Is the 'change Apple ID password with stolen passcode' issue fixed in iOS 17?

[LuisNeto]

@papbot & @betasp : You need to know that people are being attacked on the street by groups of thieves, armed with knives, who force the victims to give them the iPhone and tell them the passcode.

I read posts on Reddit written by victims of this in London.
It is surely happening in many other cities around the world.

Therefore, only using TouchID/FaceID and being careful when you enter your Passcode in public spaces doesn't prevent you from being a victim of this.

So yes, I reiterate that there is a serious flaw that needs addressing.

 

[LuisNeto]

Not being able to engineer for everything ≠ not making any effort at all.

Exactly.

@betasp : Security is not about "all or nothing". It's about creating layers of protection to make the attackers/thieves job as difficult as possible.

 

[papbot]

So yes, I reiterate that there is a serious flaw that needs addressing.

In that scenario carrying a credit or debit card, or a luxury watch or cash, is a serious flaw. No one is going to attack you just for your cellphone, “groups of thieves” really?! In this hysteria the best thing Apple can do is provide an easy mechanism to restore access to your account, as credit card companies and banks do with fraudulent charges that get made with stolen cards or numbers. I’ve gotten replacement cards with different account numbers several times automatically in recent years because of breaches at different merchants or services that my credit card company became aware of. So Apple could possibly implement something similar, but I’m certain that’s more difficult. If you think it’s an easy process and have a solution then quit wasting your time here and go talk to Apple, I’m sure they’ll give you a job.

If you live in an area where knife wielding “groups of thieves” are roaming looking for cell phones then you have a lot more to worry about and shouldn’t even be going out in public at all. Every report I’ve seen and there have only been a few that get well publicized in click-bait articles involve a bar. Roaming knife wielding “groups of thieves”, yeah in the Purge. Again since you think the solution is easy go work for Apple or Google and get it implemented and then come back here for your adulation. Trying to drive up hysteria is not a solution. Go do something useful and prove to everyone how easy it is and make a lot of money.

 

[LuisNeto]

You're wrong on so many things that I don't even know where to start.

No one is going to attack you just for your cellphone, “groups of thieves” really?!

Yes, really! This is happening. It's not made up.

The way you put it is a fallacy.
It's not like they do it once in their life, to a single victim, stealing a single iPhone and then decide to stop being criminals.
They do it over and over. In other words, they steal at least dozens or hundreds of iPhones.

And even in the cases where it's not a group but a single thief with a knife. Doesn't matter to this discussion.

If you live in an area where knife wielding “groups of thieves” are roaming looking for cell phones then you have a lot more to worry about and shouldn’t even be going out in public at all.

This is not a reasonable argument, either. Crime starts happening to people in an area, and your point is that people that work, live and/or go to that area are the ones to blame because they should:

1. be immediately aware of these crimes AND
2. stop going there

?!
Maybe one day this will start happening in your area.
It is happening, for example, in London zone 2.

Trying to drive up hysteria is not a solution

I'm not trying to drive up hysteria.

the best thing Apple can do is provide an easy mechanism to restore access to your account

So Apple could possibly implement something similar

So now you admit that Apple can do something!

But are you even reading this thread properly? It seems you have not understood what it is about.

You're talking about restoring access the account, but this thread is about preventing thieves from locking you out of the account!
They're doing it because Apple makes it possible for them to change your iCloud account password just by using the Passcode.

To change that so it can no longer happen is what Apple can easily and should do. That's what this thread is about!

 

[Jayson A]

Use Face ID and don’t enter your password in public.

 

[Bobajobbob]

@papbot & @betasp : You need to know that people are being attacked on the street by groups of thieves, armed with knives, who force the victims to give them the iPhone and tell them the passcode.

I read posts on Reddit written by victims of this in London.
It is surely happening in many other cities around the world.

Therefore, only using TouchID/FaceID and being careful when you enter your Passcode in public spaces doesn't prevent you from being a victim of this.

So yes, I reiterate that there is a serious flaw that needs addressing.

If thieves are attacking people and demanding their passcode what is to stop them from demanding whatever additional level of security is introduced?

 

[LuisNeto]

If thieves are attacking people and demanding their passcode what is to stop them from demanding whatever additional level of security is introduced?

The answer to that depends on the changes that Apple would end up implementing.

Even if Apple were simply to modify the process so that it requires the iCloud password to change it, it would already an improvement.

But Apple could go further.
They could, for example, implement settings that allow you to choose that you only want to change the iCloud password on other devices you own, such as a computer or a tablet, that you might not even be carrying with you.

Or a setting where you can specify that changing the password would require entering a code that you wouldn't be carrying with you.

Or a setting to specify that you'd need to use a hardware key, which you wouldn't necessarily carry with you. (Or you could carry it but it would be hidden and you'd tell the thieves you don't have it.)

Before you say "I wouldn't want that", I'm suggesting that these could be settings where each person chooses the methods they'd prefer.

 

[Bobajobbob]

The answer to that depends on the changes that Apple would end up implementing.

Even if Apple were simply to modify the process so that it requires the iCloud password to change it, it would already an improvement.

But Apple could go further.
They could, for example, implement settings that allow you to choose that you only want to change the iCloud password on other devices you own, such as a computer or a tablet, that you might not even be carrying with you.

Or a setting where you can specify that changing the password would require entering a code that you wouldn't be carrying with you.

Or a setting to specify that you'd need to use a hardware key, which you wouldn't necessarily carry with you. (Or you could carry it but it would be hidden and you'd tell the thieves you don't have it.)

Before you say "I wouldn't want that", I'm suggesting that these could be settings where each person chooses the methods they'd prefer.

I'm not suggesting that additional security isnt a good idea however I haven't seen a suggested solution yet that solves the "issue" discussed.

1) Just adding an additional password won't help in the mugging scenario.

2) Requiring authorisation on another Apple device only works if you have anther Apple device. Many don't and could be very annoying if you did but didn't have the device on you.

3) An addition complex code/password could work for the more tech savvy but is a recipe for disaster for your average human who would either lose it or write in on a post it and stick it to the back of their device. If not a complex password then goto 1)

Having said all of the above I am increasingly paranoid about the security and apps I have on my iPhone and would welcome any additional security including additional layers in the event that a thief does break into the device with or without my presence. Hidden folders and emergency app lock triggers amongst other ideas spring to mind.

 

[LuisNeto]

I haven't seen a suggested solution yet that solves the "issue" discussed.

1) Just adding an additional password won't help in the mugging scenario.

It appears you have not fully understood the suggestions in my previous comment.

If you don't have the required code, password or physical key with you when you're out, so that even you couldn't change the iCloud password yourself if you wanted, how could the thieves change it in a mugging situation?
They couldn't.

But even if Apple didn't implement those options, but could still improve it by requiring the iCloud password instead, they should do it.
I'll repeat what I wrote in a comment above:

Security is not about "all or nothing". It's about creating layers of protection to make the attackers/thieves job as difficult as possible.

The more levels of security there are, the higher the chances that the attackers / thieves might give up.
They need to keep you around for longer, ask you for the password and type it to check that it works. If it's a long password, this takes time.
Depending on the where of the mugging is taking place, they'd be taking a risk too by making it take longer.

2) Requiring authorisation on another Apple device only works if you have anther Apple device. Many don't and could be very annoying if you did but didn't have the device on you.

You are looking for flaws in my suggestions. Same on your point 3).

In my post I wrote that those would be custom settings where each person chooses based on what works for them and how they want to balance security VS convenience.

Those that don't have other Apple devices obviously wouldn't enable that option to require using another Apple device.

But even for those that have other Apple devices, let me ask you: why would you sacrifice security just so that you can change your iCloud password while you're on the street?!

 

[Bobajobbob]

It appears you have not fully understood the suggestions in my previous comment.

If you don't have the required code, password or physical key with you when you're out, so that even you couldn't change the iCloud password yourself if you wanted, how could the thieves change it in a mugging situation?
They couldn't.

But even if Apple didn't implement those options, but could still improve it by requiring the iCloud password instead, they should do it.
I'll repeat what I wrote in a comment above:

The more levels of security there are, the higher the chances that the attackers / thieves might give up.
They need to keep you around for longer, ask you for the password and type it to check that it works. If it's a long password, this takes time.
Depending on the where of the mugging is taking place, they'd be taking a risk too by making it take longer.


You are looking for flaws in my suggestions. Same on your point 3).

In my post I wrote that those would be custom settings where each person chooses based on what works for them and how they want to balance security VS convenience.

Those that don't have other Apple devices obviously wouldn't enable that option to require using another Apple device.

But even for those that have other Apple devices, let me ask you: why would you sacrifice security just so that you can change your iCloud password while you're on the street?!

I agree with multilayers and choice. Some kind of remote complex password is in conflict with usability and would cause issues for the non tech savvy but I agree an opt in for the more tech savvy and security conscious would make sense. It might also work well with your other suggestion to require another apple device to authenticate or store this code. It couldn't be mandatory for reasons already given. To a certain extent this is also achieved with a more complex passcode that is harder to observe.

The more complex the security however the more danger potentially for users in a mugging or home invasion scenario. If the reward is high enough some thieves will go to extreme lengths. I do agree that in most cases layered security makes sense. It just needs to be implemented in such a way so as not to compromise usability or indeed security itself as users work around or self compromise the additional layers.

 

[marvin_h]

Stop using a passcode.

Yeah, if Apple would give us that option, I would.

(I'm not hopeful. I have watched my elderly parents struggle endlessly with first Touch ID and now Face ID. So even if Apple gives users the OPTION to not use passcodes, some user will need to.

A middle ground: Give users the OPTION to have a separate passcode to unlock the screen versus to unlock and alter their iCloud and Keychain.)

This "issue" isn't hard to fix.

- Use a long passcode that's not easy to guess. At least 8 digits, or a passphrase.
- Use FaceID so you don't have to enter your passcode all the time.
- Don't enter your passcode when other people are watching. Hold your phone close to your chest and shield it from other eyes.

This is like saying the lack of seatbelts in a car isn't hard to fix: just don't crash and don't let anyone else crash into you.

It's the same. I use a long alpha-numeric unlock code so I'm not worried about someone shoulder surfing, but Apple should still fix this. I also use a third-party password manager because I want my passwords saved the same code as everything else.

They (Apple) need to require something more than a screen pin to get into your account and make changes. Require your Apple ID password, for example, when viewing/changing anything related to your account.

I don't know that Apple needs to REQUIRE it. They should at least ALLOW the option for a user to separate their screen lock code from the keys to their digital kingdom.

Few cents: Nobody will just look over your shoulder, but record a short video of you typing password - then just matter of time to get it right out of it an then take device of the Target.

It’s a design flaw with one point of failure.

I wonder about one thing:
I heard cases where pay terminals were refusing Apple Pay to work and forced to type password - is that a fake story or this behavior is happening when for instance 2 times in row Apple Pay is not working?

I don't know if the terminals were refusing to accept my authentication, but I have had many times, and not just during the mask wearing era, where my FaceID for whatever reason was "locked out" of my phone, and I had to use my passcode to make Apple Pay to work, or just enter my passcode in a crowded checkout line or bar, to unlock my phone.

All Apple has to do is put a switch in iCloud to disable password reset with your iPhone passcode.

Not being able to engineer for everything ≠ not making any effort at all.

I was hopeful that the new security dongle functionality would do this but no, if one has possession of the phone and screen lock code, one can bypass the physical dongle step.

Use Face ID and don’t enter your password in public.

Don't worry about seatbelts, just avoid car wrecks and you'll be fine?

 

[marvin_h]

The answer to that depends on the changes that Apple would end up implementing.

Even if Apple were simply to modify the process so that it requires the iCloud password to change it, it would already an improvement.

But Apple could go further.
They could, for example, implement settings that allow you to choose that you only want to change the iCloud password on other devices you own, such as a computer or a tablet, that you might not even be carrying with you.

Or a setting where you can specify that changing the password would require entering a code that you wouldn't be carrying with you.

Or a setting to specify that you'd need to use a hardware key, which you wouldn't necessarily carry with you. (Or you could carry it but it would be hidden and you'd tell the thieves you don't have it.)

Before you say "I wouldn't want that", I'm suggesting that these could be settings where each person chooses the methods they'd prefer.

Yeah, security comes in layers. The best security is to not use an iPhone at all, perhaps.

But I agree with your point that allowing users to choose to add an additional layer or two is the right path.

Apple could start by allowing a user to use a separate screen lock code versus code to unlock their iCloud and KeyChain, and add a new biometric access.

Heck, my old BANK would accept biometric log ons......and Apple would allow anyone with my screen lock code to add their face to my phone. You can see how this is a potential problem. And easy to solve if Apple let me use a separate screen lock code from the code for managing biometrics on my phone.

It really is like Apple is using a 1990s version of security where every web site one visits one uses the same password. Except in this case, that password is one's phone passcode, with which I can get to all my other account settings.

(And don't even get me started about how "two factor" relying on SMS and emailed codes are a joke in the scenario where one's phone is compromised -- not because one's phone is compromised but because Apple doesn't allow users to add a layer of security to mitigate that penetration vector.)

 

[I7guy]

Why do you write "issue" with quotes, as if it isn't an issue?
It is clearly a security design flaw that had serious consequences for many people.

What you wrote are not fixes.
Using a long passcode and hiding it from other people when entering it are tips which still don't prevent the issue from happening if, for example, thieves force you to give them the iPhone and to tell them the passcode.
And your advice to use FaceID is a workaround that isn't ideal either.

It’s not a design flaw. It’s a feature designed so that apple doesn’t have to field 2 billion phone calls about lost passwords. You may not like the way it’s designed but it’s designed for the balance of security vs convenience. Because this am issue for one person doesn’t mean apple has to fix it for 1 billion making it worse in the process.

It’s one of those things I don’t think there will be agreement on; although apple imo will do something eventually…probably be some half-way measure.

 

[marvin_h]

It’s not a design flaw. It’s a feature designed so that apple doesn’t have to field 2 billion phone calls about lost passwords. You may not like the way it’s designed but it’s designed for the balance of security vs convenience. Because this am issue for one person doesn’t mean apple has to fix it for 1 billion making it worse in the process.

It’s one of those things I don’t think there will be agreement on; although apple imo will do something eventually…probably be some half-way measure.

2 billion phone calls? Google introduced something similar as an option years ago, adding a layer of security as an OPTION that users could OPT IN to. Apple could offer the OPTION to separate the screen lock code from the digital life master key (iCloud reset, Keychain access, email access) to everything else and demonstrably not have to field 2 billion phone calls.

 

[I7guy]

2 billion phone calls?

Yes. More security the less co venue ce and more phone calls.

Google introduced something similar as an option years ago, adding a layer of security as an OPTION that users could OPT IN to.

How did that work out? Stats before and after? I’m sure there are some metrics to report on.

Apple could offer the OPTION to separate the screen lock code from the digital life master key (iCloud reset, Keychain access, email access) to everything else and demonstrably not have to field 2 billion phone calls.

Sure, apple could do many things, including nothing. Someone who wants to get in will threaten you with harm. And there could be many phone calls if people opt in to another level of security and still forget their passcodes is the point.

 

[aiatfe]

Craig Federighi has said that they are working on it. It will be interesting to see what they end up on, perhaps something like "Advanced Data Protection" that you can enable that basically tells you you are screwed if you ever forget your details?

 

[LuisNeto]

Someone who wants to get in will threaten you with harm.

It's one thing what happens nowadays: thieves force the victim to give them the iPhones on the street and coerce him/her to reveal the Passcode, which gives the thieves access to the Apple ID account. Normally, this happens under knife threat.

But it's a fallacy to defend that if it wasn't possible to use the Passcode to access the Apple ID account, and instead it would be necessary, for example, to use another device, or a hardware key, or a code written in a paper - all of which would be in the victim's home - then the thieves would simply just coerce their victim to take them to the victim's home - all so they can lock him/her out of their Apple ID account.

It's not the same! The thieves need their act to be over as quickly as possible.
So if security was tighter, it would stop many of these crimes.

 

[Paddle1]

Craig Federighi has said that they are working on it. It will be interesting to see what they end up on, perhaps something like "Advanced Data Protection" that you can enable that basically tells you you are screwed if you ever forget your details?

I'm glad he acknowledges that although there may be mitigations such as Face ID, it is still an issue. The workarounds are not a solution.

 

[jozero]

Best fix I have seen is go to Settings > Screen Time. Turn it on **** . Go to Content and Privacy Settings. Turn it on. Scroll down to Account Changes. Change this to DONT ALLOW. Enter your Screen time 4 digit password

**** - when the pop up appears for the 4 digit numeric passcode enter it, then hit CANCEL when it asks you for your iCloud password. Yes it's confusing, but do that. This disassociates this particular password with your iCloud password - it cannot be gotten around with your iCloud password

Now you have a separate numeric passcode for *just your iCloud password*. You can see the effect this has by going back to Settings, and your name (iCloud settings) at top are greyed out. The only way to enable this is to turn off Screen Time.

Voila, your iCloud password cannot be changed even if a thief has your iPhone password

 

[mrochester]

The security system Apple is using is called passkey. Passkeys make it so that your authorised device becomes the master password for your account. Your authorised device must be protected by a passcode or biometrics to be able to use it as a passkey.

When you create an Apple ID you create a username and password. When you turn on 2FA you turn your Apple device(s) into a passkey. This means that Apple device and its security (passcode, face id, Touch ID) become the master password for your Apple account (precisely because they are more secure than using a password).

As your physical Apple device becomes the master password for your Apple ID, this is how/why you can reset the underlying password using the Apple device.

I don’t think there is anything for Apple to fix here; the security model is working to the required passkey standards.

Users need to ensure they remain vigilant when entering their device passcode in a public place as passkeys require greater physical security of the authorised device vs passwords. Conversely, passwords require greater security in many more places vs passkeys.

They are both a compromise of security vs convenience.

 

[mpavilion]

The security system Apple is using is called passkey. Passkeys make it so that your authorised device becomes the master password for your account. Your authorised device must be protected by a passcode or biometrics to be able to use it as a passkey.

When you create an Apple ID you create a username and password. When you turn on 2FA you turn your Apple device(s) into a passkey. This means that Apple device and its security (passcode, face id, Touch ID) become the master password for your Apple account (precisely because they are more secure than using a password).

As your physical Apple device becomes the master password for your Apple ID, this is how/why you can reset the underlying password using the Apple device.

I don’t think there is anything for Apple to fix here; the security model is working to the required passkey standards.

Users need to ensure they remain vigilant when entering their device passcode in a public place as passkeys require greater physical security of the authorised device vs passwords. Conversely, passwords require greater security in many more places vs passkeys.

They are both a compromise of security vs convenience.

I don’t see how this is 2FA. Access to the unlocked master device is just one factor. Possession or knowledge of the acct. pw should be the 2nd factor.

 

[mrochester]

I don’t see how this is 2FA. Access to the unlocked master device is just one factor. Possession or knowledge of the acct. pw should be the 2nd factor.

The 2FA process has already happened at this point (to add a new Apple device to an existing 2FA protected account you need to supply a 2FA code from another device or SMS). After completing the 2FA process, this device becomes an authorised passkey for the account (which supersedes password/2FA code).

Although saying that, passkey is 2FA itself as you need two things; the physical device, and knowledge of the passcode to unlock the device. Knowing the Apple ID password would be a third factor (and that’s probably the thing you will have forgotten and have a need to reset in the first place!).

 

[mpavilion]

The 2FA process has already happened at this point (to add a new Apple device to an existing 2FA protected account you need to supply a 2FA code from another device or SMS). After completing the 2FA process, this device becomes an authorised passkey for the account (which supersedes password/2FA code).

Although saying that, passkey is 2FA itself as you need two things; the physical device, and knowledge of the passcode to unlock the device. Knowing the Apple ID password would be a third factor (and that’s probably the thing you will have forgotten and have a need to reset in the first place!).

Yes, we’re talking about an existing device that’s already an authorized “passkey.” If the device and its passcode fall into the wrong hands, the Apple ID pw can be reset. The point of this thread is that you should also need to know the pw to do that (yes?)

 

[mrochester]

Yes, we’re talking about an existing device that’s already an authorized “passkey.” If the device and its passcode fall into the wrong hands, the Apple ID pw can be reset. The point of this thread is that you should also need to know the pw to do that (yes?)

Needing to know the password to reset the password is clearly a stupid requirement given the primary reason someone would be changing the password is because they have forgotten it!

You already have the physical passkey, and you already know the passcode to access the device (the second factor), that is enough to reset the Apple ID password.

You’re getting into the realms of 3rd factor authentication if you require anything else before being able to reset the Apple ID password.

I do LOL at the idea of a password reset system designed for the very people who don’t need it though.

 

[mpavilion]

Needing to know the password to reset the password is clearly a stupid requirement given the primary reason someone would be changing the password is because they have forgotten it!

You already have the physical passkey, and you already know the passcode to access the device (the second factor), that is enough to reset the Apple ID password.

You’re getting into the realms of 3rd factor authentication if you require anything else before being able to reset the Apple ID password.

I do LOL at the idea of a password reset system designed for the very people who don’t need it though.

I think you're discussing a different issue? If I pick up my (work) Pixel and go to change the pw to my Google account, I need my Google pw to do it. If I select Forgot my Pw, and go into Account Recovery, it requires my actual fingerprint on the screen lock (not the device passcode), or other recovery options that the thief may not have access to (i.e., a non-Gmail email address).

Meanwhile, on my iPhone, I can change my Apple ID pw simply by entering the device passkey.