Apple Responds to Report About Thieves Permanently Locking Out iPhone Users

[bobcomer]

Not going to stop it. Just like you're not going to stop aircraft from falling out of the sky. And yet travel by plane is considered safe. Same with the iPhone take proper precautions and there is less of a probability of being socially phished.

You must misunderstand my argument.

Yeah, you're not going to stop the thefts totally, no argument from me there. We can stop Apple locking you out of your property, and it is *our* property and it's inexcusable that Apple wont let us recover it. Like I said before I'd sue Apple over it if I ever get in that situation and I bet I'd win.

 

[I7guy]

You must misunderstand my argument.

Yeah, you're not going to stop the thefts totally, no argument from me there. We can stop Apple locking you out of your property, and it is *our* property and it's inexcusable that Apple wont let us recover it. Like I said before I'd sue Apple over it if I ever get in that situation and I bet I'd win.

Well about the lawsuit. You could try to win. The FaceTime bug lawsuit also thought the plaintiffs would win, but they didn’t. Apple could argue it’s your job to keep the password safe. Anyway who knows about such things. We’ll have to wait and see.

 

[bobcomer]

Well about the lawsuit. You could try to win. The FaceTime bug lawsuit also thought the plaintiffs would win, but they didn’t. Apple could argue it’s your job to keep the password safe. Anyway who knows about such things. We’ll have to wait and see.

Mine would be about property, that's not even close to the facetime suit. Hopefully it never happens to anyone again, but Apple's going to have to make that so and that's all I'm asking for. The phone that gets stolen itself is a minor part of the equation for me anyway. It's all your devices and your IP.

 

[mikeenglish]

Mine would be about property, that's not even close to the facetime suit. Hopefully it never happens to anyone again, but Apple's going to have to make that so and that's all I'm asking for. The phone that gets stolen itself is a minor part of the equation for me anyway. It's all your devices and your IP.

You know you wouldn’t sue! All talk.

I think if you’re that confident go and do it and be the saviour for every iPhone user!

 

[bobcomer]

You know you wouldn’t sue! All talk.

You bet I would, it would cost me thousands to replace what I have in my icloud account.

I think if you’re that confident go and do it and be the saviour for every iPhone user!

Nope, I'm just talking about me in the suit and recovering my property, not a class action. As for apple doing something, what helps me helps everyone else and vice versa.

 

[I7guy]

Mine would be about property, that's not even close to the facetime suit. Hopefully it never happens to anyone again, but Apple's going to have to make that so and that's all I'm asking for. The phone that gets stolen itself is a minor part of the equation for me anyway. It's all your devices and your IP.

It probably will happen to someone. Especially if it’s an assault and that would negate all potential future protections.

However whether you can win a lawsuit should you decide to sue is anybody’s guess. But you can try.

 

[JTK Awesome]

iPhone users should use Face ID or Touch ID as much as possible when in public to prevent thieves from spying on their passcode.

Except TouchID inevitably fails within hours of recording a fingerprint, leading to the passcode screen.

FaceID all the things. TouchID is old tech and bad news.

 

[BlueSkyMike1]

i'm not going to do this because it's a royal pain to change my apple ID password as it affects so many things, but if you have two factor authentication enabled, won't your attempt to change the Apple ID password result in a verification request on another device?

 

[I7guy]

i'm not going to do this because it's a royal pain to change my apple ID password as it affects so many things, but if you have two factor authentication enabled, won't your attempt to change the Apple ID password result in a verification request on another device?

I don’t know if you can direct 2fa to a device other than your iPhone. But if that is the case I would assume the password change wouldn’t go through.

 

[chrfr]

i'm not going to do this because it's a royal pain to change my apple ID password as it affects so many things, but if you have two factor authentication enabled, won't your attempt to change the Apple ID password result in a verification request on another device?

Unfortunately the 2FA prompt will also go to the phone. It’s a deeply flawed system.

 

[Morac]

i'm not going to do this because it's a royal pain to change my apple ID password as it affects so many things, but if you have two factor authentication enabled, won't your attempt to change the Apple ID password result in a verification request on another device?

Since your phone is a trusted device, it won’t even get a 2FA verification request. The only way to prevent your phone from doing anything with your account is to remove it from another trusted device.

On a related note, you should set an alternate Face ID appearance. If you don’t then the thief could set their face as an alternate appearance and then have access to all your apps protected by Face ID.

 

[I7guy]

Since your phone is a trusted device, it won’t even get a 2FA verification request. The only way to prevent your phone from doing anything with your account is to remove it from another trusted device.

On a related note, you should set an alternate Face ID appearance. If you don’t then the thief could set their face as an alternate appearance and then have access to all your apps protected by Face ID.

All of my financial apps require the sites’ password to be reentered when Face ID is changed. Example Amex.

 

[Pleonasm]

I set it up (with skip option) and was able to remove Screen Time passcode using iCloud account…

I'm writing to follow-up on the possibility of disabling the Screen Time passcode, when Screen Time Passcode Recovery has been skipped during its setup. Under this condition, I fail to see how a thief can reset/remove the Screen Time passcode, even if the Apple ID + password and/or the iPhone passcode is known. Am I mistaken? Has anyone been able to successfully reset/remove the Screen Time passcode (with passcode recovery disabled) - and, if so, how?

Assuming that circumventing the Screen Time passcode is not possible, the following approach may worthwhile to consider.

1. Setup a recovery contact (Settings | [name] | Password & Security | Account Recovery)
2. Setup a Screen Time passcode (with passcode recovery disabled; Settings | Screen Time)
3. Secure access to Account Changes with the Screen Time passcode (Settings | Screen Time | Content & Privacy Restrictions | Account Changes = Don't Allow)

Although a thief with your iPhone and passcode could reset your Apple ID, it would still be possible for the owner of the iPhone to recover the Apple account using the recovery contact. Why? Because the thief is prevented from removing the recovery contact, which is protected by the Screen Time passcode and which cannot be reset/removed using the Apple ID password.

Ultimately, the goal is not to prevent a thief from resetting a user's Apple ID - rather, the goal is to prevent a thief from permanently locking out a user from their own Apple account. I encourage the community to critically examine the above (hopefully helpful) approach and to determine if flaws exist.

 

[sk1ski1]

I'm writing to follow-up on the possibility of disabling the Screen Time passcode, when Screen Time Passcode Recovery has been skipped during its setup. Under this condition, I fail to see how a thief can reset/remove the Screen Time passcode, even if the Apple ID + password and/or the iPhone passcode is known. Am I mistaken? Has anyone been able to successfully reset/remove the Screen Time passcode (with passcode recovery disabled) - and, if so, how?

Assuming that circumventing the Screen Time passcode is not possible, the following approach may worthwhile to consider.

1. Setup a recovery contact (Settings | [name] | Password & Security | Account Recovery)
2. Setup a Screen Time passcode (with passcode recovery disabled; Settings | Screen Time)
3. Secure access to Account Changes with the Screen Time passcode (Settings | Screen Time | Content & Privacy Restrictions | Account Changes = Don't Allow)

Although a thief with your iPhone and passcode could reset your Apple ID, it would still be possible for the owner of the iPhone to recover the Apple account using the recovery contact. Why? Because the thief is prevented from removing the recovery contact, which is protected by the Screen Time passcode and which cannot be reset/removed using the Apple ID password.

Ultimately, the goal is not to prevent a thief from resetting a user's Apple ID - rather, the goal is to prevent a thief from permanently locking out a user from their own Apple account. I encourage the community to critically examine the above (hopefully helpful) approach and to determine if flaws exist.

As has been previously discussed many times in the thread and others, Screen Time has the same flaw that can be easily bypassed and reset by only using the phone's passcode.

 

[_Spinn_]

I didn’t know about the screen time passcode.

 

[Pleonasm]

As has been previously discussed many times in the thread and others, Screen Time has the same flaw that can be easily bypassed and reset by only using the phone's passcode.

Thank you, @sk1ski1. Can you please elaborate on how the Screen Time passcode - with Screen Time Passcode Recovery disabled - can be "reset by only using the phone's passcode"?

I understand how the Apple ID can be reset using the iPhone together with its passcode, and in turn how the Screen Time passcode can be reset with the Apple ID. However, I am unclear on how the Screen Time passcode can be reset when Screen Time Passcode Recovery is disabled. Can you please share a link to an article or video that documents and demonstrates the process?

P.S.: I am not saying that you are incorrect. I am simply asking for additional information and guidance.

 

[chrfr]

I'm writing to follow-up on the possibility of disabling the Screen Time passcode, when Screen Time Passcode Recovery has been skipped during its setup. Under this condition, I fail to see how a thief can reset/remove the Screen Time passcode, even if the Apple ID + password and/or the iPhone passcode is known. Am I mistaken? Has anyone been able to successfully reset/remove the Screen Time passcode (with passcode recovery disabled) - and, if so, how?

Assuming that circumventing the Screen Time passcode is not possible, the following approach may worthwhile to consider.

1. Setup a recovery contact (Settings | [name] | Password & Security | Account Recovery)
2. Setup a Screen Time passcode (with passcode recovery disabled; Settings | Screen Time)
3. Secure access to Account Changes with the Screen Time passcode (Settings | Screen Time | Content & Privacy Restrictions | Account Changes = Don't Allow)

Although a thief with your iPhone and passcode could reset your Apple ID, it would still be possible for the owner of the iPhone to recover the Apple account using the recovery contact. Why? Because the thief is prevented from removing the recovery contact, which is protected by the Screen Time passcode and which cannot be reset/removed using the Apple ID password.

Ultimately, the goal is not to prevent a thief from resetting a user's Apple ID - rather, the goal is to prevent a thief from permanently locking out a user from their own Apple account. I encourage the community to critically examine the above (hopefully helpful) approach and to determine if flaws exist.

All of this can be bypassed using the Emergency Reset features. You can remove recovery contacts and reset the Apple ID password from there with only the iPhone's passcode.

 

[Pleonasm]

All of this can be bypassed using the Emergency Reset features. You can remove recovery contacts and reset the Apple ID password from there with only the iPhone's passcode.

Circumventing a Screen Time passcode by performing an Emergency Reset (Settings | Privacy & Security | Safety Check) is an intriguing idea. But, if this worked, wouldn’t a child use it to easily bypass the Screen Time restrictions placed on an iPhone by their parents? I have not seen reports that such is the case, which causes me to question the concept.

The Apple documentation only says “If your iPhone has Screen Time restrictions turned on or has a mobile device management (MDM) profile installed, you can still use Safety Check, but some functionality may not be available.” I do not see any indication in the documentation that Safety Check (Emergency Reset) disables the Screen Time passcode. In addition, although emergency contacts can be updated, there is no mention that recovery contacts can be changed by using Emergency Reset.

Yet, I recognize could certainly be mistaken, and look forward to hearing more about this possibility from the community….

 

[dk001]

All of my financial apps require the sites’ password to be reentered when Face ID is changed. Example Amex.

Hopefully you aren't using keychain or have removed your passwords from the Password setting.

 

[I7guy]

Hopefully you aren't using keychain or have removed your passwords from the Password setting.

Not worried about being password phished and my phone is locked down should it be ripped from my hands while unlocked.

The thing that annoys me is that google apps don’t support the option of Face ID.

 

[Michael Scrip]

The thing that annoys me is that Google apps don’t support the option of Face ID.

Google Authenticator does...

 

[I7guy]

Google Authenticator does...

Lol. Okay…I stand corrected. All google apps.

 

[fredrik9]

The majority of advice you quoted is easily in the user’s hand. Taking care of your stuff and having better password security are easily achievable. Crime will always happen and I don’t think that anyone expects that to change soon.

Sure but my point was that if someone points a gun at you and shoots you dead, I don’t think you, the victim, should be blamed for it.

 

[I7guy]

Sure but my point was that if someone points a gun at you and shoots you dead, I don’t think you, the victim, should be blamed for it.

Think the point is the crime in this world is inevitable, but you can take steps to keep yourself out of dangerous situations and along the thread topic to protect your phone password. Nothing is guaranteed in this life however one does have a say to how it goes.

 

[addamas]

As has been previously discussed many times in the thread and others, Screen Time has the same flaw that can be easily bypassed and reset by only using the phone's passcode.

Few cents from me… as I have sent to Apple 2 ways to reset iCloud using data found on “stolen” iPhone and its passcode they answered in PR words which can be translated to human as: “we don’t give a f, Screen Time is made for other purposes than protecting security but we still are focused on privacy and security”.

Huge facepalm 🤦‍♂️