.json
 


I don't think 2FA will work if you are outside of the US and use a local SIM card in order to get less expensive data on your phone, because your phone number will not be the one registered for 2FA. (Maybe I'm missing something.)
To my dear US friends who are afraid of losing 2FA access when travelling abroad and switching SIM chips: it works. I do it all the time, the reason for this being that 2FA does not use SMS (or rather, only as a last resort). For these people, I also strongly recommend to never use your phone number as outgoing identifier for iMessage and FaceTime but rather your email address or Apple ID, because the latter does not change when you switch SIMs.
 


Can anyone shed some light please on an “Invalid Code Signature” issue with Safari 12.03 in macOS Sierra? Little Snitch shows Safari has “Invalid Code Signature”, but clicking “show certificate”, the Software Signing shows “This certificate is valid.” The results are the same after reinstalling Safari from an installer downloaded from Apple. Using codesign --verify --verbose some problems exist:
I don't understand this aspect of Little Snitch. The code signature check was introduced in a fairly recent Little Snitch update (maybe last year). Immediately Little Snitch started flagging the Cisco AnyConnect app. I eventually set Little Snitch to ignore code signatures on AnyConnect and the associated vpnagentd process. I checked just now with the codesign command, and there were no errors indicated for either the app or the process. I wonder if this is a Little Snitch problem.
 


Ric Ford

MacInTouch
Here's a related note (substitute "Safari" for "EtreCheck"):
Objective Development Forums said:
Re: Little Snitch 4.0.5 blocks valid code signatu
... To check an app’s code signature on disk (called the “static code signature”) and thereby verify that it was not modified since its developer signed it, use this command (replace the path to the app if necessary):

codesign --verbose=4 --verify /Applications/EtreCheck.app

The other relevant thing is the code signature of the running process (called the “dynamic code signature”) and that is what Little Snitch actually checks. To check this, use this command:

codesign --verbose=4 --verify `pgrep EtreCheck`

If the second command reports that the code signature is invalid, that means that the app does something that breaks its dynamic code signature. Most often, this means that the app loads a library or plugin that has no valid code signature, which invalidates the app’s code signature. But it could also mean that something nasty is going on and another process tries to modify the app.
 


I just went in to my account at the main PayPal site and was able to enable TOTP as my primary 2FA (with SMS as a backup.) Not sure what powered by Braintree is, but I don't see anything like that on my PayPal account.
Can you please check again and/or provide step-by-step directions on how to enable TOTP for PayPal? When I go to Settings > Security > Security key, I'm only provided these options, which only allow for SMS registration. This comports with their Security Key documentation which only mentions SMS. Additionally, there are PayPal users complaining about SMS being the only option and no TOTP support.
 


Can you please check again and/or provide step-by-step directions on how to enable TOTP for PayPal? When I go to Settings > Security > Security key, I'm only provided these options, which only allow for SMS registration. This comports with their Security Key documentation which only mentions SMS. Additionally, there are PayPal users complaining about SMS being the only option and no TOTP support.
I just checked again and logged in fine with a TOTP 2FA. I can't post screen shots right now, but my screens don't look like what you have in your screen shots. To enable 2FA using TOTP, here is what I did:
  1. Go in your account settings (gear in the upper right corner)
  2. Third item down is 2-Step Verification. Click Update
  3. In the Manage 2-Step Verification screen, click Add a Device and select Use an Authenticator App.
You should then be able to walk through the process to add TOTP authenticator app.

If you are not seeing that, I am not sure why my settings would be different from yours.
 


I also have Pi-hole running on my home network. I keep getting many requests for "ckdatabase.fe.apple.dns.net" from my Macs and iOS devices that are blocked by default. A quick search shows that this request may be for iCloud services. Does anyone have any experience with this?
It appears to be related to iOS telemetry, as the domain "ckdatabase.fe.apple-dns.net" appears on this blacklist of hostnames to block if you want to block telemetry. I suppose it may be related to the setting that asks if you want to send usage data to Apple during OS installation/setup. On iOS, you can find those settings under Settings > Privacy > Analytics.

(Note: the domain is apple-dns.net, not apple.dns.net. apple-dns.net is a legitimate Apple-owned domain).
 


Here's a related note (substitute "Safari" for "EtreCheck"):
Thanks for the tip Ric. The second command shows as valid, but it still seems as though something modified it. Perhaps nothing to worry about, but I'd still like to delete Safari before reinstall, however that's done.
Bash:
codesign --verbose=4 --verify /Applications/Safari.app

--prepared:/Applications/Safari.app/Contents/PlugIns/CacheDeleteExtension.appex
--validated:/Applications/Safari.app/Contents/PlugIns/CacheDeleteExtension.appex
--prepared:/Applications/Safari.app/Contents/PlugIns/Safari.wkbundle
--validated:/Applications/Safari.app/Contents/PlugIns/Safari.wkbundle
--prepared:/Applications/Safari.app/Contents/PlugIns/DiagnosticExtension.appex
--validated:/Applications/Safari.app/Contents/PlugIns/DiagnosticExtension.appex
--prepared:/Applications/Safari.app/Contents/XPCServices/com.apple.Safari.BrowserDataImportingService.xpc
--validated:/Applications/Safari.app/Contents/XPCServices/com.apple.Safari.BrowserDataImportingService.xpc
/Applications/Safari.app: a sealed resource is missing or invalid
file added: /Applications/Safari.app/Contents/Resources/Safari.help/Contents/Resources/css/img/icon-arrow-2.png
file added: /Applications/Safari.app/Contents/Resources/Safari.help/Contents/Resources/css/img/nav-paddle-left.png
file added: /Applications/Safari.app/Contents/Resources/Safari.help/Contents/Resources/css/img/nav-paddle-left.svg
file added: /Applications/Safari.app/Contents/Resources/Safari.help/Contents/Resources/css/img/nav-paddle-right.png
file added: /Applications/Safari.app/Contents/Resources/Safari.help/Contents/Resources/css/img/nav-paddle-right.svg
file added: /Applications/Safari.app/Contents/Resources/Safari.help/Contents/Resources/SharedGlobalArt/dmg.json

codesign --verbose=4 --verify `pgrep Safari`

399: dynamically valid
399: valid on disk
399: satisfies its Designated Requirement
406: dynamically valid
--prepared:/System/Library/CoreServices/SafariSupport.bundle/Contents/MacOS/SafariCloudHistoryPushAgent
--validated:/System/Library/CoreServices/SafariSupport.bundle/Contents/MacOS/SafariCloudHistoryPushAgent
--prepared:/System/Library/CoreServices/SafariSupport.bundle/Contents/MacOS/webinspectord
--validated:/System/Library/CoreServices/SafariSupport.bundle/Contents/MacOS/webinspectord
--prepared:/System/Library/CoreServices/SafariSupport.bundle/Contents/MacOS/SafariHistoryServiceAgent
--validated:/System/Library/CoreServices/SafariSupport.bundle/Contents/MacOS/SafariHistoryServiceAgent
--prepared:/System/Library/CoreServices/SafariSupport.bundle/Contents/MacOS/SafariPlugInUpdateNotifier
--validated:/System/Library/CoreServices/SafariSupport.bundle/Contents/MacOS/SafariPlugInUpdateNotifier
--prepared:/System/Library/CoreServices/SafariSupport.bundle/Contents/MacOS/SafariLaunchAgent
--validated:/System/Library/CoreServices/SafariSupport.bundle/Contents/MacOS/SafariLaunchAgent
--prepared:/System/Library/CoreServices/SafariSupport.bundle/Contents/MacOS/SafariNotificationAgent
--validated:/System/Library/CoreServices/SafariSupport.bundle/Contents/MacOS/SafariNotificationAgent
--prepared:/System/Library/CoreServices/SafariSupport.bundle/Contents/MacOS/safaridriver
--validated:/System/Library/CoreServices/SafariSupport.bundle/Contents/MacOS/safaridriver
406: a sealed resource is missing or invalid
file added: /System/Library/CoreServices/SafariSupport.bundle/Contents/MacOS/SafariSupport
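
An added example, not part of the post above and not Apple's or Objective Development's code: a small parser that turns `codesign --verbose=4 --verify` output like the listings in this thread into a per-target summary, keeping the static ("valid on disk") and dynamic ("dynamically valid") results apart. The sample text is copied from the posts and shortened; splitting reported files into `Contents/MacOS` and `Contents/Resources` is a triage convenience assumed here, not something codesign reports.

```python
import re

# Messages that indicate success, as they appear in the output quoted above.
OK_MESSAGES = {
    "dynamically valid",
    "valid on disk",
    "satisfies its Designated Requirement",
}

# Shortened copies of the output posted in this thread.
DYNAMIC_SAMPLE = """\
399: dynamically valid
399: valid on disk
399: satisfies its Designated Requirement
406: dynamically valid
--prepared:/System/Library/CoreServices/SafariSupport.bundle/Contents/MacOS/webinspectord
--validated:/System/Library/CoreServices/SafariSupport.bundle/Contents/MacOS/webinspectord
406: a sealed resource is missing or invalid
file added: /System/Library/CoreServices/SafariSupport.bundle/Contents/MacOS/SafariSupport
"""

STATIC_SAMPLE = """\
/Applications/Safari.app: a sealed resource is missing or invalid
file added: /Applications/Safari.app/Contents/Resources/Safari.help/Contents/Resources/css/img/icon-arrow-2.png
file added: /Applications/Safari.app/Contents/Resources/Safari.help/Contents/Resources/SharedGlobalArt/dmg.json
"""


def parse_codesign(output):
    """Return (targets, unvalidated).

    targets maps a pid or path to its ok messages, failure messages and
    (change, path) pairs; unvalidated lists nested code that was
    '--prepared' but never '--validated'.
    """
    targets, prepared, validated = {}, set(), set()
    current = None
    for raw in output.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("--prepared:"):
            prepared.add(line[len("--prepared:"):])
            continue
        if line.startswith("--validated:"):
            validated.add(line[len("--validated:"):])
            continue
        change = re.match(r"file (\w+): (.+)$", line)
        if change:
            # Detail lines belong to the most recent target that was reported.
            if current is not None:
                targets[current]["changes"].append(change.groups())
            continue
        status = re.match(r"(.+?): (.+)$", line)
        if status:
            current, message = status.groups()
            entry = targets.setdefault(
                current, {"ok": [], "failures": [], "changes": []})
            bucket = "ok" if message in OK_MESSAGES else "failures"
            entry[bucket].append(message)
    return targets, sorted(prepared - validated)


def triage(targets):
    """Summarise each target; False for a check means 'not reported as valid'."""
    report = {}
    for name, entry in targets.items():
        paths = [path for _, path in entry["changes"]]
        report[name] = {
            "dynamic_ok": "dynamically valid" in entry["ok"],
            "static_ok": "valid on disk" in entry["ok"] and not entry["failures"],
            "failures": entry["failures"],
            # Files inside Contents/MacOS sit next to executables and deserve
            # a closer look than help-book images under Contents/Resources.
            "code_changes": [p for p in paths if "/Contents/MacOS/" in p],
            "resource_changes": [p for p in paths
                                 if "/Contents/Resources/" in p
                                 and "/Contents/MacOS/" not in p],
        }
    return report


if __name__ == "__main__":
    for sample in (DYNAMIC_SAMPLE, STATIC_SAMPLE):
        parsed, unvalidated = parse_codesign(sample)
        for target, summary in triage(parsed).items():
            print(target, summary)
        print("prepared but not validated:", unvalidated)
```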
 


I just checked again and logged in fine with a TOTP 2FA. I can't post screen shots right now, but my screens don't look like what you have in your screen shots. To enable 2FA using TOTP, here is what I did:
  1. Go in your account settings (gear in the upper right corner)
  2. Third item down is 2-Step Verification. Click Update
  3. In the Manage 2-Step Verification screen, click Add a Device and select Use an Authenticator App.
This is what my Settings > Security section looks like. The "Security Key" section goes to the screens I posted earlier where you can only add a mobile number for SMS delivery. I was unable to find anything that looks like what you described or any instructions that match that. A screenshot might be helpful in determining why yours looks so different.
 


Regarding Safari and signature issues, I did a test with a fresh install of Sierra and High Sierra and performed all Apple updates. Codesign indicated it was “valid on disk”. Updated OS’s that have been in use showed “a sealed resource is missing or invalid.” It's interesting that variations exist.

This is a useful article on MacIssues:

I especially like the command to verify all apps (in the specified directory, not subdirectories):
Code:
find /Applications -d 1 -name "*.app" -exec codesign --verify --verbose {} \;
and for system policy assessment:
Code:
find /Applications -d 1 -name "*.app" -exec spctl --assess --verbose {} \;
 


This is what my Settings > Security section looks like. The "Security Key" section goes to the screens I posted earlier where you can only add a mobile number for SMS delivery. I was unable to find anything that looks like what you described or any instructions that match that. A screenshot might be helpful in determining why yours looks so different.
There is a possibility that PayPal is doing a slow rollout of TOTP, and only certain people can use it.
 


Apple is about to force me, as a developer, into 2FA for my developer Apple ID ...
I've been using 2FA successfully on all my devices. However, I will note that when logging into my iCloud account on my MacBook Pro the verification code will pop up on-screen directly on top of (and completely hiding) the dialog box where I'm supposed to enter it. I always have to drag the window with the code off to the side then type the code into the dialog box. Your mileage may vary. And, yes, it does seem odd to have the verification code appear on the device being used to log into iCloud, but that's the way it works.
 


This is what my Settings > Security section looks like. The "Security Key" section goes to the screens I posted earlier where you can only add a mobile number for SMS delivery. I was unable to find anything that looks like what you described or any instructions that match that. A screenshot might be helpful in determining why yours looks so different.
It appears that 2FA is available if you use Braintree as your credit card processor. Otherwise, you can set up a security key with a phone or device.
 


I don't think 2FA will work if you are outside of the US and use a local SIM card in order to get less expensive data on your phone, because your phone number will not be the one registered for 2FA. (Maybe I'm missing something.)
If you have a data connection, you do not need a phone number - that's how your Mac or iPad can work with 2FA.

If you know your "foreign" phone number you can register that as a "trusted number"....
 


Ric Ford

MacInTouch
Another silent Gatekeeper update for macOS:
Howard Oakley said:
Apple has pushed an update to Gatekeeper’s data
Apple has pushed an update to the data used by Gatekeeper, bringing its version number to 163, dated 20 February 2019. Apple provides no details as to what changes this update brings, but it is normally expected to include recent revocations of security certificates used in signing software.

You can check whether this update has been installed by opening System Information via About This Mac, and selecting the Installations item under Software.
 


It appears to be related to iOS telemetry, as the domain "ckdatabase.fe.apple-dns.net" appears on this blacklist of hostnames to block if you want to block telemetry. I suppose it may be related to the setting that asks if you want to send usage data to Apple during OS installation/setup. On iOS, you can find those settings under Settings > Privacy > Analytics.
Thanks for the reply. I checked my Macs and iOS devices, and they all have analytics disabled, so I don't think it's related to that option.
 


It appears that 2FA is available if you use Braintree as your credit card processor. Otherwise, you can set up a security key with a phone or device.
PayPal still has a page available where you can add a Symantec VIP token, but the page doesn't appear to be linked anywhere on the main site. I've been using two Yubikey VIP tokens, but yesterday added a separate VIP token generated with a Python script so I could add the TOTP secret key to 1Password. I haven't been able to find backup codes referenced anywhere on PayPal since they started pushing SMS "authentication", so I keep 3 keys active at PayPal including one of their original DisplayCard tokens. I discovered yesterday that the battery in that token was dead which is what drove me to add a new token. The 1Password TOTP setup is easy and makes 2FA easy to use.

https://www.paypal.com/webscr?cmd=_setup-security-key
https://github.com/dlenski/python-vipaccess
 


Ric Ford

MacInTouch
Malwarebytes covers a confusing and mostly invisible array of Apple security mechanisms in macOS:
Thomas Reed said:
How does macOS protect against malware?
Mac users often are told that “Macs don’t get viruses.” This is not really true, of course. Macs can and do get infected. However, it is true that macOS provides some basic protection against malware. This protection can be quite effective in some ways, but, unfortunately, quite ineffective in others. Let’s take a look at how macOS features protect you from malware, and how malware can get past these features.
 


Malwarebytes covers a confusing and mostly invisible array of Apple security mechanisms in macOS:
Thomas' article is an excellent summary of macOS security in Mojave and to some degree earlier systems. The only thing I can add is a somewhat more technical blog on MRT and the identity of the mysterious MACOS.35846e4 malware:
Phillip Stokes for SentinelOne said:
Uncovering Apple's Mysterious Malware Removal (MRT) Tool Update
Apple’s little known malware removal tool gets a signature update. But what is this new malware family MACOS.35846e4? Find out on this journey inside MRT.

We’ve noted before that Apple’s built-in security technologies have been missing some updates of late, and we weren’t the only ones. So, when Apple dropped a couple of updates to MRT and XProtect last week, the macOS community raised a collective eyebrow of interest. With XProtect having hardly seen a significant update since March of 2018, there were high hopes that Apple were finally playing catch-up with the rounds of macOS malware that have appeared since XProtect’s last update.
Philip is the developer of DetectX Swift.
 


I don't think 2FA will work if you are outside of the US and use a local SIM card in order to get less expensive data on your phone, because your phone number will not be the one registered for 2FA. (Maybe I'm missing something.) If you have a data connection, you do not need a phone number - that's how your Mac or iPad can work with 2FA. If you know your "foreign" phone number you can register that as a "trusted number"....
Here’s an example of some pain and suffering related to 2FA:

My wife is unable to log into her CapitalOne account via the online portal, because the 2FA code is being sent to her US phone number, and we are in Thailand. The customer service representative tried changing the notifications to her email address, but the "fix" did not work. It still went to the phone.

So another call to a different service representative is needed, one with more privileges. So 35 minutes on Skype wasted. Aggravation level increased for little valid reason.

Without 2FA this problem would not exist. There’s got to be a better way.
 


It appears that 2FA is available if you use Braintree as your credit card processor. Otherwise, you can set up a security key with a phone or device.
That is only for Braintree accounts, which is a payment processor gateway, a separate subsidiary service from PayPal's normal services. (Braintree was a PayPal acquisition.) You can merge your Braintree account to a PayPal login, but as their help document states, you will lose all the 2FA options that Braintree provides, and only have the brain-dead PayPal option (SMS delivery).

PayPal still has a page available where you can add a Symantec VIP token, but the page doesn't appear to be linked anywhere on the main site.

https://www.paypal.com/webscr?cmd=_setup-security-key
https://github.com/dlenski/python-vipaccess
That page is from the old PayPal site before they rolled out the redesign in 2013. The fact that the hardware token options were not carried over to the current site gives me pause. The fact that you have to hack that old option to associate it with a software token does not instill me with confidence. Why can't PayPal just roll out proper software Authenticator app support like every other company?

If you want to try the software hack, I found these step-by-step instructions. Hardly a simple process, though you can use the online tool in the first link to make it easier (if you trust the website):
 


Here’s an example of some pain and suffering related to 2FA:

My wife is unable to log into her CapitalOne account via the online portal, because the 2FA code is being sent to her US phone number, and we are in Thailand. The customer service representative tried changing the notifications to her email address, but the "fix" did not work. It still went to the phone.

... Without 2FA this problem would not exist. There’s got to be a better way.
This isn't a problem with 2FA, but with the fact that your account is configured to use SMS text messages as the second factor.

According to TwoFactorAuth.org, Capital One supports SMS, e-mail and a soft-token (typically a mobile app) as your second factor. You may want to contact them to see what's involved in changing the mechanism used for your account.

It appears that Capital One's soft-token is the SwiftID component of their mobile app.
 


Ric Ford

MacInTouch
Thomas' article is an excellent summary of macOS security in Mojave and to some degree earlier systems. The only thing I can add is a somewhat more technical blog on MRT and the identity of the mysterious MACOS.35846e4 malware:
Uncovering Apple's Mysterious Malware Removal (MRT) Tool Update
And here's another silent MRT update:
Eclectic Light Co. said:
Apple has pushed an update to MRT
A day after updating Gatekeeper’s data, Apple has just pushed an update to its malware removal tool, MRT, for macOS, bringing its version number to 1.40.

Apple doesn’t provide any information on what changes this update brings. As it now obfuscates the names of malware which it can detect and remove, it appears impossible to correlate changed strings in the app with any malware known outside Apple.
 



Why can't PayPal just roll out proper software Authenticator app support like every other company?
I wish that PayPal being the exception were the case. In my experience most of the financial institutions I deal with offer no 2FA, and the practice of only offering SMS based 2FA is distressingly common.
 


Here’s an example of some pain and suffering related to 2FA:
My wife is unable to log into her CapitalOne account via the online portal, because the 2FA code is being sent to her US phone number, and we are in Thailand. The customer service representative tried changing the notifications to her email address, but the "fix" did not work. It still went to the phone.
So another call to a different service representative is needed, one with more privileges. So 35 minutes on Skype wasted. Aggravation level increased for little valid reason.
Without 2FA this problem would not exist. There’s got to be a better way.
I've started switching all my 2FA phone numbers to a Google Voice number for exactly this reason. Even when I'm traveling, I can always access my Google Voice texts, email and/or the web site and/or app.
 


Thanks for the reply. I checked my Macs and iOS devices, and they all have analytics disabled, so I don't think it's related to that option.
I deleted some of the applications Apple sends out with every OS install. Little Snitch reported SubmitDiagInfo was attempting to phone home to radarsubmission.apple.com - even though I had submit analytics off in System Preferences.
The Register [10/5/2016] said:
Is Apple's software getting worse or what?
Apple maintains an internal database of bugs called Radar that could be used to assess the frequency of bug reports over time. But the company does not make Radar public.

In an effort to promote greater transparency, developer Tim Burks in 2008 launched Open Radar, a way to make Radar submissions to the developer community. Even so, it's hardly a comprehensive way to assess whether alleged problems stem from the quality of Apple's code or from users who may just be holding their iPhones the wrong way.
 


I have removed SMS 2FA to the greatest extent possible from all my sensitive online accounts. A combination of iOS-based soft tokens, Verisign hardware tokens, and Google Voice have allowed me to be almost completely decoupled from SMS. Ironically, the one site that insists on clinging to SMS, and hence is extremely vulnerable to SIM swapping scams, belongs to my mobile phone provider!
 


I deleted some of the applications Apple sends out with every OS install. Little Snitch reported SubmitDiagInfo was attempting to phone home to radarsubmission.apple.com - even though I had submit analytics off in System Preferences.
I have seen this exact behavior going back to El Capitan (and posted about it here). On Mojave, I don't have a permanent Little Snitch rule but I seem to recall one or two instances of attempted connections to radarsubmissions, which I blocked. So maybe Apple seemingly going behind our backs may be less of an issue, but I believe it still happens (at least in this regard).
 

