
Howard2k

macrumors 603
Mar 10, 2016
5,699
5,648
Isn’t it the same issue with ANY security, though? If one provides to a malicious actor (intentionally or unintentionally) the means to authenticate to their device, that user has effectively rendered a large number of security protections ineffective. The most insecure vector of any device is the user with access or admin permissions to that device.

The best thing about stories like this is that it helps people to understand some of what makes them a target. While folks have gotten away with it for years, they will now understand that they shouldn’t enter their phone’s PIN in public without taking steps to ensure they’re not seen.


Agreed.

Although some are arguing, and I can't entirely disagree with them either, that Apple should have an option to secure the actual iCloud account with something other than iPhone PIN.

But simplistically, yes, giving away your PIN should be assumed to be devastating.
 

Choco Taco

Suspended
Nov 23, 2022
615
1,065
Isn’t it the same issue with ANY security, though? If one provides to a malicious actor (intentionally or unintentionally) the means to authenticate to their device, that user has effectively rendered a large number of security protections ineffective. The most insecure vector of any device is the user with access or admin permissions to that device.

The best thing about stories like this is that it helps people to understand some of what makes them a target. While folks have gotten away with it for years, they will now understand that they shouldn’t enter their phone’s PIN in public without taking steps to ensure they’re not seen.
If someone has access to the device, it is a much more dangerous situation. But that doesn't change the fact that if someone gets access to your iPhone and they know your passcode, they can pretty much lock you out of your entire existence with that passcode. There needs to be a second layer of security for situations like this. Period. The iPhone pin shouldn't have the far-reaching capabilities that it does.
 

danclara

macrumors member
Original poster
May 1, 2023
44
94
Isn’t it the same issue with ANY security, though? If one provides to a malicious actor (intentionally or unintentionally) the means to authenticate to their device, that user has effectively rendered a large number of security protections ineffective. The most insecure vector of any device is the user with access or admin permissions to that device.

The best thing about stories like this is that it helps people to understand some of what makes them a target. While folks have gotten away with it for years, they will now understand that they shouldn’t enter their phone’s PIN in public without taking steps to ensure they’re not seen.

Lots of sensible discussion in here, but a handful of posters like you who miss the point really.

Pins can absolutely be stolen even if you do your best to hide them. What if you are violently attacked for it? Given the power the pin holds, this could sadly happen more often now, until this exploit is fixed.

The value of this pin is completely overpowered for all the reasons listed in this thread.
 

Kerry78

macrumors 6502
Sep 14, 2016
296
109
I work in London and was at a restaurant/bar on Thursday. I use FaceID and have a 6 digit pin. During the night my FaceID must have failed at some point.

My phone went missing from my pocket and I realised within 5 mins. I was very suspicious. I instantly went on my friend's phone and attempted to log in to my iCloud. My password did not work.

Long story short from here but it had been stolen and the thieves had my passcode. They locked me out within minutes. There is a massive security flaw that allows this to happen.

I am reasonably cyber security aware (or so I thought). I had two step authentication set up on iCloud. I used my wife's number for this, thinking that makes things way more secure. It does not.

Apple allowed the thief to lock me out and change my password for iCloud.

They have had full control of my phone and data for 5 days now. I can't disable my account and I can't login.

I am stuck in a recovery loop. 1 day later I had a new sim with my phone number. I can verify the code for this and also my wife's number. I verify the code sent to my email that I have regained control of.

Final request was for me to enter my bank card in full. I did this originally but I have had to cancel all cards as the thieves used my Apple Pay to buy £1000s in Apple products!

I have visited an Apple store with my passport but absolutely nothing helps me. The power is with the criminals and I cannot stop them.

I waited 72 hours for recovery but then heard nothing. No sms or email.

I was told to try recovery again but it has gone back to where I was 5 days ago.

Meanwhile the criminals are using my WhatsApp to extort money from my contacts (1000+ of them) pretending to be me needing money. I have found out 4 have sent money and it could be a lot more.


I am powerless to stop this.

Does anyone know why my recovery is failing despite having all the information Apple asked me for?

Are the criminals with my device able to block my request from the device?

I haven't slept in 5 days with worry. They also sent threatening messages from my phone to my wife, with photos of my children.

Still Apple will do nothing to help. It is sickening.
Sorry this happened to you. Hope you had the phone blacklisted, as it will prevent it being used by the gang responsible.

Hope you manage to get it sorted!
 

Unregistered 4U

macrumors G4
Jul 22, 2002
10,610
8,628
A simple way for Apple to fix this is to require 2FA to change the Apple ID password, either with a OTP through another registered device (not email) or an authenticator app on the phone that unlocks with biometrics.
But, this is essentially a solution for “I gave someone my phone and access credentials.” I know it’s not being “given” in intent, but the end result is still the same. The process proposed could work, but if one takes care when entering their PIN, the “I gave someone my phone and access credentials” doesn’t exist anymore.
 

Unregistered 4U

macrumors G4
Jul 22, 2002
10,610
8,628
If someone has access to the device, it is a much more dangerous situation. But that doesn't change the fact that if someone gets access to your iPhone and they know your passcode, they can pretty much lock you out of your entire existence with that passcode. There needs to be a second layer of security for situations like this. Period. The iPhone pin shouldn't have the far-reaching capabilities that it does.
So, the first layer of security is FaceID. The second layer of security is the PIN (which should be entered in such a way that no one can see it being entered). So, a THIRD layer of security is needed for those that can’t handle the requirements for using the second layer.
 

onenorth

macrumors 6502a
Sep 15, 2021
621
840
But, this is essentially a solution for “I gave someone my phone and access credentials.”. I know it’s not being “given” in intent, but the end result is still the same. The process proposed could work, but if one takes care when entering their PIN, the “I gave someone my phone and access credentials” doesn’t exist anymore.
In theory, yes. In practice, not necessarily. Phones are different in the sense that we carry them with us everywhere and use them in many public spaces, unlike, say, laptops. It is much more likely for someone to catch us entering our passcode because the nature of the OS is such that we are unlocking it every single time we pick up the device. Which is a lot. Maybe an even better solution is not to use our phones in public unless absolutely necessary, or not at all. But good luck getting people to do that.
 

Choco Taco

Suspended
Nov 23, 2022
615
1,065
So, the first layer of security is FaceID. The second layer of security is the PIN (which should be entered in such a way that no one can see it being entered). So, a THIRD layer of security is needed for those that can’t handle the requirements for using the second layer.
Face ID is not a layer of security. It's just for convenience. The only thing anyone needs is the passcode to the phone. Then they can do whatever they want. This is a problem.
 

laptech

macrumors 601
Apr 26, 2013
4,130
4,455
Earth
Identity theft is now your biggest problem because they have access to ALL of your personal information. They will be able to take out loans, credit cards, finance deals on cars and other things. You need to protect yourself from such a thing happening, meaning you need to contact the police, telling them your phone was stolen and that the criminals have been using it to take money from your bank account. You need to let your employer know, any insurance company you use, your telephone company, your bank and credit card companies and any other financial body you use. You need to email all the social media companies you use telling them to block your accounts; you need to tell WhatsApp to block your account so the thieves cannot abuse those in your contact list. You say you have children; if they are of school age you need to inform the school, because if you do not and something happens, all they will say is 'why did you not inform us that this had happened, because we could have taken steps to do something about it'.
 

Unregistered 4U

macrumors G4
Jul 22, 2002
10,610
8,628
Lots of sensible discussion in here, but a handful of posters like you who miss the point really.

Pins can absolutely be stolen even if you do your best to hide them. What if you are violently attacked for it? Given the power the pin holds, this could sadly happen more often now, until this exploit is fixed.

The value of this pin is completely overpowered for all the reasons listed in this thread.
If violent attack is the course of action someone has decided to take, there’s NO SECURITY IN THE WORLD that can prevent that person from getting whatever they want from the target (especially if that target is averse to pain). With a well wielded pipe wrench, even FaceID can be quite effectively defeated. And any 2 or 3 factor authentication can also be defeated as long as the pipe wrench is still in the vicinity and prepared to swing again. In that case, the attacker isn’t “stealing” anything so much as the user is “giving” the credentials in an effort to avoid harm.

Heck, just from the THREAT of violence, people have been driven from ATM to ATM withdrawing as much as is allowed… and that doesn’t require the attacker to EVER know what the PIN is. At that point, the only saving grace is effectively avoiding being a target in the first place. There’s nothing Apple can do to help someone under duress NOT provide everything the attacker is asking for.

Outside of a violent attack (which, as I said, can gain an attacker EVERYTHING they want) I AM curious as to how a PIN could be “stolen” from someone doing their “best” (which, as someone else has said, could include going to the bathroom) to hide it. I’m also curious as to how a phone can go missing by someone doing their “best” to keep it in their possession. Entering a PIN in full view of others then laying the phone face up on a table are not examples of “best” in this case.
 

Unregistered 4U

macrumors G4
Jul 22, 2002
10,610
8,628
In theory, yes. In practice, not necessarily. Phones are different in the sense that we carry them with us everywhere and use them in many public spaces, unlike, say, laptops. It is much more likely for someone to catch us entering our passcode because the nature of the OS is such that we are unlocking it every single time we pick up the device. Which is a lot. Maybe an even better solution is not to use our phones in public unless absolutely necessary, or not at all. But good luck getting people to do that.
And this is PRECISELY what people are learning about through stories like these. That people are actively LOOKING to see what their passcode is. They don’t have to be an “important” person to be targeted… and that’s what most people likely assumed.

Some may not want to make a “big dramatic deal” of putting their phone under their jacket or a tablecloth to ensure no one is looking at their code fearful of what the folks they are out with would think. Stories like this should remove that particular bit of social anxiety. And the same for those that like to keep their phone handy next to them so they can see notifications as they happen. It means one can keep eye contact with the folks you’re with while also keeping tabs on those they’re not with. But NOW they can tell their friends that are not there that they kept their phone secured on their person while they were out, so they couldn’t respond as quickly.

we are unlocking it every single time we pick up the device.
With FaceID or TouchID most of the time. And, those folks are ignored by attackers because they’re looking for the easier target that JUST entered their PIN. And actually, now that I think of it, I would imagine that anyone LOOKING for folks entering their PINs can spot them easily, because everyone else is just picking up the phone and putting it back down (having unlocked it biometrically).

Maybe an even better solution is not to use our phones in public unless absolutely necessary, or not at all. But good luck getting people to do that.
More like “Don’t use your PIN in public unless absolutely necessary” and “IF you do, take precautions to avoid it being seen”. And, I’m betting that one won’t need luck to get folks to do that, especially as stories like these are being reported more and more frequently. :)
 

Unregistered 4U

macrumors G4
Jul 22, 2002
10,610
8,628
Better low tech solution and much easier to put into action sooner rather than later… Apple should have an option to randomize the 9-key keypad after each press for those that use a 4-6 digit PIN and want to use their phone in the open. Loss of muscle memory would impact some, but my guess is that they’d rather use their phone in the open, regardless of how insecure that is, and this would mean anyone just going by where the user tapped would no longer be getting useful information.

Of course, that doesn’t help people who shout their phone PIN across the table for their friend to unlock because the phone locked when they handed it over and they simply MUST share the meme on their screen, but… baby steps.
 
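The randomized keypad idea above can be checked with a small simulation. This is an added example, not code from the thread or from Apple: it assumes a ten-digit keypad (the numeric keys 0-9), a user who always taps the key showing the digit they want, and a shoulder surfer who can see only which key position was tapped and assumes the standard layout. With a fixed layout the observed positions are the PIN; with a reshuffle after every press they carry no information about it.

```python
"""Shoulder-surfing simulation: fixed keypad vs keypad reshuffled after each press.

Added example. Constructed model: the observer sees tap positions only, never the
digits drawn on the keys (a camera pointed at the screen would still win).
"""
import random

DIGITS = "0123456789"  # assumption: ten digit keys, position i normally shows digit i


class Keypad:
    def __init__(self, rng: random.Random, shuffle_each_press: bool):
        self.rng = rng
        self.shuffle_each_press = shuffle_each_press
        self.layout = list(DIGITS)  # layout[position] == digit currently drawn there
        if shuffle_each_press:
            self._reshuffle()

    def _reshuffle(self) -> None:
        self.rng.shuffle(self.layout)

    def position_of(self, digit: str) -> int:
        """The key the user has to tap to enter `digit` under the current layout."""
        return self.layout.index(digit)

    def press(self, position: int) -> str:
        """Register a tap; returns the digit that was drawn at that position."""
        digit = self.layout[position]
        if self.shuffle_each_press:
            self._reshuffle()  # the proposal: new layout before the next tap
        return digit


def enter_pin(keypad: Keypad, pin: str):
    """User enters `pin`; returns (digits the device received, positions an observer saw)."""
    observed_positions = []
    entered = ""
    for digit in pin:
        pos = keypad.position_of(digit)
        observed_positions.append(pos)
        entered += keypad.press(pos)
    return entered, observed_positions


def observer_guess(positions) -> str:
    """Shoulder surfer's reconstruction, assuming the standard layout."""
    return "".join(DIGITS[p] for p in positions)


def surf_success_rate(pin: str, trials: int, shuffle: bool, seed: int = 1) -> float:
    """Fraction of entry sessions in which position-only observation recovers the PIN."""
    rng = random.Random(seed)
    hits = 0
    for _ in range(trials):
        keypad = Keypad(rng, shuffle)
        entered, positions = enter_pin(keypad, pin)
        assert entered == pin  # the legitimate user is never inconvenienced by the reshuffle
        hits += observer_guess(positions) == pin
    return hits / trials


if __name__ == "__main__":
    print("fixed layout   :", surf_success_rate("4271", 200, shuffle=False))
    print("reshuffled     :", surf_success_rate("4271", 200, shuffle=True))
```

Under the fixed layout the observer recovers the PIN every time; with reshuffling the hit rate collapses to the chance level of a random guess (one in ten per digit). The caveat the post already hints at still applies: this only blinds an observer who sees hand movement, not one who films the screen.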

Unregistered 4U

macrumors G4
Jul 22, 2002
10,610
8,628
Face ID is not a layer of security. It's just for convenience. The only thing anyone needs is the passcode to the phone. Then they can do whatever they want. This is a problem.
Understood. Just another level of security is required for those that provide both their device and their passcode to others, either intentionally or unintentionally.
 

onenorth

macrumors 6502a
Sep 15, 2021
621
840
More like “Don’t use your PIN in public unless absolutely necessary” and “IF you do, take precautions to avoid it being seen”. And, I’m betting that one won’t need luck to get folks to do that, especially as stories like these are being reported more and more frequently. :)
Look, I agree with what you are saying, but that doesn't mean Apple shouldn't offer a better solution for these situations. Even if it is imperfect it is still better than what is there now, which is "passcode unlocks everything and there is nothing else that can be done except hide your passcode from everyone else."

All security is imperfect, but the more difficult it becomes to take over someone's account, the better. The thieves move on to easier targets.

Even if there was a 30 minute waiting period (or some configurable time limit) to reset the Apple ID password, that would give victims of theft some time to remotely lock the device.

Something - anything - would be welcome.
 

TechnoMonk

macrumors 68030
Oct 15, 2022
2,606
4,116
Look, I agree with what you are saying, but that doesn't mean Apple shouldn't offer a better solution for these situations. Even if it is imperfect it is still better than what is there now, which is "passcode unlocks everything and there is nothing else that can be done except hide your passcode from everyone else."

All security is imperfect, but the more difficult it becomes to take over someone's account, the better. The thieves move on to easier targets.

Even if there was a 30 minute waiting period (or some configurable time limit) to reset the Apple ID password, that would give victims of theft some time to remotely lock the device.

Something - anything - would be welcome.
What if someone urgently needs to reset a password? I don’t think a time limit is the right way to do it, because someone can’t keep their passcode and device safe. I think they should have the ability to authenticate password changes from a second device.

1. Users with two apple devices, second level check to reset/confirm password change from other device.
2. One device, need both password and passcode before making account changes.
 

Paddle1

macrumors 603
May 1, 2013
5,151
3,604
Look, I agree with what you are saying, but that doesn't mean Apple shouldn't offer a better solution for these situations. Even if it is imperfect it is still better than what is there now, which is "passcode unlocks everything and there is nothing else that can be done except hide your passcode from everyone else."

All security is imperfect, but the more difficult it becomes to take over someone's account, the better. The thieves move on to easier targets.

Even if there was a 30 minute waiting period (or some configurable time limit) to reset the Apple ID password, that would give victims of theft some time to remotely lock the device.

Something - anything - would be welcome.
Agreed. It's not realistic for people to never enter their passcode in public where a camera or another person can see, the way things work right now.
 

Paddle1

macrumors 603
May 1, 2013
5,151
3,604
OP hope police are

what if some one urgently needs to reset a password. I don’t think time limit is the right way to it, coz some one can’t keep their passcode and device safe. I think they should have ability from second device to authenticate the password changes.

1. Users with two apple devices, second level check to reset/confirm password change from other device.
2. One device, need both password and passcode before making account changes.
Perhaps they could implement a 24 hour wait period to changing the Apple ID password that can be bypassed within 5 minutes or so with Touch ID or Face ID when enabled.

And also require Apple ID password to edit/disable Touch or Face ID. Of course this would all be optional but default as a deterrent.
 
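The three proposals in this part of the thread (a waiting period before the Apple ID password can change, approval from a second trusted device or from passcode plus account password, and a biometric bypass of the wait) can be expressed as one small policy. The code below is an added example written for this discussion, not Apple's implementation and not something any poster provided; the request fields, the 24-hour delay and the 5-minute biometric window are taken from the posts above, and everything else (names, the cancel path) is an assumption.

```python
"""Toy policy for account-change requests (e.g. changing the account password).

Added example, not Apple's logic. Models the thread's proposals:
  - approval from another registered device, or passcode + account password -> allow now
  - a recent successful biometric unlock                                    -> allow now
  - device passcode alone                                                   -> start a waiting
    period the owner can cancel from elsewhere (e.g. after marking the phone lost)
  - no passcode                                                             -> deny
"""
from dataclasses import dataclass
from enum import Enum
from typing import Dict, Optional, Set, Tuple


class Decision(Enum):
    ALLOW = "allow"
    DELAY = "delay"
    DENY = "deny"


@dataclass(frozen=True)
class ChangeRequest:
    request_id: str
    has_passcode: bool                  # device passcode was entered on this device
    has_account_password: bool          # account password also entered (TechnoMonk's option 2)
    other_device_approved: bool         # OTP/approval from a second trusted device (option 1)
    last_biometric_ok: Optional[float]  # time of last successful Face ID/Touch ID, None if failed
    requested_at: float


class AccountChangePolicy:
    def __init__(self, delay_seconds: float = 24 * 3600, biometric_window: float = 300):
        self.delay_seconds = delay_seconds          # Paddle1: 24 hour wait ...
        self.biometric_window = biometric_window    # ... bypassed within ~5 min by biometrics
        self._pending: Dict[str, float] = {}        # request_id -> time the wait expires
        self._cancelled: Set[str] = set()

    def evaluate(self, req: ChangeRequest, now: float) -> Tuple[Decision, float]:
        """Return (decision, seconds the requester still has to wait)."""
        if not req.has_passcode or req.request_id in self._cancelled:
            return Decision.DENY, 0.0
        if req.other_device_approved or req.has_account_password:
            return Decision.ALLOW, 0.0
        if req.last_biometric_ok is not None and 0 <= now - req.last_biometric_ok <= self.biometric_window:
            return Decision.ALLOW, 0.0
        # Passcode only: the change is queued, and the owner is told about it.
        ready_at = self._pending.setdefault(req.request_id, req.requested_at + self.delay_seconds)
        if now >= ready_at:
            return Decision.ALLOW, 0.0
        return Decision.DELAY, ready_at - now

    def pending_requests(self) -> Dict[str, float]:
        """What the owner would see on another device while the wait runs."""
        return dict(self._pending)

    def cancel(self, request_id: str) -> bool:
        """Owner cancels a queued change from another device; returns True if one was queued."""
        was_pending = self._pending.pop(request_id, None) is not None
        self._cancelled.add(request_id)
        return was_pending


def thief_scenario(policy: AccountChangePolicy, t0: float = 1000.0) -> Tuple[Decision, Decision]:
    """Thief with device + passcode, Face ID failed: queued, then blocked once the owner cancels."""
    thief = ChangeRequest("thief-1", True, False, False, None, t0)
    first, _ = policy.evaluate(thief, t0)
    policy.cancel("thief-1")                     # owner reacts within the waiting period
    after, _ = policy.evaluate(thief, t0 + 2 * 24 * 3600)
    return first, after


if __name__ == "__main__":
    print(thief_scenario(AccountChangePolicy()))
```

The design point the thread is circling is visible in `evaluate`: the device passcode alone never produces an immediate password change, so the victim of a snatch keeps a window in which Find My, a second device or the account password still outranks the thief. TechnoMonk's objection (an urgent legitimate reset) is covered by the other branches, which do not wait at all.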

TechnoMonk

macrumors 68030
Oct 15, 2022
2,606
4,116
Perhaps they could implement a 24 hour wait period to changing the Apple ID password that can be bypassed within 5 minutes or so with Touch ID or Face ID when enabled.

And also require Apple ID password to edit/disable Touch or Face ID. Of course this would all be optional but default as a deterrent.
A time limit forces a fixed duration wait, which isn’t the best solution. Maybe they can make it opt-in for folks who want to wait extra time to reset passwords. Authenticating with two devices or needing both the passcode and iCloud password from a single device is a good compromise.
 

JPBoney71

macrumors newbie
Oct 2, 2021
15
18
Ripon, CA
I work in London and was at a restaurant/bar on Thursday. I use FaceID and have a 6 digit pin. During the night my FaceID must have failed at some point.

My phone went missing from my pocket and I realised within 5 mins. I was very suspicious. I instantly went on my friend's phone and attempted to log in to my iCloud. My password did not work.

Long story short from here but it had been stolen and the thieves had my passcode. They locked me out within minutes. There is a massive security flaw that allows this to happen.

I am reasonably cyber security aware (or so I thought). I had two step authentication set up on iCloud. I used my wife's number for this, thinking that makes things way more secure. It does not.

Apple allowed the thief to lock me out and change my password for iCloud.

They have had full control of my phone and data for 5 days now. I can't disable my account and I can't login.

I am stuck in a recovery loop. 1 day later I had a new sim with my phone number. I can verify the code for this and also my wife's number. I verify the code sent to my email that I have regained control of.

Final request was for me to enter my bank card in full. I did this originally but I have had to cancel all cards as the thieves used my Apple Pay to buy £1000s in Apple products!

I have visited an Apple store with my passport but absolutely nothing helps me. The power is with the criminals and I cannot stop them.

I waited 72 hours for recovery but then heard nothing. No sms or email.

I was told to try recovery again but it has gone back to where I was 5 days ago.

Meanwhile the criminals are using my WhatsApp to extort money from my contacts (1000+ of them) pretending to be me needing money. I have found out 4 have sent money and it could be a lot more.


I am powerless to stop this.

Does anyone know why my recovery is failing despite having all the information Apple asked me for?

Are the criminals with my device able to block my request from the device?

I haven't slept in 5 days with worry. They also sent threatening messages from my phone to my wife, with photos of my children.

Still Apple will do nothing to help. It is sickening.
First off,
Let me just say I am extremely sorry this has happened to you. I can only imagine the fear and panic you must be going through since this occurred.
The only advice I could possibly give at this juncture is for future reference:
------------------

How to use Screen Time to stop thieves from messing with your Apple ID

To start, head to Settings > Screen Time > Use Screen Time Passcode, if you haven’t set one up already. Make sure it’s not the same passcode you use for your iPhone, since we’re going to assume a thief knows those digits already. Jump to Content & Privacy Restrictions, and scroll down to Account Changes. Punch in your Screen Time passcode, then choose “Don’t Allow.”

When you return to the main Settings menu, you’ll find your name is grayed out at the top. Not only have you blocked access to your recovery key settings, you’ve blocked access to anything having to do with your Apple ID.
------------------
I currently use this method; hopefully I never have to find out how well it works...

I hope this method will save you heart ache and headache in the future, friend.
Cheers!

Here is the link to the original article:

 

Wando64

macrumors 68020
Jul 11, 2013
2,338
3,109
Yeah some banking apps are easily accessed. Money was moved in my accounts. I had face ID on them and they could just let that fail and enter the phone passcode.

None of the banking apps I have would allow access with the phone passcode.
Bank apps use a separate, dedicated, passcode. This, of course, can be bypassed with Face ID if desired, but when Face ID fails you need to enter the dedicated banking passcode.
Obviously anyone using the same passcode for phone access and for banking apps is asking for trouble.
 

danclara

macrumors member
Original poster
May 1, 2023
44
94
And this is PRECISELY what people are learning about through stories like these. That people are actively LOOKING to see what their passcode is. They don’t have to be an “important” person to be targeted… and that’s what most likely assumed.

Some may not want to make a “big dramatic deal” of putting their phone under their jacket or a tablecloth to ensure no one is looking at their code fearful of what the folks they are out with would think. Stories like this should remove that particular bit of social anxiety. And the same for those that like to keep their phone handy next to them so they can see notifications as they happen. It means one can keep eye contact with the folks you’re with while also keeping tabs on those they’re not with. But NOW they can tell their friends that are not there that they kept their phone secured on their person while they were out, so they couldn’t respond as quickly.


With FaceID or TouchID most of the time. And, those folks are ignored by attackers because they’re looking for the easier target that JUST entered their PIN. And actually, now that I think of it, I would imagine that anyone LOOKING for folks entering their PINs can spot them easily, because everyone else is just picking up the phone and putting it back down (having unlocked it biometrically).


More like “Don’t use your PIN in public unless absolutely necessary” and “IF you do, take precautions to avoid it being seen”. And, I’m betting that one won’t need luck to get folks to do that, especially as stories like these are being reported more and more frequently. :)

I work in Fintech and rate myself as being reasonably tech savvy and security conscious.

I made safeguards on my iCloud account to prevent total lock out and theft. I (like so many others on here) simply did not realise all of those safeguards fail if someone steals my 6 digit passcode.

Unfortunately I am out all day most days tapping my phone for payments and travel across London. Maybe 10-15 per day, every day. I could use a physical card for this, but the point of my iPhone is convenience, right? You cannot swipe cards in the UK; it is pretty much all contactless via Apple Pay now.

My iPhone face ID fails a few times a day. I think by design?

Somehow someone deliberately got my pin.

I get your point about protecting our passcodes. I truly believe I did this more than an average person. But still they got it. I don't exactly know how. Cameras most likely.

No one deserves a total lock out because of this theft. It sounds like the argument a person deserved to be attacked because of how they dressed or because they went out late at night.
 

danclara

macrumors member
Original poster
May 1, 2023
44
94
None of the banking apps I have would allow access with the phone passcode.
Bank apps use a separate, dedicated, passcode. This, of course, can be bypassed with Face ID if desired, but when Face ID fails you need to enter the dedicated banking passcode.
Obviously anyone using the same passcode for phone access and for banking apps is asking for trouble.

That is correct. I wasn't sure how they did it but now I know. Once they had locked me out of my Apple ID they quickly reset as many banking app passwords as possible.

They had around 15 minutes to do this, they were able to reset via two step authentication as they had access to my emails and my SMS codes.
 

Wando64

macrumors 68020
Jul 11, 2013
2,338
3,109
Yeah I was stupid to have somehow entered my 6 digit pin in public. I'm generally quite aware so feel like someone may have filmed me or used cctv cameras.

I get the pin is powerful once known. But it should NEVER be enough to turn off all the cloud based security users set up.

It's been traumatic enough, but Apple have made it far worse. It is so obvious my account has been stolen but I can't stop their access.

To make changes to anything related to iCloud would require entering the Apple ID password, which of course should be different from the phone passcode.
Which security feature do you claim can be disabled with the passcode?

I am really sorry you ended up in this mess, but something here is not quite right.
Unless all of your passwords (including the one for Apple ID) are the same as your passcode, none of this should be possible.

EDIT:
I now realise that the Apple ID password CAN be changed by knowing the phone passcode.
I stand corrected. I had no idea that this was possible and it is frankly pathetic.
What is the point of two factor authentication if something like this can be done?
 

Wando64

macrumors 68020
Jul 11, 2013
2,338
3,109
That is correct. I wasn't sure how they did it but now I know. Once they had locked me out of my Apple ID they quickly reset as many banking app passwords as possible.

They had around 15 minutes to do this, they were able to reset via two step authentication as they had access to my emails and my SMS codes.

So, you had the banking app access code set to be the same as your phone passcode?
 