Is this even the case anymore? When I try to disable Find My, I'm prompted for my Apple ID password, not my passcode. Same if I try to log out of iCloud; this requires me to disable Find My as a part of the process, prompting me to verify with my password, not my passcode.

All of this is common sense. You can't expect a 4-digit passcode to be all that secure. If you feel paranoid, use an alphanumeric passcode, aka password, instead.
But you aren’t sensationalized press with an agenda like Joanna Stern.

Does this deflect away from the Dominion settlement, by the also-owner Murdoch?
Or did she remove the “LGBTQ” part from the first series of articles, since she has an agenda and doesn’t want to taint certain people?

There are billions of iPhone users. And five morons are trying to claim the whole system is broken.

IMHO I get alerted all the time and often have to enter my Apple ID password, corporate password, or eight digit passcode.
 
Did everyone miss the part about having a RECOVERY CONTACT?
which my entire family does?

Just like the thief can easily reset your recovery key, the thief can also easily remove all the recovery contacts for your Apple ID.
 
Just like the thief can easily reset your recovery key, the thief can also easily remove all the recovery contacts for your Apple ID.
Has anyone here stepped through this - pretended to steal their own phone - and shot a video (screen recording)?
 
Has anyone here stepped through this - pretended to steal their own phone - and shot a video (screen recording)?

Yes, the iPhone passcode is all that is needed to reset the Apple ID password and take control of it. The thief only needs the iPhone passcode to reset the Apple ID recovery key, remove any Yubikey security keys, and remove recovery contacts. The thief has full control of your Apple ID and your iCloud account and can permanently lock you out of it.
 
Has anyone here stepped through this - pretended to steal their own phone - and shot a video (screen recording)?
Several of us have changed our passwords using just the passcode on our trusted device (This can be done from iPhone, iPad, Watch, etc.), and since they don’t dare make Recovery Keys and Recovery Contacts irrevocable, it’s simple enough to remove those (and is documented in Apple’s support, along with information about other recovery methods).
 
[…]

There are billions of iPhone users. And five morons are trying to claim the whole system is broken.

[…]
Joanna Stern is pretty good. I like her blogs. I don’t believe this was sensationalized as much as pointed out.

However, if there are two billion iPhone users out there and two hundred (whatever the number is, and is the number accurate?) have made bad decisions regarding usage of their iPhone, is it really broke? Whatever the outcome of this, I’m sure someone will be disenfranchised by the outcome. The number will never be zero. The harder it becomes (or the more steps) to change your password, the more the legitimate user can get locked out either permanently or for a period of time. Neither is a great Apple type option.

People have to be aware and careful to protect themselves from these types of social phishing schemes.
 
Joanna Stern is pretty good. I like her blogs. I don’t believe this was sensationalized as much as pointed out.

However, if there are two billion iPhone users out there and two hundred (whatever the number is, and is the number accurate?) have made bad decisions regarding usage of their iPhone, is it really broke? Whatever the outcome of this, I’m sure someone will be disenfranchised by the outcome. The number will never be zero. The harder it becomes (or the more steps) to change your password, the more the legitimate user can get locked out either permanently or for a period of time. Neither is a great Apple type option.

People have to be aware and careful to protect themselves from these types of social phishing schemes.

Apple at the very least, should give the security minded customer the option to turn on a higher level of security for the Apple ID. Just like Apple gives the customer an option to turn on 2FA, security Yubikeys, and Apple's new advanced data protection option.
 
Apple at the very least, should give the security minded customer the option to turn on a higher level of security for the Apple ID. Just like Apple gives the customer an option to turn on 2FA, security Yubikeys, and Apple's new advanced data protection option.
The one thing with 2FA is it shouldn't go to the device you are using. You should have to use a different device, so unless somehow they stole two things, they couldn't do anything. And if by some chance you have nothing else, use a number or email not on the device.
 
That's my point! But neither of those protect in this type of attack!
Buuuuut, if the Recovery Key was already set up, it WOULD prevent this from happening. You can’t “begin recovery” without the Passkey or Trusted Account person. If those things AREN’T setup, sure. The nefarious person can then go ahead and set that up and lock the person out. Setup already? They’ve got a brick, unless they actively keep your phone unlocked while keeping it away. A lot of folks also have Family Sharing setup, to where their Family Member could look at Devices and at the very least see where it is or where it was last seen. Again, there’s only soooo much Apple can do in this case if the user isn’t taking advantage of everything.
 
Buuuuut, if the Recovery Key was already set up, it WOULD prevent this from happening. You can’t “begin recovery” without the Passkey or Trusted Account person. If those things AREN’T setup, sure. The nefarious person can then go ahead and set that up and lock the person out. Setup already? They’ve got a brick, unless they actively keep your phone unlocked while keeping it away. A lot of folks also have Family Sharing setup, to where their Family Member could look at Devices and at the very least see where it is or where it was last seen. Again, there’s only soooo much Apple can do in this case if the user isn’t taking advantage of everything.

Wrong. If you have the phone and know its passcode, you can reset the recovery key and produce a new one. Which makes the old recovery key completely useless. And by only knowing the phone's passcode, you can remove everyone from the trusted contacts. Try it yourself, I did already!
 
Apple at the very least, should give the security minded customer the option to turn on a higher level of security for the Apple ID. Just like Apple gives the customer an option to turn on 2FA, security Yubikeys, and Apple's new advanced data protection option.
I’m sure there are things Apple could do to harden this type of situation. However, it would have to be all or nothing. If one forgets or doesn’t have their “second level” of authentication, the phone would be a brick. That would be on the phone owner. Plus, IMO, Apple wouldn’t want to make the process so onerous that it would annoy people.
 
I’m sure there are things Apple could do to harden this type of situation. However, it would have to be all or nothing. If one forgets or doesn’t have their “second level” of authentication, the phone would be a brick. That would be on the phone owner. Plus, IMO, Apple wouldn’t want to make the process so onerous that it would annoy people.

Same holds true if you turn on Apple's new Advanced Data Protection and lose your Yubikey. That's why it's optional, and why it should be optional for improved Apple ID security. Also, it would not be an 'all or nothing' if Apple had a time delay to reset the Apple ID password when you don't remember the old Apple ID password.
 
Joanna Stern is pretty good. I like her blogs. I don’t believe this was sensationalized as much as pointed out.

However, if there are two billion iPhone users out there and two hundred (whatever the number is, and is the number accurate?) have made bad decisions regarding usage of their iPhone, is it really broke? Whatever the outcome of this, I’m sure someone will be disenfranchised by the outcome. The number will never be zero. The harder it becomes (or the more steps) to change your password, the more the legitimate user can get locked out either permanently or for a period of time. Neither is a great Apple type option.

People have to be aware and careful to protect themselves from these types of social phishing schemes.
Yes, it's really broke; there just won't be 200 once more common thieves start doing it.

Make it so I can recover *my icloud account and data* before I'll even start talking about acceptable losses, because that one isn't acceptable.
 
Yes, it's really broke; there just won't be 200 once more common thieves start doing it.

Make it so I can recover *my icloud account and data* before I'll even start talking about acceptable losses, because that one isn't acceptable.
Seems like a theft rate of .00001% is acceptable as in modern society nothing is perfect.
 
Yes, the iPhone passcode is all that is needed to reset the Apple ID password and take control of it. The thief only needs the iPhone passcode to reset the Apple ID recovery key, remove any Yubikey security keys, and remove recovery contacts. The thief has full control of your Apple ID and your iCloud account and can permanently lock you out of it.

Several of us have changed our passwords using just the passcode on our trusted device (This can be done from iPhone, iPad, Watch, etc.), and since they don’t dare make Recovery Keys and Recovery Contacts irrevocable, it’s simple enough to remove those (and is documented in Apple’s support, along with information about other recovery methods).
This is contradictory with another post in the thread. I am a recovery contact for Contact_2, and MY recovery contact is Contact_3 (basically round-robin but not really).

I thought that if some jackazz tries to reset my password, a recovery contact could override this - or would be contacted first. I ALSO thought that it would ping other Apple devices (yes I know it says what it says earlier in the thread).

Maybe the simple change is to block changing Apple ID password without approving from another device.
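The chain that several posters describe (device passcode lets the holder change the Apple ID password, reset the Recovery Key, remove security keys and remove recovery contacts) and the two mitigations proposed in the thread (approval from a second trusted device, or a time delay) can be checked as an attack-graph reachability problem. The block below is an added example written for this page, not code from Apple or from any poster; the transition rules encode the posters' claims as modelling assumptions, not verified iOS behaviour, and the names of the facts and rules are invented for the model.

```python
"""Attack-graph reachability for the Apple ID takeover chain discussed in the thread.

Added example, not Apple's code and not a poster's code. Each rule is an assumption
taken from the thread: (rule name, facts the actor must already hold, facts it grants).
Forward chaining computes everything reachable from a starting set of facts, which is
exactly the question the thread argues about: starting from {phone, passcode}, can a
thief reach full control of the Apple ID?
"""

# Baseline policy as the posters describe it: the unlocked phone alone is enough for
# every account-security change (assumption drawn from posts, not verified iOS behaviour).
BASELINE_RULES = [
    ("unlock_phone", {"phone", "passcode"}, {"unlocked_phone"}),
    ("change_apple_id_password", {"unlocked_phone"}, {"apple_id_password"}),
    ("reset_recovery_key", {"unlocked_phone"}, {"recovery_key"}),
    ("remove_security_keys", {"unlocked_phone"}, {"security_keys_removed"}),
    ("remove_recovery_contacts", {"unlocked_phone"}, {"recovery_contacts_removed"}),
    # Owning the account means holding the password and having neutralised every
    # independent recovery path the legitimate owner could use.
    ("own_account",
     {"apple_id_password", "recovery_key", "security_keys_removed", "recovery_contacts_removed"},
     {"full_account_control"}),
]

# Account-security actions the thread suggests should need more than the passcode.
SENSITIVE_RULES = {
    "change_apple_id_password", "reset_recovery_key",
    "remove_security_keys", "remove_recovery_contacts",
}


def harden(rules, extra_fact):
    """Return a copy of the policy where every sensitive action also requires extra_fact.

    extra_fact models the proposed mitigation: "second_device_approval" for the
    approve-from-another-device idea, or "delay_elapsed" for the time-delay idea
    (a delay the legitimate owner can interrupt while it is running).
    """
    hardened = []
    for name, needs, grants in rules:
        needs = set(needs) | ({extra_fact} if name in SENSITIVE_RULES else set())
        hardened.append((name, needs, set(grants)))
    return hardened


def reachable(rules, initial):
    """Forward-chain the rules to a fixed point.

    Returns (facts, fired): every fact the actor can obtain, and the rules fired in
    the order they first became applicable (a concrete attack path when the goal is reached).
    """
    facts = set(initial)
    fired = []
    changed = True
    while changed:
        changed = False
        for name, needs, grants in rules:
            if name not in fired and needs <= facts:
                facts |= grants
                fired.append(name)
                changed = True
    return facts, fired


def attack_path(rules, initial, goal="full_account_control"):
    """Rules a thief fires to reach goal, or None if goal is unreachable."""
    facts, fired = reachable(rules, initial)
    return fired if goal in facts else None


if __name__ == "__main__":
    thief = {"phone", "passcode"}  # constructed: what the Stern scenario assumes a thief has
    owner = thief | {"second_device_approval"}  # owner also holds a second trusted device

    print("baseline, thief :", attack_path(BASELINE_RULES, thief))
    second_device = harden(BASELINE_RULES, "second_device_approval")
    print("hardened, thief :", attack_path(second_device, thief))
    print("hardened, owner :", attack_path(second_device, owner))
```

Run stand-alone, the first line prints the full chain the posters describe; the second prints None, because under the hardened policy the thief reaches only `unlocked_phone`; the third shows the legitimate owner, who can satisfy the extra requirement, still completes the same chain. Swapping `"second_device_approval"` for `"delay_elapsed"` in `harden` models the time-delay proposal in the same way.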
 
Not for me. Acceptable losses count how much a person loses as well.
Not going to stop it. Just like you're not going to stop aircraft from falling out of the sky. And yet travel by plane is considered safe. Same with the iPhone: take proper precautions and there is less of a probability of being socially phished.
 
Someone needs to sticky this post to the top. I consider myself a pretty savvy iOS user, but never once heard about this. Great tip.
It does not work. Here's what I posted in another thread on the same topic:
Again, setting a Screen Time restriction is no mitigation for Apple ID password resets. The Apple ID password can be reset by going into Settings/Privacy & Security/Safety Check and initiating the Emergency Reset process. This requires having only the phone's passcode.
 
Same holds true if you turn on Apple's new advanced data protection and lose your Yubikey. That why it's optional and why it should be optional for improved Apple ID security. Also, it would not be a 'all or nothing' if Apple had a time delay to reset the Apple ID password if you don't remember the old Apple ID password.

I assume this is also why you must have at least two YubiKeys to set this up. In case one is lost.
 