
mrochester

macrumors 601
Feb 8, 2009
4,823
2,722
Right. Only in this case it balances your security with Apple's convenience. A really bad trade in my book.
It balances with user convenience too. My dad can reset his forgotten Apple ID password by just entering his device passcode. I don’t even know how else Apple would be able to authenticate that it was my dad resetting the Apple ID password in that instance, if not for his device passcode.

If Apple sent my dad a 2FA code it would go to his iPhone (the device he is using and thus the thief already has access to) or they could send an SMS code, same issue, or email a code, same issue.

Apple could send a code to a different device, but that would require the user to have another device and have access to it. Or Apple could send a code to another trusted number that isn’t the compromised device phone number, but that would require the user to have set up and authenticated that number on their Apple account and for the user to have access to it to receive the code.

All of these options are fraught with difficulties and trade-offs between security and convenience.
 

Vlad Soare

macrumors 6502a
Mar 23, 2019
675
652
Bucharest, Romania
OK, then it balances the security of all the careful, security-aware users, who do everything by the book, with the convenience of some forgetful, non-tech-savvy users, who have no concept of security and good practices.
Still a bad trade.

Why does the Apple ID password exist at all, then? What's the point? Why not authenticate into the cloud with the device PIN and be done with it? Let's skip the iCloud authentication completely, lest someone's dad has trouble with it.
 

mrochester

macrumors 601
Feb 8, 2009
4,823
2,722
OK, then it balances the security of all the careful, security-aware users, who do everything by the book, with the convenience of some forgetful, non-tech-savvy users, who have no concept of security and good practices.
Still a bad trade.

Why does the Apple ID password exist at all, then? What's the point? Why not authenticate into the cloud with the device PIN and be done with it? Let's skip the iCloud authentication completely, lest someone's dad has trouble with it.
Products need to be designed for the general population, not the security aware tech nerds.

People who are security aware would already be vigilant about their surroundings when entering their device passcode, so wouldn’t have this issue in the first place.

The Apple ID password exists in the first place because there has to be a way to first login to a new device before it can become a trusted device. A device passcode can only be used to reset the Apple ID on that device once you’ve logged into that Apple ID on that device.

A device passcode just becomes another password to your Apple ID.
 

Vlad Soare

macrumors 6502a
Mar 23, 2019
675
652
Bucharest, Romania
Products need to be designed for the general population, not the security aware tech nerds.
Yeah, but it's precisely the general population that needs to be protected. And in this day and age you don't have to be a tech nerd anymore to be security-conscious.

Still, why have an Apple ID password at all under these circumstances?
 

mrochester

macrumors 601
Feb 8, 2009
4,823
2,722
Yeah, but it's precisely the general population that needs to be protected. And in this day and age you don't have to be a tech nerd anymore to be security-conscious.

Still, why have an Apple ID password at all under these circumstances?
As above.
 

Vlad Soare

macrumors 6502a
Mar 23, 2019
675
652
Bucharest, Romania
OK, we'll have to agree to disagree on this.
From the point of view of a security-conscious person who's aware of cyberthreats and good security practices, this design is massively, massively flawed. For those like your dad it's a blessing. Fair point. I'm aware that you can't please everyone, but at least we should have options. Settling for the lowest common denominator is not the answer.
You can't claim to have a secure cloud if you leave a massive hole open and then say, "screw the tech nerds, we're catering for the general population". Well, in that case we tech nerds should start looking elsewhere, shouldn't we?
 

mrochester

macrumors 601
Feb 8, 2009
4,823
2,722
Yeah, but it's precisely the general population that needs to be protected. And in this day and age you don't have to be a tech nerd anymore to be security-conscious.

Still, why have an Apple ID password at all under these circumstances?
Agreed, you don’t need to be a tech nerd to be security conscious. Which is why everyone should be vigilant when entering their device passcode in a public location.
 

mrochester

macrumors 601
Feb 8, 2009
4,823
2,722
OK, we'll have to agree to disagree on this.
From the point of view of a security-conscious person who's aware of cyberthreats and good security practices, this design is massively, massively, flawed. For those like your dad it's a blessing. Fair point. I'm aware that you can't please everyone, but at least we should have options.
The whole thing is almost completely solved by being vigilant when entering your device passcode in a public location. If thieves don’t know your passcode, none of this can happen.

A security conscious person wouldn’t have this issue as thieves wouldn’t know their passcode, because they are security conscious and have mitigated against a thief being able to steal their passcode!

If you don’t know the methods that thieves use to steal passcodes, I’d suggest you aren’t as security conscious as you think you are.

For everyone else, tell your friends and family to be vigilant.
 

Vlad Soare

macrumors 6502a
Mar 23, 2019
675
652
Bucharest, Romania
The whole thing is almost completely solved by being vigilant when entering your device passcode in a public location. If thieves don’t know your passcode, none of this can happen.

A security conscious person wouldn’t have this issue as thieves wouldn’t know their passcode, because they are security conscious and have mitigated against a thief being able to steal their passcode!
You don't seem to be very familiar with security concepts and practices. Security is a layered approach. Having one single key that gives you access to absolutely everything, no questions asked, is really, really bad. Sure, you must take care not to lose that key, but that's not the point. The point is, keys do get lost whether we like it or not, and whatever happens next makes the difference between a secure and an insecure environment.
 

Wando64

macrumors 68020
Jul 11, 2013
2,338
3,109
As with any security measure, it’s a design that balances security with convenience.

Nope.
That balance is hugely skewed towards convenience.

I’d be more than happy to have to provide additional information to reset my Apple ID password.
It is not much of an inconvenience if the one time in a lifetime when you forget your password you have to type a combination of mother's maiden name, place of birth, the name of first school, etc…
 

mrochester

macrumors 601
Feb 8, 2009
4,823
2,722
You don't seem to be very familiar with security concepts and practices. Security is a layered approach. Having one single key that gives you access to absolutely everything, no questions asked, is really, really bad. Sure, you must take care not to lose that key, but that's not the point. The point is, keys do get lost, and what happens next makes the difference between a secure and an insecure environment.
I understand the layered approach, which is why to set up the device as a trusted device you likely need both your Apple ID password and a 2FA code. But as a trusted device, you have already peeled back those layers. This is why you need to be extra vigilant with your device passcode.
 

TechnoMonk

macrumors 68030
Oct 15, 2022
2,606
4,116
What are the cops doing? It’s a law and order issue now. Apple responded to people who were forgetting passwords and wanted the passcode to be used to recover accounts.
The reason people think it’s a fake post is, why aren’t the cops involved? Something doesn’t add up here. If they are threatening the kid, the phone is the least of your problems. There are cameras in every nook and corner of London; it’s not hard to track the thieves.
 

mrochester

macrumors 601
Feb 8, 2009
4,823
2,722
Nope.
That balance is hugely skewed towards convenience.

I’d be more than happy to have to provide additional information to reset my Apple ID password.
It is not much of an inconvenience if the one time in a lifetime when you forget your password you have to type a combination of mother's maiden name, place of birth, the name of first school, etc…
That can help, but these pieces of information can also fairly easily be obtained, even more so if the thief already has access to all of the user's personal data on the device.
 

TechnoMonk

macrumors 68030
Oct 15, 2022
2,606
4,116
Nope.
That balance is hugely skewed towards convenience.

I’d be more than happy to have to provide additional information to reset my Apple ID password.
It is not much of an inconvenience if the one time in a lifetime when you forget your password you have to type a combination of mother's maiden name, place of birth, the name of first school, etc…
That combination is too easy, and has failed in the past; it's not hard to social engineer. Apple could just add an extra step of entering the iCloud password for single-Apple-device users, and for users with multiple devices, allow a password change with the passcode if confirmed by another Apple trusted device.
 
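The two positions above (mrochester's point that a code sent to the stolen phone adds nothing, and TechnoMonk's proposal that a second trusted device or the account password should confirm a reset) are really a statement about factor independence. The following is an added toy model written for this page, not Apple's code or a description of how Apple's recovery flow actually works; the policy names, `Factor` kinds, device ids and scenarios are all this example's own assumptions. It evaluates a reset request under a passcode-only policy and under a layered policy that only credits factors the requesting device does not itself control.

```python
from dataclasses import dataclass
from enum import Enum, auto


class Factor(Enum):
    DEVICE_PASSCODE = auto()   # typed on the device itself
    OTP_PUSH = auto()          # short code delivered to a trusted device
    ACCOUNT_PASSWORD = auto()  # the account password (unknown when forgotten)
    RECOVERY_KEY = auto()      # long key kept offline, never stored on the phone


@dataclass(frozen=True)
class Presented:
    factor: Factor
    origin: str   # device the factor was typed on / delivered to, or "offline"


@dataclass(frozen=True)
class ResetRequest:
    requesting_device: str      # device asking to reset the account password
    trusted_devices: frozenset  # devices already signed in to the account
    presented: tuple            # tuple[Presented, ...]


def has_factor(req, factor, origin=None):
    """True if `factor` was presented (optionally from a specific origin)."""
    return any(p.factor is factor and (origin is None or p.origin == origin)
               for p in req.presented)


def passcode_only_policy(req):
    """Model of the convenience-first design the thread argues about:
    a trusted device plus its own passcode is sufficient on its own."""
    return (req.requesting_device in req.trusted_devices
            and has_factor(req, Factor.DEVICE_PASSCODE, req.requesting_device))


def layered_policy(req):
    """Hardened model: the passcode still gates the request, but at least one
    further factor must originate somewhere the requesting device does not
    control. An OTP delivered to the requesting device itself is not counted,
    because whoever holds the unlocked device also receives it."""
    if not passcode_only_policy(req):
        return False
    other_trusted = req.trusted_devices - {req.requesting_device}
    independent = [
        p for p in req.presented
        if p.factor in (Factor.ACCOUNT_PASSWORD, Factor.RECOVERY_KEY)
        or (p.factor is Factor.OTP_PUSH and p.origin in other_trusted)
    ]
    return bool(independent)


# Constructed scenarios (hypothetical device ids).
def thief_scenario():
    """Stolen phone, passcode observed, the OTP lands on that same phone."""
    return ResetRequest("phone-A", frozenset({"phone-A"}), (
        Presented(Factor.DEVICE_PASSCODE, "phone-A"),
        Presented(Factor.OTP_PUSH, "phone-A"),
    ))


def owner_two_devices_scenario():
    """Owner forgot the password but confirms from a second trusted device."""
    return ResetRequest("phone-A", frozenset({"phone-A", "ipad-B"}), (
        Presented(Factor.DEVICE_PASSCODE, "phone-A"),
        Presented(Factor.OTP_PUSH, "ipad-B"),
    ))


def owner_single_device_scenario():
    """Single-device owner who kept a recovery key off the phone."""
    return ResetRequest("phone-A", frozenset({"phone-A"}), (
        Presented(Factor.DEVICE_PASSCODE, "phone-A"),
        Presented(Factor.RECOVERY_KEY, "offline"),
    ))


def evaluate(req):
    """Return (passcode_only_result, layered_result) for a request."""
    return passcode_only_policy(req), layered_policy(req)


if __name__ == "__main__":
    for name, req in [("thief", thief_scenario()),
                      ("owner, two devices", owner_two_devices_scenario()),
                      ("owner, single device", owner_single_device_scenario())]:
        print(f"{name:22} passcode-only={evaluate(req)[0]} layered={evaluate(req)[1]}")
```

Running it shows the gap the thread is describing: under the passcode-only model the thief scenario succeeds, while under the layered model it fails and both owner scenarios still succeed. The single-device case is where the model has to offer an out that is not the forgotten password itself (here a recovery key kept off the device), which is exactly the objection mrochester raises to requiring the password.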

Cunir

macrumors regular
Nov 25, 2021
193
223
Does anyone know what happens if you set 'erase data after 10 failed passcode attempts'?

Is the phone empty but still connected to your Apple account and protected by Find My, or can anyone just enter their own Apple ID and take over the phone at that point?

It's not something I want to test out!
 

mrochester

macrumors 601
Feb 8, 2009
4,823
2,722
That combination is too easy, and has failed in the past; it's not hard to social engineer. Apple could just add an extra step of entering the iCloud password for single-Apple-device users, and for users with multiple devices, allow a password change with the passcode if confirmed by another Apple trusted device.
But that makes no sense. If you don’t know your iCloud password, Apple can’t make knowing that a requirement to resetting it!
 

Wando64

macrumors 68020
Jul 11, 2013
2,338
3,109
My dad can reset his forgotten Apple ID password by just entering his device passcode. I don’t even know how else Apple would be able to authenticate that it was my dad resetting the Apple ID password in that instance, if not for his device passcode.

Are you saying that your dad would be unable to answer a set of additional questions that he has created himself?
Such as:
- name of my son,
- place of birth,
- place or year of marriage

etc… whatever information your dad is comfortable remembering, but would not be available to anyone in the street.

It is not rocket science. Banks are using this all the time.
 

TechnoMonk

macrumors 68030
Oct 15, 2022
2,606
4,116
Does anyone know what happens if you set 'erase data after 10 failed passcode attempts'?

Is the phone empty but still connected to your Apple account and protected by Find My, or can anyone just enter their own Apple ID and take over the phone at that point?

It's not something I want to test out!
My understanding is Find My iPhone still shows the location. Someone stole her phone in the gym; it had erase on password, and it was also erased remotely, but she was able to track it. Interestingly, the phone was in one of the worst parts of Houston, then showed up in Nigeria a week later. They probably scrapped it for parts.
 

mrochester

macrumors 601
Feb 8, 2009
4,823
2,722
Are you saying that your dad would be unable to answer a set of additional questions that he has created himself?
Such as:
- name of my son,
- place of birth,
- place or year of marriage

etc… whatever information your dad is comfortable remembering, but would not be available to anyone in the street.

It is not rocket science. Banks are using this all the time.
I’m not saying he wouldn’t remember it; I’m saying that, of the examples you have provided, these are not secure because it’s information that can quite easily be gleaned, especially as the thief has access to the device.

A thief could simply open the Facebook app and glean a lot of personal information about the user to be able to answer those additional security questions. The user might use the notes app on their phone to store security questions and answers that they have used elsewhere. The thief has access to all of this information.

Apple would need to have the questions be something that the thief could NOT learn about from the phone.

The trick is to be vigilant when entering your passcode in a public location.
 

TechnoMonk

macrumors 68030
Oct 15, 2022
2,606
4,116
But that makes no sense. If you don’t know your iCloud password, Apple can’t make knowing that a requirement to resetting it!
Well, that’s the point. Convenience for extra security. If you have multiple devices, skip the password requirement to change iCloud account credentials from another trusted device.
 

danclara

macrumors member
Original poster
May 1, 2023
44
94
Just spoke to the Met Police on this.

They had 4 similar reports at this venue since last Tuesday. They now suspect that one or more card machines are set up in such a way as to make Face ID fail.

There could be covert cameras set up to obtain the passcode.

They have applied for a warrant on this address.

So perhaps, all the know-it-all smart Alecs who could never possibly be compromised are wrong?

Gangs know this exploit and are out to make hay whilst they can.

I made a choice to not carry physical cards with me and to use Apple wallet.

I thought that if my phone and passcode were stolen I would be able to almost instantly disable my phone and entire wallet within moments. I totally secured my iCloud to ensure this.

But the passcode they stole gave them total power, without requiring a single piece of extra authentication.
 

danclara

macrumors member
Original poster
May 1, 2023
44
94
Just spoke to the Met Police on this.

They had 4 similar reports at this venue since last Tuesday. They now suspect that one or more card machines are set up in such a way as to make Face ID fail.

There could be covert cameras set up to obtain the passcode.

They have applied for a warrant on this address.

So perhaps, all the know-it-all smart Alecs who could never possibly be compromised are wrong?

Gangs know this exploit and are out to make hay whilst they can.

I made a choice to not carry physical cards with me and to use Apple wallet.

I thought that if my phone and passcode were stolen I would be able to almost instantly disable my phone and entire wallet within moments. I totally secured my iCloud to ensure this.

But the passcode they stole gave them total power, without requiring a single piece of extra authentication.

Bear in mind I was taking work clients out on this night. If, like many suggest, no one should ever input their passcode in public, I would have been unable to pay for the food bill/check.

For the premium I pay Apple, I believed their ecosystem was more secure than physical cards, which can be 'tapped' contactless in the UK WITHOUT a pin code.

Apple have proven to be totally the wrong option in terms of bank card security.
 

mrochester

macrumors 601
Feb 8, 2009
4,823
2,722
Just spoke to the Met Police on this.

They had 4 similar reports at this venue since last Tuesday. They now suspect that one or more card machines are set up in such a way as to make Face ID fail.

There could be covert cameras set up to obtain the passcode.

They have applied for a warrant on this address.

So perhaps, all the know-it-all smart Alecs who could never possibly be compromised are wrong?

Gangs know this exploit and are out to make hay whilst they can.

I made a choice to not carry physical cards with me and to use Apple wallet.

I thought that if my phone and passcode were stolen I would be able to almost instantly disable my phone and entire wallet within moments. I totally secured my iCloud to ensure this.

But the passcode they stole gave them total power, without requiring a single piece of extra authentication.
I don’t think the card machine would be able to know whether the payment was authorised by Face ID or passcode, and how it would then know which to fail.

Maybe it was set up in such a way (certain lighting, a particular angle) to make it more likely that Face ID would fail due to how the user was holding the device, and then have strategically positioned cameras to see you type in your passcode to authenticate the payment.

That would certainly be a very well organised criminal activity.

It’s not about being right or wrong, it’s about being as vigilant as you can be, and being aware of the tactics used by criminals to try and obtain your passcode. Criminals will always be trying new ways to steal stuff.
 