
BaErv

macrumors member
Dec 14, 2022
65
61
This is actually a very good workaround, especially considering that the only way to change or deactivate the Screen Time passcode is by using the Apple ID password.
Thank you
The Screen Time pass code can be set separately.
 

BaErv

macrumors member
Dec 14, 2022
65
61
Precisely
I just did a test run and it isn't an easy reset in spite of what Apple_Robert said. In fact, Apple has now incorporated a waiting period (several days) if you try to reset the Screen Time pass code even if you can get through the Apple ID information input requirements.
 

Wando64

macrumors 68020
Jul 11, 2013
2,338
3,109
I just did a test run and it isn't an easy reset in spite of what Apple_Robert said. In fact, Apple has now incorporated a waiting period (several days) if you try to reset the Screen Time pass code even if you can get through the Apple ID information input requirements.
I wish @Apple_Robert would explain his statement so that I can understand to which degree this can be a workable workaround.
As far as I can see it cannot be bypassed.
It can be reset if you know the Apple ID password, which is exactly what we are trying to protect.

Hopefully in time we will get a reply from him.
 

BaErv

macrumors member
Dec 14, 2022
65
61
I wish @Apple_Robert would explain his statement so that I can understand to which degree this can be a workable workaround.
As far as I can see it cannot be bypassed.
It can be reset, if you know the Apple ID password, which is exactly what we are trying to protect.

Hopefully in time we will get a reply from him.
It is possible to reset the pass code by using the Apple ID information or through Forgot Apple ID Passcode. The latter requires two-step authentication with name, email, phone number, and delayed access. In practice this would give you several days to change your Apple ID to prevent compromise even after your phone is stolen. Most people are going to know pretty quickly when their phone has been snagged. It may not be 100% but it should buy enough time to lessen the blow to the entire account.
 

Fred Zed

macrumors 603
Aug 15, 2019
5,825
6,517
Upstate NY . Was FL.
Except in this case the bad guys already have it.

They should require the Apple ID password to reset the device passcode. (and not allow the reverse).

What Apple has done here is to make the least secure, most entered (in public!), authenticator the primary one. That's a design flaw. It should be the most secure/complex one that's required to reset the easier ones.
Yep 💯 %
 

dialogos

macrumors 6502
Sep 22, 2017
285
331
Yep 💯 %
And on top of that, when we type passwords on iOS they appear on the screen before being hidden by dots. I mentioned this above in one of my posts (and in the past as well).

I want my passwords when typed to not be revealed on the screen, as in macOS or in Windows.
 

  • Like
Reactions: Fred Zed

Unregistered 4U

macrumors G4
Jul 22, 2002
10,610
8,628
I work in Fintech and rate myself as being reasonably tech savvy and security conscious.

I made safeguards on my iCloud account to prevent total lock out and theft. I (like so many others on here) simply did not realise all of those safeguards fail if someone steals my 6 digit passcode.

Unfortunately I am out all day most days tapping my phone for payments and travel across London. Maybe 10-15 per day, every day. I could use a physical card for this, but the point of my iPhone is convenience, right? You cannot swipe cards in the UK, it is pretty much all contactless via Apple Pay now.

My iPhone Face ID fails a few times a day. I think by design?

Somehow someone deliberately got my pin.

I get your point about protecting our passcodes. I truly believe I did this more than an average person. But still they got it. I don't exactly know how. Cameras most likely.

No one deserves a total lock out because of this theft. It sounds like the argument a person deserved to be attacked because of how they dressed or because they went out late at night.
I write “sat phone down on table, near the edge” because I know that’s what I used to do. Most often, I’d tap out the PIN on the flat table… VERY easy to follow as I’d use one finger and move slowly, no hurry. I think about EVERY time I’ve done this and I’m thankful that, because of where I was at the time or who knows what, I wasn’t targeted. I KNOW that’s the wrong thing to do, but never considered that I would be interesting enough to be a target. It’s not about whether one looks like they’re worth anything, though, it’s about an opportunity being seized.

I do have sympathy for everyone this has happened to as there’s not likely a big difference between how they used their phones and how I used mine. It sucks that this has become a way to target people, but here we are. No one deserves to be attacked and, as a result, have their life upended due to this. But it DOES remain true that being attacked in this SPECIFIC way has a very SPECIFIC method of avoidance. One that I’ll be using going forward.

I look at something like Apple’s “Lockdown” feature that is enabled by someone that knows they may be targeted prior to going to a place where even network access can’t be trusted. I can see how something similar (that a user would enable when they’re going to be around many cameras/eyes) could potentially be beneficial. OR, a user being able to put the apps a person wants to use in public on the lock screen, requiring no PIN (like the camera is now) so that the likelihood of needing to enter it while someone may be looking becomes lower (or the randomized keypad I mentioned previously).
 

laptech

macrumors 601
Apr 26, 2013
4,130
4,455
Earth
A question of thought. The OP is in the UK and I was under the impression that in the UK the phone operators have a very rigorous blacklist system for mobile phones. Therefore, if the OP has contacted the network company telling them the iPhone had been stolen, the company would have added the iPhone's IMEI to a blacklist which is used by all the UK network operators. Thus, if the thieves are sending messages to his wife, just exactly how are they doing this? Because they would not be able to use the mobile network because the IMEI would be flagged and thus prevent the iPhone from working. Putting in another SIM card would not work because again the iPhone's IMEI would be blacklisted and thus prevent the iPhone from working. If the thieves are using Wi-Fi, surely the messages they send to the OP's wife will be tagged with the IP number of the Wi-Fi they are using. And this poses another question: if the iPhone was reported stolen to the network provider, the phone number would not work either, so again how are they able to message his wife? If they are using apps such as WhatsApp, surely the thieves must be using Wi-Fi which is easily traceable by the police.
 

adrianlondon

macrumors 603
Nov 28, 2013
5,536
8,360
Switzerland
People are asking how to disable screen time.

It's done like this:

1) Go into Screen Time and select to change the passcode
2) Click "turn off passcode"
3) Click "forgot passcode?"
4) Type in Apple ID *
5) Select "Forgot Apple ID or Password?"
6) Unlock using phone PIN (which the thief has - it's the only password ever needed)
7) Then with the new password, use that to reset the screen time passcode or turn off screen time.

Or just stop after (6) as you now have the password for the Apple ID.

* You need to know the Apple ID. I don't know if that's easy to discover - I didn't actually do steps 6 or 7 as I don't want to reset anything.
 
  • Like
Reactions: arc of the universe

BaErv

macrumors member
Dec 14, 2022
65
61
People are asking how to disable screen time.

It's done like this:

1) Go into Screen Time and select to change the passcode
2) Click "turn off passcode"
3) Click "forgot passcode?"
4) Type in Apple ID *
5) Select "Forgot Apple ID or Password?"
6) Unlock using phone PIN (which the thief has - it's the only password ever needed)
7) Then with the new password, use that to reset the screen time passcode or turn off screen time.

Or just stop after (6) as you now have the password for the Apple ID.

* You need to know the Apple ID. I don't know if that's easy to discover - I didn't actually do steps 6 or 7 as I don't want to reset anything.
I did a trial run on that and got a message that I couldn't reset the passcode for several days.
 
  • Like
Reactions: adrianlondon

Unregistered 4U

macrumors G4
Jul 22, 2002
10,610
8,628
I wear my watch and it unlocks my phone for me. I also don’t unlock my phone via passcode in public. I have my phone locked down as tight as I can. If my phone gets lost or stolen, whoever has the phone won’t be able to access most of the phone. Almost all of my apps require FaceID to open.

The OP made an honest mistake and hopefully those reading will take heed and not make the same mistake.
I did not know this, and just enabled it.
 

Unregistered 4U

macrumors G4
Jul 22, 2002
10,610
8,628
yes.
i think it is manufactured. kind of obviously so.
but even so, there is a point to discussing this actual problem, even if it is in a general context.
Yes, even if manufactured, it’s still a good story to have communicated widely so that more folks become wary of entering their PINs in public.

UPDATE: OHHHHHH I see what you mean. New account created JUST for this thread. :)
 

redmanduck

macrumors newbie
May 2, 2023
2
8
yes.
i think it is manufactured. kind of obviously so.
but even so, there is a point to discussing this actual problem, even if it is in a general context.

Try it. Have somebody stalk you for the entire week and see if they can somehow take a peek at your 4-digit PIN, and see if they can somehow set up an elaborate scheme to grab your phone, enter your PIN and go in to lock you out of your iPhone and your iCloud account. It's easier than you think.
 

Unregistered 4U

macrumors G4
Jul 22, 2002
10,610
8,628
Agreed, you don’t need to be a tech nerd to be security conscious. Which is why everyone should be vigilant when entering their device passcode in a public location.
I am security conscious. However, I should be able to give my phone and its PIN to an attacker with no worries.

Those things seem at odds. :) It’s also flawed that if I give someone my key and my address that people can ENTER MY HOUSE!
 

antiprotest

macrumors 601
Apr 19, 2010
4,352
16,030
They now suspect that one or more card machines are set up in such a way as to make face ID fail.
That is not possible. A machine outside of the phone cannot make Face ID fail on the phone, because one has absolutely nothing to do with the other.

Apple Pay is authenticated on the phone itself entirely independent of the credit card machine. The Face ID authentication does not even need to occur at the same time or place as the card machine.

You can take your phone, activate Apple Pay, and authenticate right now with Face ID, without being anywhere near a credit card machine. And now your phone would work like a contactless credit card.

Then walk over to a card machine and place the phone near it, and the machine would process the payment without knowing the difference or how Apple Pay was authenticated on the phone.

You see, by the time you put the phone near the machine, Face ID has already succeeded. So no card machine can "make Face ID fail."

I don't know what happened, but someone somewhere misunderstood or misreported something.

Update: OP replied that Apple Pay works differently in the UK.
 

mrochester

macrumors 601
Feb 8, 2009
4,823
2,722
So it looks like the news that Google are introducing passkeys today is going to make this even more of a problem.

I have just successfully changed my Google password by using nothing more than my iPhone's passcode.

It's going to become even more important than ever to protect your device's passcode in the future as with passkeys the device passcode is the key to the kingdom.

The process is as follows:

Set up your iPhone as a passkey for your Google account.
Log out of Google account on your phone.
Lock iPhone.
Unlock iPhone using passcode (deliberately fail FaceID).
Navigate to Google website in Safari.
Select account to log in with.
Tap use passkey.
Deliberately fail FaceID.
Type in device passcode.
You now have access to the Google account and the ability to change the password.
 
  • Wow
Reactions: antiprotest

Unregistered 4U

macrumors G4
Jul 22, 2002
10,610
8,628
They had 4 similar reports at this venue since last Tuesday. They now suspect that one or more card machines are set up in such a way as to make face ID fail.
Card machines can’t make face ID fail. However, a waiter can press cancel on the device, making someone think it has failed.
 

Unregistered 4U

macrumors G4
Jul 22, 2002
10,610
8,628
Bear in mind I was taking work clients out on this night. If, like many suggest, no one should ever input their passcode in public, I would have been unable to pay for the food bill/check.
Paying doesn’t require a PIN. Paying can be done with a locked phone and FaceID. On older phones, it can’t be done with a mask, but, now folks should know that pulling down the mask is going to be better than entering their PIN.
 

Unregistered 4U

macrumors G4
Jul 22, 2002
10,610
8,628
It's going to become even more important than ever to protect your device's passcode in the future as with passkeys the device passcode is the key to the kingdom.
I think the key is to protect the device. I can tell you my device’s passcode is elmerQ, but there’s not a lot anyone can do with that information without the device.
 

danclara

macrumors member
Original poster
May 1, 2023
44
94
Actually the details of your bank card are likely secure, unless your banking app has the feature that allows the card details to be displayed (you’ve already said you used the same code for both your phone and banking app, so I made the assumption the thief would be able to access your banking app).

Also, if you’ve ever said yes to saving your card details to your device, the thief would be able to see these just from your device passcode (settings, safari, auto fill, saved credit cards).

I have never said I used the same code for my phone and banking apps. I do not.

They accessed two banking apps (one simply via email magic link).

I did have card details saved, but all are cancelled now.
 

Unregistered 4U

macrumors G4
Jul 22, 2002
10,610
8,628
What Apple has done here is to make the least secure, most entered (in public!), authenticator the primary one. That's a design flaw. It should be the most secure/complex one that's required to reset the easier ones.
Well, if the attacker doesn’t have the device, there’s nothing they can do just knowing the PIN. The MOST complex part of this for an attacker is “How do I get the device” as people generally aren’t willing to just hand those over.
 

mrochester

macrumors 601
Feb 8, 2009
4,823
2,722
I have never said I used the same code for my phone and banking apps. I do not.

They accessed two banking apps (one simply via email magic link).

I did have card details saved, but all are cancelled now.
It goes to highlight (if it wasn’t already apparent!) how much personal and sensitive data we store on our phones.
 

danclara

macrumors member
Original poster
May 1, 2023
44
94
I don’t think the card machine would be able to know whether the payment was authorised by Face ID or passcode, and how it would then know which to fail.

Maybe it was set up in such a way (certain lighting, a particular angle) to make it more likely that Face ID would fail due to how the user was holding the device, and then have strategically positioned cameras to see you type in your passcode to authenticate the payment.

That would certainly be a very well organised criminal activity.

It’s not about being right or wrong, it’s about being as vigilant as you can be, and being aware of the tactics used by criminals to try and obtain your passcode. Criminals will always be trying new ways to steal stuff.

Yes, there are ways to make Apple Pay fail. You can fix the device at a very awkward angle, for example.

It just would help them get more people entering their passcode rather than moving to a strange angle in public.
 