SpotOnT

macrumors 65816
Dec 7, 2016
1,032
2,175
I see an opportunity for a third party to release a keychain... errr, I mean an iPhone chain.

Lock that phone to yourself.

TechnoMonk

macrumors 68030
Oct 15, 2022
2,606
4,116
Wouldn’t setting up a Recovery Key prevent this? As in you could use the recovery key to reset your iCloud password and get control back.
It won't work, the thief can easily reset the recovery key. Unless Apple asks for the old recovery key. Unfortunately, don’t give out your device and passcode, to avoid this mess. Very similar to people writing their ATM PIN in the wallet with the debit card. The thief who gets the wallet gets both card and PIN, to get cash out.

SpotOnT

macrumors 65816
Dec 7, 2016
1,032
2,175
It won't work, the thief can easily reset the recovery key. Unless Apple asks for the old recovery key. Unfortunately, don’t give out your device and passcode, to avoid this mess.

Well I have no choice. I am in that 5% of the population where TouchID doesn’t work. So passcode it is for me.

Of course, I don’t keep any financial information on my phone.

TechnoMonk

macrumors 68030
Oct 15, 2022
2,606
4,116
Well I have no choice. I am in that 5% of the population where TouchID doesn’t work. So passcode it is for me.

Of course, I don’t keep any financial information on my phone.
That is one way to do it. I use Face ID, and it works flawlessly for me. I am not typing a PIN, I use my watch for notifications or messages if I am in public.

jaytv111

macrumors 65816
Oct 25, 2007
1,028
874
I’d be surprised if recovery works. They would likely have taken off your phone number and recovery email and other backup methods. If they didn’t, they left a hole open you could use to get your iCloud account back. And worse for them, you could get Find My iPhone back and see where it is and activation lock it. Activation lock is bad news for thieves because it makes a costly iPhone become worthless.

So I guess keep trying account recovery. But chances are, in this situation, it’s gone. You may need to think about picking up the pieces and starting over with new accounts.

That’s not to blame you or anything, I think what happened is that criminals got smarter. They now watch people relentlessly in public spaces and you do one slip up, they remember your code, they have someone outside mug you for your phone and it’s all gone. In the months and years prior, thieves were stealing iPhones and finding it impossible to sell, impossible to get money off it, there used to be methods over USB to take iCloud locks off, and now those methods don’t work on the latest SoCs. So they adapted. So what can you do. Maybe next iOS version has something.

And for anyone wondering, security keys for iCloud can be taken off an account with the passcode, as well as numeric recovery keys. Apple takes the blame for centralizing the whole shebang, a device with passcode controls all the other security features. Oh, and the screen time PIN can be reset with phone passcode, so that’s not a solution either.

dewalt

macrumors member
Jun 16, 2009
76
84
The biggest problem here is that Apple allows your iCloud account to get reset with your phone passcode. Absolutely should not be allowed, or at least have a setting to prevent that. The passcode cannot be the full keys to the kingdom. Have access to the phone, fine. But the iCloud account too? It's one of the reasons I don't use iCloud Keychain - it's all tied together.

Regarding account recovery - went through this with my mom's account. She forgot her iCloud password, and could not reset it. Every time it went into account recovery, somehow it was removed from it. The only way I got it to work - gave her a temp iPhone, created a NEW iCloud account so she could get by, and turned off any and all Apple devices that use iCloud. Had to wait 2 weeks to allow the reset to happen.

Nermal

Moderator
Staff member
Dec 7, 2002
21,007
4,588
New Zealand
The biggest problem here is that Apple allows your iCloud account to get reset with your phone passcode. Absolutely should not be allowed, or at least have a setting to prevent that. The passcode cannot be the full keys to the kingdom. Have access to the phone, fine. But the iCloud account too? It's one of the reasons I don't use iCloud Keychain - it's all tied together.
Quite so. I didn't even realise that the iCloud password could be changed with just the PIN until I saw this thread. But you're quite right; I just had a look on my own phone and sure enough it only asks for the PIN, and there doesn't seem to be an option to disable that "feature".

It looks like there's a definite security hole here, and it needs to be fixed.

As for the OP, I'm simultaneously appalled yet unsurprised that Apple refused to help. I'd say to go back and refuse to take no for an answer, but I'm not sure how much help that would be.

dewalt

macrumors member
Jun 16, 2009
76
84
I'm not really sure how to fix iCloud account recovery without requiring multiple devices. Standard 2FA may not be effective, since most use email, SMS, or an app, all of which are probably accessible from the device itself. Maybe snail mail? Mandatory 72 wait time?

Apple Pay should also be limited to only Face ID, and not the passcode. Change Face ID? Cards are removed. Same deal if you log into a bank app using Face ID. The password is removed from the Secure Enclave if Face ID is reset.

Tevosn

macrumors regular
Aug 6, 2020
190
216
Sorry this happened to you. I am also interested in what's going wrong with account recovery so please update if you get this resolved.

Too late to help you with this now but just in case you are unaware, to prevent this from happening again make sure you set up a screen time passcode and use parental control on yourself. Go to content & privacy restrictions, and set account changes to "don't allow".

And of course, never enter your phone passcode in public again. When Face ID fails in public, I just put my phone back in my pocket and wait for a private spot to unlock it.
Thanks, I just did this! I was unaware it was possible to change your iCloud password with just the phone code, that sounds like a pretty bad security flaw!
Would have liked the Screen Time passcode to be longer, but at least my phone is a little more secure now.

cdsapplefan

macrumors 6502
Feb 15, 2023
402
437
I think the only way to stop this would be two-factor authentication with an AirTag with you on your keychain or in your billfold. Something that’s on you all the time. If Face ID fails then wirelessly authenticate with the AirTag. Maybe 🤔 even have a wait period option of 24 hours just in case. Surprised Apple left this security exploit open.

danclara

macrumors member
Original poster
May 1, 2023
44
94
Thanks to everyone who has replied so far. It helps to read some blame being pointed towards Apple and highlighting the massive flaw in iCloud security.

From what I can tell the thieves did not change my recovery email or phone number. I still have access to both, but recovery is still failing.

I think because I cannot pass the bank card check as I had to cancel this bank card (thieves were trying to use it).

I have started recovery again. I hope it will work but it's another 72 hours of worry, knowing they are in my account with all my data and access to my contacts and messaging platforms.

Howard2k

macrumors 603
Mar 10, 2016
5,699
5,648
I think the only way to stop this would be two-factor authentication with an AirTag with you on your keychain or in your billfold. Something that’s on you all the time. If Face ID fails then wirelessly authenticate with the AirTag. Maybe 🤔 even have a wait period option of 24 hours just in case. Surprised Apple left this security exploit open.

You can use Unlock with Apple Watch. It‘s not the same as a token but it does add a layer before falling back to the PIN (meaning you may be typing your PIN into the phone and having it captured).

Ultimately you need to protect your PIN. While Face ID with Watch unlock is going to make it very slightly easier for a stranger to unlock your phone while they’re in possession of it and in proximity to you, it means that you’re less likely to be forced to expose your PIN yourself, meaning they’re also FAR less likely to steal it in the first place.

danclara

macrumors member
Original poster
May 1, 2023
44
94
I’d be surprised if recovery works. They would likely have taken off your phone number and recovery email and other backup methods. If they didn’t, they left a hole open you could use to get your iCloud account back. And worse for them, you could get Find My iPhone back and see where it is and activation lock it. Activation lock is bad news for thieves because it makes a costly iPhone become worthless.

So I guess keep trying account recovery. But chances are, in this situation, it’s gone. You may need to think about picking up the pieces and starting over with new accounts.

That’s not to blame you or anything, I think what happened is that criminals got smarter. They now watch people relentlessly in public spaces and you do one slip up, they remember your code, they have someone outside mug you for your phone and it’s all gone. In the months and years prior, thieves were stealing iPhones and finding it impossible to sell, impossible to get money off it, there used to be methods over USB to take iCloud locks off, and now those methods don’t work on the latest SoCs. So they adapted. So what can you do. Maybe next iOS version has something.

And for anyone wondering, security keys for iCloud can be taken off an account with the passcode, as well as numeric recovery keys. Apple takes the blame for centralizing the whole shebang, a device with passcode controls all the other security features. Oh, and the screen time PIN can be reset with phone passcode, so that’s not a solution either.

Yeah, the suffering has been made a whole lot worse by the fact I cannot recover iCloud, DESPITE:

- Having access to the iCloud associated phone number
- Having access to the iCloud associated email

I am taking some comfort from the fact the thieves didn't change this. I think there is a time lock delay on changing these details? That may be one good thing.

danclara

macrumors member
Original poster
May 1, 2023
44
94
Was going to say this, it's what I use. The 6-digit PINs are far too easy to identify.

Yep, harsh lesson to learn for me. I just never considered this type of theft and fraud.

Even alphanumeric could be stolen if the criminals have covert filming set up. Then they just need the phone and your digital life is theirs.

Cunir

macrumors regular
Nov 25, 2021
193
223
The more I read about this the crazier it sounds. So if someone spies your passcode and has your phone for two minutes it's basically game over... that's all they need to reset your master iCloud password, delete your recovery keys, turn off Find My, and turn off your Screen Time passcode.

They can bypass all the security measures and change three different passwords by only knowing one (the one to unlock your phone, Screen Time and iCloud).

How can it be that easy?
At the very least Apple should change it so you need to input your old iCloud password before setting a new one.
Or they should use the Face ID camera to make sure it's you, and only you, who can type in the passcode.

I think I'm going to turn on 'unlock your phone with your watch'. It makes it a bit easier for a thief to get in initially, but at least they can't spy you typing in your passcode, which is worse.

danclara

macrumors member
Original poster
May 1, 2023
44
94
The more I read about this the crazier it sounds. So if someone spies your passcode and has your phone for two minutes it's basically game over... that's all they need to reset your master iCloud password, delete your recovery keys, turn off Find My, and turn off your Screen Time passcode.

They can bypass all the security measures and change three different passwords by only knowing one (the one to unlock your phone, Screen Time and iCloud).

How can it be that easy?
At the very least Apple should change it so you need to input your old iCloud password before setting a new one.

I think I'm going to turn on 'unlock your phone with your watch'. It makes it a bit easier for a thief to get in initially, but at least they can't spy you typing in your passcode, which is worse.

Exactly this.

I definitely want answers from Apple.

I had a unique and hidden iCloud password plus authentication set up to a DIFFERENT mobile number. Yet that makes no difference once someone steals the PIN and device.

klasma

macrumors 604
Jun 8, 2017
7,446
20,741
The more I read about this the crazier it sounds. So how can it be that easy?
At the very least Apple should change it so you need to input your old iCloud password before setting a new one.
It’s because people tend to forget their iCloud password since they only need it very rarely, so Apple made it recoverable by device passcode. And you can reset Face ID with that same passcode, so requiring Face ID wouldn’t help. It’s a trade-off that Apple made.

Zapdoc

macrumors 6502
Mar 4, 2012
446
85
It’s because people tend to forget their iCloud password since they only need it very rarely, so Apple made it recoverable by device passcode. And you can reset Face ID with that same passcode, so requiring Face ID wouldn’t help. It’s a trade-off that Apple made.
Don’t the thieves just want the expensive iPhone so they can sell it on?

klasma

macrumors 604
Jun 8, 2017
7,446
20,741
Don’t the thieves just want the expensive iPhone so they can sell it on?
Some also want it in order to steal your and other people’s money, as described in this thread. The other thing is that you can lock your iPhone via iCloud by marking it as lost so that it can’t be activated with any other account, making it useless for thieves. Hence the first thing thieves do is to take over your iCloud account to prevent you from marking the device as lost.

Cunir

macrumors regular
Nov 25, 2021
193
223
The solution is to use Touch ID, the Face ID camera or your nearby watch to make sure it's you typing in the passcode. If they can't recognise it as you then they should freeze out the keyboard. If the thieves can't do that bit then they can't do anything at all. It wouldn't even matter if they have possession of the device and know the code.

If for some reason the fingerprint or camera can't recognise you then they can just send a verification code to another device. It might be a bit annoying if you don't have the second device handy, but at least it would be totally secure.

AlixSPQR

macrumors 65816
Nov 16, 2020
1,078
5,466
Sweden
This is really disturbing. Just a moment ago, I had to type the passcode in the grocery store, because Apple Pay decided it couldn't recognize my face. After having read this thread, earlier this morning, I really, really didn't want to type the passcode. I guess I have to also bring my contactless card from now on. But that defeats the purpose of having Apple Pay...