
jaytv111

macrumors 65816
Oct 25, 2007
1,028
874
Isn't the solution to this requiring the Apple ID password to change/remove account even when the phone is unlocked?
They reset the password with the passcode.

People here are requesting that Apple makes it an option so that you can't do that, that you must have some other security factor to do account changes of any kind, really. The passcode is the one key that holds all the other keys.

It used to be that you reset the password with SMS 2-factor and you just had to request a code. Android I think still has this. In Android-land you would have a small chance you could transfer the SIM off the phone and cut off SMS access before they reset your password (maybe you could have a SIM-PIN set and reboot the phone remotely and require SIM-PIN on reboot? I don't know). In Apple-land you don't have even that much; the passcode is enough to start ***** up a person's whole digital life. It's a reflection of a single point of failure, or SPOF as IT people call it.
 

OSXphoto

macrumors 6502
Dec 23, 2013
274
89
Understanding and accepting reality is often more helpful than not.

I have stage 4 cancer and will be dead soon. I understand it. I accept it. All the "wishing it wasn't so" in the world doesn't change my reality.

I think the same is true for Apple. I think the reality is it will do whatever it is going to do, without much input from me.
Very sorry to hear that. Entirely different level than this topic. And I do understand and support your point. Accepting reality empowers us.
 

Cunir

macrumors regular
Nov 25, 2021
193
223
I reckon this would work better… why don't they just use the simple solution of asking you to enter the 2nd, 5th and 8th characters of your passcode instead. And then next time ask you for the 1st, 6th and 9th, or whatever. As long as your passcode is long enough a thief could literally sit and watch you type it in and you’d still be safe.

And even if he got lucky and managed to get inside with the few characters he knows, he still wouldn't know the entire passcode, so he wouldn't be able to turn off Screen Time or reset your iCloud password.

It's perfect because as far as the user is concerned nothing has changed - he still only has to remember the one passcode. And as far as Apple is concerned nothing has changed either - they can still use the passcode as the key to the kingdom, because a thief never gets to see it.
 
Last edited:
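An added example in Python, not from this thread, that models the partial-passcode challenge proposed above: it picks the positions to ask for, verifies the typed answer, and estimates how many watched logins it takes before every position of a 9-digit code has been shown to an onlooker. It assumes the device keeps the passcode itself, which such a scheme requires because individual characters cannot be checked against a hash of the whole code; PASSCODE is a constructed sample value.

```python
import hmac
import math
import secrets
from typing import Dict, List, Tuple

# Constructed 9-digit sample passcode for the demonstration, not a real credential.
PASSCODE = "482917365"
CHARS_PER_CHALLENGE = 3


def make_challenge(length: int, k: int = CHARS_PER_CHALLENGE) -> List[int]:
    """Choose k distinct 0-based positions to ask for, e.g. [1, 4, 7] is '2nd, 5th, 8th'."""
    return sorted(secrets.SystemRandom().sample(range(length), k))


def verify_partial(passcode: str, positions: List[int], answer: str) -> bool:
    """Accept only if every requested character matches; constant-time compare."""
    if len(answer) != len(positions):
        return False
    expected = "".join(passcode[i] for i in positions)
    return hmac.compare_digest(expected.encode(), answer.encode())


def positions_learned(observations: List[Tuple[List[int], str]]) -> Dict[int, str]:
    """Merge (positions shown, characters typed) pairs an onlooker saw into known positions.

    This is the leak the proposal overlooks: each watched login reveals k more positions.
    """
    known: Dict[int, str] = {}
    for positions, typed in observations:
        for pos, ch in zip(positions, typed):
            known[pos] = ch
    return known


def fully_exposed(known: Dict[int, str], length: int) -> bool:
    """True once an onlooker has seen every position, i.e. the whole passcode."""
    return len(known) == length


def expected_logins_to_expose_all(length: int, k: int = CHARS_PER_CHALLENGE) -> float:
    """Expected number of watched logins until all positions have been shown.

    Coupon collector with k distinct draws per round, via inclusion-exclusion:
    E[N] = sum_{j=1..L} (-1)^(j+1) C(L, j) / (1 - q_j), with q_j = C(L-j, k) / C(L, k).
    """
    total_sets = math.comb(length, k)
    expected = 0.0
    for j in range(1, length + 1):
        q_j = math.comb(length - j, k) / total_sets  # P(a fixed set of j positions all avoided)
        expected += (-1) ** (j + 1) * math.comb(length, j) / (1 - q_j)
    return expected


if __name__ == "__main__":
    chal = make_challenge(len(PASSCODE))
    print("challenge positions:", chal, "->",
          verify_partial(PASSCODE, chal, "".join(PASSCODE[i] for i in chal)))
    print(f"watched logins to expose a {len(PASSCODE)}-digit code: "
          f"{expected_logins_to_expose_all(len(PASSCODE)):.1f} on average")
```

For a 9-digit code with 3 characters per challenge the estimate is about 7.8 watched logins, so the scheme slows a shoulder surfer down rather than stopping one.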

Mike Boreham

macrumors 68040
Aug 10, 2006
3,915
1,897
UK
To change your phone passcode, to change your iCloud password, to make any significant changes to your account and devices you must enter your passcode and/or password. I’m not sure I’m understanding how was this done. What am I missing?
Read more of the thread. Yes, you are correct, but on a phone if you click 'forgot password' you are asked for the PIN instead, and then you can change the Apple ID password etc.
 

JamesMay82

macrumors 65816
Oct 12, 2009
1,474
1,205
I’m very sorry to hear this. I know this is a very rare case and you’ve been unlucky but this is a reminder of the dangers of the cloud and our data. Financial implications but also the potential loss of private photos and need for local back up as well.

I hope you get this resolved
 
  • Like
Reactions: gusmula

960design

macrumors 68040
Apr 17, 2012
3,795
1,674
Destin, FL
SUGGESTION TO APPLE: what about the idea of having a “guest” account. A second passcode that would open the phone in a very limited fashion. Perhaps even have the ability to set which apps and functions could be accessed by the guest account.

In fact would this be possible to emulate now? Can one of our resident experts chime in and give directions on how one could set up your current phone as a “new” phone for going on a trip or some time you were going to be gone long enough to justify the trouble? Maybe even have an alternate Apple ID for just such a purpose? This wouldn’t be much help if you were just going out for a night with friends, but might be useful for longer trips to questionable places.
Yes, you can do this now, but it requires a far greater commitment than most people are willing to put in.
Highlights here (mostly a brochure advertisement): https://www.apple.com/business/enterprise/it/
Here for beginning of real stuff: https://www.apple.com/business/docs/site/Apple_Business_Manager_Getting_Started_Guide.pdf
 

960design

macrumors 68040
Apr 17, 2012
3,795
1,674
Destin, FL
...if you want to access my most sensitive stuff, you have to mount an encrypted disk image, which has its own password.
That is pretty tight, except for catastrophic events: hurricane, fire while you are out, theft of device.
Backing up is where most security fails.
 

960design

macrumors 68040
Apr 17, 2012
3,795
1,674
Destin, FL
You're confusing fault with responsibility.

If I leave my keys in my car, thereby allowing you to steal it, it's my fault my car was stolen, even though you're responsible for stealing it.
I disagree with this one. Forgetfulness is not a crime; you are not at fault for someone else's choices. Stealing is the problem. A decent person would find the keys and return them to the owner.

Hard to come up with an example without getting too dark, so I will just leave it.
 

960design

macrumors 68040
Apr 17, 2012
3,795
1,674
Destin, FL
Again, if someone has unlocked access to your phone, putting it in airplane mode cuts off all avenues for someone without the phone in their hand to do anything with it.
Try it with my phone. I will come knocking pretty quickly. (My phone will allow you to change it to Airplane mode, but does not actually put it in airplane mode.)
 

bevsb2

Contributor
Nov 23, 2012
4,966
15,050
Today I made a purchase (under $100) from a company that carries skin care products. In order to complete my order I had to type in a code they sent to prove I was who I claimed to be. I have an account with a password and was signed in. After reading the posts here for a few days, I am amazed that this website I ordered from today has more security than that of my iPhone. I realize they are more concerned about protecting their company from fraudulent charges than protecting me, but surely Apple could do better.
 

ric22

Suspended
Mar 8, 2022
2,713
2,963
Absolutely terrifying that your entire account can be stolen simply by someone learning your passcode. It's incredibly easy to look over someone's shoulder to discover a 6 digit pin.
 

4389842

Cancelled
Jan 7, 2017
179
267
This is a classic case of victim blaming.
It is not: it is IT security 101. Access to data, communication and devices is controlled through a secret. Lose exclusive control over that secret and all bets are off.

If you use technology, you are also accountable to know how it works.

What happened to OP is sad but at the end of the day, they lost control of a key which is clearly advertised to be the key to the kingdom (your car key analogy is flawed).

 

h.gilbert

macrumors 6502a
Nov 17, 2022
719
1,263
Bordeaux
Again, if someone has unlocked access to your phone, putting it in airplane mode cuts off all avenues for someone without the phone in their hand to do anything with it.

Besides that, someone who knows what they're doing can do the following in just minutes:

1) Transfer your Apple Savings balance to Apple Cash.

2) Use your linked debit card to transfer as much money as possible from your bank account to Apple Cash.

3) Send your Apple Cash balance to anyone they like or spend it.

4) Walk into a store and use your Apple Card to buy whatever they want.

5) PROBABLY get into your banking apps, reset the passwords, and then drain those accounts one way or another. Most people probably have their account info saved anyway, so they don't even have to bother with the password reset.

6) Same for your retirement account apps (Vanguard, Fidelity, E*Trade, whatever).

Then put it in airplane mode and go through the contents of your phone at their leisure.

I see. I guess fortunately for me all banking stuff requires its own separate code. None of my financial apps allow unlocking with just my phone's password; maybe it's a European thing.
 

Rnd-chars

macrumors 6502
Apr 4, 2023
256
237
I always fear that when travelling to other countries like Egypt or Turkey, I’d get kidnapped and someone would be able to force me to open up my phone and reveal all my personal information. This is different to just forcing someone to an ATM and emptying one bank account a few hundred at a time. He could take all my money and potentially live as my double virtually for a long time.

Is there insurance that protects against such loss? Is what the OP experienced considered identity theft?

Some things to consider for greater protection:
1. Bring and only use a burner phone with prepaid SIM
2. Bring your normal phone but reset it first so that only the stock apps are present (and whatever you’re “comfortable” with being compromised). You may consider creating a temporary Apple ID/email account and not saving passwords in Keychain on the phone as well.

Also, we keep talking about phones, but I believe the same exploit works for any device, including Mac, Windows, etc. Generally once an attacker has physical access, the credentials to login and access to a password vault (which is generally just the login credentials) all bets are off.

Just like using a PIN at an ATM, assume someone is standing right behind you looking over your shoulder; cover your phone/keyboard if you must enter your PIN in public and use a complex alphanumeric combination. While not perfect, the alphanumeric keyboard is a much smaller visual target, so it makes it more difficult for onlookers/cameras to catch which keys were pressed.
 
  • Like
Reactions: MacCheetah3

Rnd-chars

macrumors 6502
Apr 4, 2023
256
237
I reckon this would work better… why don't they just use the simple solution of asking you to enter the 2nd, 5th and 8th characters of your passcode instead. And then next time ask you for the 1st, 6th and 9th, or whatever. As long as your passcode is long enough a thief could literally sit and watch you type it in and you’d still be safe.

It's perfect because as far as the user is concerned nothing has changed - he still only has to remember the one passcode.
I think customer adoption would be a challenge. Folks want to log in while they’re doing other things and rely on muscle memory. If I had to think of the 3rd, 6th, and 9th numbers of my phone number to log in I would probably have to count through it a couple of times since I don’t index my telephone number by ordinal position.

But I like the novel approach! I suspect there are a few other ones Apple could implement:
1. Touch ID as the secondary factor (perhaps on the power button similar to recent iPads) for secure areas. Pros: nothing to remember. Con: hardware cost and consequence of it not working.
2. Personalized challenge question for secure areas. The PIN/Face ID would still be used to log in, but anything that required greater security (e.g. password access, banking apps, etc.) would present you with a personalized (and likely multiple choice) random challenge question modal like “What time did you wake up today?” or “Which of these places did you shop at earlier today?” If you have yourself a dedicated stalker you’re probably out of luck, but it would work well for the majority of these cases.
3. Super user password. Similar idea, but instead of a challenge question you present a password you only use for secure operations. The downside is you now have a third password to remember/forget.
4. Hardware-based key (e.g. YubiKey). Don’t lose it.
 
  • Like
Reactions: MacCheetah3

melusine

macrumors newbie
May 5, 2023
9
5
Screen Time passcode is easily bypassed as I detailed and tested in this post. When asked for your Apple ID you go through the forgot password route and are asked for the PIN, which the thief has, instead.

I strongly suspect that YubiKeys will also fail the same way. Especially as the Apple article I quoted gave no confidence that any additional check was involved to turn the key off.

Have you tested the Yubikey by going down the 'forgot password' route?

I followed the steps in your post.
  • It first asked me to enter my Apple ID, which I did.
  • I then selected forgot password.
  • Then it asked me to enter my phone number, which I did.
  • Then it asked me to approve the Apple ID password reset on another device, and there was another option for if I do not have access to any of my other devices. I selected the latter option.
  • Then it asked me to produce my hardware security key and does not allow me to proceed further without it. I tried failing it and it then produced a screen telling me to either approve password reset on another device, or cancel.
At no point in time was I asked for my device passcode.


Can't you just reset the iCloud password with the passcode?

No. As I mentioned in my previous post, the phone asks me to present a security key before it allows me to change my Apple ID password, both via the Apple ID > Password and Security > Change Password and Privacy and Security > Safety Check routes. There is no option to use my device passcode at all.
 
  • Like
Reactions: OSXphoto

Mike Boreham

macrumors 68040
Aug 10, 2006
3,915
1,897
UK
I followed the steps in your post.
  • It first asked me to enter my Apple ID, which I did.
  • I then selected forgot password.
  • Then it asked me to enter my phone number, which I did.
  • Then it asked me to approve the Apple ID password reset on another device, and there was another option for if I do not have access to any of my other devices. I selected the latter option.
  • Then it asked me to produce my hardware security key and does not allow me to proceed further without it. I tried failing it and it then produced a screen telling me to either approve password reset on another device, or cancel.
At no point in time was I asked for my device passcode.

Thanks for doing that. Very interesting and contrary to another YubiKey owner (@onenorth) who reported they didn't work for this scenario. I will have to get some myself and try them out.

I know when I was testing the Screen Time passcode that, after clicking 'forgot password', there were branches in the process which did not lead to an instant request for the passcode. They led to a slower recovery of the Apple ID which would give time for the rightful owner to take action.
 
  • Like
Reactions: melusine

Mike Boreham

macrumors 68040
Aug 10, 2006
3,915
1,897
UK
I followed the steps in your post.
  • It first asked me to enter my Apple ID, which I did.
  • I then selected forgot password.
  • Then it asked me to enter my phone number, which I did.
  • Then it asked me to approve the Apple ID password reset on another device, and there was another option for if I do not have access to any of my other devices. I selected the latter option.
  • Then it asked me to produce my hardware security key and does not allow me to proceed further without it. I tried failing it and it then produced a screen telling me to either approve password reset on another device, or cancel.
At no point in time was I asked for my device passcode.

No. As I mentioned in my previous post, the phone asks me to present a security key before it allows me to change my Apple ID password, both via the Apple ID > Password and Security > Change Password and Privacy and Security > Safety Check routes. There is no option to use my device passcode at all.

I meant to ask what happens if you try to remove Security Keys? See this post. Thanks.
 

Puonti

macrumors 68000
Mar 14, 2011
1,567
1,187
my phone will allow you change it to Airplane mode, but does not actually put it in airplane mode
Assuming you're talking about an iPhone, are you using a Shortcut to disable airplane mode whenever it's enabled?
 

Puonti

macrumors 68000
Mar 14, 2011
1,567
1,187
You will be surprised how easy it is to reset it even with Screen Time disabled.

This was very informative, thank you - I had previously been thinking of ways to make the Apple ID harder to figure out, and hadn't thought about it being listed under Wallet & Apple Pay / Transaction Defaults (and by extension the same section in the Watch app if that's in use).

I'm not sure if you had mentioned this in the removed part of your report, but just in case someone comes looking after the fact:

You can remove your Apple ID e-mail address from the Transaction Defaults list (separately under both Settings and Watch apps) and use some other address instead to block this method of obtaining the address.

Edit:
That said, there are still plenty of places to find the e-mail address on a device that Apple would need to address, for example Settings / Family and the Apple Store app (which you can delete, sure, but it can be reinstalled).
 
Last edited:
  • Like
Reactions: addamas

ifxf

macrumors 6502a
Jun 7, 2011
606
1,008
This is why you don’t put all your security sensitive capabilities with one vendor. If you have an Apple phone then use a separate password manager, an email provider other than Apple, don’t use Apple Pay or Cash and never use iCloud for backups. Then if your phone is grabbed it is very inconvenient but you still have access to everything non-Apple.
 
  • Love
Reactions: addamas

addamas

macrumors 65816
Apr 20, 2016
1,314
1,341
This was very informative, thank you - I had previously been thinking of ways to make the Apple ID harder to figure out, and hadn't thought about it being listed under Wallet & Apple Pay / Transaction Defaults (and by extension the same section in the Watch app if that's in use).

I'm not sure if you had mentioned this in the removed part of your report, but just in case someone comes looking after the fact:

You can remove your Apple ID e-mail address from the Transaction Defaults list (separately under both Settings and Watch apps) and use some other address instead to block this method of obtaining the address.

Edit:
That said, there are still plenty of places to find the e-mail address on a device that Apple would need to address, for example Settings / Family and the Apple Store app (which you can delete, sure, but it can be reinstalled).
If you put in a new email, at least in my case, my iCloud and phone-related number were “proposed” in it anyway. Also when I had removed these details, this important info was suggested. Which is hilarious.

Maybe because my details (my person in the Contacts app) are set in Siri…

About my post: in the end the user is asked if they can enter another iCloud device's passcode… and then can choose others (!) (which option is damn insecure), in which list you can choose the same (!!!) iPhone or another device's passcode where this glitch is used.
 
Last edited: