Other WSJ: A Basic iPhone Feature Helps Criminals Steal Your Entire Digital Life

[BootsWalking]

An examination of the recent spate of thefts reveals a possible gap in Apple’s armor. The company’s defenses are designed around common attack scenarios—the hacker on the internet attempting to use a person’s login credentials, or the thief on the street looking to snatch an iPhone for a quick sale.

They don’t necessarily account for the fog of a late-night bar scene full of young people, where predators befriend their victims and maneuver them into revealing their passcodes. Once thieves possess both passcode and phone, they can exploit a feature Apple intentionally designed as a convenience: allowing forgetful customers to use their passcode to reset the Apple account password.

https://www.wsj.com/articles/apple-...ps-criminals-steal-your-digital-life-cbf14b1a

 

[BugeyeSTI]

The thieves are exploiting a simple vulnerability in the software design of over one billion iPhones active globally. It centers on the passcode, the short string of numbers that grants access to a device; and passwords, generally longer alphanumeric combinations that serve as the logins for different accounts.

With only the iPhone and its passcode, an interloper can within seconds change the password associated with the iPhone owner’s Apple ID. This would lock the victim out of their account, which includes anything stored in iCloud. The thief can also often loot the phone’s financial apps since the passcode can unlock access to all the device’s stored passwords.

“Once you get into the phone, it’s like a treasure box,” said Alex Argiro, who investigated a high-profile theft ring as a New York Police Department detective before retiring last fall.

He said there have been hundreds of these sorts of crimes in the city in the past two years. “This is growing,” he said. “It is such an opportunistic crime. Everyone has financial apps.”

https://www.wsj.com/articles/apple-...ps-criminals-steal-your-digital-life-cbf14b1a

Sorry not paying for a subscription to WSJ just to read the article you linked..

 

[Thoradin]

Sorry not paying for a subscription to WSJ just to read the article you linked..

This should work:

http://archive.today/kJoO2

 

[I7guy]

Not sure of the point. Social engineering attacks on unsuspecting people are succeeding? It's a double edge sword using more security on such a personal device as a cell phone. Sure you can require a passcode and a token but what happens if you lose the hardware.

I see it as no easy answer.

But that is where touch id and face id helps. This is a rehash of prognostications early on with touch id saying a criminal would hack off your finger or point a gun to your head etc. Best thing imo to without face id or touch id is long alphanumeric easy to remember hard to visualize passwords. But the iphone does let you use "1234" as a passcode. Also when in a place that presents opportunity, which is any crowded public space, treat the phone like your wallet.

 

[BootsWalking]

Not sure of the point. Social engineering attacks on unsuspecting people are succeeding? It's a double edge sword using more security on such a personal device as a cell phone. Sure you can require a passcode and a token but what happens if you lose the hardware.

I see it as no easy answer.

Sure, except this isn't a social engineering attack.

 

[NT1440]

Sure, except this isn't a social engineering attack.

The scenario laid out absolutely is.

No one should know your passcode other than significant others (if that’s what you’ve agreed upon). Getting it at a bar is absolutely a social engineering attack, by definition.

 

[BootsWalking]

The scenario laid out absolutely is.

Getting it at a bar is absolutely a social engineering attack, by definition.

Stealing something at a bar is automatically a social engineering attack?

The article lists several scenarios, many of which don't fall under social engineering, including being physically assaulted and being drugged. Even the scenario which does fall under it, like coercing someone to enter their passcode by asking them to check something, still involves later physically stealing their phones. The root issue is Apple's and Google's lax stance on password resets for those who have physical possession of the phone.

 

[I7guy]

Stealing something at a bar is automatically a social engineering attack?

Yes, by looking over a shoulder.

The article lists several scenarios, many of which don't fall under social engineering, including being physically assaulted and being drugged.

Yes, I just mentioned them above when I edited my post.

Even the scenario which does fall under it, like coercing someone to enter their passcode by asking them to check something, still involves later physically stealing their phones. The root issue is Apple's and Google's lax stance on password resets for those who have physical possession of the phone.

The root issue is people should be using face id and touch id. The iphone is customizable and one can use it as they see fit, but don't blame the vendors for making it easy to use the phone. If someone robs you of your car keys and then steals the car, is it Ford's fault?

 

[BootsWalking]

Yes, by looking over a shoulder.

First paragraph from wiki:

In the context of information security, social engineering is the psychological manipulation of people into performing actions or divulging confidential information. A type of confidence trick for the purpose of information gathering, fraud, or system access, it differs from a traditional "con" in that it is often one of many steps in a more complex fraud scheme.[1] It has also been defined as "any act that influences a person to take an action that may or may not be in their best interests.

Source: https://en.wikipedia.org/wiki/Social_engineering_(security)

How is looking over a shoulder qualify as the above?

 

[BootsWalking]

The root issue is people should be using face id and touch id. The iphone is customizable and one can use it as they see fit, but don't blame the vendors for making it easy to use the phone. If someone robs you of your car keys and then steals the car, is it Ford's fault?

How does using face id or touch id prevent a thief from using your passcode to gain access to your phone, including rebooting it and entering your passcode at startup?

 

[I7guy]

First paragraph from wiki:

In the context of information security, social engineering is the psychological manipulation of people into performing actions or divulging confidential information. A type of confidence trick for the purpose of information gathering, fraud, or system access, it differs from a traditional "con" in that it is often one of many steps in a more complex fraud scheme.[1] It has also been defined as "any act that influences a person to take an action that may or may not be in their best interests.

Source: https://en.wikipedia.org/wiki/Social_engineering_(security)

How is looking over a shoulder qualify as the above?

If you want to defend your definition of social engineering, then go ahead. To me it's social engineering because one was unintentionally coerced into giving up your passcode by someone looking over your shoulder. At any rate, I have a feeling you will blame Apple even when Apple has built in the tools to limit this type of thing. (eg face id and touch id) "The article calls it shoulder surfing."

 

[I7guy]

How does using face id or touch id prevent a thief from rebooting your phone and entering your passcode to gain access to it?

If you use face id you do not enter the passcode? You weren't aware?

 

[BootsWalking]

If you use face id you do not enter the passcode? You weren't aware?

Passcodes are required to use face id. You weren't aware?

https://support.apple.com/en-us/HT208109#:~:text=To set up Face ID,way to verify your identity

 

[I7guy]

Passcodes are required to use face id. You weren't aware?

https://support.apple.com/en-us/HT208109#:~:text=To set up Face ID,way to verify your identity

If you are going to promulgate that users setup face id in a crowded bar, is just ridiculous. Of course, the first time you setup face id you need a passcode and hopefully you aren't doing that in a venue where you can't be aware of your surroundings. But if you are not awarem, when you unlock face id you do not need a passcode. Now if after you unlock face id and someone snatches the phone from your hand, there's not much you can do.

I thought we would have a reasonable discussion, but guess not.

 

[BootsWalking]

If you want to defend your definition of social engineering, then go ahead. To me it's social engineering because one was unintentionally coerced into giving up your passcode by someone looking over your shoulder. At any rate, I have a feeling you will blame Apple even when Apple has built in the tools to limit this type of thing. (eg face id and touch id) "The article calls it shoulder surfing."

That was from wikipedia - not my definition. What exactly are you coercing someone into doing by looking over their shoulder while they're doing something you had no part in causing, either directly or indirectly? Face ID and Touch ID do not prevent this issue, as I mentioned above.

 

[Thoradin]

The whole thing in essence falls under social engineering.
Yes, including the drugging, snooping over a shoulder and the threats of violence.

Source: Me, the holder of a first class BSc in cyber security.

They all involve physical manipulation of the phones owner, in some way or another and as such class as social engineering.

 

[BootsWalking]

If you are going to promulgate that users setup face id in a crowded bar, is just ridiculous. Of course, the first time you setup face id you need a passcode and hopefully you aren't doing that in a venue where you can't be aware of your surroundings. But if you are not awarem, when you unlock face id you do not need a passcode. Now if after you unlock face id and someone snatches the phone from your hand, there's not much you can do.

I thought we would have a reasonable discussion, but guess not.

You don't need to watch someone set up their Face ID or Touch ID to use their passcode to get into their phone. You only need to learn of their passcode via the methods described in the article. It's the fact that Apple and Google require you to have a passcode defined to use Face ID or Touch ID, and then lets users enter their phones with only that passcode to reset their password which creates this vulnerability.

 

[I7guy]

You seem confused. You don't need to watch someone set up their Face ID or Touch ID to use their passcode to get into their phone. You only need to learn of their passcode via the methods described in the article. It's the fact that Apple and Google require you to have a passcode defined to use Face ID or Touch ID, and then lets users enter their phones with only that passcode which creates this vulnerability.

That is not the point I was making. If you give your phone to someone to take a picture and nefariously they turn off your phone and trust them enough and they shoulder surf and get your password, there is not much you can do. If you are aware enough you can go to a private area to unlock your phone. That is a form of social engineering though.

 

[BootsWalking]

That is not the point I was making. If you give your phone to someone to take a picture and nefariously they turn off your phone and trust them enough and they shoulder surf and get your password, there is not much you can do. If you are aware enough you can go to a private area to unlock your phone.

The point you made was that using Face ID or Touch ID prevents this issue. But it doesn't, for the reasons I listed.

That is a form of social engineering though.

Watching someone do something of their own accord and with zero influence by you is social engineering? If that's the case then a lot of old people sitting in the park have some explaining to do.

 

[NoBoMac]

Also being discussed here:

https://forums.macrumors.com/threads/apple-responds-to-report-about-thieves-spying-on-iphone-passcodes-to-steal-your-entire-digital-life.2381922/