Apple Responds to Report About Thieves Permanently Locking Out iPhone Users

[bunty]

Not in my experience, i don’t use either daily, but I have to rescan my fingerprint(s) on the S22 Ultra and Pixel 7 Pro frequently. My daily phone is the Flip 4 and the side key finger print scanner is 100%.

To me patterns are just numerical codes without visible numbers. I see 1,4,7,8,9 which easy to remember or jot down. Just quickly drawing it with an arrow is even easier.

 

[Mr. Heckles]

"OMG!!!!! I left my keys on at the bar when I was drunk! I'm gonna sue Schlage for making it so easy for the guy who took 'em to break into my house!"

Do stupid things, win stupid prizes. Sorry folks, it may sound harsh but don't do stupid things!

Accidents happen. There was one case where the phone was taken from a persons hands.

 

[gank41]

Same goes for your wallet and credit cards, although you can't mark them as stolen or erase them

You actually can remotely remove all cards from all devices. You can also contact the bank directly and have them turn off the card.

 

[JCCL]

"OMG!!!!! I left my keys on at the bar when I was drunk! I'm gonna sue Schlage for making it so easy for the guy who took 'em to break into my house!"

Do stupid things, win stupid prizes. Sorry folks, it may sound harsh but don't do stupid things!

What if someone points a gun at you and asks for both your iPhone and iPhone passcode, would that classify as a stupid thing as well that the user is the guilty one?

The problem is that they can change Apple ID without even knowing the Apple ID's password.

 

[TheRealNick]

In Brazil thieves don't even need the passcode to invade the iPhone. They have realized that Apple defaults the Apple ID recovery contact to the number of the SIM card, then it's just a matter of putting the SIM in other phone, enter a few times the wrong password on the iPhone, then trigger a password reset. The other phone will receive the SMS with recovery link and they can change your Apple ID password and have access to all your data.

Don’t the thieves need to know the Apple ID though? If so how do they get the Apple ID just by stealing the phone?

 

[bunty]

"OMG!!!!! I left my keys on at the bar when I was drunk! I'm gonna sue Schlage for making it so easy for the guy who took 'em to break into my house!"

Do stupid things, win stupid prizes. Sorry folks, it may sound harsh but don't do stupid things!

This is a pretty good reply to the house keys analogy:

https://forums.macrumors.com/threads/apple-responds-to-report-about-thieves-spying-on-iphone-passcodes-to-steal-your-entire-digital-life.2381922/page-40?post=32106951#post-32106951

 

[gank41]

What if someone points a gun at you and asks for both your iPhone and iPhone passcode, would that classify as a stupid thing as well that the user is the guilty one?

The problem is that they can change Apple ID without even knowing the Apple ID's password.

If someone's holding a gun to your head, asking for your iPhone, Apple ID, Passcode & Password, I'm sorry but you've got more important things to worry about. Like living.

 

[laptech]

A company can give out as many security advice notices as they want, it will still not make any difference because people just will not learn even when faced being told nicely how to protect themselves. For years now there has been constant and persistent advice about email scams/phishing scams, tech support phone scams, banking scams, dating scams and yes thousands upon thousands of people still fall for the scams. There have been many security advisors for server admins to update the software on their servers to prevent hacks and yet they still do not update the servers.

I've been there done it kind of thing with family members who have been caught out by email and mobile phone scams. I've sat in the room when an advert comes on the television advising and information viewers about email and mobile phone scams and what to do to protect yourself. The a few weeks later family members ring me asking for help. I say to them 'you saw the TV advert, did you do what it advised?', their reply was 'I forgot'. This is why hackers and scammers are able to do what they do because there is far to many 'I forgot' people in this world.

 

[nylonsteel]

whatever happened to security questions for recovery. questions like - your first pets name?
i'm partially joking

 

[elvisimprsntr]

It’s called OPSEC people.

Pay attention to your surroundings. Sadly, it’s an unsafe world out there.

 

[compwiz1202]

Accidents happen. There was one case where the phone was taken from a persons hands.

Or at weaponpoint. I hope people won't die for their iPhone.

 

[MacsRgr8]

Like others have stated, FaceID usually works, but (as during iPhone X's FaceID demo...) occasionally iPhone requires you to type your passcode (at the worst moments of course.. ask Murphy), and if a thief is sitting behind you (and you do not know that) and sees what you type, the steels the iPhone etc. etc.

What bothers me is that FaceID is "just an easy, alternate way" to type the passcode. The passcode is the security, FaceID only makes it easy to use. Real FaceID as security would require FaceID. It does not do that now.

 

[PinkyMacGodess]

This would be less of an issue if iOS didn't randomly fail to FaceID and ask for a passcode, often at the least convenient time.

I wish Apple would get this resolved.

But, for me, it seems that it is more accurate if I look down slightly when trying to use FaceID.

 

[antiprotest]

In Brazil thieves don't even need the passcode to invade the iPhone. They have realized that Apple defaults the Apple ID recovery contact to the number of the SIM card, then it's just a matter of putting the SIM in other phone, enter a few times the wrong password on the iPhone, then trigger a password reset. The other phone will receive the SMS with recovery link and they can change your Apple ID password and have access to all your data.

How do they do that with eSIM on newer iPhones?

 

[compwiz1202]

To me patterns are just numerical codes without visible numbers. I see 1,4,7,8,9 which easy to remember or jot down. Just quickly drawing it with an arrow is even easier.

Yes this is why my PINS are an easy pattern to type and don't have anything to do with me.

 

[MacsRgr8]

Or at weaponpoint. I hope people won't die for their iPhone.

Well.. the iPhone including the passcode.... you're giving up a lot more... still not worth dying for, but it's not "just the device".

 

[PinkyMacGodess]

Like the old saying: (Paraphrased) Fences don't just keep things in, they keep things out. I thought this was referring to the parents whose kids have locked them out of their iPhones/iPads by over and over missing the passcode...

 

[erikkfi]

"blah blah blah, we remain committed to... highest standards of... love our users," said Apple, even though the company provides no support whatsoever for password- or account lockout-related issues. If this happens to you, you're 100% up a creek.

 

[Mr. Heckles]

Apple should make it whoever is using a physical security key, no account changes can be made unless you use the key.

 

[antiprotest]

Don’t the thieves need to know the Apple ID though? If so how do they get the Apple ID just by stealing the phone?

The Apple ID is literally the first thing that appears under settings, right at the top.

The point of the comment you replied to is that the thief can reset the password to that Apple ID with the phone passcode alone.

The thief does not need to know the Apple ID beforehand because it is pre-entered right in the settings app.

 

[GMShadow]

I wonder who's been encouraging these stories at WSJ. Definitely been a hitpiece feel to Stern's recent columns.

 

[barkomatic]

It’s called OPSEC people.

Pay attention to your surroundings. Sadly, it’s an unsafe world out there.

Sure, you can be hyper aware of everything around you at all times, but no human is capable of a constant state of alarm--not even you.

 

[kirbyrun]

With knowledge of the iPhone's passcode, a thief can easily reset the victim's Apple ID password in the Settings app,

Just seems like a lot of people are missing this part in particular.

 

[00sjsl]

Sounds like the answer is not to rely on any single cloud service, or at least use something like drop box for anything important.

 

[bigboy29]

Just use Face ID or Touch ID and you should be fine. At times like this, I wish Apple had introduced an In-Display Fingerprint Scanner. The technology is obviously there.

So... I agree with this but it should go a step further. Imagine a scenario when a phone is snatched out of your hands when you are taking photos on a busy street, with screen unlocked. What happens? Not enough people (IMO) consider this scenario and things like:

1. Force Face ID / Touch ID for sensitive apps like banking and payments and/or shopping
2. Force Face ID for email clients (wish Mail supported this, but Outlook does)
3. Use Screen Time restrictions to put password and account changes behind a different Screen Time passcode / PIN, so changes to your iCloud account are not possible
4. Force Force ID / Touch ID when passwords are filled in in browsers; if browsers do not support this - do not sync / save passwords to such browsers

Unfortunately, Face ID fails back to screen lock PIN. Exposure of the PIN is therefore pretty catastrophic. Use of Screen Time restrictions can help mitigate some of the issues. I wish Apple had a feature where when Apple Watch is taken out of the range of the phone it is paired with, the phone locks the screen no matter what. (Yes I requested this feature).