
Seeds

macrumors member
Jan 11, 2023
67
56
I wonder how they could even fix this. Seems like the best option is the physical security keys? But then how do you log into a HomePod or an Apple TV?

A little follow-up: security keys can be disabled, and then it just goes back to the 6-digit code. I should have guessed.
 

contacos

macrumors 603
Nov 11, 2020
5,473
20,812
Mexico City living in Berlin
What is even the point of having 2-factor authentication and whatnot if all you need is a (in most cases) 4-digit phone code to reset your unrelated iCloud, like wtf Apple. Why does it not ask for the actual iCloud password to reset it?!
 

mrochester

macrumors 601
Feb 8, 2009
4,823
2,722
What is even the point of having 2-factor authentication and whatnot if all you need is a (in most cases) 4-digit phone code to reset your unrelated iCloud, like wtf Apple. Why does it not ask for the actual iCloud password to reset it?!
2FA is for setting up and logging into new devices. These devices are already 2FA authorised.
 

Cunir

macrumors regular
Nov 25, 2021
193
223
All they have to do is don't allow the passcode to change the iCloud password, and don't allow the passcode to turn off Screen Time protections.
 
  • Like
Reactions: ninecows

mrochester

macrumors 601
Feb 8, 2009
4,823
2,722
All they have to do is don't allow the passcode to change the iCloud password, and don't allow the passcode to turn off Screen Time protections.
They could but another known bit of information would then be needed to reset the iCloud password.
 

mrochester

macrumors 601
Feb 8, 2009
4,823
2,722
They should just let you reset it the normal way, by asking for the old password first
What if you don’t know the old password? I suspect most password resets are because the user CAN’T remember their current password.

You’d need the user to provide a different bit of known information.
 
Last edited:

Yuvix

macrumors newbie
Nov 24, 2022
28
13
India
I think the best way to save all this trouble is to activate the Screen Time PIN and disable password changes and account changes...
 

danclara

macrumors member
Original poster
May 1, 2023
44
94
I think the best way to save all this trouble is to activate the Screen Time PIN and disable password changes and account changes...
I tested this and it helps a little, but you can reset Screen Time if you have the passcode?
 

Jackbequickly

macrumors 68040
Aug 6, 2022
3,185
3,277
Finally people are talking about it! Someone close to me had his phone stolen and was locked out by someone knowing JUST the 4-digit PIN. The thief was able to go into Settings and change the iCloud password, then disable iCloud. When disabling iCloud, the iPhone will ask the user to authenticate using the "4-digit PIN", and even if you have 2FA, 3FA, 3000FA, it will lock you out and allow them to disassociate your Apple ID from your stolen device.

This is an insane security flaw. Your entire digital life secured by a 4- or 6-digit numeric key. There are groups of thieves that deliberately exploit this: one person would watch you type in your PIN in public and another person would snatch your phone. I know Face ID is a thing, but even with Face ID, I still find myself typing PINs at least once or twice a day for whatever reasons.

Apple should acknowledge this asap.
Not a security flaw! If you let your PIN out and your phone gets stolen, it is YOUR fault!
 

mrochester

macrumors 601
Feb 8, 2009
4,823
2,722
Not a security flaw! If you let your PIN out and your phone gets stolen, it is YOUR fault!
To me, a security flaw suggests a way to bypass the designed process.

The process isn’t being bypassed in this instance, the problem is the attacker knows the user’s security codes/passwords.
 

BaErv

macrumors member
Dec 14, 2022
65
61
There's actually a very easy fix to this issue until Apple creates a better barrier to the account settings. It involves setting a passcode for Screen Time settings. Under Content and Privacy Restrictions, enable the button and change Passcode Changes and Account Changes to "Don't Allow". Just create a different passcode for Screen Time than your phone unlock passcode. Unless the thief has both codes, they can't get into your Apple ID and iCloud settings. After the Screen Time passcode is enabled, the Apple ID settings are greyed out.
 
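The posts above argue about which secrets a thief needs to reach the iCloud account: the device passcode alone in the default setup, or the device passcode plus the Screen Time passcode once Passcode Changes and Account Changes are set to "Don't Allow". The script below is an added example (not code from MacRumors, Apple, or any poster) that models those recovery paths as a small dependency graph and enumerates the minimal sets of secrets that reach account control. The two policies are constructed to mirror what the thread describes and are an assumption, not Apple's actual implementation; the node and secret names are invented for the model.

```python
"""Recovery-path model: which capabilities does a compromised secret unlock?

Constructed example for the scenario in the thread. Both policies below are
ASSUMPTIONS written to mirror the posters' descriptions (device passcode ->
Apple ID password reset; Screen Time passcode with Passcode Changes and
Account Changes set to "Don't Allow" closes that path). They are not Apple's
real authorization logic.
"""
from itertools import combinations

# Each rule is (capability gained, prerequisites). Every prerequisite in the
# set is required (AND); any one matching rule grants the capability (OR).
# Leaf names that no rule grants are the secrets an attacker must possess.
BASELINE_POLICY = [
    ("unlock_device", {"device_passcode"}),
    ("change_apple_id_password", {"unlock_device"}),
    ("account_control", {"change_apple_id_password"}),
    ("account_control", {"apple_id_password", "second_factor"}),
]

# Same device, but with the Screen Time restriction the thread recommends:
# the Apple ID settings stay greyed out until the restriction is lifted,
# which requires a separate Screen Time passcode.
SCREEN_TIME_POLICY = [
    ("unlock_device", {"device_passcode"}),
    ("disable_screen_time_restrictions", {"unlock_device", "screen_time_passcode"}),
    ("change_apple_id_password", {"disable_screen_time_restrictions"}),
    ("account_control", {"change_apple_id_password"}),
    ("account_control", {"apple_id_password", "second_factor"}),
]


def reachable(policy, known):
    """Fixed-point closure: everything derivable from the secrets in `known`."""
    have = set(known)
    changed = True
    while changed:
        changed = False
        for cap, needs in policy:
            if cap not in have and needs <= have:
                have.add(cap)
                changed = True
    return have


def secrets_in(policy):
    """Leaf prerequisites: names that no rule grants, i.e. the raw secrets."""
    granted = {cap for cap, _ in policy}
    return sorted({s for _, needs in policy for s in needs} - granted)


def minimal_secret_sets(policy, target):
    """All minimal secret combinations from which `target` is reachable."""
    secrets = secrets_in(policy)
    found = []
    for size in range(1, len(secrets) + 1):
        for combo in combinations(secrets, size):
            s = set(combo)
            # Skip supersets of an already-found set; smaller sizes come first.
            if any(f <= s for f in found):
                continue
            if target in reachable(policy, s):
                found.append(s)
    return sorted(sorted(s) for s in found)


def single_secret_takeover(policy, secret, target="account_control"):
    """True if knowing only `secret` is enough to reach `target`."""
    return target in reachable(policy, {secret})


if __name__ == "__main__":
    for name, policy in (("baseline", BASELINE_POLICY), ("screen time", SCREEN_TIME_POLICY)):
        print(f"{name}: minimal secret sets -> {minimal_secret_sets(policy, 'account_control')}")
        print(f"{name}: device passcode alone suffices? "
              f"{single_secret_takeover(policy, 'device_passcode')}")
```

Under the baseline policy the device passcode is a single point of failure for account control; under the Screen Time policy it is not, but the same enumeration shows why mrochester's objection holds: the legitimate owner now also needs both passcodes, so a forgotten Screen Time passcode is a lockout path of its own.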

mrochester

macrumors 601
Feb 8, 2009
4,823
2,722
There's actually a very easy fix to this issue until Apple creates a better barrier to the account settings. It involves setting a passcode for Screen Time settings. Under Content and Privacy Restrictions, enable the button and change Passcode Changes and Account Changes to "Don't Allow". Just create a different passcode for Screen Time than your phone unlock passcode. Unless the thief has both codes, they can't get into your Apple ID and iCloud settings. After the Screen Time passcode is enabled, the Apple ID settings are greyed out.
Can the user easily remove the screen time passcode if they forget what it is to restore access to the Apple ID settings?
 

BaErv

macrumors member
Dec 14, 2022
65
61
Can the user easily remove the screen time passcode if they forget what it is to restore access to the Apple ID settings?
The Screen Time passcode can be turned off, but you'll have to know the passcode to do it. I've never tried bypassing that particular setting on another Apple device. Might work if you turn off "Share Across Devices".
 
Last edited:

mrochester

macrumors 601
Feb 8, 2009
4,823
2,722
The Screen Time passcode can be turned off, but you'll have to know the passcode to do it. I've never tried bypassing that particular setting on another Apple device. Might work if you turn off "Share Across Devices".
The point being, there's no point securing access to Apple ID settings using a passcode that people are likely to forget because they don't use it often enough, because that forms another means of account lockout, unless that security can also be bypassed using yet another method.

I could easily believe the whole reason the device passcode can be used to regain access to an iCloud account is precisely because people are unlikely to forget their device passcode/word because they will enter it fairly regularly, even if they predominantly used Face ID or Touch ID.
 
Last edited:

BaErv

macrumors member
Dec 14, 2022
65
61
The point being, there's no point securing access to Apple ID settings using a passcode that people are likely to forget because they don't use it often enough, because that forms another means of account lockout, unless that security can also be bypassed using yet another method.
I'm sorry you're disappointed with my response, but it's a workaround that merely prevents account settings exposure without reinventing the wheel for Apple. I suppose the inconvenience of writing the code down and putting it in a safe place might outweigh the problems associated with getting totally burned from theft.
 
  • Like
Reactions: bevsb2

mrochester

macrumors 601
Feb 8, 2009
4,823
2,722
I'm sorry you're disappointed with my response, but it's a workaround that merely prevents account settings exposure without reinventing the wheel for Apple. I suppose the inconvenience of writing the code down and putting it in a safe place might outweigh the problems associated with getting totally burned from theft.
It works fine if everyone does exactly what you’ve said and doesn’t forget the code, but we know the reality is very different. But as you’ve said, it’s a workaround, not a solution.

Being vigilant about who or what is watching you as you enter your device passcode in a public space is probably better advice. That way even if your phone is stolen, they can’t get access at all.
 
Last edited:
  • Like
Reactions: Unregistered 4U

BaErv

macrumors member
Dec 14, 2022
65
61
Here's two suggestions: Buy a ring and have the code engraved on the inside...or sign up for monthly delivery of Prevagen 😁
 
Last edited:

Vlad Soare

macrumors 6502a
Mar 23, 2019
675
652
Bucharest, Romania
How you gonna remember 9 digits unless it’s your phone number?
Easy. My PIN is ten randomly generated digits, and I can remember it just fine. :cool:

Not a security flaw! If you let your PIN out and your phone gets stolen, it is YOUR fault!
Have you read the whole story? I think you've missed the point.
Gaining control of the phone itself by knowing the PIN is fair game. No one is disputing that. But gaining control of the entire iCloud account by knowing just a device PIN is an unbelievably, mind-blowingly HUGE security flaw. Once you set up a physical key and generate a recovery key, resetting the Apple ID password without at least one of them should be absolutely impossible no matter what.
 
Last edited:

mrochester

macrumors 601
Feb 8, 2009
4,823
2,722
Easy. My PIN is ten randomly generated digits, and I can remember it just fine. :cool:


Have you read the whole story? I think you've missed the point.
Gaining control of a phone itself by knowing the PIN is fair game. Gaining control of the entire Apple iCloud account by knowing just a device PIN is an unbelievably HUGE security fault.
Gaining control of the iCloud account by knowing the device PIN is by design. The key is to not let your device PIN fall into the wrong hands. The OP appears to not have known the tricks that thieves use to learn your device PIN so didn't take measures to mitigate against the PIN falling into the wrong hands. The lesson is to be vigilant and be aware of your surroundings when entering your device PIN in a public location.

Make your friends and family aware that they must be vigilant when typing in a device passcode/word.
 
  • Like
Reactions: Unregistered 4U