
j.williams888

macrumors newbie
May 2, 2023
1
1
This isn’t a security flaw. There’s nothing to patch. FaceID has made people forget what’s happening every time it’s picked up. Seeing that story go around from journalists that should know better is embarrassing. Why do you think they stopped talking about it? Alphanumeric passcodes are the only way, as long as you don’t forget it.

The fact that if you can’t get past activation lock, your working phone is trash is actually something to be outraged about. At the end of the day Apple owns your device.
 
  • Wow
Reactions: gusmula

danclara

macrumors member
Original poster
May 1, 2023
44
94
I would seriously like an option to use biometrics only. Why can this not be an option?

OK, it could lock you out if your camera fails, but so what? This would be a rare occurrence and it would boost security tenfold.
 
  • Like
Reactions: Asen Ikonomov

danclara

macrumors member
Original poster
May 1, 2023
44
94
This isn’t a security flaw. There’s nothing to patch. FaceID has made people forget what’s happening every time it’s picked up. Seeing that story go around from journalists that should know better is embarrassing. Why do you think they stopped talking about it? Alphanumeric passcodes are the only way, as long as you don’t forget it.

The fact that if you can’t get past activation lock, your working phone is trash is actually something to be outraged about. At the end of the day Apple owns your device.
You think it's correct that ONE CODE, even if it's a 12-digit alphanumeric code, can give total access to your entire digital life?

You must be in the minority with that one.

If this flaw continues, don't be surprised if these criminals find new ways to obtain passcodes. They are WAY too powerful as things stand.
 

danclara

macrumors member
Original poster
May 1, 2023
44
94
Same with iCloud password? My alphanumeric iPhone passcode is different to my iCloud password. Cheers.
Mine was different and hidden. I also had two step authentication for a different mobile number to that of the device.

You can change the iCloud password and disable find my phone just by knowing the phone passcode.

I assume you did not know this? I certainly didn't.

It seems too crazy to be true, but it is.
 

Fred Zed

macrumors 603
Aug 15, 2019
5,821
6,517
Upstate NY. Was FL.
You think it's correct that ONE CODE, even if it's a 12-digit alphanumeric code, can give total access to your entire digital life?

You must be in the minority with that one.

If this flaw continues, don't be surprised if these criminals find new ways to obtain passcodes. They are WAY too powerful as things stand.
Especially with London being a CCTV capital. Any unscrupulous security person can pass the relevant information on to one of their gang members within the pub, restaurant, place of work etc.
 
  • Like
Reactions: Asen Ikonomov

Jackbequickly

macrumors 68040
Aug 6, 2022
3,185
3,277
Moral of this story is to NEVER use your PIN in public places. Once they get your PIN and have your phone, it is over. Getting your PIN is one thing but then getting their hands on your phone makes me think this is organized.
 

iStorm

macrumors 68020
Sep 18, 2012
2,034
2,441
This isn’t a security flaw. There’s nothing to patch. FaceID has made people forget what’s happening every time it’s picked up. Seeing that story go around from journalists that should know better is embarrassing. Why do you think they stopped talking about it? Alphanumeric passcodes are the only way, as long as you don’t forget it.

The fact that if you can’t get past activation lock, your working phone is trash is actually something to be outraged about. At the end of the day Apple owns your device.
How would an alphanumeric passcode help the OP? Presumably, he was being watched… not brute-forced.

Alphanumeric passcodes are more for protecting against brute-force attacks. They do nothing against shoulder-surfing attacks. If an attacker is watching or has a camera on someone, they’ll be seeing every key press. Ideally, one should be covering the keyboard with one hand and typing with the other. That can be difficult to do with an alphanumeric passcode/keyboard, especially on an iPad.

Also, it could actually make it easier for shoulder surfing attackers to figure out the passcode. If they get a partial glimpse of someone typing “I l__e A_pl_e 1990” or “C_@rli_35”, it’s easy to infer what the missing letters are and can fill in the blanks. (Or do some social engineering to find out their dog’s name is Charlie, if they haven’t already figured it out.) No one is going to use something like “!mCm9j@z6Qn4” as their alphanumeric passcode.
 

redmanduck

macrumors newbie
May 2, 2023
2
8
Finally people are talking about it! Someone close to me had his phone stolen and was locked out by the thief knowing JUST the 4-digit PIN; the thief was able to go into Settings and change the iCloud password, then disable iCloud. When disabling iCloud, the iPhone will ask the user to authenticate using the "4-digit PIN", and even if you have 2FA, 3FA, 3000FA, it will lock you out and allow the thief to disassociate your Apple ID from your stolen device.

This is an insane security flaw. Your entire digital life secured by a 4- or 6-digit numeric key. There are groups of thieves that deliberately exploit this: one person would watch you type in your PIN in public and another person would snatch your phone. I know Face ID is a thing, but even with Face ID, I still find myself typing PINs at least once or twice a day for whatever reason.

Apple should acknowledge this asap.
 

Paddle1

macrumors 603
May 1, 2013
5,151
3,604
This isn’t a security flaw. There’s nothing to patch. FaceID has made people forget what’s happening every time it’s picked up. Seeing that story go around from journalists that should know better is embarrassing. Why do you think they stopped talking about it? Alphanumeric passcodes are the only way, as long as you don’t forget it.

The fact that if you can’t get past activation lock, your working phone is trash is actually something to be outraged about. At the end of the day Apple owns your device.
That's not a solution. An alphanumeric passcode is harder to guess, but not necessarily harder to spy on.

The passcode is more powerful than people realize and even that in itself is a problem.
 

Ctrlos

macrumors 65816
Sep 19, 2022
1,377
2,901
This is a tragic story and I'm sorry for the OP to have to go through so much stress.

Anyone's phone passcode should be at least 12 digits long though. A good tip is to use the landline number of your parents or an old friend as you will already have it committed to memory. Another one is to use a long word but type it using T9 so it comes up as an impossibly long number. Again, a memorised quote or bible verse if you're that way inclined is a good place to start from. Even a simple sentence like 'The man went to the shop' comes out as 8443362669336688666844337777446667.

It's difficult for a thief to remember something that long.
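An added example, not code from the post or from any Apple software: it implements the keypad letter-to-digit encoding the post describes, in the multi-tap form where each press of a key appends that key's digit (the form that produces the post's 34-digit string), and then counts how many letter sequences such a digit string can stand for. The point for anyone weighing this advice is that the digits are fully determined by the phrase, so a guess at the phrase is a guess at the passcode; the keypad ambiguity adds only 16 bits of work on the post's own example, far short of the roughly 113 bits a random 34-digit passcode would carry. The keypad layout is the standard one; the function names are mine.

```python
import math

# Letters on each key of a standard phone keypad.
KEYPAD = {"2": "abc", "3": "def", "4": "ghi", "5": "jkl",
          "6": "mno", "7": "pqrs", "8": "tuv", "9": "wxyz"}

# Multi-tap: the n-th letter on a key is typed by pressing the key n times,
# so "h" (second letter on 4) becomes "44". Non-letters are dropped, as the
# post does with spaces.
LETTER_TO_TAPS = {letter: digit * (i + 1)
                  for digit, letters in KEYPAD.items()
                  for i, letter in enumerate(letters)}


def multitap_encode(text: str) -> str:
    """Encode a phrase as the digit string typed on a multi-tap keypad."""
    return "".join(LETTER_TO_TAPS[ch] for ch in text.lower() if ch in LETTER_TO_TAPS)


def _compositions(run_len: int, max_part: int) -> int:
    """Ways to split a run of run_len identical digits into presses of 1..max_part
    taps each, i.e. how many letter sequences one such run can stand for."""
    ways = [1] + [0] * run_len
    for n in range(1, run_len + 1):
        ways[n] = sum(ways[n - p] for p in range(1, min(n, max_part) + 1))
    return ways[run_len]


def count_decodings(digits: str) -> int:
    """Count the letter strings consistent with a multi-tap digit string that has
    no pause markers. Only runs of the same digit are ambiguous ("88" may be
    "u" or "tt"); runs of different digits decode independently."""
    total = 1
    i = 0
    while i < len(digits):
        j = i
        while j < len(digits) and digits[j] == digits[i]:
            j += 1
        total *= _compositions(j - i, len(KEYPAD[digits[i]]))
        i = j
    return total


def decoding_work_bits(digits: str) -> float:
    """Extra bits of uncertainty the keypad encoding adds for someone who knows
    the scheme and guesses phrases rather than digits."""
    return math.log2(count_decodings(digits))


def random_pin_bits(length: int) -> float:
    """Bits a uniformly random numeric passcode of this length would carry."""
    return length * math.log2(10)


if __name__ == "__main__":
    phrase = "The man went to the shop"  # the post's own example phrase
    code = multitap_encode(phrase)
    print(code)
    print(len(code), "digits;", round(random_pin_bits(len(code)), 1), "bits if they were random")
    print(count_decodings(code), "letter strings map to it;",
          decoding_work_bits(code), "bits added by the keypad ambiguity")
```

Running it reproduces the post's digit string and shows that, for an attacker who guesses phrases, the 34 digits buy only 16 bits beyond the guessability of the sentence itself; the length is real protection only against someone who treats the code as random digits.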
 

AlixSPQR

macrumors 65816
Nov 16, 2020
1,078
5,466
Sweden
There should and could be workarounds. For example, if you have another authorized Apple device, you should be able to dismiss and revert a later login, later passcode, and so forth, via this earlier login. There's no problem, as far as I can see, as long as the same iCloud account is in use for all devices.
 

TechnoMonk

macrumors 68030
Oct 15, 2022
2,606
4,116
You think it's correct that ONE CODE, even if it's a 12-digit alphanumeric code, can give total access to your entire digital life?

You must be in the minority with that one.

If this flaw continues, don't be surprised if these criminals find new ways to obtain passcodes. They are WAY too powerful as things stand.
The solutions proposed can legitimately lock people out, trying to fix lack of personal awareness or responsibility. There were folks who wanted Apple to do this for simplicity and recovering the Apple accounts with passcode. I am sorry that this happened to you; it sucks what you're going through. Next time keep your PIN or password safe.
 
  • Like
Reactions: Jumpthesnark

TechnoMonk

macrumors 68030
Oct 15, 2022
2,606
4,116
There should and could be workarounds. For example, if you have another authorized Apple device, you should be able to dismiss and revert a later login, later passcode, and so forth, via this earlier login. There's no problem, as far as I can see, as long as the same iCloud account is in use for all devices.
I like this, if Apple can come up with a procedure to make this happen. Maybe some sort of verification with a passport.
 
  • Like
Reactions: AlixSPQR

FreakinEurekan

macrumors 604
Sep 8, 2011
6,548
3,424
In a nutshell - you’re SOL at this point. Once they have a Trusted Device (your iPhone) and know your passcode they were able to change the password on your Apple ID, and essentially - it’s their Apple ID now. They can cancel any Account Recovery you attempt. Cancel any credit cards you had saved, create a new Apple ID under a different email, and start over.

The real “Flaw” in Apple’s security is that while 2 Factor requires access to both the Password & a Trusted Device or Trusted Phone Number… iOS allows the password to be changed from a Trusted Device as long as you know the passcode of the device. Since they got your iPhone and your passcode…. You’re screwed.
 

jeremysteele

Cancelled
Jul 13, 2011
485
396
Main problem is Face ID is not perfect, requiring users to use a PIN; too bad Apple doesn't give users a choice to use Touch ID.
Touch ID doesn't work for a fairly large number of people, myself included.

Not all fingerprints are of the same quality.
 

danclara

macrumors member
Original poster
May 1, 2023
44
94
In a nutshell - you’re SOL at this point. Once they have a Trusted Device (your iPhone) and know your passcode they were able to change the password on your Apple ID, and essentially - it’s their Apple ID now. They can cancel any Account Recovery you attempt. Cancel any credit cards you had saved, create a new Apple ID under a different email, and start over.

The real “Flaw” in Apple’s security is that while 2 Factor requires access to both the Password & a Trusted Device or Trusted Phone Number… iOS allows the password to be changed from a Trusted Device as long as you know the passcode of the device. Since they got your iPhone and your passcode…. You’re screwed.

Yes exactly, Apple give them the power despite me still having access to the email AND phone numbers that have been associated to the ID for over 15 years.

Because they stole ONE piece of info alongside the device.

I can probably move on at some point. They have all the data on the phone, and even getting my ID back or remote wiping will not help much now. If they want to use the info it is already way too late to stop that. They have lots of personal photos and movies too.

Luckily I backed up my photos and contacts via a third party. But many others will not have done this.

I am still concerned they will try to find sensitive info to bribe me with or attempt identity fraud. Literally nothing I can do now anyway.
 

Choco Taco

Suspended
Nov 23, 2022
615
1,065
This isn’t a security flaw. There’s nothing to patch. FaceID has made people forget what’s happening every time it’s picked up. Seeing that story go around from journalists that should know better is embarrassing. Why do you think they stopped talking about it? Alphanumeric passcodes are the only way, as long as you don’t forget it.

The fact that if you can’t get past activation lock, your working phone is trash is actually something to be outraged about. At the end of the day Apple owns your device.
Yes. It is a security flaw. Hence … this story.
 

Steve121178

macrumors 603
Apr 13, 2010
6,463
7,170
Bedfordshire, UK
Yes exactly, Apple give them the power despite me still having access to the email AND phone numbers that have been associated to the ID for over 15 years.

Because they stole ONE piece of info alongside the device.

I can probably move on at some point. They have all the data on the phone, and even getting my ID back or remote wiping will not help much now. If they want to use the info it is already way too late to stop that. They have lots of personal photos and movies too.

Luckily I backed up my photos and contacts via a third party. But many others will not have done this.

I am still concerned they will try to find sensitive info to bribe me with or attempt identity fraud. Literally nothing I can do now anyway.
Have you asked your network provider to block your SIM & more importantly device by IMEI number? Once blocked it will just be a useless brick.
 
  • Like
Reactions: Asen Ikonomov

antiprotest

macrumors 601
Apr 19, 2010
4,352
16,029
You think it's correct that ONE CODE, even if it's a 12-digit alphanumeric code, can give total access to your entire digital life?

You must be in the minority with that one.

If this flaw continues, don't be surprised if these criminals find new ways to obtain passcodes. They are WAY too powerful as things stand.
It is surely a security flaw.

Ironically, Apple permits you to reset your Apple ID password using your phone passcode so that, we assume, you do not get locked out of your Apple ID, since you are likely to remember your phone passcode even when you forget your less used Apple ID password.

But since this piece of information is much more likely to be entered/leaked in public, it enables thieves to lock you out of the Apple ID.

Surely you would rather be locked out of your Apple ID (hopefully, temporarily) than to have thieves get in your Apple ID and lock you out.

If Apple wants to make it convenient for you to reset the Apple ID password, they should use some other mechanism than a passcode that is easily discovered by others. Even something absurdly insecure like your birthday would be safer in this situation, since those who attempt to reset your Apple ID password on your physical device would likely be strangers (thieves and snatchers).
 
  • Like
Reactions: danclara

Cunir

macrumors regular
Nov 25, 2021
193
223
What I find stupid is that they give you a few different options to tighten your security, like setting up recovery keys, Face IDs, fingerprints and a Screen Time passcode to block account and password changes, but then they let someone just delete the whole lot of them with a single passcode.

The only bit of security that really matters is the device passcode. All of the others are basically useless because they can't stop a thief if he gets hold of it.
 

dewalt

macrumors member
Jun 16, 2009
76
84
Here's how Apple should fix it:
  1. Allow us to prevent iCloud password changes on device without the current password.
  2. Absolutely NO changes in Password & Security without the iCloud password.
  3. Restrict keychain access with the iCloud password or Face ID only.
  4. If iCloud account recovery is needed, the ability to set a waiting period or to bypass it with a recovery key or secondary trusted phone number.
 

danclara

macrumors member
Original poster
May 1, 2023
44
94
My account recovery loop continues.

I am now being told I will receive a call or SMS to my account phone number on 5th May.

Previously this call or SMS did not arrive.

I am not clear why. I am not clear why this process is ONLY automated, with zero human involvement and no one to speak to.
 
  • Sad
Reactions: AlixSPQR

cdsapplefan

macrumors 6502
Feb 15, 2023
402
437
Finally people are talking about it! Someone close to me had his phone stolen and was locked out by the thief knowing JUST the 4-digit PIN; the thief was able to go into Settings and change the iCloud password, then disable iCloud. When disabling iCloud, the iPhone will ask the user to authenticate using the "4-digit PIN", and even if you have 2FA, 3FA, 3000FA, it will lock you out and allow the thief to disassociate your Apple ID from your stolen device.

This is an insane security flaw. Your entire digital life secured by a 4- or 6-digit numeric key. There are groups of thieves that deliberately exploit this: one person would watch you type in your PIN in public and another person would snatch your phone. I know Face ID is a thing, but even with Face ID, I still find myself typing PINs at least once or twice a day for whatever reason.

Apple should acknowledge this asap.
The only way to stop this would be two-form authentication and a 48-hour wait period before you can change the password or do anything significant. This will give the customer time to remote wipe their device and put the phone in Lost Mode, and thus brick 🧱 the device. Hopefully they backed everything up in iCloud. Also have the customer authenticate again via Face ID, AirTag, passcode and close contact. This would be four-form authentication. Very inconvenient, but very safe. You can use your physical cards 💳 in the meantime.
 
  • Like
Reactions: danclara
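A hypothetical model, added here and not Apple's code, of the two account-change policies argued over in this thread: the behaviour FreakinEurekan and antiprotest describe (the device passcode entered on a trusted device is enough to change the Apple ID password at once) beside the policy dewalt's list and cdsapplefan's 48-hour wait propose (an immediate change needs the current password or a recovery key; a passcode-only request is queued behind a waiting period during which any other trusted channel can cancel it). The factor names, the `AccountPasswordPolicy` class and the simulated scenarios are assumptions of this example, and the clock is a plain integer of seconds.

```python
from dataclasses import dataclass
from enum import Enum
from typing import Dict, FrozenSet, Iterable, List, Optional


class Factor(Enum):
    DEVICE_PASSCODE = "device passcode"
    ACCOUNT_PASSWORD = "current account password"
    RECOVERY_KEY = "recovery key"
    TRUSTED_NUMBER_CODE = "code sent to a trusted phone number"


Requirement = FrozenSet[Factor]
HOURS = 3600

# Policy as the thread describes today's behaviour: the passcode alone, on a
# trusted device, authorises an immediate account password change.
PASSCODE_ONLY_POLICY: List[Requirement] = [frozenset({Factor.DEVICE_PASSCODE})]

# Policy along the lines proposed above: an immediate change needs the current
# password or the recovery key. A passcode-only request is not refused outright
# (the owner may have forgotten the password) but is delayed, see below.
STRONG_POLICY: List[Requirement] = [
    frozenset({Factor.ACCOUNT_PASSWORD}),
    frozenset({Factor.RECOVERY_KEY}),
]

# Factors that may cancel a pending change: anything other than the passcode,
# since the passcode is exactly what a thief is assumed to hold.
CANCEL_FACTORS = {Factor.ACCOUNT_PASSWORD, Factor.RECOVERY_KEY, Factor.TRUSTED_NUMBER_CODE}


@dataclass
class PendingChange:
    requested_at: int
    effective_at: int
    cancelled: bool = False


class AccountPasswordPolicy:
    def __init__(self, immediate: List[Requirement], waiting_period_s: int = 0):
        self.immediate = immediate
        self.waiting_period_s = waiting_period_s
        self.pending: Optional[PendingChange] = None
        self.password_changes = 0

    def request_change(self, presented: Iterable[Factor], now: int) -> str:
        """Returns 'applied', 'pending' or 'denied'."""
        shown = frozenset(presented)
        if any(req <= shown for req in self.immediate):
            self.password_changes += 1
            return "applied"
        if Factor.DEVICE_PASSCODE in shown and self.waiting_period_s > 0:
            self.pending = PendingChange(now, now + self.waiting_period_s)
            return "pending"
        return "denied"

    def cancel(self, presented: Iterable[Factor], now: int) -> bool:
        """Cancel a pending change from another trusted channel before it takes effect."""
        if self.pending is None or now >= self.pending.effective_at:
            return False
        if not (set(presented) & CANCEL_FACTORS):
            return False
        self.pending.cancelled = True
        return True

    def advance_to(self, now: int) -> str:
        """Settle the pending change at time `now`: 'none', 'pending', 'cancelled' or 'applied'."""
        if self.pending is None:
            return "none"
        if self.pending.cancelled:
            self.pending = None
            return "cancelled"
        if now >= self.pending.effective_at:
            self.pending = None
            self.password_changes += 1
            return "applied"
        return "pending"


def simulate_thief_with_passcode(policy: AccountPasswordPolicy) -> Dict[str, object]:
    """Constructed scenario: thief has the phone and the passcode; the owner notices
    six hours later and reacts through a code sent to their trusted number."""
    first = policy.request_change({Factor.DEVICE_PASSCODE}, now=0)
    cancelled = policy.cancel({Factor.TRUSTED_NUMBER_CODE}, now=6 * HOURS)
    final = policy.advance_to(now=49 * HOURS)
    return {"first": first, "cancelled": cancelled, "final": final, "changes": policy.password_changes}


def simulate_forgotten_password(policy: AccountPasswordPolicy) -> Dict[str, object]:
    """Constructed scenario: the real owner forgot the password, has only the passcode, and waits."""
    first = policy.request_change({Factor.DEVICE_PASSCODE}, now=0)
    final = policy.advance_to(now=49 * HOURS)
    return {"first": first, "final": final, "changes": policy.password_changes}


if __name__ == "__main__":
    print("passcode-only policy, thief:", simulate_thief_with_passcode(AccountPasswordPolicy(PASSCODE_ONLY_POLICY)))
    print("strong policy, thief:", simulate_thief_with_passcode(AccountPasswordPolicy(STRONG_POLICY, 48 * HOURS)))
    print("strong policy, forgetful owner:", simulate_forgotten_password(AccountPasswordPolicy(STRONG_POLICY, 48 * HOURS)))
```

Under the passcode-only policy the thief's request is applied at once and there is nothing left for the owner to cancel; under the delayed policy the same request sits for 48 hours, the owner's trusted number cancels it, and no change happens, while an owner who genuinely forgot the password and does nothing still gets the change after the wait. The waiting period costs convenience exactly where the thread says it should.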