Unfortunately Im not sure if the passkey specification allows for those extra validation steps or not.
This authentication method is the new industry standard.
Got a tip for us?
Let us know
Become a MacRumors Supporter for $50/year with no ads, ability to filter front page stories, and private forums.
Stolen iPhone - Criminals have full control and Apple cannot help!
- Thread starter danclara
- Start date
- Sort by reaction score
This authentication method is the new industry standard.
if you lose possession of the device and give the pin/passcode to your phone. It’s too easy for thieves to look at your emergency contact number, get their full name. With access to phone, not hard to social engineer. The chances of crooks not knowing the iCloud password are higher than security questions. In any case, Dont enter pin in public, use Face ID, AW for authentication. If you can’t avoid using pin in open, don’t store anything confidential on the phone.
I think Apple will find a middle ground, but it’s hard to get around when users can’t keep their Pin safe and lose physical possession of the phone
There was a "rapid response" security update for iOS released yesterday. I wonder if this was related?!
It really is a hard choice. SMS and email accounts can be hacked/hijacked/spoofed. Hardware can be stolen. No matter which method Apple chooses to prioritize, some group of people will get shafted by bad actors.
How can they patch this, it’s more process and user related than software vulnerability. They have to change lot more than a patch.
Yeah it would be a fundamental change to the way passkeys work, which would have to come from a change in the industry standard.
There's a 1,037 thread discussion about this here:
A 282 thread long discussion about this is here:
A 282 thread long discussion about this is here:
This will keep spreading like wildfire 🔥 and more thieves copying other thieves cause they know it’s a big exploit until Apple does something about it
Or may be people will be more aware not to give away their pin and device. It’s most likely not going to be easy fix.
Well in this specific type of scenario where the thieves steal a phone and then use the information within the phone to cause trouble it proves they are dumb criminals because stealing a phone is just that, theft but as soon as they start doing other things then other laws come into play of which they can be charged with. If they use the persons banking app to transfer/steal money, there is numerous financial and banking laws that have been broken. If they use messaging apps to contact people on the persons contact list, it breaks communications laws. So, if they had just stolen the iphone for parts and they get caught, theft is all they could be charged with but when they start behaving like they have then they have broken 4-5 different laws with each one carrying a different length of prison time. So even if the exploit is communicated between criminals, they would be dumb to use it. Theft of a mobile phone you are probably looking at a fine and a suspended sentence (it being in the UK) but if they do more like misuse banking and misuse of communications then you are looking at prison time.
The solution is for people to be more vigilant when entering their passcode in a public place. Be aware of your surroundings.
How did Apple quickly fix the iCloud exploit with 2FA when all the celebs and iCloud users complained that there private photos were exposed?
What would the class action be? It’s like suing car manufactures for losing keys and some on driving away with car.
IDK, but people sue for all kinds of nonsense. All it takes is enough people to perceive that that action is the course to take. And opportunistic lawyers. I'm not saying it should be the course of action to take. But I Can see if enough victims get together and bandy this idea about it could happen.
Here's another security risk:
My friend had her iPhone stolen at a cafe in London last year. The old trick where someone puts down a magazine on the table while they chat to you, then picks up their magazine and your phone when they leave. By the time she realised it was gone and could log in to iCloud, the phone had been turned off so iCloud tracking didn't work.
But iCloud, of course, lets you remotely lock the phone and put a custom "lost" message on the screen. Which she did, putting her friend's phone number in the message. A few days later, the friend gets a spoofed SMS purporting to be from Apple/iCloud (and containing details of the device model/colour for added authenticity!) and inviting them to log in to iCloud to recover it. But, you guessed it, the link attached was to a fake iCloud website.
It's all just a scam/trap to get the owner's iCloud password so they can turn off iCloud Activation lock and factory reset the phone. And unfortunately, my friend fell for it.
My friend had her iPhone stolen at a cafe in London last year. The old trick where someone puts down a magazine on the table while they chat to you, then picks up their magazine and your phone when they leave. By the time she realised it was gone and could log in to iCloud, the phone had been turned off so iCloud tracking didn't work.
But iCloud, of course, lets you remotely lock the phone and put a custom "lost" message on the screen. Which she did, putting her friend's phone number in the message. A few days later, the friend gets a spoofed SMS purporting to be from Apple/iCloud (and containing details of the device model/colour for added authenticity!) and inviting them to log in to iCloud to recover it. But, you guessed it, the link attached was to a fake iCloud website.
It's all just a scam/trap to get the owner's iCloud password so they can turn off iCloud Activation lock and factory reset the phone. And unfortunately, my friend fell for it.
It seems there is a security flaw here that allows changing the iCloud password with only a PIN code, even when 2FA is enabled.
I havent seen it in this thread and maybe its buried but there is a 'screen time' setting that will not allow an iCloud Password change without... and follow me, it gets complex here... Entering your OLD iCloud password first.
I know.
I know, WAY too difficult to apple to implement, that when changing the OLD password you have to enter that First.
there will be a lot of 'but what If you forgot...' - well then call apple, but with the number of these thefts, and this GAPING security hole I think that would be an EASY and QUICK solution to protect 'users' that apple is so fond of doing, while adding only a small amount of work for those who Truly forgot their iCloud password and need it reset to talk to apple first, instead of entering a 4-6 digit pin.
Or how about being able to authenticate with another trusted device? dont have old password, just log in to another device, most apple users have an iPad, Mac or MacBook that would not be stolen at the same time.. or use a trusted contact if the old password needs to be reset. apple set that up a while back too, which could easily curb this and also allow simple password reset in the cases it needs to be.
I know.
I know, WAY too difficult to apple to implement, that when changing the OLD password you have to enter that First.
there will be a lot of 'but what If you forgot...' - well then call apple, but with the number of these thefts, and this GAPING security hole I think that would be an EASY and QUICK solution to protect 'users' that apple is so fond of doing, while adding only a small amount of work for those who Truly forgot their iCloud password and need it reset to talk to apple first, instead of entering a 4-6 digit pin.
Or how about being able to authenticate with another trusted device? dont have old password, just log in to another device, most apple users have an iPad, Mac or MacBook that would not be stolen at the same time.. or use a trusted contact if the old password needs to be reset. apple set that up a while back too, which could easily curb this and also allow simple password reset in the cases it needs to be.
Yep, the security flaw is that users allow others to see their passcode when they are in public.
But given that you seem to have just recently joined the forum after this "flaw" was widely publicized, I am guessing it didn't happen to you and you are just trolling.
-kp
Unfortunately no. Apple isn’t being so “rapid” when it comes to patching this.
That’s not a security flaw, it’s how passkeys work. Your device and its security (Face ID, Touch ID, device passcode) become the keys to the kingdom once you have logged into your iCloud account on that device. You already have authenticated access to your iCloud account by being able to successfully unlock the device. With authenticated access to your iCloud account, you can change the password.
The same is true when you login to a Google account using a passkey.
I can’t help but feel a lot of people do not understand how passkeys work.
Think of your phone as the master key to your accounts. That’s how passkeys work. Passkeys will likely replace passwords/2FA in the future (and they are here now for iCloud and google accounts).