Apple Responds to Report About Thieves Spying on iPhone Passcodes to 'Steal Your Entire Digital Life'

[MacRumors]

An in-depth report published today by The Wall Street Journal's Joanna Stern and Nicole Nguyen highlights instances of thieves spying on a victim's iPhone passcode before stealing the device in order to gain access to the device, data, and money.

All of the victims interviewed said their iPhones were stolen while they were out socializing at bars and other public places at night. Some victims said the iPhones were grabbed out of their hands by strangers, while others said they were physically assaulted and intimidated. The report provides specific examples of these instances.

With knowledge of the iPhone's passcode, a thief can easily reset the victim's Apple ID password in the Settings app, even if Face ID or Touch ID is enabled. Subsequently, the thief can turn off Find My iPhone on the device, preventing the owner of the device from tracking its location or remotely erasing the device via iCloud. The thief can also remove other trusted Apple devices from the account to further lock out the victim.

The thief can also change an Apple ID's contact information and set up a recovery key in order to prevent a victim from recovering the account.

To make matters worse, knowing an iPhone's passcode allows a thief to use Apple Pay, send Apple Cash, and access banking apps using passwords stored in iCloud Keychain. Even if Face ID or Touch ID is enabled on the iPhone, thieves can simply bypass these authentication methods and an option to input the device's passcode is presented. In some cases, the report claims that thieves even opened an Apple Card by finding the victim's last four digits of their Social Security number in photos stored in apps like Photos or Google Drive.

Access to other passwords stored in iCloud Keychain allows the thief to further wreak havoc, as it could give them access to email accounts and other sensitive information. All in all, the report says thieves can essentially "steal your entire digital life."

Apple Responds

In response to the report, an Apple spokesperson said "security researchers agree that iPhone is the most secure consumer mobile device, and we work tirelessly every day to protect all our users from new and emerging threats."

"We sympathize with users who have had this experience and we take all attacks on our users very seriously, no matter how rare," the spokesperson added. "We will continue to advance the protections to help keep user accounts secure." Apple did not provide any specific details about any next steps it might take to increase security.

In a tweet, Stern recommended that Apple add extra protections to iOS and introduce additional Apple ID account recovery options.

How to Stay Protected

In a tweet, Stern recommended that users switch from a four-digit passcode to an alphanumeric passcode, which would be more difficult for thieves to spy on. This can be done in the Settings app under Face ID & Passcode → Change Passcode.

iPhone users can also use Face ID or Touch ID as much as possible when in public to prevent thieves from spying on their passcode. In situations where entering the passcode is necessary, users can hold their hands over their screen to hide passcode entry.

To protect a bank account, consider storing the password in a password manager that does not involve the device's passcode, such as 1Password.

Article Link: Apple Responds to Report About Thieves Spying on iPhone Passcodes to 'Steal Your Entire Digital Life'

 

[GMShadow]

...what, exactly, was the point of the 'report'?

"If someone steals your house keys, they could get in your house and take your stuff!" - Joanna Stern later today, probably.

 

[dannyyankou]

This is why you should enable Face ID

 

[TheYayAreaLiving 🎗️]

You just have to be careful when using your iPhone outside in public.
Apple needs to consider bringing back Touch-ID. Two Factor Authentication: Touch ID + Face ID simultaneously

 

[brianwells]

It seems that the short 4-digit passcodes are not very secure so maybe best to use alphanumeric and/or long passcodes (12 or more digits) ?

 

[antiprotest]

This is why I disagree with the users on here who keep saying passcode is more secure and stop using Face ID if you don't want people to take your phone and point it at you, etc. Perhaps the passcode is technically more secure, but it is practically way less secure. Face ID is secure especially if you enable "attention required." Always use Face ID. Never enter your passcode in public unless you are sure no one is looking at your screen (and to be extra secure, that no camera overhead is looking down at you).

Apple is not innocent either. Somehow they think it makes the phone more secure to occasionally demand your passcode at the most inconvenient times. This is way less secure. I have been asked for the passcode while in public and I actually waited until I went to a private location before entering it. Ask for it every restart, fair. But if the phone has been on and there are no multiple failed Face ID attempts, DO NOT ask for the passcode.

 

[Zaft]

What a pointless article.really?

 

[JPack]

In other words, don’t be an idiot.

You would have to be drunk beyond recognition for Face ID to not recognize your face and request a PIN. If you’re wearing a mask, just look down to unlock.

Why would anyone be entering their PIN in front of other strangers?

 

[KaliYoni]

This is why removing TouchID was shortsighted on Apple's part. In situations where FaceID doesn't work, for whatever reason, having TouchID as a backup is a lot more secure than having to input your phone's master password in public (and while drunk or high, ha!).

----------
ETA: Now that I'm thinking about it, TouchID was a reason, along with the headphone jack, that I held on to my 6s as long as I could. Apple Wallet is especially annoying to use when using FaceID isn't possible or is inconvenient.

 

[antiprotest]

It seems that the short 4-digit passcodes are not very secure so maybe best to use alphanumeric and/or long passcodes (12 or more digits) ?

Unless you enable Face ID, this is the only way:

 

[bsbeamer]

Seems like there should be an option to add an additional layer of security for Apple Watch users. Without Watch confirmation, nothing should happen unless on "home" WiFi or similar location/GPS restriction.

 

[fwmireault]

People messed with me in the past because I have an unusually long alphanumerical password, but it's exactly for stories like this that I have it. I use FaceID anyway, but good luck guessing my password.

Mobile phones today basically have access to every aspect of our lives. We cannot be lazy on the device password strength

 

[BeefCake 15]

You just have to be careful when using your iPhone outside in public.
Apple needs to consider bringing back Touch-ID. Two Factor Authentication: Touch ID + Face ID simultaneously

2FA for checking a text messages! I'll just leave the phone at home then lol.

 

[timshundo]

This isn’t a sign of iPhones being less secure, it’s a sign of increased desperation in an increasingly impoverished world. If it comes to physically threatening the owner to unlock the phone before they run off it doesn’t matter if it’s a 4 digit, 6 digit, alphanumeric, or biometric passcode.

 

[Dazzerukuk]

iPhone users still have four digit pins?! Wake up people !

 

[Spaceboi Scaphandre]

tl;dr: Shoulder Surfing attacks can happen with our phones too. This is why we have Face ID and Touch ID.

Once again: The iPhone and iPad ruined a generation of computer users. Apple's made so many people soft and forget basic cybersecurity as they think their phone and Apple will do it all for them.

 

[StellarVixen]

Stop asking tech companies to babysit people and start educating people instead.

 

[contacos]

I never understood why FaceID is enough for some parts but for other parts you suddenly need the Passcode like why? Is Apple implying faceid is less secure than a 4 digits passcode?

 

[enterthemerdaverse]

Good thing it’s not an NFT blockchain merdaverse creepto wallet phone. Those idiots get hacked and all their stuff stolen all the time. There’s no two factor authentication or support department for those dupes.

Web3 is Going Just Great

A timeline recording only some of the many disasters happening in crypto, decentralized finance, NFTs, and other blockchain-based projects.

web3isgoinggreat.com

 

[compwiz1202]

This isn’t a sign of iPhones being less secure, it’s a sign of increased desperation in an increasingly impoverished world. If it comes to physically threatening the owner to unlock the phone before they run off it doesn’t matter if it’s a 4 digit, 6 digit, alphanumeric, or biometric passcode.

Then we need duress passcode that let the iPhone look normal for so many minutes and then totally lock down and broadcast itself as stolen, and will not allow anything vital to be done, or also make it appear it is working but nothing actually happens.

 

[4odomi]

An in-depth report published today by The Wall Street Journal's Joanna Stern and Nicole Nguyen highlights instances of thieves spying on a victim's iPhone passcode before stealing the device in order to gain access to the device, data, and money.

All of the victims interviewed said their iPhones were stolen while they were out socializing at bars and other public places at night. Some victims said the iPhones were grabbed out of their hands by strangers, while others said they were physically assaulted and intimidated. The report provides specific examples of these instances.

With knowledge of the iPhone's passcode, a thief can easily reset the victim's Apple ID password in the Settings app, even if Face ID or Touch ID is enabled. Subsequently, the thief can turn off Find My iPhone on the device, preventing the owner of the device from tracking its location or remotely erasing the device via iCloud. The thief can also remove other trusted Apple devices from the account to further lock out the victim.

The thief can also change an Apple ID's contact information and set up a recovery key in order to prevent a victim from recovering the account.

To make matters worse, knowing an iPhone's passcode allows a thief to use Apple Pay, send Apple Cash, and access banking apps using passwords stored in iCloud Keychain. Even if Face ID or Touch ID is enabled on the iPhone, thieves can simply bypass these authentication methods and an option to input the device's passcode is presented. In some cases, the report claims that thieves even opened an Apple Card by finding the victim's last four digits of their Social Security number in photos stored in apps like Photos or Google Drive.

Access to other passwords stored in iCloud Keychain allows the thief to further wreak havoc, as it could give them access to email accounts and other sensitive information. All in all, the report says thieves can essentially "steal your entire digital life."

Apple Responds

In response to the report, an Apple spokesperson said "security researchers agree that iPhone is the most secure consumer mobile device, and we work tirelessly every day to protect all our users from new and emerging threats."

"We sympathize with users who have had this experience and we take all attacks on our users very seriously, no matter how rare," the spokesperson added. "We will continue to advance the protections to help keep user accounts secure." Apple did not provide any specific details about any next steps it might take to increase security.

In a tweet, Stern recommended that Apple add extra protections to iOS and introduce additional Apple ID account recovery options.

How to Stay Protected

In a tweet, Stern recommended that users switch from a four-digit passcode to an alphanumeric passcode, which would be more difficult for thieves to spy on. This can be done in the Settings app under Face ID & Passcode → Change Passcode.

iPhone users can also use Face ID or Touch ID as much as possible when in public to prevent thieves from spying on their passcode. In situations where entering the passcode is necessary, users can hold their hands over their screen to hide passcode entry.

To protect a bank account, consider storing the password in a password manager that does not involve the device's passcode, such as 1Password.

Article Link: Apple Responds to Report About Thieves Spying on iPhone Passcodes to 'Steal Your Entire Digital Life'

Who enters their passcode manually in a public place?
This is a narrative started by apps like 1password I suspect 😏

 

[Sir_Macs_A_Lot]

You just have to be careful when using your iPhone outside in public.
Apple needs to consider bringing back Touch-ID. Two Factor Authentication: Touch ID + Face ID simultaneously

I never thought of those two forms of authentication together until now. That would actually be perfect!

 

[antiprotest]

What a pointless article.really?

I don't think they should make it an iPhone issue, because the same thing is true for Android phones, and even our laptops. But it is a good point to never enter a passcode or password while someone can be watching. This is why biometrics are way better especially in public.

 

[oneMadRssn]

A pretty straightforward fix for this would be to have a setting that, if the user wants, scrambles the numbers on the numpad passcode entry screen in a random order every time. So it's still your 6-digit passcode to get in, but the numpad is not always 1 2 3, 4 5 6, 7 8 9, 0. This way, someone spying from a distance can't just memorize the "pattern" of where you tap. E.g., pressing on the top right button does not necessary mean "3".

 

[antiprotest]

Who enters their passcode manually in a public place?
This is a narrative started by apps like 1password I suspect 😏

Some people even on here keep saying it's more secure. Even if it is technically more secure, it is practically way less secure.