Apple Responds to Report About Thieves Permanently Locking Out iPhone Users

[Apple_Robert]

whatever happened to security questions for recovery. questions like - your first pets name?
i'm partially joking

Once you turn on 2FA, security questions no longer come into play, as far as I have observed.

 

[bigboy29]

The problem is once they have access to your phone you can change to a new Apple ID password without knowing the old one. (I found that hard to believe but try it yourself). All you have to do is enter the iPhone’s passcode to change the Apple account password. And then anything is possible.

Set Screen Time restrictions to your own device. Disallow password and account changes and use a different PIN for that.

 

[corinthos]

OR they cab just hold your iPhone to your face and then runaway with it.

 

[compwiz1202]

Like others have stated, FaceID usually works, but (as during iPhone X's FaceID demo...) occasionally iPhone requires you to type your passcode (at the worst moments of course.. ask Murphy), and if a thief is sitting behind you (and you do not know that) and sees what you type, the steels the iPhone etc. etc.

What bothers me is that FaceID is "just an easy, alternate way" to type the passcode. The passcode is the security, FaceID only makes it easy to use. Real FaceID as security would require FaceID. It does not do that now.

And sometimes they use cameras which defeats the longer code solution.

 

[Apple_Robert]

Set Screen Time restrictions to your own device. Disallow password and account changes and use a different PIN for that.

Apple should offer 6 digit and alpha-numeric with Screen Time.

 

[TheRealNick]

In Brazil thieves don't even need the passcode to invade the iPhone. They have realized that Apple defaults the Apple ID recovery contact to the number of the SIM card, then it's just a matter of putting the SIM in other phone, enter a few times the wrong password on the iPhone, then trigger a password reset. The other phone will receive the SMS with recovery link and they can change your Apple ID password and have access to all your data.

The Apple ID is literally the first thing that appears under settings, right at the top.

The point of the comment you replied to is that the thief can reset the password to that Apple ID with the phone passcode alone.

The thief does not need to know the Apple ID beforehand because it is pre-entered right in the settings app.

But the original comment said they don’t need the passcode. How is the Apple ID seen without the phone passcode in the first place? It’s under settings but they can’t get to settings without the phone passcode. Sure you can put the SIM in another phone but if you don’t know the passcode for the phone or the Apple ID that’s on the phone how can you get a password reset?

 

[vertsix]

This could be rapidly fixed if Apple prevents changes to Apple ID or password reset from the passcode. Grandmas rely on this feature as they may consistently forget their password and security questions, so it is convenient for reset, but this shouldn't be a thing for everyone.

 

[Matsamoto]

The problem is how much the devices with Face ID and Touch ID still rely on you inputting your passcode in everyday use. “Just use FaceID” can’t be the answer when apple themselves doesn’t let you just use FaceID

Countless times have I been ready to pay for something, double tap the side button to pull up my card and tap to pay, when I’m suddenly prompted to put in my entire password just to use Apple Pay. Instead of FaceID which is like, what the iPhone is supposed to use? Isn’t this the entire reason why the iPhone has FaceID in the first place?


It’s honestly a stupid system if the iPhone is only going to rely on FaceID sometimes and force you to input the password other times.


Not only does this hold up the line wherever I am, now everyone behind me can clearly see me type in my entire password. Awesome.


Add to that all the times that FaceID actually does attempt to activate but fails anyway and you still have to put in your password, and it’s a system that ultimately can’t be relied on for security OR convenience.

This!
The number of times i have to enter my pin/password instead of Face-id is hilarious.
Actually I don’t think Apple believes in their own Face-id.
When I downloading something on Appstore I have to enter my iCloud password and/or double tap the side button🤪🤣

And also the countless number when the face-id can’t recognize my face and then I have to put in my pin. Happens several times a day. No sunglasses, glasses or extra facial hair. Just my old face😁

 

[bigboy29]

This!
The number of times i have to enter my pin/password instead of Face-id is hilarious.
Actually I don’t think Apple believes in their own Face-id.
When I downloading something on Appstore I have to enter my iCloud password and/or double tap the side button🤪🤣

And also the countless number when the face-id can’t recognize my face and then I have to put in my pin. Happens several times a day. No sunglasses, glasses or extra facial hair. Just my old face😁

Those are two different issues, I think.

Apple ID password might be a requirement for purchases in the app store. It is a setting. If this is enabled, then yes, you'll need to enter the Apple ID password.

But I have to say that I cannot even remember when Face ID failed for me and took me to the PIN, except when I'm wearing my motorcycle helmet (in which case, this is expected). Did you try re-training Face ID or setting alternative appearance?

 

[emulajavi]

A simple feature they could add is the option to enable/disable this:

Ask for passcode when turning on Airplane Mode

 

[GraXXoR]

And the irony is that my wife forgot her password and locked herself out of her dot.Mac address and subsequently her iPad mini and iPhone 4s back in 2017 and the devices have been sitting, uselessly on the shelf for five years. Apple refuse to unlock them even if she provides a passport and current proof of address... For some reason, they will only accept a receipt from the shop where they were purchased... But we can't find the receipts.

Their sage advice re the iPad mini was, "it's an old device. New ones have a Retina display."

 

[Matsamoto]

Those are two different issues, I think.

Apple ID password might be a requirement for purchases in the app store. It is a setting. If this is enabled, then yes, you'll need to enter the Apple ID password.

But I have to say that I cannot even remember when Face ID failed for me and took me to the PIN, except when I'm wearing my motorcycle helmet (in which case, this is expected). Did you try re-training Face ID or setting alternative appearance?

I have this setting on that my face-id wouldn’t ask for my pin, but it doesn’t work so well.
I have not set alternative appearance or re-trained the face-id.
Maybe I have to to it🙂

 

[Godspeed8230]

Why isn't there a 2FA method within the Apple ecosystem or is there?

 

[pugxiwawa]

It’s total BS after 2+ months Apple still hasn’t added extra security check requiring AppleID password before allowing it to be reset. SERIOUSLY what’s going on? Totally unacceptable!

 

[BaldiMac]

I don't think thieves are the biggest concern here. If this loophole isn't dealt with, we're going to see some pissed off partners using it to screw over their significant others.

 

[supergt]

Apple when this keeps happening over and over again while not taking any meaningful action:

"We send our thoughts and prayers."

 

[bobcomer]

So basically, sympathies but we aren't going to do anything to stop this scenario from happening. (getting locked out of your icloud account forever and losing whatever you had stored there.)

You also lose all that media you purchased from Apple through iTunes and the TV app. And there's no legal way for you to play that content again, if if you did have it backed up. (I've purchased a LOT!!) I'd probably sue Apple if this scenario happens to me just to get the media back.

I am totally not happy. At least with Android they can't lock me out of my stuff forever, but that doesn't help with my already purchased stuff.

 

[bobcomer]

Is this even the case anymore? When I try to disable Find My, I'm prompted for my Apple ID password, not my passcode. Same if I try to log out of iCloud, this requires me to disable Find My as a part of the process prompting me t verify with my password, not my passcode.

All of this is common sense. You can't expect a 4-digit passcode to be all that secure. If you feel paranoid, use an alphanumeric passcode, aka password, instead.

You can reset your apple id password with a trusted device and its passcode. (you iPhone for instance) Having a complex password doesn't do squat if they see you key it in. You can't account for all eyes and cameras in the room...

 

[pugxiwawa]

Why isn't there a 2FA method within the Apple ecosystem or is there?

It’s a bug/loop hole Apple refused to address. You can have 2FA on and it will work for login, but for some inexcusable reason no additional check is required to reset iCloud password. Apple is totally botching this.

 

[bobcomer]

Just use Face ID or Touch ID and you should be fine. At times like this, I wish Apple had introduced an In-Display Fingerprint Scanner. The technology is obviously there.

Unfortunately my iPhone decides it needs the passcode itself about once a week, even though I use FaceID.

I would like Touch ID back as well, it worked better for me, but if it still asks for the passcode once a week, it's still a fail!

 

[dk001]

Latest from the WSJ.

 

[bobcomer]

You actually can remotely remove all cards from all devices. You can also contact the bank directly and have them turn off the card.

Only if you have control of your iCloud account.

 

[bobcomer]

Don’t the thieves need to know the Apple ID though? If so how do they get the Apple ID just by stealing the phone?

If you have the passcode, just go into settings and see what the Apple ID is..

 

[CharlesShaw]

Sure, you can be hyper aware of everything around you at all times, but no human is capable of a constant state of alarm--not even you.

Exactly. It’s when you’re standing on the [subway] train near the door, getting upset about a comment to your post on MacRumors and you stop paying attention.

 

[andresebr]

"OMG!!!!! I left my keys on at the bar when I was drunk! I'm gonna sue Schlage for making it so easy for the guy who took 'em to break into my house!"

Do stupid things, win stupid prizes. Sorry folks, it may sound harsh but don't do stupid things!

Wow… it seems like some of you have everything figured out and won’t ever be in a situation where you get your phone stolen when it is already unlocked. Or even worse, being robbed at gunpoint by someone that also wants you to give out your phone’s passcode.

Get out of your bubble man! This is a real problem no matter how rare it is (not so rare in developing countries), and Apple needs to work on a way to make things difficult for someone that takes control of your device. No one should ever be able to change your account password or recovery key with just your phone’s unlock code. It’s as simple as that.

Btw, that “losing your keys because you were drunk” comparison is a terrible one, if that ever happens, you can always change the locks. Not in this case. That’s the whole point of the article.