
dk001

macrumors demi-god
Oct 3, 2014
11,135
15,487
Sage, Lightning, and Mountains
Not really. Experian got hacked. Years ago a tidy sum of money was taken from Citibank. When a device passcode is used to change the Apple ID password, the cards in the wallet are invalidated. All my financial apps that depend on Face ID have to be reenrolled with the user logon.
Hacked is not the same. Nice of you to bring in additional criteria.

It’s true unsecured apps and iCloud can be gotten at, but it’s a personal decision how far one wants to “protect” themselves. And not have mail and iCloud on the phone.
Same old excuses. Smartphones have been pushed to do everything and Apple has been leading the charge.
Secure and Private? Not really.

If we forget all of that I agree it’s a theoretical weakness because a security hole that’s difficult to get to that requires physical access and some other knowledge can’t scale.
Say what?

So if a vulnerability exists: security score := security score -1? The iPhone is fairly secure even if it’s ripped from your hand. Like your atm pin keep your passcode safe.

No! If the “thief” has your access code you are pretty much screwed. This is not something insurmountable to fix.
Fairly secure is limited.
 

vladi

macrumors 65816
Jan 30, 2010
1,008
617
I know it's convenient but I do not have a single app on my phone that is linked to my banking info. I do not even have PayPal app, I just use webpage when I need to. Of course I have web browser without autofill and remember passwords or credit cards. No Amazon, no Walmart, no eBay, no apps that require account with tied bank account info.

If you need to have a card tied to an account such as Apple ID use burner debit cards and refill them before the purchase.

My biggest gripe is that you can't log out of Whatsapp and other IM apps without having another phone at your disposal. You can't do it from desktop OS. That's a huge omission.
 

I7guy

macrumors Nehalem
Nov 30, 2013
35,145
25,241
Gotta be in it to win it
Hacked is not the same. Nice of you to bring in additional criteria.
You’re the one who brought out the comparison to financial institutions.
Same old excuses. Smartphones have been pushed to do everything and Apple has been leading the charge.
Secure and Private? Not really.
You mean same old tired opinions. Security and privacy. Apple leads the charge.
Say what?
Yep.
No! If the “thief” has your access code you are pretty much screwed. This is not something insurmountable to fix.
Fairly secure is limited.
If a thief gets your atm pin, house keys etc, you’re screwed as well. But not really depending on what’s on your phone may not be a hill of beans. At any rate I’m not taking the edge case and arguing as if it were the majority case.
 

dk001

macrumors demi-god
Oct 3, 2014
11,135
15,487
Sage, Lightning, and Mountains
You’re the one who brought out the comparison to financial institutions.
Nice reinterpretation of my post. That’s cool.
You mean same old tired opinions. Security and privacy. Apple leads the charge.
No they don’t. Most of their claims are more marketing than substance. Sadly.
Yep.

If a thief gets your atm pin, house keys etc, you’re screwed as well. But not really depending on what’s on your phone may not be a hill of beans. At any rate I’m not taking the edge case and arguing as if it were the majority case.
Apples and Potatoes.
 
  • Haha
Reactions: I7guy

Shirasaki

macrumors P6
May 16, 2015
16,263
11,764
If the “thief” has your access code you are pretty much screwed.
Let’s NOT FORGET most people still use a 4-digit or 6-digit passcode, which is super easy to remember for thieves compared to an alphanumeric passcode. That’s way too much weight those digits are designed to carry.
 
  • Like
Reactions: marvin_h and dk001

I7guy

macrumors Nehalem
Nov 30, 2013
35,145
25,241
Gotta be in it to win it
Nice reinterpretation of my post. That’s cool.
No reinterpretation necessary. They were your words in your example.
No they don’t. Most of their claims are more marketing than substance. Sadly.
Apple lives up to their hype with their marketing regarding privacy. You don’t think so I do. Two people having different opinions of apple. Whoda thunk?
Apples and Potatoes.
Same difference. Apple maximizes convenience and minimizes security risk. That risk will never be zero, while convenience with security will never be 100%.
 

marvin_h

macrumors regular
Aug 6, 2015
153
109
The trouble is this is not an either or situation. These discussions make the false assumption that either the passcode unlocks everything OR users need to remember and use different codes for different things. But both approaches could be true at the same time, or, rather, users could be allowed to choose which approach they prefer.

The passcode CAN be allowed to continue to unlock everything, while at the same time Apple COULD allow users that don't want one password for all their valuables to be the same to choose a separate screen unlock code versus master of the universe code.

No security system is perfect, so the fact that a more secure system that a user can opt into if they want to still isn't a perfectly secure system is a straw man argument.
 

marvin_h

macrumors regular
Aug 6, 2015
153
109
The weak link here is device passcode does literally everything, including resetting Apple ID password.
Yep and it would be a nice fix to offer the option to separate those functions.

My biggest gripe is that you can't log out of Whatsapp and other IM apps without having another phone at your disposal.

Maybe not specifically on topic but this got me thinking and curious. I don't use that app. To fully log out and make it hard for a bad actor: Why not just delete the app as a way to thoroughly log out?
 

I7guy

macrumors Nehalem
Nov 30, 2013
35,145
25,241
Gotta be in it to win it
[…]

No security system is perfect, so the fact that a more secure system that a user can opt into if they want to still isn't a perfectly secure system is a straw man argument.
The truism is that apple has 2 billion iOS users and just won’t willy-nilly start adding “security” options. And when it does it still won’t be 100% secure. Now that’s not to say apple won’t do something to make the phone more secure but not less convenient.

They may do something to make the casual phishing of device passcodes more difficult. We’ll see. One thing I really would like is an option to force the enablement of Face ID of certain apps, including iCloud. Maybe under screen time.
 
  • Haha
Reactions: dk001

Shirasaki

macrumors P6
May 16, 2015
16,263
11,764
Maybe not specifically on topic but this got me thinking and curious. I don't use that app. To fully log out and make it hard for a bad actor: Why not just delete the app as a way to thoroughly log out?
Unless you anticipate a stolen incident, I don’t think anyone would “pre-delete” apps in such scenario. Yes, Find My can try to issue a remote erase command, but that requires internet connection, something that is unlikely to have if the SIM card is revoked shortly after stolen incident.
 

vladi

macrumors 65816
Jan 30, 2010
1,008
617
Yep and it would be a nice fix to offer the option to separate those functions.



Maybe not specifically on topic but this got me thinking and curious. I don't use that app. To fully log out and make it hard for a bad actor: Why not just delete the app as a way to thoroughly log out?

You can log out if you have a device on you but if you lose the device you can't remotely log out. That's what I meant.
 

jozero

macrumors 6502
Sep 14, 2009
350
391
I am going to shoot myself down. Screen Time is not the answer even with ID Recovery key set, and with "Recover screen time password with Apple ID" disabled. Though it does put some more obstacles in the thief’s path. Maybe some less knowledgeable thieves would be stopped. Some options to the sequence below put some delay in the Recovery process but the sequence below leads to instant break in.

I just went through these steps:

  1. Screen Time settings > Change Screen Time passcode.
  2. Click Forgot Passcode
  3. Enter Apple ID email but not password…click forgot Apple ID password
  4. This produces a screen asking for iPhone Passcode which thief has. Enter Passcode leads to screen to enter new Apple ID password.
Anyone can test these steps themselves ....no harm is done... you can cancel out at the end before entering your new Apple ID password.

Damn. Good catch. Yup the steps you outline negate this trick
 
  • Like
Reactions: dk001

KhunJay

macrumors 6502a
Sep 16, 2013
500
217
I don't consider any smartphone (even apple) to be 100% safe (see OP's post #1)
For this reason, I don't store any passwords, sensitive bank or card information
on my iPhone. Neither do I back up to iCloud...just manual backups at reasonable
intervals. At the first sign of trouble, I would wipe my iPhone remotely. Even though
all the stuff on it is boring and completely blackmail-proof.

If someone stole my phone they will only get a slightly out of date phone (iPX)
Laugh all you want but I sleep rather well.
 

jaworq

Suspended
May 8, 2023
68
68
First thing I check in every new update is this Screen Time bug.
I am going to shoot myself down. Screen Time is not the answer even with ID Recovery key set, and with "Recover screen time password with Apple ID" disabled. Though it does put some more obstacles in the thief’s path. Maybe some less knowledgeable thieves would be stopped. Some options to the sequence below put some delay in the Recovery process but the sequence below leads to instant break in.

I just went through these steps:

  1. Screen Time settings > Change Screen Time passcode.
  2. Click Forgot Passcode
  3. Enter Apple ID email but not password…click forgot Apple ID password
  4. This produces a screen asking for iPhone Passcode which thief has. Enter Passcode leads to screen to enter new Apple ID password.
Anyone can test these steps themselves ....no harm is done... you can cancel out at the end before entering your new Apple ID password.

I check after every update to see if anything has changed but unfortunately still nothing. Still same bug in iOS 16.6 =/

So, kids still be like: "Mom wanted to limit TikTok app on the phone? I can easily disable this lock or change the iCloud password and limit her iCloud access or buy a new phone with her money" xD
 

fzJNotIBOxgnbqejSeVCvJScL

macrumors regular
Jun 16, 2021
116
49
Hey everyone.

Can someone tell me whether emails can be accessed in the browser at www.icloud.com -- even if

- Advanced Data Protection is enabled
- and without being able to allow temporary web access?

I'm asking because I would like to know whether I can access iCloud emails even if, for example, my iPhone is stolen.

(I don't have an iPhone yet.)
 

marvin_h

macrumors regular
Aug 6, 2015
153
109
All you can get on iCloud are your iCloud emails, and then only if you are able to log in, which means (in the case you described) that you haven't used your phone for two factor authentication, so, no, I would not rely on that.

I would recommend using a non iCloud email, ie, one not associated with your Apple ID, and two factor security not related to your phone and not related to your phone number (no SMS, etc).
 

Ameer_1

macrumors 6502
Jul 29, 2023
441
580
Boca Raton, Florida
I work in London and was at a restaurant/bar on Thursday. I use FaceID and have a 6 digit pin. During the night my FaceID must have failed at some point.

My phone went missing from my pocket and I realised within 5 mins. I was very suspicious. I instantly went on my friend's phone and attempted to login to my icloud. My password did not work.

Long story short from here but it had been stolen and the thieves had my passcode. They locked me out within minutes. There is a massive security flaw that allows this to happen.

I am reasonably cyber security aware (or so I thought). I had two step authentication set up on iCloud. I used my wife's number for this, thinking that makes things way more secure. It does not.

Apple allowed the thief to lock me out and change my password for icloud.

They have had full control of my phone and data for 5 days now. I can't disable my account and I can't login.

I am stuck in a recovery loop. 1 day later I had a new sim with my phone number. I can verify the code for this and also my wife's number. I verify the code sent to my email that I have regained control of.

Final request was for me to enter my bank card in full. I did this originally but I have had to cancel all cards as the thieves used my Apple pay to buy £1000s in Apple products!

I have visited an Apple store with my passport but absolutely nothing helps me. The power is with the criminals and I cannot stop them.

I waited 72 hours for recovery but then heard nothing. No sms or email.

I was told to try recovery again but it has gone back to where I was 5 days ago.

Meanwhile the criminals are using my WhatsApp to extort money from my contacts (1000+ of them) pretending to be me needing money. I have found out 4 have sent money and it could be a lot more.


I am powerless to stop this.

Does anyone know why my recovery is failing despite having all the information Apple asked me for?

Are the criminals with my device able to block my request from the device?

I haven't slept in 5 days with worry. They also sent threatening messages from my phone to my wife, with photos of my children.

Still Apple will do nothing to help. It is sickening.
Here is a list of credit cards that include cell phone protection insurance
 

throAU

macrumors G3
Feb 13, 2012
9,198
7,353
Perth, Western Australia
Long story short from here but it had been stolen and the thieves had my passcode. They locked me out within minutes. There is a massive security flaw that allows this to happen.

Sorry to hear but I’m not exactly sure what you expect if someone has your passcode.
It’s like complaining that someone stole your car after you left your keys in it.

I guess the flaw is not enabling you to regain control of your account, but as above… your passcode should not be divulged...
 

fzJNotIBOxgnbqejSeVCvJScL

macrumors regular
Jun 16, 2021
116
49
All you can get on iCloud are your iCloud emails, and then only if you are able to log in, which means (in the case you described) that you haven't used your phone for two factor authentication, so, no, I would not rely on that.

I would recommend using a non iCloud email, ie, one not associated with your Apple ID, and two factor security not related to your phone and not related to your phone number (no SMS, etc).
Thanks for your answer. Have you ever checked email via iCloud with ADP enabled and without giving web access?

Two people told me that Advanced Data Protection doesn't allow access to iCloud and Mail. And two others assert the opposite. 😅

(For two-factor authentication, I can save a second phone number that is linked to another phone.)
 

MYZ

macrumors regular
Nov 29, 2021
114
73
Canada
I haven't read through this full thread, so forgive me if I'm repeating someone else. But isn't there already an easy way to block this scenario?

Just set a longer, more complex passcode? e.g. 12 digits with numbers, upper and lowercase letters, symbols, etc.

Hasn't that been an option since at least iOS 14 or earlier?

Though I agree Apple should make it very clear, and give multiple warnings after someone declines that.
 

Night Spring

macrumors G5
Jul 17, 2008
14,883
8,054
I haven't read through this full thread, so forgive me if I'm repeating someone else. But isn't there already an easy way to block this scenario?

Just set a longer, more complex passcode? e.g. 12 digits with numbers, upper and lowercase letters, etc.,

I'm sure that's been an option since at least iOS 14 or earlier?
It's not very practical, especially since FaceID fails for me multiple times a day.
 

MYZ

macrumors regular
Nov 29, 2021
114
73
Canada
It's not very practical, especially since FaceID fails for me multiple times a day.
Huh, didn't know FaceID is that unreliable, I'm still on TouchID phones and I can't remember the last time it failed with dry fingers.

Though the extra inconvenience is true, it's still much less than any possible 2FA implementation.
 