
Spidder

macrumors regular
Dec 31, 2012
215
497
But no, this isn’t a security flaw. Not according to some. Haha.

The “your own fault, you’ve asked for it, so no further usage of brain necessary” folk.

My 2 cents to this topic:

The solution is quite simple. Give people options to secure their devices and accounts and properly educate people about these options. I mean sure, wanna take the risk to get pwned by some scumbag shoulder surfing your 654321 PIN, more power to you, but I prefer having an alphanumeric password (because I have that option) and I would instantly enable a superpassword for device and account management… if I had that option.

Just gimme the option!
 

Brad7

Cancelled
May 3, 2022
1,484
4,266
Okay what I did was follow your instructions here and everything you say is true, but what I also discovered was that at the same time your stolen phone gets the ALLOW/DENY message I was able to select “did not get a code” on my wife’s phone. I was then able to use the passcode from my phone (stolen) and her phone, to gain access to my Apple ID where I could change the password. The big sticking point would be that I would have to be QUICK! I’d have to get that all done before the thief notices the alert and hits deny.
Exactly, we’d have to be super quick against an expert at this stuff. Let’s hope we can be if the need ever arises, which it hopefully won’t. 🤞

But what did you mean by being able to put in your passcode? When I hit “did not get code”, it only gives me three options - resend code, go via 2FA number, or ask for Apple’s help to verify identity.
 

jaytv111

macrumors 65816
Oct 25, 2007
1,028
874
Exactly, we’d have to be super quick against an expert at this stuff. Let’s hope we can be if the need ever arises, which it hopefully won’t. 🤞

But what did you mean by being able to put in your passcode? When I hit “did not get code”, it only gives me three options - resend code, go via 2FA number, or ask for Apple’s help to verify identity.
Passcode after logging in. So you have to do one of the 3 options then use passcode to get into the phone/iCloud account (since the wife’s phone is unverified against his account). If you were using it with a device already on your iCloud account you wouldn’t need to put your passcode in.
 

Brad7

Cancelled
May 3, 2022
1,484
4,266
Passcode after logging in. So you have to do one of the 3 options then use passcode to get into the phone/iCloud account (since the wife’s phone is unverified against his account). If you were using it with a device already on your iCloud account you wouldn’t need to put your passcode in.
Ah I see. Good to know, thank you.
 

danclara

macrumors member
Original poster
May 1, 2023
44
94
Settings
iCloud
Password and Security

Turn two factor authentication on.

Then edit the trusted phone numbers so that the device you want to protect is not listed among them.

My trusted phone number was that of my wife’s phone. I had done this a year ago due to the obvious concerns.

It did not make a difference.

Not sure if I could have changed the trusted DEVICE, but feel there may be some negatives to having your main device not being trusted anyway?
 

danclara

macrumors member
Original poster
May 1, 2023
44
94
The “your own fault, you’ve asked for it, so no further usage of brain necessary” folk.

My 2 cents to this topic:

The solution is quite simple. Give people options to secure their devices and accounts and properly educate people about these options. I mean sure, wanna take the risk to get pwned by some scumbag shoulder surfing your 654321 PIN, more power to you, but I prefer having an alphanumeric password (because I have that option) and I would instantly enable a superpassword for device and account management… if I had that option.

Just gimme the option!

Absolutely this. It’s all very well saying you should never have your device and passcode stolen, but it CAN and DOES happen. It will happen MORE if thieves know they can do what they’ve done to me.

Even if I had locked down all my banking in an ultra secure way, it still gives them total access to all my data.

They have all my photos, messages and emails. They can download them and use them in any way they want.

Despite people claiming otherwise, I truly believe Apple will change this in one of the ways that has been suggested. iCloud login and password MUST be protected via a separate means.
 

Jackbequickly

macrumors 68040
Aug 6, 2022
3,185
3,277
I hope you never meet a doctor with the same attitude to life.

From what I hear, the newest doctors being graduated today are the ones you need to watch out for!

This is the price we pay for carrying around a device that has every detail about your life.
 

Reason077

macrumors 68040
Aug 14, 2007
3,854
4,092
That’s not a security flaw, it’s how passkeys work. Your device and its security (Face ID, Touch ID, device passcode) become the keys to the kingdom once you have logged into your iCloud account on that device. You already have authenticated access to your iCloud account by being able to successfully unlock the device. With authenticated access to your iCloud account, you can change the password.

The same is true when you login to a Google account using a passkey.

I can’t help but feel a lot of people do not understand how passkeys work.

Think of your phone as the master key to your accounts. That’s how passkeys work. Passkeys will likely replace passwords/2FA in the future (and they are here now for iCloud and Google accounts).

A passkey is fine if it is combined with multiple authentication factors (i.e. 2FA). For example, a security-critical action like changing an iCloud password should require both a PIN and Face ID authentication. Or a PIN and authentication on a separate trusted device.

Or to put it another way, critical changes like changing an iCloud password or removing iCloud activation lock from a device should require an extra level of security, not just a PIN.

Something has gone wrong here if 2FA is enabled and the thief can reset the user's iCloud password using only the PIN.
 

Reason077

macrumors 68040
Aug 14, 2007
3,854
4,092
That’s not a security flaw. That’s how it was designed. Remember the big hue and cry about people forgetting passwords and wanting to reset through PIN/2FA. And it’s a flaw when you disclose the PIN and lose the device.

It should not be possible to change iCloud password or remove iCloud activation lock using only the PIN. Period.
 

Wando64

macrumors 68020
Jul 11, 2013
2,338
3,109
That’s not a security flaw. That’s how it was designed. Remember the big hue and cry about people forgetting passwords and wanting to reset through PIN/2FA. And it’s a flaw when you disclose the PIN and lose the device.
- It is a security weakness,
- it was designed badly,
- No, I don’t remember. Someone always complains about everything, but I don’t remember it being a huge issue, or even an issue at all.

I don’t know where you live, but banks here in the UK know very well that they cannot rely on a single piece of security to transfer/spend more than a certain amount in a single transaction.
Indeed I cannot transfer/spend more than a set amount with the banking app. Full stop. I have to call them and go through security.
Yes it can be inconvenient from time to time, but it makes me feel safe and there is no way I am going to complain about safety.
 

Jimjom

macrumors newbie
May 5, 2023
1
0
I always fear that when travelling to other countries like Egypt or Turkey, I’d get kidnapped and someone would be able to force me to open up my phone and reveal all my personal information. This is different to just forcing someone to an ATM and emptying one bank account a few hundred at a time. He could take all my money and potentially live as my double virtually for a long time.

Is there insurance that protects against such loss? Is what the OP experienced considered identity theft?

I am thinking if there could be an advanced option where the PIN can unlock general usage and then have the option to hide all bank apps or chosen sensitive apps that the alphanumeric passcode or a different PIN will reveal.

I get that there must be so so so many people who forgot their PIN and passwords and that what the OP posted is rare compared to the daily occurrence of forgotten PINs and passwords.

The question is how to protect my data; and if I lost my phone + PIN or am being forced to unlock my phone, there is this hidden layer of what’s being shown to the thief, unknown to him/her.
 

Wando64

macrumors 68020
Jul 11, 2013
2,338
3,109
I always fear that when travelling to other countries like Egypt or Turkey, I’d get kidnapped and someone would be able to force me to open up my phone and reveal all my personal information. This is different to just forcing someone to an ATM and emptying one bank account a few hundred at a time. He could take all my money and potentially live as my double virtually for a long time.

Is there insurance that protects against such loss? Is what the OP experienced considered identity theft?

I am thinking if there could be an advanced option where the PIN can unlock general usage and then have the option to hide all bank apps or chosen sensitive apps that the alphanumeric passcode or a different PIN will reveal.

I get that there must be so so so many people who forgot their PIN and passwords and that what the OP posted is rare compared to the daily occurrence of forgotten PINs and passwords.

The question is how to protect my data; and if I lost my phone + PIN or am being forced to unlock my phone, there is this hidden layer of what’s being shown to the thief, unknown to him/her.

The only way to protect/block/hide apps with a passcode on an iPhone is by using Screen Time.
It is not perfect security, but it adds a layer. If your purpose is to hide apps, a thief might actually never notice that it is switched on.

As for someone kidnapping you and forcing you to disclose information under duress, there is no security in the world that could save you from that, other than you not knowing the information.
I am pretty sure that banks (in the UK) would reimburse you for any loss incurred in such a circumstance, as long as you can provide reasonable evidence that you are not making it up.
There are many examples of banks even reimbursing some losses incurred through social engineering, though one has to put up a fight and demonstrate that the bank didn’t pay attention to a change in spending habits.
 

Mike Boreham

macrumors 68040
Aug 10, 2006
3,916
1,899
UK
The only way to protect/block/hide apps with a passcode on an iPhone is by using Screen Time.
It is not perfect security, but it adds a layer. If your purpose is to hide apps, a thief might actually never notice that it is switched on.
It adds a very thin layer which might stop some less knowledgeable thief.

The steps to get round Screen Time are in this post. Try them for yourself, no harm is done and you can cancel back out without actually changing anything.
 

4389842

Cancelled
Jan 7, 2017
179
267
Finally people are talking about it! Someone close to me had his phone stolen and was locked out by someone knowing JUST the 4-digit PIN; the thief was able to go into Settings and change the iCloud password, then disable iCloud. When disabling iCloud, the iPhone will ask the user to authenticate using the "4-digit PIN", and even if you have 2FA, 3FA, 3000FA, it will lock you out and allow them to disassociate your Apple ID from your stolen device.

This is an insane security flaw. Your entire digital life secured by a 4 or 6 digit numeric key. There are groups of thieves that deliberately exploit this: one person would watch you type in your PIN in public and another person would snatch your phone. I know Face ID is a thing but even with Face ID, I still find myself typing PINs at least once or twice a day for whatever reason.

Apple should acknowledge this asap.
Whoever still uses 4-digit pins brought it on themselves…

Surprised to see people moaning about what is essentially the most fundamental aspect of IT security and cryptography: a secret.

A secret is always necessary when wanting to control access or encrypt data. It does not matter if that secret is a numeric, alphanumeric or any other kind of value derived from e.g. your biometrics:

If you don’t want unauthorized access to your systems or data, make sure that the secret truly is secret and sufficiently complex as to not be brute forced.

There is no flaw here… nothing else to see here either, move along…
 

danclara

macrumors member
Original poster
May 1, 2023
44
94
Whoever still uses 4-digit pins brought it on themselves…

Surprised to see people moaning about what is essentially the most fundamental aspect of IT security and cryptography: a secret.

A secret is always necessary when wanting to control access or encrypt data. It does not matter if that secret is a numeric, alphanumeric or any other kind of value derived from e.g. your biometrics:

If you don’t want unauthorized access to your systems or data, make sure that the secret truly is secret and sufficiently complex as to not be brute forced.

There is no flaw here… nothing else to see here either, move along…

I used a 6 digit pin. Perhaps I could have used 12 digits, but I didn’t know about this huge security flaw.

They got it via a secret camera located by the card machine.

Police are now fully on to this in my locality.
 

danclara

macrumors member
Original poster
May 1, 2023
44
94
In more positive news, just over a week since they stole the phone, I have regained access to my iCloud account via a second attempt at recovery.

Now I just need to regain access to WhatsApp, which should hopefully be in the next day or so, as they have a 7 day recovery period.
 

monstermash

macrumors 6502a
Apr 21, 2020
974
1,059
I always fear that when travelling to other countries like Egypt or Turkey, I’d get kidnapped and someone would be able to force me to open up my phone and reveal all my personal information. This is different to just forcing someone to an ATM and emptying one bank account a few hundred at a time. He could take all my money and potentially live as my double virtually for a long time.

Is there insurance that protects against such loss? Is what the OP experienced considered identity theft?

I am thinking if there could be an advanced option where the PIN can unlock general usage and then have the option to hide all bank apps or chosen sensitive apps that the alphanumeric passcode or a different PIN will reveal.

I get that there must be so so so many people who forgot their PIN and passwords and that what the OP posted is rare compared to the daily occurrence of forgotten PINs and passwords.

The question is how to protect my data; and if I lost my phone + PIN or am being forced to unlock my phone, there is this hidden layer of what’s being shown to the thief, unknown to him/her.

I carry an extra phone sometimes, as a decoy.
 

OSXphoto

macrumors 6502
Dec 23, 2013
274
89
I read the entire topic and I understand it. I have Family Sharing set up and my CC is the payment method for all members. If one of their iPhones gets stolen along with their passcode, will the thieves be able to bypass the App Store “Ask to Buy” setting and order stuff? Is there any other trick they might have to abuse my CC?
 

melusine

macrumors newbie
May 5, 2023
9
5
Using Screen Time / Content Restrictions to prevent the device passcode and Apple ID password from being changed is not a viable solution. It can be easily bypassed without needing the iCloud password by going to Settings > Security and Privacy > Emergency Reset or Safety Check, which allows you to immediately reset both the device passcode and iCloud password once you've verified with Face/Touch ID or the current device passcode (which the attacker presumably has).


Solution

My iCloud account is secured with hardware security keys (YubiKeys). It is not possible to reset my iCloud account password, either via the normal way (Settings > Apple ID > Password and Security > Change Password) or via Emergency Reset / Safety Check, unless both the YubiKey is presented and the old iCloud password is entered.

So if you want to prevent yourself from falling prey to the same attack as OP, you will need to secure your iCloud account with hardware security keys.
 
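A small policy model, added here and not part of the thread or of Apple's software, that encodes the three reset policies discussed above (the passcode alone, Reason077's PIN plus a separate trusted device, melusine's security key plus the old password) and checks which critical actions an attacker holding the phone and its passcode can complete under each. Factor and action names are this example's own labels, not iOS identifiers.

```python
"""Step-up authentication policies for account-critical actions.
Added model for this thread, not Apple's implementation: it encodes the reset
policies the posters describe and checks which critical actions an attacker
holding the unlocked phone and its passcode can complete under each."""
from __future__ import annotations
from dataclasses import dataclass

# Factor names are this example's own labels, not iOS identifiers.
DEVICE_PASSCODE = "device_passcode"
TRUSTED_DEVICE = "trusted_device"  # approval on a separate, already signed-in device
HARDWARE_KEY = "hardware_key"      # FIDO security key such as a YubiKey
OLD_PASSWORD = "old_account_password"

CRITICAL_ACTIONS = frozenset({"change_account_password", "remove_activation_lock"})


@dataclass(frozen=True)
class Policy:
    name: str
    # Each inner frozenset is one combination of factors that fully authorizes a
    # critical action; the action passes if any combination is presented.
    accepted: frozenset[frozenset[str]]

    def authorizes(self, action: str, presented: set[str]) -> bool:
        if action not in CRITICAL_ACTIONS:
            return True  # the model only gates the critical actions
        return any(combo <= presented for combo in self.accepted)


def policy(name: str, *combos: set[str]) -> Policy:
    return Policy(name, frozenset(frozenset(c) for c in combos))


# The behaviour the OP ran into: the device passcode alone is enough.
PASSCODE_ONLY = policy("passcode_only", {DEVICE_PASSCODE})
# Reason077's proposal: the PIN plus authentication on a separate trusted device.
PASSCODE_PLUS_TRUSTED_DEVICE = policy("passcode_plus_trusted_device",
                                      {DEVICE_PASSCODE, TRUSTED_DEVICE})
# melusine's setup: the security key and the old password, on every reset path.
HARDWARE_KEY_AND_PASSWORD = policy("hardware_key_and_password",
                                   {HARDWARE_KEY, OLD_PASSWORD})

# Threat model from the thread: the thief holds the phone and the shoulder-surfed passcode.
THIEF_FACTORS = {DEVICE_PASSCODE}


def exposure(pol: Policy, attacker_factors: set[str]) -> set[str]:
    """Critical actions the attacker can complete under the given policy."""
    return {a for a in CRITICAL_ACTIONS if pol.authorizes(a, attacker_factors)}


if __name__ == "__main__":
    for pol in (PASSCODE_ONLY, PASSCODE_PLUS_TRUSTED_DEVICE, HARDWARE_KEY_AND_PASSWORD):
        hit = sorted(exposure(pol, THIEF_FACTORS))
        print(f"{pol.name:30} thief can: {', '.join(hit) or 'nothing'}")
```

The point the model makes is that a second factor only helps when the attacker cannot derive it from the same stolen device and passcode; a trusted device that is the stolen phone itself, as jaytv111 notes above, adds nothing.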

TechnoMonk

macrumors 68030
Oct 15, 2022
2,606
4,117
It should not be possible to change iCloud password or remove iCloud activation lock using only the PIN. Period.
Passcodes and PINs shouldn’t be displayed in public, period. Options are good, but an iCloud password from another trusted device is a safe option for those who forget passwords. The reason OP got into big trouble isn’t necessarily the iCloud account, though it was part of the problem. The crooks could have still accessed Apple Pay, Photos and emails by the time OP realized the device was stolen, without touching the iCloud account. Nothing is stopping anyone from turning on airplane mode to comb through the phone and use it off the grid to steal an identity. Remote wipe won’t work once it’s in airplane mode with Wi-Fi and Bluetooth disabled.
 

Mike Boreham

macrumors 68040
Aug 10, 2006
3,916
1,899
UK
Solution

My iCloud account is secured with hardware security keys (YubiKeys). It is not possible to reset my iCloud account password, either via the normal way (Settings > Apple ID > Password and Security > Change Password) or via Emergency Reset / Safety Check, unless both the YubiKey is presented and the old iCloud password is entered.

So if you want to prevent yourself from falling prey to the same attack as OP, you will need to secure your iCloud account with hardware security keys.

I am interested in doing this but just read the Apple article about security keys, which includes this:

"To stop using security keys: Open the Settings app, tap your name, then tap Password & Security. Tap Security Keys, then tap Remove All Security Keys. If you remove all security keys, your Apple ID reverts to using the six-digit verification code for two-factor authentication."

Can you test on your YubiKey device whether you are prevented from turning off the security keys by something the thief won’t know?

Thanks
 