Yes there are ways to make Apple Pay fail. You can fix the device at a very awkward angle, for example.

It would just help them get more people to enter their passcode rather than moving to a strange angle in public.
What? FaceID authentication occurs by the user holding it at the angle the user finds comfortable… It doesn’t even matter what angle the reader is at.
 
Yes, even if manufactured, it’s still a good story to have communicated widely so that more folks become wary of entering their PINs in public.
I agree, the story is sounding increasingly manufactured, but ultimately that doesn't matter. It's still an important topic to discuss so I'm glad it's here.

People do need to be more wary about entering their passcodes in public.
And of "securing" a device with only a 6-digit code, especially if they work with sensitive information. It's helpful to discuss ways we can all protect ourselves better until Apple is able to improve this behavior.
 
I agree, the story is sounding increasingly manufactured, but ultimately that doesn't matter. It's still an important topic to discuss so I'm glad it's here.

People do need to be more wary about entering their passcodes in public.
And of "securing" a device with only a 6-digit code, especially if they work with sensitive information. It's helpful to discuss ways we can all protect ourselves better until Apple is able to improve this behavior.
This is especially true as we move away from passwords to passkeys. Our devices and their passcodes become the ultimate authority for accessing many accounts.
 
That is not possible. A machine outside of the phone cannot make Face ID fail on the phone, because one has absolutely nothing to do with the other.

Apple Pay is authenticated on the phone itself entirely independent of the credit card machine. The Face ID authentication does not even need to occur at the same time or place as the card machine.

You can take your phone, activate Apple Pay, and authenticate right now with Face ID, without being anywhere near a credit card machine. And now your phone would work like a contactless credit card.

Then walk over to a card machine and place the phone near it, and the machine would process the payment without knowing the difference or how Apple Pay was authenticated on the phone.

You see, by the time you put the phone near the machine, Face ID has already succeeded. So no card machine can "make Face ID fail."

I don't know what happened, but someone somewhere misunderstood or misreported something.
This has been an interesting thread and some good information got disseminated to folks that need to know, but the police thinking that a card reader can make FaceID fail… 🤔
 
A question of thought. The OP is in the UK and I was under the impression that in the UK the phone operators have a very rigorous blacklist system for mobile phones. Therefore, if the OP has contacted the network company telling them the iPhone had been stolen, the company would have added the iPhone's IMEI to a blacklist which is used by all the UK network operators. Thus, if the thieves are sending messages to his wife, just how exactly are they doing this? Because they would not be able to use the mobile network because the IMEI would be flagged and thus prevent the iPhone from working. Putting in another SIM card would not work because again the iPhone's IMEI would be blacklisted and thus prevent the iPhone from working. If the thieves are using Wi-Fi, surely the messages they send to the OP's wife will be tagged with the IP number of the Wi-Fi they are using. And this poses another question: if the iPhone was reported stolen to the network provider, the phone number would not work either, so again how are they able to message his wife? If they are using apps such as WhatsApp, surely the thieves must be using Wi-Fi, which is easily traceable by the police.
Yes the IMEI is blocked and so in theory no SIM will work in the device to get cellular connection. They usually sell them overseas where they will work.

Yes they have been using WhatsApp to contact my contacts. I assume via Wi-Fi or Hotspot.

To show how measured they are, they were able to change my WhatsApp recovery code and email from within the WhatsApp app. They didn’t need to even verify any original password or 2FA, which was set up.

In this situation WhatsApp is just as insecure. I can’t get them kicked out of my WhatsApp or the account disabled.

I agree, the police should be trying to locate them via IP. In the U.K. this is unlikely as they say they have no resource to chase up theft and fraud.

It’s painful.
 
I agree, the story is sounding increasingly manufactured, but ultimately that doesn't matter. It's still an important topic to discuss so I'm glad it's here.

People do need to be more wary about entering their passcodes in public.
And of "securing" a device with only a 6-digit code, especially if they work with sensitive information. It's helpful to discuss ways we can all protect ourselves better until Apple is able to improve this behavior.
Yes, but IF it’s manufactured, then the moral of the story is to protect your PIN and do NOT let your device out of your possession. Nothing that Apple needs to do in order to respond to a manufactured situation.
 
Yes, even if manufactured, it’s still a good story to have communicated widely so that more folks become wary of entering their PINs in public.

UPDATE: OHHHHHH I see what you mean. New account created JUST for this thread. :)

No I created this account because I faced a major issue with Apple. I wanted some support and advice from people who may know more than me. To also discover why I was so wide open to this horrible situation.

I am not a person who has ever had a desire to post on here before. I only discovered this forum when searching on Google and reading replies to the other threads relating to this.

I actually mainly wanted to help understand why my iCloud recovery was looping and failing.

Hope this helps?
 
That is not possible. A machine outside of the phone cannot make Face ID fail on the phone, because one has absolutely nothing to do with the other.

Apple Pay is authenticated on the phone itself entirely independent of the credit card machine. The Face ID authentication does not even need to occur at the same time or place as the card machine.

You can take your phone, activate Apple Pay, and authenticate right now with Face ID, without being anywhere near a credit card machine. And now your phone would work like a contactless credit card.

Then walk over to a card machine and place the phone near it, and the machine would process the payment without knowing the difference or how Apple Pay was authenticated on the phone.

You see, by the time you put the phone near the machine, Face ID has already succeeded. So no card machine can "make Face ID fail."

I don't know what happened, but someone somewhere misunderstood or misreported something.
This isn’t correct in the UK; when I tap a contactless payment via Apple Pay it will not process unless I have verified via Face ID or PIN.

Also any payments over £100 must have verification. You can’t just tap your phone.
 
This has been an interesting thread and some good information got disseminated to folks that need to know, but the police thinking that a card reader can make FaceID fail… 🤔
Sorry maybe you missed the detail. The machines can be set up at awkward, fixed angles. It’s not difficult.
 
No I created this account because I faced a major issue with Apple. I wanted some support and advice from people who may know more than me. To also discover why I was so wide open to this horrible situation.

I am not a person who has ever had a desire to post on here before. I only discovered this forum when searching on Google and reading replies to the other threads relating to this.

I actually mainly wanted to help understand why my iCloud recovery was looping and failing.

Hope this helps?
Our devices are going to increasingly become the means by which we access our online accounts as we move away from passwords/2FA to passkeys. It’s going to become ever more important to protect your device and passcode.
 
That is not possible. A machine outside of the phone cannot make Face ID fail on the phone, because one has absolutely nothing to do with the other.

Apple Pay is authenticated on the phone itself entirely independent of the credit card machine. The Face ID authentication does not even need to occur at the same time or place as the card machine.

You can take your phone, activate Apple Pay, and authenticate right now with Face ID, without being anywhere near a credit card machine. And now your phone would work like a contactless credit card.

Then walk over to a card machine and place the phone near it, and the machine would process the payment without knowing the difference or how Apple Pay was authenticated on the phone.

You see, by the time you put the phone near the machine, Face ID has already succeeded. So no card machine can "make Face ID fail."

I don't know what happened, but someone somewhere misunderstood or misreported something.

I have worked for a payment processor for 15 years and know of a few ways I could set up a card machine to encourage PIN entry. I won’t share them here as I really don’t want to help facilitate this fraud any further.
 
I agree, the story is sounding increasingly manufactured, but ultimately that doesn't matter. It's still an important topic to discuss so I'm glad it's here.

People do need to be more wary about entering their passcodes in public.
And of "securing" a device with only a 6-digit code, especially if they work with sensitive information. It's helpful to discuss ways we can all protect ourselves better until Apple is able to improve this behavior.

I agree. It doesn't really matter if this particular story is fiction because this type of incident happens all the time in the USA and I'm sure around the world. Criminals have heard about this on the news so they're going to do it. Apple needs to get on the ball and patch this security vulnerability.
 
I agree. It doesn't really matter if this particular story is fiction because this type of incident happens all the time in the USA and I'm sure around the world. Criminals have heard about this on the news so they're going to do it. Apple needs to get on the ball and patch this security vulnerability.
I don't think there's anything for Apple to patch; this looks to be how passkeys are designed to work (the device passcode giving you access to the account).
 
I agree, the story is sounding increasingly manufactured, but ultimately that doesn't matter. It's still an important topic to discuss so I'm glad it's here.

People do need to be more wary about entering their passcodes in public.
And of "securing" a device with only a 6-digit code, especially if they work with sensitive information. It's helpful to discuss ways we can all protect ourselves better until Apple is able to improve this behavior.
I can assure you it’s not manufactured.

FFS, honestly is this really the world we live in now?

Why on earth would I waste my time making this story up.

Was initially getting some comfort from this thread and the fact it has raised awareness for others, but now some real arrogance is descending on this thread. I don’t get it at all.
 
This isn’t correct in the UK; when I tap a contactless payment via Apple Pay it will not process unless I have verified via Face ID or PIN.

Also any payments over £100 must have verification. You can’t just tap your phone.
I think there's some confusion about what you're saying versus what people are understanding. Some people are saying that it requires the PIN or can be made to require a PIN. You're saying it requires Face ID or possibly a PIN.

I don't know about in the UK but on my particular iPhone in the USA, when I double click the side button, it always brings up Face ID to verify before allowing the transaction. If Face ID fails, then it will give an option for a PIN. Unfortunately this was added due to people wearing masks.

Even without Apple Pay, criminals are observing people entering their PIN to unlock their phone. Sometimes Face ID will fail or maybe they don't have Face ID set up.
 
I can assure you it’s not manufactured.

FFS, honestly is this really the world we live in now?

Why on earth would I waste my time making this story up.

Was initially getting some comfort from this thread and the fact it has raised awareness for others, but now some real arrogance is descending on this thread. I don’t get it at all.
I believe that this happened to you.

The trouble is, this is how it is designed to work. There's nothing for Apple to patch or fix.

Device passcodes are the key to the iCloud kingdom. In the future, more accounts will be controlled and administered by your device passcode alone.
 
I don't think there's anything for Apple to patch; this looks to be how passkeys are designed to work (the device passcode giving you access to the account).
Yes, there is something to patch. A PIN alone should not allow a complete reset of your Apple account password. This is the issue: not the fact that they can get into the phone, but that they can reset your Apple password and take over your account. This is a security vulnerability that needs to be patched. I'm sure Apple is going to fix this. It's a cat and mouse game and criminals will always try something new, so there are going to be patches.
 
What? FaceID authentication occurs by the user holding it at the angle the user finds comfortable… It doesn’t even matter what angle the reader is at.

Haha well I have perhaps learned a lot in this thread but embarrassingly I did not know how this functioned. And yes I’ve worked in payments for 15 years.

When I go to pay, I place the device on the reader and then lower my face down to the device for Face ID!

So I assume I have been doing this wrong. I could just Face ID first and then tap?

Or do I tap the device and then take the device away from the reader for Face ID or PIN?

I thought they had to be completed simultaneously?

Damn…. I will test this later.
 
Sorry maybe you missed the detail. The machines can be set up at awkward, fixed angles. It’s not difficult.
It doesn’t matter if the machine is at an awkward fixed angle. All devices I’ve used with FaceID are at all different angles. Are you thinking that you have to hold the phone near the device and THEN authenticate with FaceID? Because that’s not required. Once one has authenticated via FaceID they could then squat and crawl to the reader if that’s how it’s set up.
 
A PIN alone should not allow a complete reset of your Apple account password.
A PIN alone doesn’t allow a complete reset of an Apple account password. Here, try it. Mine is elmerQ. Completely reset my Apple account without my device in your possession.

I think you’ll find that’s quite difficult to do.
 
Haha well I have perhaps learned a lot in this thread but embarrassingly I did not know how this functioned. And yes I’ve worked in payments for 15 years.

When I go to pay, I place the device on the reader and then lower my face down to the device for Face ID!

So I assume I have been doing this wrong. I could just Face ID first and then tap?

Or do I tap the device and then take the device away from the reader for Face ID or PIN?

I thought they had to be completed simultaneously?

Damn…. I will test this later.

Yep, exactly. I pay at drive through regularly. Hold the phone to my face for authentication, then to the reader.
 
It doesn’t matter if the machine is at an awkward fixed angle. All devices I’ve used with FaceID are at all different angles. Are you thinking that you have to hold the phone near the device and THEN authenticate with FaceID? Because that’s not required. Once one has authenticated via FaceID they could then squat and crawl to the reader if that’s how it’s set up.

Yeah I did think that. I feel stupid regarding this part.

I thought it was simultaneous. I see people doing exactly what I do all the time. Tap then verify. Not vice versa.

I’m convinced they got my passcode whilst I was paying and caught unawares by someone filming.
 
When I go to pay, I place the device on the reader and then lower my face down to the device for Face ID!
Ahhhhhhhh, that’s it. Right, you don’t lower your face to the reader for FaceID. For some of the fast food places in the US that take Apple Pay, they don’t have the reader set up so that they can extend it to you, so you authenticate and hand them the phone (and they gingerly hand it back).
 
Damn…. I will test this later.
You can test this right now. Double click your side button and it will bring up your cards and Face ID. If you're going to use your default card you just put your phone down to the payment terminal. If you want to change the card, you select the card, then it will bring up Face ID again, then you go down to the terminal. Obviously, you can test the payment action but as soon as you double click, Face ID comes up and it's ready to go. There's no need for a second Face ID confirmation.
 