
TechnoMonk

macrumors 68030
Oct 15, 2022
2,606
4,117
My banks are not consistent on how they handle this, including banks where I have loans but no other accounts. And it also seems things are different in UK from US.
I would be calling the banks and complaining. There is nothing Apple or any other device maker can do if they let you reset with an email/text. Even more reason to guard your pin or use an email/not on your phone.
 

danclara

macrumors member
Original poster
May 1, 2023
44
94
I am doubting a lot of this. Both my Barclays and NatWest bank accounts use FaceID. If FaceID fails or is disabled then a dedicated app passcode is required. This passcode is user set on both banks. My Barclays, NatWest and iPhone pin are all different.

Surely someone so adept at online security you won't have the same pin surely?

The money was mainly spent using online Apple Pay. They bought e-gift cards. I got quite a lot stopped and informed the police of the names and ‘delivery’ addresses they used.

I feel like the police could easily find them, but in the UK they won’t prioritise this at all.
 

Ethosik

Contributor
Oct 21, 2009
8,142
7,120
I don't carry a debit card, but if I did, I would not keep more than $200 or so in that account.
But same argument applies to my phone. I have my Outlook gated by requiring its own pin. I have Brave browser which requires its own pin. Everything except messages, phone, contacts are behind their own pins. So you can’t do a password reset with my bank which emails me because you can’t open Outlook. My bank does more than that though.
 

monstermash

macrumors 6502a
Apr 21, 2020
974
1,059
But same argument applies to my phone. I have my Outlook gated by requiring its own pin. I have Brave browser which requires its own pin. Everything except messages, phone, contacts are behind their own pins. So you can’t do a password reset with my bank which emails me because you can’t open Outlook. My bank does more than that though.

You can accomplish similar by not configuring your phone with the email address you use for financial accounts too.

I use a different email address for accounts than I do for other stuff. I don't need to get email for that stuff on my phone, but if I did want to access that email, I can do so with a web browser.
 

danclara

macrumors member
Original poster
May 1, 2023
44
94
Can they? Are Apple Store employees trained to authenticate documents? What if someone shows up with a fake ID. It opens up a Pandora’s box with conmen impersonating someone. Identity theft/Fake IDs is big in today's world.

I feel like the ‘automated’ system should realise that there will never EVER be a genuine Apple user who:

-Disables find my phone
-Changes iCloud password
-Disables family sharing
-Removes passcode

All within 2 minutes.

Then there is a web based iCloud login attempt a few minutes after that fails.


In what scenario could this happen?

Unless a thief has the device and passcode?
 
  • Like
Reactions: addamas and souko
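The pattern described in the post above, written as a detection rule over an account's security-event stream. This is an added example, not part of the original post and not Apple's system; the event names, the 10-minute follow-up window and the sample events are assumptions constructed for illustration.

```python
from datetime import datetime, timedelta

# Hypothetical event names (assumptions, not Apple telemetry or API).
DOWNGRADES = {"find_my_disabled", "password_changed",
              "family_sharing_disabled", "passcode_removed"}
BURST_WINDOW = timedelta(minutes=2)       # "all within 2 minutes"
FOLLOWUP_WINDOW = timedelta(minutes=10)   # "a few minutes after" (assumed value)

def detect_takeover(events):
    """events: (iso_timestamp, source, action) tuples. Returns a list of findings."""
    evs = sorted((datetime.fromisoformat(t), src, act) for t, src, act in events)
    downs = [(t, a) for t, src, a in evs if src == "device" and a in DOWNGRADES]
    findings, i = [], 0
    while i < len(downs):
        start = downs[i][0]
        # All protective-setting changes that fall inside the burst window.
        window = [(t, a) for t, a in downs[i:] if t - start <= BURST_WINDOW]
        if {a for _, a in window} == DOWNGRADES:
            end = window[-1][0]
            # A failed web sign-in shortly afterwards suggests the real owner
            # has just been locked out, so raise the severity.
            locked_out = any(a == "web_login_failed" and end < t <= end + FOLLOWUP_WINDOW
                             for t, _, a in evs)
            findings.append({"start": start, "end": end,
                             "severity": "critical" if locked_out else "high"})
            i += len(window)
        else:
            i += 1
    return findings

# Constructed sample: the burst from the post, then a failed web sign-in.
TAKEOVER = [
    ("2023-05-01T21:00:05", "device", "find_my_disabled"),
    ("2023-05-01T21:00:40", "device", "password_changed"),
    ("2023-05-01T21:01:10", "device", "family_sharing_disabled"),
    ("2023-05-01T21:01:50", "device", "passcode_removed"),
    ("2023-05-01T21:06:30", "web", "web_login_failed"),
]
# Constructed sample: the same changes spread over weeks by the owner.
BENIGN = [
    ("2023-03-02T09:00:00", "device", "password_changed"),
    ("2023-03-20T18:30:00", "device", "find_my_disabled"),
    ("2023-04-11T12:00:00", "device", "family_sharing_disabled"),
    ("2023-04-11T12:30:00", "device", "passcode_removed"),
]

if __name__ == "__main__":
    for finding in detect_takeover(TAKEOVER + BENIGN):
        print(finding["severity"], finding["start"], "->", finding["end"])
```

A rule like this would sit on the account provider's side, where a match could hold the password change or require a second factor that is not the device passcode.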

Ethosik

Contributor
Oct 21, 2009
8,142
7,120
You can accomplish similar by not configuring your phone with the email address you use for financial accounts too.

I use a different email address for accounts than I do for other stuff. I don't need to get email for that stuff on my phone, but if I did want to access that email, I can do so with a web browser.
Yep. Just like the “keep $200 accessible from debit card” example. What bank supports this anyway? I have to provide my unique security key, username, part of my debit card number, and my SSN to reset my password.
 

TechnoMonk

macrumors 68030
Oct 15, 2022
2,606
4,117
I feel like the ‘automated’ system should realise that there will never EVER be a genuine Apple user who:

-Disables find my phone
-Changes iCloud password
-Disables family sharing
-Removes passcode

All within 2 minutes.

Then there is a web based iCloud login attempt a few minutes after that fails.


In what scenario could this happen?

Unless a thief has the device and passcode?
Submit a feature request. If this happened to me, I would have personally sent a nice email to Tim Cook, highlighting the problem of losing iCloud accounts after a theft.
 

Fred Zed

macrumors 603
Aug 15, 2019
5,825
6,519
Upstate NY . Was FL.
Just spoke to MET police on this.

They had 4 similar reports at this venue since last Tuesday. They now suspect that one or more card machines are set up in such a way as to make face ID fail.

There could be covert cameras set up to obtain the passcode.

They have applied for a warrant on this address.

So perhaps, all the know-it-all smart Alecs who could never possibly be compromised are wrong?

Gangs know this exploit and are out to make hay whilst they can.

I made a choice to not carry physical cards with me and to use Apple wallet.

I thought that if my phone and passcode were stolen I would be able to almost instantly disable my phone and entire wallet within moments. I totally secured my iCloud to ensure this.

But the passcode they stole gave them total power, without requiring a single piece of extra authentication.
I knew it was an inside cctv job. As per my previous post.
 

danclara

macrumors member
Original poster
May 1, 2023
44
94
Submit a feature request. If this happened to me, I would have personally sent a nice email to Tim Cook, highlighting the problem of losing iCloud accounts after a theft.
I have been sent a link by Apple support to report a security vulnerability. I will do this in the coming days.

Link is here:



Still saddened by the people saying I’m ‘trolling’ over something so serious, but oh well. Always strange people on forums.

Absolutely baffled that some people can’t admit a huge flaw in the fact that the iCloud password can be changed via device pin. Totally defeats the point of find my phone and lost mode IMO.


Harsh lessons learnt for me.

I had 100% assumed that even if my device AND pin were stolen, a thief could be locked out by me remotely via iCloud.

Shame this is not the case.
 

TechnoMonk

macrumors 68030
Oct 15, 2022
2,606
4,117
I have been sent a link by Apple support to report a security vulnerability. I will do this in the coming days.

Link is here:



Still saddened by the people saying I’m ‘trolling’ over something so serious, but oh well. Always strange people on forums.

Absolutely baffled that some people can’t admit a huge flaw in the fact that the iCloud password can be changed via device pin. Totally defeats the point of find my phone and lost mode IMO.


Harsh lessons learnt for me.

I had 100% assumed that even if my device AND pin were stolen, a thief could be locked out by me remotely via iCloud.

Shame this is not the case.
Send an email to Tim Cook. Stick to the facts without opinions. He will most likely forward it to someone to look at options. I think people disagree on assumption that fixing iCloud loophole will prevent other things. The crooks still have your pin and phone, by the time it's marked stolen, they could easily make purchases and put your phone in Airplane mode, as they comb through emails and pictures.

Chalk it up as lesson learned and be aware of your pin outside. I never use pin these days between Face ID and AW. I use AW at restaurants and bars with card readers across the counter. In any case you should not lose money, with cards/banks writing off fraud charges. I hope your issues with iCloud accounts get resolved.
 
  • Like
Reactions: danclara

onenorth

macrumors 6502a
Sep 15, 2021
622
841
I would be calling the banks and complaining. There is nothing Apple or any other device maker can do if they let you reset with an email/text. Even more reason to guard your pin or use an email/not on your phone.
The banks are not moving fast enough on this IMHO. I don't know why but it's frustrating. I can complain all I want but in the meantime the safest solution, short of not using a smart phone at all, is to not use the phone for anything other than making telephone calls and checking the weather. Delete all the financial apps, no email, no photos, etc., etc. Which kind of defeats the reason for having a smart phone. Next safest thing is to try and remember not to ever enter my passcode in public. Easier said than done.
 
  • Like
Reactions: Brad7

MallardDuck

macrumors 68000
Jul 21, 2014
1,677
3,222
I have been sent a link by Apple support to report a security vulnerability. I will do this in the coming days.

Link is here:



Still saddened by the people saying I’m ‘trolling’ over something so serious, but oh well. Always strange people on forums.

Absolutely baffled that some people can’t admit a huge flaw in the fact that the iCloud password can be changed via device pin. Totally defeats the point of find my phone and lost mode IMO.


Harsh lessons learnt for me.

I had 100% assumed that even if my device AND pin were stolen, a thief could be locked out by me remotely via iCloud.

Shame this is not the case.

And ironically, it's the opposite - that the thief can lock YOU out of iCloud with just the PIN.
 

Wando64

macrumors 68020
Jul 11, 2013
2,338
3,109
Right, but with passcode and device wide open. The crooks just need a few minutes to reset bank accounts…

If someone can ’reset’ your bank accounts with your phone and its passcode, you are doing something terribly wrong.

My banking apps are protected by their own dedicated passcode.
My banks never authorise a payment to a new recipient without additional security, usually in the form of typing the details of my debit card, or yet another dedicated password or passcode (not the same used to open the app).
None of my banking passwords are stored in my keychain or anywhere else on iCloud.
 

PlainBelliedSneetch

macrumors regular
Oct 4, 2017
221
220
You can reset the Apple ID password with device passcode.
Does anyone know which passcode is used when there are multiple Apple devices using the same Apple ID? I was wondering if I could somehow repurpose a spare iPhone with a different passcode to be the passcode required to change the Apple ID.
 
  • Like
Reactions: danclara

TechnoMonk

macrumors 68030
Oct 15, 2022
2,606
4,117
If someone can ’reset’ your bank accounts with your phone and its passcode, you are doing something terribly wrong.

My banking apps are protected by their own dedicated passcode.
My banks never authorise a payment to a new recipient without additional security, usually in the form of typing the details of my debit card, or yet another dedicated password or passcode (not the same used to open the app).
None of my banking passwords are stored in my keychain or anywhere else on iCloud.
The banks are not moving fast enough on this IMHO. I don't know why but it's frustrating. I can complain all I want but in the meantime the safest solution, short of not using a smart phone at all, is to not use the phone for anything other than making telephone calls and checking the weather. Delete all the financial apps, no email, no photos, etc., etc. Which kind of defeats the reason for having a smart phone. Next safest thing is to try and remember not to ever enter my passcode in public. Easier said than done.
None of my bank accounts, but there are some banks who are stuck in the past.
 

TechnoMonk

macrumors 68030
Oct 15, 2022
2,606
4,117
Does anyone know which passcode is used when there are multiple Apple devices using the same Apple ID? I was wondering if I could somehow repurpose a spare iPhone with a different passcode to be the passcode required to change the Apple ID.
It’s on each device, if they can unlock the device with the passcode, they can reset the password on that device.
 

Wando64

macrumors 68020
Jul 11, 2013
2,338
3,109
Does anyone know which passcode is used when there are multiple Apple devices using the same Apple ID? I was wondering if I could somehow repurpose a spare iPhone with a different passcode to be the passcode required to change the Apple ID.

Each device’s passcode will allow the user to change the Apple ID password using that device.
 

PlainBelliedSneetch

macrumors regular
Oct 4, 2017
221
220
Each device’s passcode will allow the user to change the Apple ID password using that device.
Thanks. I remember being prompted for the passcode to my iPad from a different Apple device for something. I can’t remember what it was though. Was just hoping that it was when changing the Apple ID password.
 

Wando64

macrumors 68020
Jul 11, 2013
2,338
3,109
Thanks. I remember being prompted for the passcode to my iPad from a different Apple device for something. I can’t remember what it was though. Was just hoping that it was when changing the Apple ID.
To be clear, I am talking about changing the Apple ID’s password, not the Apple ID itself.
I also remember a situation where I was asked for the password for another device, but I can’t remember what it was for.
 

HarryMudd

macrumors member
Oct 7, 2021
61
85
Even scarier is the fact that a criminal can simply delete our FaceID, and then every lock we previously had with FaceID can now be opened with the passcode. 😬

Furthermore, I just tested out the scenario of having to frantically log in to iCloud.com to put my iPhone in lost mode, and guess what that does? It sends a request to my iPhone (which the criminal has) asking to Allow or Deny the login. Once the criminal hits Deny, Apple conveniently asks them if they want to change the AppleID password, and takes them directly to that page:

View attachment 2197452

No need to even put in the old password. Jesus Christ, Apple.
Wow! DANG! That makes it even worse than I thought. Unbelievable.
 
  • Like
Reactions: Brad7

monstermash

macrumors 6502a
Apr 21, 2020
974
1,059
Does anyone know which passcode is used when there are multiple Apple devices using the same Apple ID? I was wondering if I could somehow repurpose a spare iPhone with a different passcode to be the passcode required to change the Apple ID.

Settings
iCloud
Password and Security

Turn two factor authentication on.

Then edit the trusted phone numbers so that the device you want to protect is not listed among them.
 

HarryMudd

macrumors member
Oct 7, 2021
61
85
Even scarier is the fact that a criminal can simply delete our FaceID, and then every lock we previously had with FaceID can now be opened with the passcode. 😬

Furthermore, I just tested out the scenario of having to frantically log in to iCloud.com to put my iPhone in lost mode, and guess what that does? It sends a request to my iPhone (which the criminal has) asking to Allow or Deny the login. Once the criminal hits Deny, Apple conveniently asks them if they want to change the AppleID password, and takes them directly to that page:

View attachment 2197452

No need to even put in the old password. Jesus Christ, Apple.
Okay what I did was follow your instructions here and everything you say is true, but what I also discovered was that at the same time your stolen phone gets the ALLOW/DENY message I was able to select “did not get a code” on my wife’s phone. I was then able to use the passcode from my phone (stolen) and her phone, to gain access to my Apple ID where I could change the password. The big sticking point would be that I would have to be QUICK! I’d have to get that all done before the thief notices the alert and hits deny.
 

HarryMudd

macrumors member
Oct 7, 2021
61
85
Settings
iCloud
Password and Security

Turn two factor authentication on.

Then edit the trusted phone numbers so that the device you want to protect is not listed among them.
AWESOME! Thank you! Having said that, are there other unintended consequences of this?
 

danclara

macrumors member
Original poster
May 1, 2023
44
94
Okay what I did was follow your instructions here and everything you say is true, but what I also discovered was that at the same time your stolen phone gets the ALLOW/DENY message I was able to select “did not get a code” on my wife’s phone. I was then able to use the passcode from my phone (stolen) and her phone, to gain access to my Apple ID where I could change the password. The big sticking point would be that I would have to be QUICK! I’d have to get that all done before the thief notices the alert and hits deny.

Yes I think this is exactly why I have no way of getting back into my account.

Recovery process can also be denied by anyone using my account on a device.

But no, this isn’t a security flaw. Not according to some. Haha.
 