
KENESS

macrumors regular
Mar 14, 2003
218
660
I might have missed it, or not be understanding something well. But would requiring 2FA for AppleID password changes be an improvement? The AppleID password is such a POWERFUL password that I feel it would warrant stricter change requirements.

This would only work for people with multiple devices, so perhaps for those people without multiple devices, some form of secondary contact method could be used to authorize the change.

Airplane mode has been mentioned as a workaround, but couldn't FindMy send the lock down signal even with Airplane Mode on, in the same way that AirTags are always in communication? If this FindMy signal is blocked by the current Airplane Mode, perhaps it could be changed so that the standard Airplane Mode leaves the FindMy network active (I don't believe this is an issue for the FAA), with a secondary option to enter a FULL Airplane Mode, but that requires the AppleID password, which they have been blocked from changing.

This way, an AppleID could not be changed and FindMy not turned off, without authorization on a secondary device, and even if they turned on Airplane Mode, the device would still be in contact with the FindMy network and remote lockable as well as trackable.

I'm assuming I've missed some glaring problem with this idea, because people way smarter than I have put a lot of thought into it. So please be gentle if it is a dumb idea! hah
 

OSXphoto

macrumors 6502
Dec 23, 2013
274
89
It is not: it is IT security 101. Access to data, communication and devices are controlled through a secret. Lose exclusive control over that secret and all bets are off.

If you use technology, you are also accountable to know how it works.

What happened to OP is sad but at the end of the day, they lost control of a key which is clearly advertised to be the key to the kingdom (your car key analogy is flawed).

You are 100% correct. It’s just that very few users will actually dive into this menu and learn about device recovery options *before* losing access to their account. Most of us trust Apple to have designed the system so that these things cannot happen.
 

OSXphoto

macrumors 6502
Dec 23, 2013
274
89
I followed the steps in your post.
  • It first asked me to enter my Apple ID, which I did.
  • I then selected forgot password.
  • Then it asked me to enter my phone number, which I did.
  • Then it asked me to approve the Apple ID password reset on another device, and there was another option for if I do not have access to any of my other devices. I selected the latter option.
  • Then it asked me to produce my hardware security key and does not allow me to proceed further without it. I tried failing it and it then produced a screen telling me to either approve password reset on another device, or cancel.
At no point in time was I asked for my device passcode.




No. As I mentioned in my previous post, the phone asks me to present a security key before it allows me to change my Apple ID password, both via the Apple ID > Password and Security > Change Password and Privacy and Security > Safety Check routes. There is no option to use my device passcode at all.
@melusine thank you so much for your continued follow ups. I really appreciate that 👍
 

melusine

macrumors newbie
May 5, 2023
9
5
I meant to ask what happens if you try to remove Security Keys?... see this post. Thanks.

I made a previous post about this. Long story short, my Apple ID password is required to make any changes to security keys (adding or removing).


@melusine thank you so much for your continued follow ups. I really appreciate that 👍

Not at all. Thank you to everyone who gave me all the scenarios to test out as well and do keep them coming — the system and my setup is not secure unless every possible exploit and workaround has been thoroughly tested, and I am sure criminals are also trying everything they can as well.
 

Mike Boreham

macrumors 68040
Aug 10, 2006
3,915
1,897
UK
I made a previous post about this. Long story short, my Apple ID password is required to make any changes to security keys (adding or removing).
Yes thanks. I replied to that post, where you also said that Screen Time password provided protection, which it doesn't, because of the forgot password route.

Sounds like Yubikeys are more secure (although @onenorth said not with his Yubikeys).
 

OSXphoto

macrumors 6502
Dec 23, 2013
274
89
Yes thanks. I replied to that post, where you also said that Screen Time password provided protection, which it doesn't, because of the forgot password route.

Sounds like Yubikeys are more secure (although @onenorth said not with his Yubikeys).
It’s interesting enough for me to order two Yubikeys and test them out. Preparing to buy some Yubico stock 😁
 

anakin44011

macrumors regular
Jan 6, 2004
234
889
So...I'm thinking about an old TV show, maybe 15 years ago. When you want to catch a pedophile...you lure them in with fake information and then arrest them (or show them on national TV).

So...why can't Apple make a slightly-alternative iOS for undercover police, and then lure these ******s by publicly typing in passcodes, letting the iPhones get stolen (which would be the first criminal act), then letting them think they are successfully resetting iCloud passwords (which would be the second more serious criminal act), then use the iPhone as a homing device to catch the thieves?

Do this a few thousand times...criminals start rethinking the risk/reward.

It is one thing to steal a $1000 phone - that's a certain level of theft.
It is another thing to steal an identity. That HAS to be worth serious fines and mandatory jail time.
 

onenorth

macrumors 6502a
Sep 15, 2021
621
840
Yes thanks. I replied to that post, where you also said that Screen Time password provided protection, which it doesn't, because of the forgot password route.

Sounds like Yubikeys are more secure (although @onenorth said not with his Yubikeys).
I did not try locking access via Screen Time. That would be two layers: Screen Time plus hardware key. If that works then good but now we're getting into the weeds.
 

Mike Boreham

macrumors 68040
Aug 10, 2006
3,915
1,897
UK
I did not try locking access via Screen Time. That would be two layers: Screen Time plus hardware key. If that works then good but now we're getting into the weeds.
Thanks. Can you clarify whether with just the Yubikeys set, you were able to remove the keys, including by checking the 'forgot password' when asked for Apple ID password?
 

4389842

Cancelled
Jan 7, 2017
179
267
So...why can't Apple make a slightly-alternative iOS for undercover police, and then lure these ******s by publicly typing in passcodes, letting the iPhones get stolen (which would be the first criminal act), then letting them think they are successfully resetting iCloud passwords (which would be the second more serious criminal act), then use the iPhone as a homing device to catch the thieves?

Do this a few thousand times...criminals start rethinking the risk/reward.

It is one thing to steal a $1000 phone - that's a certain level of theft.
It is another thing to steal an identity. That HAS to be worth serious fines and mandatory jail time.
There are probably serious crimes being committed with cases like this and this is probably very traumatizing to individual victims.

However, in the grand scheme of things, this is likely small time compared to other challenges law enforcement have to deal with when likely already being understaffed and underfunded.

When caught, people doing this will likely get serious punishment but the low probability and the resource requirements for what you describe likely do not outweigh the upsides…

It would be much more effective for people to inform themselves about the digital tools they use daily: use MFA, protect your passwords and don’t re-use them everywhere. Use a different recovery phone no. than the phone you take out of the house, set different PINs for all your credit cards, …

Do all of that and these ******s don’t stand a chance.
 

avkills

macrumors 65816
Jun 14, 2002
1,226
1,074
Whoever posted the tip of adding screen time to your own account and turning off the ability to change AppleID stuff without knowing the separate screen time passcode; thank you, that is an excellent suggestion and I have done that on my iPhone.

This is a horrifying story and I can only imagine the headache this has caused.
 

Choco Taco

Suspended
Nov 23, 2022
615
1,065
Whoever posted the tip of adding screen time to your own account and turning off the ability to change AppleID stuff without knowing the separate screen time passcode; thank you, that is an excellent suggestion and I have done that on my iPhone.

This is a horrifying story and I can only imagine the headache this has caused.
I must've missed this, but it's certainly a good idea.
 

Newbie67

macrumors regular
Apr 9, 2015
188
131
Whoever posted the tip of adding screen time to your own account and turning off the ability to change AppleID stuff without knowing the separate screen time passcode; thank you, that is an excellent suggestion and I have done that on my iPhone.

This is a horrifying story and I can only imagine the headache this has caused.
While this is a good first layer to protect iCloud access, note that the password keychain is still accessible if a thief has your code. I’ve taken the step to remove all banking and critical passwords from keychain and save those to a secure password manager. I don’t know if this is enough but it’s better than what I had. (PS I wish Apple had a way to nuke your iPhone from your watch quickly. Would also be nice, as others have said, to have a vault for things like banking apps.)
 

onenorth

macrumors 6502a
Sep 15, 2021
621
840
Thanks. Can you clarify whether with just the Yubikeys set, you were able to remove the keys, including by checking the 'forgot password' when asked for Apple ID password?
When I go to remove the keys, all I need is the phone's passcode.
 

avkills

macrumors 65816
Jun 14, 2002
1,226
1,074
While this is a good first layer to protect iCloud access, note that the password keychain is still accessible if a thief has your code. I’ve taken the step to remove all banking and critical passwords from keychain and save those to a secure password manager. I don’t know if this is enough but it’s better than what I had. (PS I wish Apple had a way to nuke your iPhone from your watch quickly. Would also be nice, as others have said, to have a vault for things like banking apps.)
Yeah I am not sure what the overall answer is. Perhaps a password keychain password that is tied to a separate email that has to be different from your AppleID; where you would need to know that in order to change the keychain password and it only does 2-factor via that email; although one would need to make sure not to have that email account installed on the Phone.
 

Mike Boreham

macrumors 68040
Aug 10, 2006
3,915
1,897
UK
Whoever posted the tip of adding screen time to your own account and turning off the ability to change AppleID stuff without knowing the separate screen time passcode; thank you, that is an excellent suggestion and I have done that on my iPhone.

This is a horrifying story and I can only imagine the headache this has caused.
I was enthusiastic about Screen Time passcode, but it doesn't work... see this post:
https://forums.macrumors.com/thread...p.2388366/page-15?post=32142508#post-32142508
 

onenorth

macrumors 6502a
Sep 15, 2021
621
840
So that makes Yubikeys useless!
They are useful for preventing phishing attacks. But YubiKeys are not useful if someone has your phone and passcode. And I think passkeys will have the same issue as YubiKeys unless Apple changes how passcodes are used.
 

avkills

macrumors 65816
Jun 14, 2002
1,226
1,074
I am going to shoot myself down. Screen Time is not the answer even with ID Recovery key set, and with "Recover screen time password with Apple ID" disabled. Though it does put some more obstacles in the thief’s path. Maybe some less knowledgeable thieves would be stopped. Some options to the sequence below put some delay in the Recovery process but the sequence below leads to instant break in.

I just went through these steps:

  1. Screen Time settings > Change Screen Time Passcode.
  2. Click Forgot Passcode.
  3. Enter Apple ID email but not password… click Forgot Apple ID Password.
  4. This produces a screen asking for the iPhone passcode, which the thief has. Entering the passcode leads to a screen to enter a new Apple ID password.
Anyone can test these steps themselves... no harm is done... you can cancel out at the end before entering your new Apple ID password.
Lame. oh well.
 

marvin_h

macrumors regular
Aug 6, 2015
153
109
So that makes Yubikeys useless!
Yes as long as Apple insists on "one passcode for every different thing" this will be a problem. It's like using the same password for your bank, your email, your library card, your amazon account, the IRS web site, best buy, starbucks, the NRA web site, your DirectTV, and your Instacart......
 

marvin_h

macrumors regular
Aug 6, 2015
153
109
Yeah I am not sure what the overall answer is. Perhaps a password keychain password that is tied to a separate email that has to be different from your AppleID; where you would need to know that in order to change the keychain password and it only does 2-factor via that email; although one would need to make sure not to have that email account installed on the Phone.
One answer is simple: Allow users to opt to have the screen unlock code be different from the code needed to access the keychain. Allow users to choose ONLY biometrics to access some apps and services, and prevent changes to biometrics behind a third passcode/password. Etc. The days of using one password to unlock everything in the world are long gone. It was never a good idea, and it's now an absurdly bad idea.
 