And so you are part of the problem. Caring about others — friends, family and strangers — is what keeps us human.

Drives me nuts when I go to a big city and just saying "hi" to people as you pass them is received with shock and a weird look. Come on people, let's be nice to each other. And don't piss on the toilet seat!
Well I agree - but wandering around a big city and saying hi to random people in the street is a bit weird.
 
  • Angry
Reactions: NetMage
Yes I mentioned both of those things in the part of my post that you snipped. That still doesn’t make it right that it’s possible to change a password of an account solely by using the password of what is essentially a different account. It’s basically unheard of to not have to enter the old password for verification before changing it for a new one.
It's been this way for some time and that doesn't make it wrong, as some of this could be mitigated with a Screen Time password. I'm presuming it's been this way to make it easier to change/remember passwords. Not everybody needs the same security standard and it should be up to the user to decide theirs. In the same vein, one can establish a password of 1111, or one can establish a much harder password. And then one can lock down a number of updates via content restrictions, including account changes, password changes, location changes and sharing changes. The thing that is unprotected is Apple Pay, if set up.

There are three scenarios where a hijacked phone is mostly protected:
1. Your locked phone is grabbed: with the phone properly secured on the lock screen, not much can be done.
2. Unlocked phone is grabbed, password is not known and Screen Time restrictions are in place: if proper content restrictions are set and the password is not known to the thief, most of the phone will be protected.
3. Unlocked phone is grabbed, password is known and Screen Time restrictions are in place: Apple Pay is mostly vulnerable. Maybe some other apps where the iPhone password can be used in lieu of Face ID.
 
You just have to be careful when using your iPhone outside in public.
Apple needs to consider bringing back Touch-ID. Two Factor Authentication: Touch ID + Face ID simultaneously
You should be careful when paying with your wallet cause someone might snatch it. Damn it Gucci! Wait. NYC Subway... Careful you might get pick-pocketed!! Damnit Levi's!!!
 
  • Like
Reactions: NetMage
What? My password of 1234 is not secure? It's Apple's fault! Seriously, this is the lamest issue yet. Someone steals a device and gets the password, oh no, it is so insecure.
 
(portion of note I sent to the WSJ writers)

This article comes across as strikingly alarmist. Even if you're not a cybersecurity expert, if you open something up in the presence of strangers you run the risk of it being exploited or taken advantage of. If a stranger steals your purse, they get your house keys and probably your wallet, which would show them where you live and allow them to rack up a ton of charges on your debit/credit cards before you found out.... that's the physical equivalent of what you're saying is happening here for the article. And remember being told to 'guard' your ATM PIN codes when at a crowded ATM?

Admittedly, this is a vulnerability and folks should be more aware of their surroundings and/or whom they share their phones with -- or what they use on their phones along w/how much of their life they link to their phone, which could help minimize such risks. So while I agree letting people know about this is a good idea (because many people don't think about security/privacy stuff) in my view after 30 years in this domain, this article comes across as more alarmist than it should be.
 
  • Like
Reactions: NetMage
A pretty straightforward fix for this would be to have a setting that, if the user wants, scrambles the numbers on the numpad passcode entry screen in a random order every time. So it's still your 6-digit passcode to get in, but the numpad is not always 1 2 3, 4 5 6, 7 8 9, 0. This way, someone spying from a distance can't just memorize the "pattern" of where you tap. E.g., pressing on the top right button does not necessarily mean "3".

I've always wondered why that isn't a feature on iOS. Many facilities I've entered had that kind of 'scrambled' keypad for door entry, and it'd be a no-brainer to incorporate onto the iPhone.
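As an added illustration (not code from this post or from iOS), the following Python models the scrambled keypad described above: the layout is reshuffled on every unlock, so the tap positions an onlooker memorizes do not carry over to the next entry. The function names, the constructed sample passcode and the `seed` parameter are this example's own.

```python
import random
import secrets

DIGITS = "0123456789"
# The fixed layout the post describes: positions 0-8 show 1..9, position 9 shows 0.
FIXED_LAYOUT = list("1234567890")


def scrambled_layout(seed=None):
    """Return a fresh layout: index = button position in reading order,
    value = the digit that position shows this time. A cryptographic RNG is
    used unless a seed is given (seeds exist only to make tests repeatable)."""
    rng = random.Random(seed) if seed is not None else secrets.SystemRandom()
    layout = list(DIGITS)
    rng.shuffle(layout)
    return layout


def taps_for(passcode, layout):
    """Button positions pressed to enter `passcode` on `layout`: the only thing
    a shoulder surfer watching from a distance can memorize."""
    return [layout.index(d) for d in passcode]


def digits_from_taps(taps, layout):
    """What the device verifies: positions mapped back to digits through the
    layout that was on screen, so the stored passcode itself never changes."""
    return "".join(layout[t] for t in taps)


def replay_succeeds(observed_taps, later_layout, passcode):
    """Would repeating the memorized tap pattern on a later layout still spell
    the passcode? With a fixed layout, always; with scrambling, almost never."""
    return digits_from_taps(observed_taps, later_layout) == passcode


if __name__ == "__main__":
    code = "250817"                       # constructed sample passcode
    seen = taps_for(code, FIXED_LAYOUT)   # pattern memorized during a fixed-layout entry
    print("fixed layout replay:", replay_succeeds(seen, FIXED_LAYOUT, code))
    print("scrambled replay:   ", replay_succeeds(seen, scrambled_layout(), code))
```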
 
It would be SO EASY for Apple to implement a "TheftLock" feature that auto-locks the iPhone whenever quick movement is detected ...like when a thief (or friend, partner, snoop, etc ) snatches it out of your hand, the quick movement would instantly lock the phone.

To deal with the stolen password issue, Apple could 10x this security by using FaceID to auto-lock the phone anytime your own face isn't detected. This could be an always on thing (for high security worth the battery burn situations), or a simple extra security check that prevents (a correct password) login when the FaceID doesn't also match.

From there it wouldn't be difficult for Apple to enable ways for the real owner to lock/unlock the entire user account as needed when a true/false situation occurs. Heck you could even have the scan only start after 10pm Fridays when you know you're gonna be s***faced at the bar! LOL
 
  • Sad
  • Like
Reactions: NetMage and Apple$
A pretty straightforward fix for this would be to have a setting that, if the user wants, scrambles the numbers on the numpad passcode entry screen in a random order every time. So it's still your 6-digit passcode to get in, but the numpad is not always 1 2 3, 4 5 6, 7 8 9, 0. This way, someone spying from a distance can't just memorize the "pattern" of where you tap. E.g., pressing on the top right button does not necessarily mean "3".
100% !!! It's such a simple solution that should be the default. Like WHY are you displaying my code right on the screen Apple?!?!?! I've literally requested this scrambling (and my Auto-Lock suggestion above) to Apple, after every iOS release for a decade!
 
  • Like
Reactions: oneMadRssn


An in-depth report published today by The Wall Street Journal's Joanna Stern and Nicole Nguyen highlights instances of thieves spying on a victim's iPhone passcode before stealing the device in order to gain access to the device, data, and money.


All of the victims interviewed said their iPhones were stolen while they were out socializing at bars and other public places at night. Some victims said the iPhones were grabbed out of their hands by strangers, while others said they were physically assaulted and intimidated. The report provides specific examples of these instances.

With knowledge of the iPhone's passcode, a thief can easily reset the victim's Apple ID password in the Settings app, even if Face ID or Touch ID is enabled. Subsequently, the thief can turn off Find My iPhone on the device, preventing the owner of the device from tracking its location or remotely erasing the device via iCloud. The thief can also remove other trusted Apple devices from the account to further lock out the victim.

The thief can also change an Apple ID's contact information and set up a recovery key in order to prevent a victim from recovering the account.


To make matters worse, knowing an iPhone's passcode allows a thief to use Apple Pay, send Apple Cash, and access banking apps using passwords stored in iCloud Keychain. Even if Face ID or Touch ID is enabled on the iPhone, thieves can simply bypass these authentication methods and an option to input the device's passcode is presented. In some cases, the report claims that thieves even opened an Apple Card by finding the victim's last four digits of their Social Security number in photos stored in apps like Photos or Google Drive.

Access to other passwords stored in iCloud Keychain allows the thief to further wreak havoc, as it could give them access to email accounts and other sensitive information. All in all, the report says thieves can essentially "steal your entire digital life."
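The escalation the report describes can be written down as a small authorization model. The Python below is an added example, not Apple's code or the article's; the action names, the credential names and the "hardened" rules are this example's own assumptions, chosen to show why a password change that never asks for the current password is the pivot of the whole chain.

```python
# Credentials a session can hold. The device passcode is the one an onlooker
# can learn; the other two cannot be recovered by watching a screen.
DEVICE_PASSCODE = "device_passcode"
BIOMETRIC = "biometric"
ACCOUNT_PASSWORD = "current_account_password"

# What a completed action hands the actor: whoever sets a new account
# password now knows the account password.
GRANTS = {"change_account_password": {ACCOUNT_PASSWORD}}

ACCOUNT_CHANGES = {"change_account_password", "disable_find_my",
                   "remove_trusted_devices", "set_recovery_key"}
VALUE_ACCESS = {"reveal_keychain_password", "apple_pay"}


def permissive_policy(action, held):
    """Behaviour as the report describes it: the passcode unlocks everything,
    and a biometric prompt can always be answered with the passcode instead."""
    return DEVICE_PASSCODE in held or BIOMETRIC in held


def hardened_policy(action, held):
    """Hypothetical step-up rules: account changes require the current account
    password (the usual change-password convention); money and stored passwords
    require a factor an onlooker cannot copy; the passcode alone still unlocks
    the device and ordinary apps."""
    if action in ACCOUNT_CHANGES:
        return ACCOUNT_PASSWORD in held
    if action in VALUE_ACCESS:
        return BIOMETRIC in held or ACCOUNT_PASSWORD in held
    return DEVICE_PASSCODE in held or BIOMETRIC in held


def run_chain(policy, start_factors, chain):
    """Walk the steps in order, adding whatever each completed step grants,
    and stop at the first refusal. Returns the steps that went through."""
    held = set(start_factors)
    completed = []
    for action in chain:
        if not policy(action, held):
            break
        completed.append(action)
        held |= GRANTS.get(action, set())
    return completed


# The sequence in the report: reset the Apple ID password, disable Find My,
# drop the owner's other devices, add a recovery key, then spend.
REPORTED_CHAIN = ["change_account_password", "disable_find_my",
                  "remove_trusted_devices", "set_recovery_key", "apple_pay"]

if __name__ == "__main__":
    for policy in (permissive_policy, hardened_policy):
        print(policy.__name__, run_chain(policy, {DEVICE_PASSCODE}, REPORTED_CHAIN))
```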

Apple Responds

In response to the report, an Apple spokesperson said "security researchers agree that iPhone is the most secure consumer mobile device, and we work tirelessly every day to protect all our users from new and emerging threats."

"We sympathize with users who have had this experience and we take all attacks on our users very seriously, no matter how rare," the spokesperson added. "We will continue to advance the protections to help keep user accounts secure." Apple did not provide any specific details about any next steps it might take to increase security.

In a tweet, Stern recommended that Apple add extra protections to iOS and introduce additional Apple ID account recovery options.

How to Stay Protected

In a tweet, Stern recommended that users switch from a four-digit passcode to an alphanumeric passcode, which would be more difficult for thieves to spy on. This can be done in the Settings app under Face ID & Passcode → Change Passcode.

iPhone users can also use Face ID or Touch ID as much as possible when in public to prevent thieves from spying on their passcode. In situations where entering the passcode is necessary, users can hold their hands over their screen to hide passcode entry.

To protect a bank account, consider storing the password in a password manager that does not involve the device's passcode, such as 1Password.

Article Link: Apple Responds to Report About Thieves Spying on iPhone Passcodes to 'Steal Your Entire Digital Life'
The moral of the story is to simply stay out of bars - you'll be doing yourself a favor on so many levels...
 
  • Like
Reactions: NetMage and gusmula
For this one, I tried changing my iCloud password on my Mac and iPhone. It required the device passcode (which we assume is already cracked here), but it doesn't ever ask me for my existing iCloud password and only a new password, so yes this is a flaw.

On the Android side, I tried going into the security settings, and just like you do it from the web on a desktop you need to enter your Google account password before tweaking settings like password, 2FA, etc. So like a proper change password prompt, you are required to enter your existing password + a new password. That is the standard at most websites.

Not sure why iCloud password changing doesn't require your CURRENT password.

Tested on Pixel 7 Pro, iPhone 13 Pro, MacBook Pro M1 Pro

Just tried that on mine. Needed the current password.
 
  • Like
Reactions: NetMage
Apple should improve its log-on/off process to address the gap identified in the report, as follows:

At the first instance of any day, logging on to the iPhone should be via passcode. If validated, the next step should be mandatory biometric verification (Face ID or Touch ID). Failing this, the log-on should fail.

In the course of the day, if the iPhone had been powered off, the same process as described above should be implemented to enable use of the iPhone.

In the course of the day, if the iPhone had been turned off but not powered off, enabling the iPhone should only be via the use of biometric check. Passcode verification should be disabled. If biometric check fails, the iPhone is automatically turned off after the user is so informed and the only way to access the phone is to power it on after it's been automatically turned off.

If Apple makes the underlying security a bit harder to change that would be good.
If it isn’t easy to use, people are not going to use it.
 
I have already reported this to Apple a long time ago. For me it was an obvious security flaw.

Knowing the passcode, you can access the keychain (so all passwords!) and you can change the Apple ID.

This is not acceptable from a security point of view. A 4(!)-digit code that someone can see you type should not open the gates to all your info.


And there are simple ways to improve this. Require Apple ID or Face ID to reach sensitive data instead of a ridiculous PIN that can be easily copied.
 
  • Like
Reactions: theadz01
Don't know how Face ID + Touch ID would be a solution to this problem considering people use passcodes mainly because Face ID failed.

Now imagine Touch ID or Face ID failing, which would make passcode input more common.
 
Under poor lighting conditions — such as in bars — in my personal experience Face ID fails frequently and forces the passcode as a result. With my TouchID iPhones, I NEVER had that issue. I would be interested to know in how many of these cases, the passcode entry was necessitated by a FaceID failure versus a TouchID failure (for those who still have those older iPhones) …

On my 12 Pro Max and 13 Pro Max I have had issues with FaceID at events and clubs. I always assumed it had something to do with the lighting being used.
 
It's not a flaw, it's just tech-illiterate iPhone users getting shoulder-surfed because they were using a short passcode in public to unlock their phones. So just don't use your passcode in a public, easily visible space.
This is such a silly perspective. People have also been robbed and had their passcodes taken. It’s poor design. I love apple too. But failing to hold them accountable for a bad design is embarrassing. These are real users using their phones in normal ways, and that allowing them to have everything taken including the account itself in some cases is insane to suggest.
 
  • Sad
Reactions: NetMage
And so you are part of the problem. Caring about others — friends, family and strangers — is what keeps us human.

Drives me nuts when I go to a big city and just saying "hi" to people as you pass them is received with shock and a weird look. Come on people, let's be nice to each other. And don't piss on the toilet seat!
As someone who lives in a big city, people making generalizations like this drives me nuts too. You’re part of the problem!
 
  • Like
Reactions: NetMage