
monstermash (macrumors 6502a, joined Apr 21, 2020)
On my Mac, I have a password to log in.

Once you are logged in, if you want to access my most sensitive stuff, you have to mount an encrypted disk image, which has its own password.

Having access to the machine isn't enough to get the good stuff.

The phone should have the same capability, one way or another. There are multiple ways to implement it. A good way would be to designate applications as "locked down". Having this designation would require a second passcode to be entered, every time the application is accessed.

Have access to the device? Great. Doesn't mean you have access to the critical apps that promote ID theft.
 

HarryMudd (macrumors member, joined Oct 7, 2021)
> In more positive news, just over a week since they stole the phone, I have regained access to my iCloud account via a second attempt at recovery.
>
> Now just need to regain access to WhatsApp, which should hopefully be in the next day or so, as they have a 7-day recovery period.

That is good news! Thank you for the update.
 

Mike Boreham (macrumors 68040, joined Aug 10, 2006, UK)
> I tried removing all my security keys at once from that screen, and it asked for my Apple ID password before allowing me to proceed. Same for adding a new key or removing individual keys. So I guess it's safe because the thief will only know your passcode and not your Apple ID password. Obviously this means you can't save your Apple ID password in iCloud Keychain or Notes and will have to actually memorise it.
>
> Separately, I also note that Screen Time can protect that page from being accessed completely (under Content and Privacy Restrictions, disallow Account Changes, and Apple ID settings will be greyed out entirely) if one needs another layer of protection, but it's not really necessary.

The Screen Time passcode is easily bypassed, as I detailed and tested in this post. When asked for your Apple ID, you go through the forgot-password route and are asked for the PIN instead, which the thief has.

I strongly suspect that YubiKeys will also fail the same way, especially as the Apple article I quoted gave no confidence that any additional check is involved to turn the key off.

Have you tested the YubiKey by going down the 'forgot password' route?
 

russell_314 (macrumors 604, joined Feb 10, 2019, USA)
> The Screen Time passcode is easily bypassed, as I detailed and tested in this post. When asked for your Apple ID, you go through the forgot-password route and are asked for the PIN instead, which the thief has.
>
> I strongly suspect that YubiKeys will also fail the same way, especially as the Apple article I quoted gave no confidence that any additional check is involved to turn the key off.
>
> Have you tested the YubiKey by going down the 'forgot password' route?

I have two YubiKeys ordered, so I will know tomorrow if this fixes the problem. I hope a simple PIN doesn't bypass a hardware key, because at that point it would be useless. The whole point of a hardware key is that it's 100% lockdown. Of course, that solution isn't for everyone, because if you lose both then I don't know. I guess this is why Apple makes you have two, since it's easy to have one fail or get lost.
 

jaytv111 (macrumors 65816, joined Oct 25, 2007)
> I tried removing all my security keys at once from that screen, and it asked for my Apple ID password before allowing me to proceed. Same for adding a new key or removing individual keys. So I guess it's safe because the thief will only know your passcode and not your Apple ID password. Obviously this means you can't save your Apple ID password in iCloud Keychain or Notes and will have to actually memorise it.
>
> Separately, I also note that Screen Time can protect that page from being accessed completely (under Content and Privacy Restrictions, disallow Account Changes, and Apple ID settings will be greyed out entirely) if one needs another layer of protection, but it's not really necessary.
Can't you just reset the iCloud password with the passcode?
 

TechnoMonk (macrumors 68030, joined Oct 15, 2022)
> NEVER! The victim, through their behavior, can make it easier, but the blame for a criminal act rests 100% squarely on the shoulders of the person who commits it. IMHO.

That begs the question: what are the cops doing with these crooks?
 

HarryMudd (macrumors member, joined Oct 7, 2021)
SUGGESTION TO APPLE: what about the idea of having a "guest" account? A second passcode that would open the phone in a very limited fashion. Perhaps even have the ability to set which apps and functions could be accessed by the guest account.

In fact would this be possible to emulate now? Can one of our resident experts chime in and give directions on how one could set up your current phone as a “new” phone for going on a trip or some time you were going to be gone long enough to justify the trouble? Maybe even have an alternate Apple ID for just such a purpose? This wouldn’t be much help if you were just going out for a night with friends, but might be useful for longer trips to questionable places.
 

Mike Boreham (macrumors 68040, joined Aug 10, 2006, UK)
> I have two YubiKeys ordered, so I will know tomorrow if this fixes the problem. I hope a simple PIN doesn't bypass a hardware key, because at that point it would be useless. The whole point of a hardware key is that it's 100% lockdown. Of course, that solution isn't for everyone, because if you lose both then I don't know. I guess this is why Apple makes you have two, since it's easy to have one fail or get lost.

I really hope Yubikey works, but not hopeful. Look forward to your findings!
 

monstermash (macrumors 6502a, joined Apr 21, 2020)
> NEVER! The victim, through their behavior, can make it easier, but the blame for a criminal act rests 100% squarely on the shoulders of the person who commits it. IMHO.

You're confusing fault with responsibility.

If I leave my keys in my car, thereby allowing you to steal it, it's my fault my car was stolen, even though you're responsible for stealing it.
 

Barcamatic (macrumors newbie, joined Feb 20, 2023)
> I work in London and was at a restaurant/bar on Thursday. I use FaceID and have a 6-digit PIN. During the night my FaceID must have failed at some point.
>
> My phone went missing from my pocket and I realised within 5 mins. I was very suspicious. I instantly went on my friend's phone and attempted to log in to my iCloud. My password did not work.
>
> Long story short from here, but it had been stolen and the thieves had my passcode. They locked me out within minutes. There is a massive security flaw that allows this to happen.
>
> I am reasonably cyber-security aware (or so I thought). I had two-step authentication set up on iCloud. I used my wife's number for this, thinking that makes things way more secure. It does not.
>
> Apple allowed the thief to lock me out and change my password for iCloud.
>
> They have had full control of my phone and data for 5 days now. I can't disable my account and I can't log in.
>
> I am stuck in a recovery loop. 1 day later I had a new SIM with my phone number. I can verify the code for this and also my wife's number. I verify the code sent to my email that I have regained control of.
>
> Final request was for me to enter my bank card in full. I did this originally, but I have had to cancel all cards as the thieves used my Apple Pay to buy £1000s in Apple products!
>
> I have visited an Apple store with my passport but absolutely nothing helps me. The power is with the criminals and I cannot stop them.
>
> I waited 72 hours for recovery but then heard nothing. No SMS or email.
>
> I was told to try recovery again but it has gone back to where I was 5 days ago.
>
> Meanwhile the criminals are using my WhatsApp to extort money from my contacts (1000+ of them) pretending to be me needing money. I have found out 4 have sent money and it could be a lot more.
>
> I am powerless to stop this.
>
> Does anyone know why my recovery is failing despite having all the information Apple asked me for?
>
> Are the criminals with my device able to block my request from the device?
>
> I haven't slept in 5 days with worry. They also sent threatening messages from my phone to my wife, with photos of my children.
>
> Still Apple will do nothing to help. It is sickening.

To change your phone passcode, to change your iCloud password, or to make any significant changes to your account and devices, you must enter your passcode and/or password. I'm not sure I understand how this was done. What am I missing?
 

onenorth (macrumors 6502a, joined Sep 15, 2021)
> You're confusing fault with responsibility.
>
> If I leave my keys in my car, thereby allowing you to steal it, it's my fault my car was stolen, even though you're responsible for stealing it.

We all have made bad decisions that led to bad outcomes of varying degrees. But victim blaming deflects the conversation away from where it should be, which in this case is what Apple could do differently to mitigate this issue.
 

monstermash (macrumors 6502a, joined Apr 21, 2020)
> We all have made bad decisions that led to bad outcomes of varying degrees. But victim blaming deflects the conversation away from where it should be, which in this case is what Apple could do differently to mitigate this issue.

Apple could. It hasn't. So now what?
 

Night Spring (macrumors G5, joined Jul 17, 2008)
> This issue includes situations where the owner took reasonable steps to secure the information and it still was stolen. Apple insists on having you enter your passcode at random times even when you have Face ID set up, so it contributes to the problem. I know that if I pick up my phone a few times, such as walking around my house, and it wakes up but fails to validate my face each time, eventually it defaults back to passcode. I don't know how many failed attempts it takes but it is not too many. And even with my Apple Watch on, it doesn't always unlock the phone - only when it sees enough of my face to know it is someone's face but not enough to validate it.

Yes, exactly. My iPhone with FaceID gives the "need password to enable FaceID" prompt nearly every day, and often more than once a day. Also, for me, FaceID seems to fail much more often than TouchID did. I'd say it fails about half the time, and I can keep holding up the phone to my face, or I can enter the passcode, and it's just faster to punch in the passcode, knowing it's guaranteed to work, rather than try FaceID once more, not knowing if it'll work this time.

The upshot is, I'm unhappy with FaceID, and wish I could go back to TouchID.
 

onenorth (macrumors 6502a, joined Sep 15, 2021)
> SUGGESTION TO APPLE: what about the idea of having a "guest" account? A second passcode that would open the phone in a very limited fashion. Perhaps even have the ability to set which apps and functions could be accessed by the guest account.
>
> In fact would this be possible to emulate now? Can one of our resident experts chime in and give directions on how one could set up your current phone as a "new" phone for going on a trip or some time you were going to be gone long enough to justify the trouble? Maybe even have an alternate Apple ID for just such a purpose? This wouldn't be much help if you were just going out for a night with friends, but might be useful for longer trips to questionable places.
I like the idea of a restricted account being the fallback for when the passcode is used instead of FaceID or TouchID. In the restricted account you should not be able to reset the Apple ID password without knowing the old password or some other piece of information.
 
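To make the recovery-path argument running through this thread concrete, here is an added example (my own code written for this page, not anything from Apple or from any poster) that models account recovery as a list of "this capability is granted once you hold these other ones" rules and then asks which minimal sets of secrets reach full account takeover. The capability names, the two rule tables and the choice of a hardware security key as the extra factor are modelling assumptions. The "as described" rules follow what posters report above (the passcode unlocks the phone, the forgot-password flow on the unlocked phone accepts the passcode, and removing security keys then only asks for the freshly reset Apple ID password); the "hardened" rules implement the proposal just above that resetting the password from the device should need something the passcode cannot produce.

```python
from itertools import combinations

# Modelling assumptions for this example (not Apple's documented policy):
# a rule grants one capability once every capability in `needs` is held,
# and several rules may grant the same capability via different paths.

# Behaviour as reported in the thread: the forgot-password flow on an
# unlocked iPhone accepts the device passcode, and removing security keys
# then only asks for the (freshly reset) Apple ID password.
RULES_AS_DESCRIBED = [
    ("unlocked_device",       {"device_passcode"}),
    ("apple_id_password",     {"unlocked_device", "device_passcode"}),
    ("security_keys_removed", {"unlocked_device", "apple_id_password"}),
    ("account_takeover",      {"apple_id_password", "security_keys_removed"}),
]

# Proposed policy (hypothetical): password recovery from the device needs
# something the passcode cannot produce, here a hardware security key, and
# removing a key needs a key as well as the password.
RULES_HARDENED = [
    ("unlocked_device",       {"device_passcode"}),
    ("apple_id_password",     {"unlocked_device", "security_key"}),
    ("security_keys_removed", {"unlocked_device", "apple_id_password", "security_key"}),
    ("account_takeover",      {"apple_id_password", "security_keys_removed"}),
]

# The secrets an attacker might hold; the thief in the thread has only the first.
SECRETS = {"device_passcode", "apple_id_password", "security_key"}


def closure(rules, held):
    """Every capability reachable from the secrets in `held` (fixed point)."""
    held = set(held)
    changed = True
    while changed:
        changed = False
        for capability, needs in rules:
            if capability not in held and needs <= held:
                held.add(capability)
                changed = True
    return held


def minimal_secret_sets(rules, secrets, goal):
    """All minimal subsets of `secrets` whose closure contains `goal`.

    Subsets are tried in increasing size, so a set is kept only when no
    smaller kept set is contained in it.
    """
    found = []
    for size in range(1, len(secrets) + 1):
        for combo in combinations(sorted(secrets), size):
            candidate = frozenset(combo)
            if any(smaller <= candidate for smaller in found):
                continue
            if goal in closure(rules, candidate):
                found.append(candidate)
    return found


def report(name, rules):
    """Print what an attacker must hold under `rules` to take the account over."""
    sets = minimal_secret_sets(rules, SECRETS, "account_takeover")
    print(f"{name}: account takeover needs one of "
          + " | ".join("{" + ", ".join(sorted(s)) + "}" for s in sets))
    print(f"  passcode alone yields: {sorted(closure(rules, {'device_passcode'}))}")


if __name__ == "__main__":
    report("as described in the thread", RULES_AS_DESCRIBED)
    report("hardened policy", RULES_HARDENED)
```

Under the first rule table the device passcode alone reaches `account_takeover`, which is the thread's point in one line: every other factor, including the hardware key, is only as strong as the six-digit passcode because the passcode can mint the password that removes the key. Under the hardened table the passcode plus a key is the smallest sufficient set, and the passcode on its own stops at an unlocked phone. The closure is a plain fixed point over the rule list, so evaluating another policy (a recovery contact, a trusted-device approval, a waiting period modelled as a separate capability) is a matter of editing the tables, not the code.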

h.gilbert (macrumors 6502a, joined Nov 17, 2022, Bordeaux)
Isn't the solution to this requiring the Apple ID password to change/remove account even when the phone is unlocked?
 

monstermash (macrumors 6502a, joined Apr 21, 2020)
> Isn't the solution to this requiring the Apple ID password to change/remove account even when the phone is unlocked?

Again, if someone has unlocked access to your phone, putting it in airplane mode cuts off all avenues for someone without the phone in their hand to do anything with it.

Besides that, someone who knows what they're doing can do the following in just minutes:

1). Transfer your Apple Savings balance to Apple Cash.

2). Use your linked debit card to transfer as much money as possible from your bank account to Apple Cash.

3) Send your Apple Cash balance to anyone they like or spend it.

4). Walk into a store and use your Apple Card to buy whatever they want.

5). PROBABLY get into your banking apps, reset the passwords, and then drain those accounts one way or another. Most people probably have their account info saved anyway, so they don't even have to bother with the password reset.

6). Same for your retirement account apps (Vanguard, Fidelity, E*Trade, whatever).

Then put it in airplane mode and go through the contents of your phone at their leisure.
 

wave84 (macrumors member, joined Sep 11, 2014)
As a programmer, a tech aficionado, a guy who has worked with computers his entire life and owned most iPhones since the first one, I had no idea that you can use the iPhone unlock code to reset the Apple ID. I was certain that you needed the iCloud password. This is a huge, huge, huge flaw in the entire system. It's even worse that Apple allows it for 4 digit pins as well.

And yes, FaceID doesn't work all the time for me either, I have to occasionally unlock manually in public, especially when paying. Which makes it even worse.
 

onenorth (macrumors 6502a, joined Sep 15, 2021)
> Yes, exactly. My iPhone with FaceID gives the "need password to enable FaceID" prompt nearly every day, and often more than once a day. Also, for me, FaceID seems to fail much more often than TouchID did. I'd say it fails about half the time, and I can keep holding up the phone to my face, or I can enter the passcode, and it's just faster to punch in the passcode, knowing it's guaranteed to work, rather than try FaceID once more, not knowing if it'll work this time.
>
> The upshot is, I'm unhappy with FaceID, and wish I could go back to TouchID.
FaceID works reliably for me when I am trying to unlock the phone, but sometimes I just pick it up not intending to use it and it gets confused. TouchID never had this problem. For that reason, I liked TouchID better.

> Ooooooooooooooooooh.
>
> That should work.
Your proposed solution is just to tell everyone "too bad, so sad?" How helpful is that?
 

monstermash (macrumors 6502a, joined Apr 21, 2020)
> FaceID works reliably for me when I am trying to unlock the phone, but sometimes I just pick it up not intending to use it and it gets confused. TouchID never had this problem. For that reason, I liked TouchID better.

> Your proposed solution is just to tell everyone "too bad, so sad?" How helpful is that?

Understanding and accepting reality is often more helpful than not.

I have stage 4 cancer and will be dead soon. I understand it. I accept it. All the "wishing it wasn't so" in the world doesn't change my reality.

I think the same is true for Apple. I think the reality is it will do whatever it is going to do, without much input from me.
 

onenorth (macrumors 6502a, joined Sep 15, 2021)
> Understanding and accepting reality is often more helpful than not.
>
> I have stage 4 cancer and will be dead soon. I understand it. I accept it. All the "wishing it wasn't so" in the world doesn't change my reality.
>
> I think the same is true for Apple. I think the reality is it will do whatever it is going to do, without much input from me.
I am sorry to hear that and wish you the best.

You are not the only one who is fatalistic around here. I have come to learn that while many things are beyond my control, I also know that nothing will happen if I don't at least try to deal with the things I think I can have an influence on. I have been surprised how often it works, even though it usually doesn't.
 

addamas (macrumors 65816, joined Apr 20, 2016)
> As a programmer, a tech aficionado, a guy who has worked with computers his entire life and owned most iPhones since the first one, I had no idea that you can use the iPhone unlock code to reset the Apple ID. I was certain that you needed the iCloud password. This is a huge, huge, huge flaw in the entire system. It's even worse that Apple allows it for 4 digit pins as well.
>
> And yes, FaceID doesn't work all the time for me either, I have to occasionally unlock manually in public, especially when paying. Which makes it even worse.
You will be surprised how easy it is to reset it even with Screen Time disabled.

As it's almost 2 weeks since Apple answered my reports telling me it's all fine, as a SW tester I am pissed, and let's play a game of reveal the reproduction steps.

Screw you, Apple "security" developers and whoever above them chose that it's better to allow people to reset their iCloud password easily if they forget it but have the iPhone in their hands...

The last steps are removed, but everybody with enough brain cells can work out what to do there on the same device.
 

Attachment: IMG_0741.jpeg