
MacRumors

macrumors bot
Original poster
Apr 12, 2001


The Wall Street Journal's Nicole Nguyen and Joanna Stern today published a report highlighting how thieves can use Apple's optional recovery key security option to permanently lock out iPhone users from their Apple ID account.


As the journalists first revealed in February, there have been increasing instances of thieves spying on an iPhone user's passcode in public and then stealing the device in order to gain widespread access to the device and its contents, including financial apps. All of the victims interviewed in the initial report said their iPhones were stolen while they were out socializing at bars and other public places at night.

With knowledge of the iPhone's passcode, a thief can reset the victim's Apple ID password directly in the Settings app, without knowing the old password and even if Face ID or Touch ID is enabled. The device passcode therefore acts as the recovery credential for the whole account. Once the Apple ID password is changed, the thief can turn off Find My iPhone on the device, preventing the owner from tracking its location or remotely erasing it via iCloud.

Today's report places more focus on an additional step that thieves can take: using the stolen device to set or reset a recovery key, a randomly generated 28-character code that, once enabled, is required to regain access to the Apple ID if the password is lost.


"Apple's policy gives users virtually no way back into their accounts without that recovery key," the report states. With unrestricted access to a stolen iPhone, the device's passcode, and the Apple ID password, thieves can steal money via Apple Pay and potentially other banking apps, view sensitive information like photos and emails, and more.

Apple's website does warn that losing access to both your trusted devices and recovery key means that "you could be locked out of your account permanently." In this scenario, however, thieves spying on iPhone passcodes before stealing the devices means that victims only need to lose their device in order to potentially be permanently locked out. The report serves as a valuable reminder to protect your iPhone's passcode in public.

For more details, read our previous coverage.

Apple Responds

In a statement shared in response to the report, Apple said it is "always investigating additional protections against emerging threats like this one."

"We sympathize with people who have had this experience and we take all attacks on our users very seriously, no matter how rare," an Apple spokesperson told The Wall Street Journal. "We work tirelessly every day to protect our users' accounts and data, and are always investigating additional protections against emerging threats like this one."

How to Stay Protected

iPhone users should use Face ID or Touch ID as much as possible when in public to prevent thieves from spying on their passcode. In situations where entering the passcode is necessary, users can hold their hands over their screen to hide passcode entry.

The report also recommends that users switch from a four- or six-digit numeric passcode to an alphanumeric passcode, which is harder for a thief to read over your shoulder and far harder to guess. This can be done in the Settings app under Face ID & Passcode → Change Passcode → Passcode Options.

To protect a bank account, consider storing its password in a password manager that does not unlock with the device's passcode, such as 1Password, so that knowing the iPhone passcode alone does not expose the banking credential.

Users can enable Screen Time parental controls to further lock down their device, the report adds.

Article Link: Apple Responds to Report About Thieves Permanently Locking Out iPhone Users
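The recommendation above to move from a short numeric passcode to an alphanumeric one is mostly about shoulder-surfing, but the same change also expands the guessing space by orders of magnitude. The following Python script is an added example, not code from the report or from Apple; it estimates the search space of a passcode and flags structures (sequential digits, repeated blocks, a short illustrative list of common PINs, which is an assumption of this example and not data from the article) that make a code both easy to guess and easy to observe.

```python
"""Passcode strength estimator.

Added example: compares the search space of numeric iPhone-style passcodes
with alphanumeric ones and flags patterns that are easy to guess or to read
over someone's shoulder.  The COMMON_PINS list is an illustrative assumption.
"""
import math
import string
from dataclasses import dataclass, field

# Illustrative sample of frequently chosen PINs (assumed list, not from the report).
COMMON_PINS = {"1234", "0000", "1111", "1212", "7777", "123456", "000000", "111111"}


@dataclass
class PasscodeReport:
    kind: str                 # "numeric" or "alphanumeric"
    length: int
    alphabet_size: int        # size of the character set actually used
    entropy_bits: float       # log2(alphabet_size ** length); an upper bound on strength
    weak_patterns: list = field(default_factory=list)


def alphabet_size(passcode: str) -> tuple[str, int]:
    """Classify the passcode and return the size of the character set it draws from."""
    if passcode.isdigit():
        return "numeric", 10
    size = 0
    if any(c.islower() for c in passcode):
        size += 26
    if any(c.isupper() for c in passcode):
        size += 26
    if any(c.isdigit() for c in passcode):
        size += 10
    if any(c in string.punctuation for c in passcode):
        size += len(string.punctuation)
    if any(c.isspace() for c in passcode):
        size += 1
    return "alphanumeric", size


def weak_patterns(passcode: str) -> list[str]:
    """Flag structure that collapses the effective search space."""
    flags = []
    if passcode in COMMON_PINS:
        flags.append("common PIN")
    if len(passcode) > 1 and len(set(passcode)) == 1:
        flags.append("repeated character")
    if passcode.isdigit() and len(passcode) > 2:
        # Constant step of +1 or -1 between every pair of digits, e.g. 1234 or 9876.
        steps = {int(b) - int(a) for a, b in zip(passcode, passcode[1:])}
        if steps == {1} or steps == {-1}:
            flags.append("sequential digits")
    half = len(passcode) // 2
    if half >= 2 and passcode == passcode[:half] * 2:
        flags.append("repeated block")       # e.g. 1212 or 123123
    return flags


def passcode_report(passcode: str) -> PasscodeReport:
    """Build a report with the entropy upper bound and any weak patterns found."""
    kind, size = alphabet_size(passcode)
    bits = len(passcode) * math.log2(size) if size else 0.0
    return PasscodeReport(kind, len(passcode), size, bits, weak_patterns(passcode))


def keyspace(passcode: str) -> int:
    """Maximum number of candidates for a passcode of this character set and length."""
    _, size = alphabet_size(passcode)
    return size ** len(passcode)


if __name__ == "__main__":
    # Constructed sample passcodes.
    for pc in ("1234", "123456", "1212", "9517", "Tr0ub4dor!7x"):
        r = passcode_report(pc)
        print(f"{pc!r:16} {r.kind:13} {r.entropy_bits:6.1f} bits  "
              f"{keyspace(pc):>14,} candidates  {r.weak_patterns}")
```

A six-digit numeric passcode gives at most about 20 bits (one million candidates), whereas a 12-character mixed alphanumeric passcode is well above 70 bits; the entropy figure is an upper bound that the weak-pattern flags are meant to puncture, since a sequential or repeated code is as easy to reconstruct from a glance as it is to guess.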
 
Is this even the case anymore? When I try to disable Find My, I'm prompted for my Apple ID password, not my passcode. Same if I try to log out of iCloud, this requires me to disable Find My as a part of the process, prompting me to verify with my password, not my passcode.

All of this is common sense. You can't expect a 4-digit passcode to be all that secure. If you feel paranoid, use an alphanumeric passcode, aka password, instead.
 
So, don't use a simple password, don't get your device stolen, and don't leave it behind for someone to grab.

If you do, go to Find My on another device and quickly mark it as lost, and/or remotely erase it. Same goes for your wallet and credit cards, although you can't mark them as stolen or erase them.
 
So this even works with security-key-enabled accounts? Sometimes one has to use the passphrase, like if a phone, etc. has recently been charged/rebooted.
 
It’s a learning curve and a hassle, but after the first WSJ article, I created a separate Apple ID for my iPhone that leaves the house. Nothing from my primary ID (which now includes my Apple Savings account) is on or connected to my phone, and it’s going to stay like that for the foreseeable future.
 
In Brazil thieves don't even need the passcode to invade the iPhone. They have realized that Apple defaults the Apple ID recovery contact to the number of the SIM card, so it's just a matter of putting the SIM in another phone, entering the wrong password on the iPhone a few times, then triggering a password reset. The other phone will receive the SMS with the recovery link and they can change your Apple ID password and have access to all your data.
 
In Brazil thieves don't even need the passcode to invade the iPhone. They have realized that Apple defaults the Apple ID recovery contact to the number of the SIM card, so it's just a matter of putting the SIM in another phone, entering the wrong password on the iPhone a few times, then triggering a password reset. The other phone will receive the SMS with the recovery link and they can change your Apple ID password and have access to all your data.
Don’t they have to unlock the other device to get the code?
 
All one has to do is turn on Screen Time > Content & Privacy Restrictions > Passcode Changes > Don't Allow. Be sure to use a different passcode for Screen Time.

It's also a good idea to disable "Account changes". It blocks access to all iCloud settings. It's hardly ever used by the owner (it requires enabling in Screen Time settings if access is needed), and a thief definitely shouldn't have access to this critical part of Settings.
 
So we're gonna have our 989 post conversation all over again? https://forums.macrumors.com/thread...teal-your-entire-digital-life.2381922/page-40

The point is the passcode to unlock an iPhone can also be used to access or recover anything that asks for your Apple ID password...if you forget or pretend to forget your Apple ID password. Try it. It's all covered in the other conversation thread.

The screentime passcode can be circumvented easily. https://forums.macrumors.com/thread...e.2381922/page-38?post=32028392#post-32028392
 
Just use Face ID or Touch ID and you should be fine. At times like this, I wish Apple had introduced an In-Display Fingerprint Scanner. The technology is obviously there.
Not in my experience. I don’t use either daily, but I have to rescan my fingerprint(s) on the S22 Ultra and Pixel 7 Pro frequently. My daily phone is the Flip 4 and the side-key fingerprint scanner is 100%.

I do have an iPhone and FaceId is outstanding. I’m just surprised that there are still enough iPhone users relying on passcodes instead of Touch or Face ID to make this a worthwhile approach for thieves.
 
Is this even the case anymore? When I try to disable Find My, I'm prompted for my Apple ID password, not my passcode. Same if I try to log out of iCloud, this requires me to disable Find My as a part of the process, prompting me to verify with my password, not my passcode.

All of this is common sense. You can't expect a 4-digit passcode to be all that secure. If you feel paranoid, use an alphanumeric passcode, aka password, instead.
The problem is once they have access to your phone you can change to a new Apple ID password without knowing the old one. (I found that hard to believe but try it yourself). All you have to do is enter the iPhone’s passcode to change the Apple account password. And then anything is possible.
 
The problem is once they have access to your phone you can change to a new Apple ID password without knowing the old one. (I found that hard to believe but try it yourself). All you have to do is enter the iPhone’s passcode to change the Apple account password. And then anything is possible.
Because people who.... ya know, forget their password complained about needing an easier way to change their **** because no one could remember the 2-step recovery key........ literally no one would remember their ****, or they'd forget where they put it, or deny they had to verify it, and it's endless.


But for reals. I want people to think a bit more. For this attack to work they need to know their passcode, and in a significant number of cases it's found that someone associated with them took the phone as well. Not all your friends are friends. The reality is there IS NO ISSUE.

We all have known for YEARS to not expose or give up your PASSWORD or passcode to anything.

Or are people forgetting and making story lines out of it because no one knows computers and tech anymore?
 
Just use Face ID or Touch ID and you should be fine. At times like this, I wish Apple had introduced an In-Display Fingerprint Scanner. The technology is obviously there.


The problem is how much the devices with Face ID and Touch ID still rely on you inputting your passcode in everyday use. “Just use FaceID” can’t be the answer when Apple themselves don’t let you just use FaceID.

Countless times have I been ready to pay for something, double tap the side button to pull up my card and tap to pay, when I’m suddenly prompted to put in my entire password just to use Apple Pay. Instead of FaceID which is like, what the iPhone is supposed to use? Isn’t this the entire reason why the iPhone has FaceID in the first place?


It’s honestly a stupid system if the iPhone is only going to rely on FaceID sometimes and force you to input the password other times.


Not only does this hold up the line wherever I am, now everyone behind me can clearly see me type in my entire password. Awesome.


Add to that all the times that FaceID actually does attempt to activate but fails anyway and you still have to put in your password, and it’s a system that ultimately can’t be relied on for security OR convenience.
 