
mrochester

macrumors 601
Feb 8, 2009
4,823
2,722
So you're telling me it's impossible to make the unlock code on a phone a different number than say the number to unlock my bank account? I find this a bit hard to believe.
Passkeys are designed to use your device's existing security (Face ID, Touch ID or device passcode) to authenticate access to your accounts. Once in those accounts, you can reset the underlying password for those services. This means your device passcode is likely to become the master password for your accounts and the thing you need to know to be able to reset passwords.

"Passkeys are a safer and easier replacement for passwords. With passkeys, users can sign in to apps and websites with a biometric sensor (such as a fingerprint or facial recognition), PIN, or pattern, freeing them from having to remember and manage passwords."
 

cdsapplefan

macrumors 6502
Feb 15, 2023
402
437
It looks like the future is precisely that; your device passcode is going to become the master password for many different accounts and will be what you need to enter to reset passwords to your online accounts.

It's going to become ever more important to protect your device passcode as we move away from accounts being authenticated by password/2fa and instead authenticated by a trusted device.

You won’t be putting in your master device passcode as often as your regular passcode. Just when you need to change account settings and/or password would you need to enter the master device passcode, and of course the master passcode would be different from the regular passcode. Apple should also implement Touch ID and security questions, but the master device passcode method is more convenient for consumers.
 

mrochester

macrumors 601
Feb 8, 2009
4,823
2,722
You won’t be putting in your master device passcode as often as your regular passcode. Just when you need to change account settings and/or password would you need to enter the master device passcode, and of course the master passcode would be different from the regular passcode. Apple should also implement Touch ID and security questions, but the master device passcode method is more convenient for consumers.
Your master passcode and device passcode are one and the same thing. Touch ID wouldn't help as that falls back to device passcode when failed.
 

onenorth

macrumors 6502a
Sep 15, 2021
622
841
Passkeys are designed to use your device's existing security (Face ID, Touch ID or device passcode) to authenticate access to your accounts. Once in those accounts, you can reset the underlying password for those services. This means your device passcode is likely to become the master password for your accounts and the thing you need to know to be able to reset passwords.

"Passkeys are a safer and easier replacement for passwords. With passkeys, users can sign in to apps and websites with a biometric sensor (such as a fingerprint or facial recognition), PIN, or pattern, freeing them from having to remember and manage passwords."
All of this assumes that the owner maintains physical possession of the device.

Which was not the case with the OP.
 

mrochester

macrumors 601
Feb 8, 2009
4,823
2,722
All of this assumes that the owner maintains physical possession of the device.

Which was not the case with the OP.
Absolutely. It's going to become ever more important to ensure that if your device is stolen, the thieves don't have your passcode, or if your passcode becomes known, thieves don't get hold of your trusted device.
 

cdsapplefan

macrumors 6502
Feb 15, 2023
402
437
Your master passcode and device passcode are one and the same thing. Touch ID wouldn't help as that falls back to device passcode when failed.
That strategy wouldn’t work. The regular passcode would have to be different from the master device passcode. The thief would see you putting in your regular passcode. They wouldn’t know your device passcode. Apple should also put a 3-day hold period in place if there are 2 or more authentication fails to give consumers time to react and wipe their phone data remotely and brick the phone with Lost Mode activation.
 

mrochester

macrumors 601
Feb 8, 2009
4,823
2,722
That strategy wouldn’t work. The regular passcode would have to be different from the master device passcode. The thief would see you putting in your regular passcode. They wouldn’t know your device passcode. Apple should also put a 3-day hold period in place if there are 2 or more authentication fails to give consumers time to react and wipe their phone data remotely and brick the phone with Lost Mode activation.
That's not how passkeys work, or look like they are going to work. They are secured by your existing device security.

This is why it is incredibly important to be vigilant and ensure no one learns what your device passcode is.

These are the steps to logging into an account using a passkey as per Google instructions:

  1. Go to the application.
  2. Click Sign in.
  3. Select their passkey.
  4. Use the device screen unlock to complete the login.


This is what Apple have already implemented with iCloud (the device passcode is a master password for the iCloud account).
 
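An added illustration, not from any poster in this thread, of why the site at the far end cannot demand a separate PIN: a relying party only parses the authenticatorData a passkey returns, and its UV flag says that user verification happened, not whether Face ID, Touch ID or the device passcode performed it. The relying party ID "example.com" and the byte strings are constructed for this demo, and signature verification is omitted.

```python
import hashlib
import struct

# Layout of WebAuthn authenticatorData, the structure a passkey signs on every login:
#   rpIdHash (32 bytes) | flags (1 byte) | signCount (4 bytes, big-endian) | optional extensions
FLAG_UP = 0x01  # user present (a touch or tap happened)
FLAG_UV = 0x04  # user verified: biometric OR device PIN/passcode; the site cannot tell which


def build_auth_data(rp_id: str, flags: int, sign_count: int) -> bytes:
    """Constructed sample authenticatorData for the demo (stands in for a real authenticator)."""
    return hashlib.sha256(rp_id.encode()).digest() + bytes([flags]) + struct.pack(">I", sign_count)


def parse_authenticator_data(auth_data: bytes) -> dict:
    """Decode the fixed 37-byte header that every authenticatorData carries."""
    if len(auth_data) < 37:
        raise ValueError("authenticatorData too short")
    flags = auth_data[32]
    (sign_count,) = struct.unpack(">I", auth_data[33:37])
    return {
        "rp_id_hash": auth_data[:32],
        "user_present": bool(flags & FLAG_UP),
        "user_verified": bool(flags & FLAG_UV),
        "sign_count": sign_count,
    }


def check_assertion(auth_data: bytes, expected_rp_id: str, require_uv: bool = True) -> tuple:
    """Relying-party policy checks on the parsed header (signature check deliberately omitted).

    The only lever a site has is require_uv: it can insist that the device verified its user,
    but the method (Face ID, Touch ID or the unlock passcode) is the authenticator's choice.
    """
    parsed = parse_authenticator_data(auth_data)
    if parsed["rp_id_hash"] != hashlib.sha256(expected_rp_id.encode()).digest():
        return False, "rpIdHash mismatch: assertion was made for a different site"
    if not parsed["user_present"]:
        return False, "user presence flag not set"
    if require_uv and not parsed["user_verified"]:
        return False, "user verification required but UV flag not set"
    return True, "accepted: device reported user verification (method unknown to the site)"


if __name__ == "__main__":
    # Login after Face ID succeeded, or after falling back to the device passcode: identical bytes.
    verified = build_auth_data("example.com", FLAG_UP | FLAG_UV, 7)
    # Login where the authenticator only confirmed presence, e.g. a tap with no PIN or biometric.
    presence_only = build_auth_data("example.com", FLAG_UP, 8)
    print(check_assertion(verified, "example.com"))       # accepted
    print(check_assertion(presence_only, "example.com"))  # rejected: UV flag not set
    print(check_assertion(verified, "evil.example"))      # rejected: rpIdHash mismatch
```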

Mike Boreham

macrumors 68040
Aug 10, 2006
3,916
1,900
UK
There is no setting for that. If Face ID fails, you will be prompted to enter the passcode. When that happens, I exit out of the app and reopen with Face ID.
Then I don't understand your post. I thought you said you had locked your phone down to prevent passcode being offered when Face ID fails.
I think I misunderstood. In fact you are just saying you avoid the need to use passcode.
 

russell_314

macrumors 604
Feb 10, 2019
6,672
10,272
USA
Passkeys are designed to use your device's existing security (Face ID, Touch ID or device passcode) to authenticate access to your accounts. Once in those accounts, you can reset the underlying password for those services. This means your device passcode is likely to become the master password for your accounts and the thing you need to know to be able to reset passwords.

"Passkeys are a safer and easier replacement for passwords. With passkeys, users can sign in to apps and websites with a biometric sensor (such as a fingerprint or facial recognition), PIN, or pattern, freeing them from having to remember and manage passwords."
I know what passkeys are, but there needs to be a different number for unlocking the phone.

I think this whole passkey thing is something they're trying, but haven't really tested on a mass scale. Once you realize something has a vulnerability the first thing you do is try to mitigate that vulnerability. Just because we're doing it that way now doesn't mean it's the right way to do it. At one time many websites had limits on the number and type of characters for passwords. At that time we could've just said, that's the way it works, I’m sorry your password keeps getting brute forced. That's not what we did though. Passwords became longer and more complex to mitigate that specific vulnerability. I think this one-number-unlocks-everything concept is something they're going to have to work out in the future with passkeys. Maybe we'll have different numbers for different purposes. If you had asked me whether the same number that unlocks my phone should have the capability to access my banking account, I would have thought that was crazy. For some reason security researchers didn't foresee this as a problem.
 

mrochester

macrumors 601
Feb 8, 2009
4,823
2,722
I know what passkeys are, but there needs to be a different number for unlocking the phone.

I think this whole passkey thing is something they're trying, but haven't really tested on a mass scale. Once you realize something has a vulnerability the first thing you do is try to mitigate that vulnerability. Just because we're doing it that way now doesn't mean it's the right way to do it. At one time many websites had limits on the number and type of characters for passwords. At that time we could've just said, that's the way it works, I’m sorry your password keeps getting brute forced. That's not what we did though. Passwords became longer and more complex to mitigate that specific vulnerability. I think this one-number-unlocks-everything concept is something they're going to have to work out in the future with passkeys. Maybe we'll have different numbers for different purposes. If you had asked me whether the same number that unlocks my phone should have the capability to access my banking account, I would have thought that was crazy. For some reason security researchers didn't foresee this as a problem.
They probably did foresee it as a problem, but it is already much safer and more secure than the existing password/2fa method that it is going to replace.

It is going to become ever more important to ensure that no-one finds out what your device passcode is, and people will need to be much more vigilant when typing in their passcode in public places.

I'm starting to feel like a broken record here!
 

laptech

macrumors 601
Apr 26, 2013
4,132
4,455
Earth
OP, if you have actually reported the theft to the police and they have given you a crime/incident number, you can use that number in communications to various companies in getting them to cancel accounts and put blocks on accounts. With regards to WhatsApp, just contact customer support and tell them about the iPhone theft and that your account has now been compromised by the thieves and that you request that your account be blocked. Then tell them the theft has been reported to the police and here is the crime/incident number. Because WhatsApp operate in the UK, they are legally obligated to act on your information. Customer support should ring up the police giving them the number you've given them so they can confirm that a) it is actually you the account holder and b) that a report to the police has been made. If WhatsApp fail to act on the information you've given them you can take them to court if their failure to act causes harm (mental or financial) to you or to anyone in your WhatsApp contact list.

So I suggest writing an email to WhatsApp ASAP, provided you've got a police crime/incident number, because without that no company is going to help you.
 

Unregistered 4U

macrumors G4
Jul 22, 2002
10,610
8,628
I think you know what I mean. Obviously in this whole scenario, the person has stolen the phone. Let me be more specific.

With the iPhone in hand, the PIN alone should not be enough to reset an Apple ID password.
You want to be able to give your phone to someone. Then tell them your PIN.

Once you’ve done that, what should be the limit of what’s possible with the phone? Should they be able to see your email? Should they be able to launch Safari?
 

russell_314

macrumors 604
Feb 10, 2019
6,672
10,272
USA
I'm starting to feel like a broken record here!
Because you keep saying, well, that's just the way it works. You can't have that attitude with security. I'm sure the guy at Apple working on this isn't saying, well, nothing we can do, so let's just not worry about it. I'm sure they're at least trying to figure out a way to mitigate this. Right now people have come up with this Screen Time hack which seems to lock account changes out with a different number. They might be onto something where Apple could make something like this part of the operating system.

This is the cat and mouse game with security. We come up with something new, then criminals come up with a way to attack it, so then security experts have to come up with a way to fix that. It's not like oh we got passkeys so we're done, problem solved and no need to work on this any further. There's going to be changes to any system.
 

mrochester

macrumors 601
Feb 8, 2009
4,823
2,722
Because you keep saying, well, that's just the way it works. You can't have that attitude with security. I'm sure the guy at Apple working on this isn't saying, well, nothing we can do, so let's just not worry about it. I'm sure they're at least trying to figure out a way to mitigate this. Right now people have come up with this Screen Time hack which seems to lock account changes out with a different number. They might be onto something where Apple could make something like this part of the operating system.

This is the cat and mouse game with security. We come up with something new, then criminals come up with a way to attack it, so then security experts have to come up with a way to fix that. It's not like oh we got passkeys so we're done, problem solved and no need to work on this any further. There's going to be changes to any system.
I agree, but the 'fix' isn't just an Apple problem, it needs the entire industry, since passkeys are a standard. The entire passkey specification would need to be changed.

"When a user is asked to sign-in to an app or website, the user approves the sign-in with the same biometric or PIN that the user has to unlock the device (phone, computer or security key). The app or website can use this mechanism instead of the traditional (and insecure) username and password."


As such, there's nothing for Apple to fix, the system is working as designed until a point at which it is redesigned.
 

russell_314

macrumors 604
Feb 10, 2019
6,672
10,272
USA
You want to be able to give your phone to someone. Then tell them your PIN.

Once you’ve done that, what should be the limit of what’s possible with the phone? Should they be able to see your email? Should they be able to launch Safari?

I said none of the things you're talking about here. Maybe you're replying to someone else?
 

Apple_Robert

Contributor
Sep 21, 2012
35,665
52,473
In a van down by the river
Then I don't understand your post. I thought you said you had locked your phone down to prevent passcode being offered when Face ID fails.
I think I misunderstood. In fact you are just saying you avoid the need to use passcode.
You misunderstood. The point of my post was to state that if someone besides me has access to my phone, said person cannot freely open apps and gain access to personal information, some of which includes my Apple ID email address found in the Settings app, which now requires Face ID to unlock.

If someone grabs your unlocked phone out of your hand, you want to make it very hard for them to be able to get any useful information out of your phone. Locking apps with Face ID helps secure your phone a lot more than the standard set up.
 

russell_314

macrumors 604
Feb 10, 2019
6,672
10,272
USA
I agree, but the 'fix' isn't just an Apple problem, it needs the entire industry, since passkeys are a standard. The entire passkey specification would need to be changed.

Perhaps it's not just Apple's problem, but it definitely is their problem and a big one. If someone can set up a Screen Time password with a different number than the unlock code to lock out account access, I'm sure Apple could figure out a way to integrate this into the operating system. It may not be the fix needed, but at least it would be a temporary Band-Aid.
 

mrochester

macrumors 601
Feb 8, 2009
4,823
2,722
Perhaps it's not just Apple's problem, but it definitely is their problem and a big one. If someone can set up a Screen Time password with a different number than the unlock code to lock out account access, I'm sure Apple could figure out a way to integrate this into the operating system. It may not be the fix needed, but at least it would be a temporary Band-Aid.
Not sure they could make that a requirement of using passkeys, as that might then break the standard.

It's definitely less of a problem than all of the issues with the current password/2fa system we have.

It just means users need to make sure that no-one finds out what their device passcode is.
 

Cunir

macrumors regular
Nov 25, 2021
193
223
There is something really easy Apple could do that would be super secure... if you want to change your Apple password then they should make you verify the change with a second device. If you can't do that then Apple should post a validation code to your registered address, and give you a week to enter it. Only after you've entered the code can you change the password.
That would stop pretty much all thieves taking over your account even if they have your device and passcode.
 

Mike Boreham

macrumors 68040
Aug 10, 2006
3,916
1,900
UK
Locking apps with Face ID helps secure your phone a lot more than the standard set up.
Still puzzled. I always use Face ID with all my apps that allow it (don't most people?), and many revert to passcode if Face ID fails, so no improvement?

What I thought you were saying was that there was a way to disable the fall back to passcode.
 

mrochester

macrumors 601
Feb 8, 2009
4,823
2,722
There is something really easy Apple could do that would be super secure... if you want to change your Apple password then they should make you verify the change with a second device. If you can't do that then Apple should post a validation code to your registered address, and give you a week to enter it. Only after you've entered the code can you change the password.
That would stop pretty much all thieves taking over your account.
Would that be in line with the passkey standard, which appears to be what Apple's system is based on?
 

russell_314

macrumors 604
Feb 10, 2019
6,672
10,272
USA
I guess the question is more… for a person that just got a new iPhone, what SHOULD using the PIN in the phone that they own do?
In an ideal situation, unlock the phone. That's it. In a less secure situation, probably give access to everything on the phone, but definitely not access to make account changes without additional information. This is just going to be a bad situation.
 

adrianlondon

macrumors 603
Nov 28, 2013
5,536
8,360
Switzerland
I have read the entire thread and not seen anyone produce any evidence that a Screen Time password doesn't solve the problem.

Also tested on my iPhone.

You have the option of allowing Apple ID to recover the Screen Time passcode, and it seems enabling this puts a crucial delay in the thief's ability to unlock Screen Time and hence take control. If you don't enable this I assume the thief is stopped.

Yes, it is inconvenient if you want to do anything with your Apple ID, but I don't do that often.

If the above is incorrect please give details.
Try this:

Set screen time. Set a screen time pin and don't set Apple ID recovery. Lock out access to Apple ID/iCloud settings.

Now, pretend you're a thief armed with the phone passcode/pin only.

1) Unlock phone with pin you obtained by shoulder-surfing or cctv
2) Go into screen time
3) Select "change screen time passcode" then "Turn off screen time passcode"

On my phone, despite skipping the step to allow my Apple ID to perform recovery, clicking "Forgot Passcode" asks for an Apple ID. Then I can click "forgot password" and using the phone's PIN I can change the Apple ID password. I didn't continue this test as I don't want to change my Apple ID password.

No need to disable screentime now anyway, as I have the Apple ID password and have changed it to lock out the original owner.
 