Sadly Apple’s response was a non-response. Saying the phone is secure, but this is a pretty big loophole in a lot of phones, not just Apple.

It should be addressed, as it is bad: if someone gets access to your phone, they get control over your life, and very quickly at that.
 
Those of us living in civilised society?

Nah, that's just being an idiot.

Everyone knows iPhone holds critical personal info. That's the reason why Apple built features like the Secure Enclave and other platform and data security features. If you defeat that by entering your PIN in plain view of strangers, that's on you.
 
  • Like
Reactions: brucemr
Sadly Apple’s response was a non-response. Saying the phone is secure, but this is a pretty big loophole in a lot of phones, not just Apple.

It should be addressed, as it is bad: if someone gets access to your phone, they get control over your life, and very quickly at that.
Don’t give out your iPhone password. Have situational awareness.
 
  • Like
Reactions: Apple_Robert
This is why I have a 22 character long alphanumeric password. It’s a pain in the butt to enter, but it’s better safe than sorry.
 
The issue is compromising the passcode. You can choose to have your phone manage everything or not. What do people expect?

Your device passcode is usually less complex than the normal passwords that you use on other accounts. And you type this passcode in public, where it can be snooped. Your device passcode should not have the capability to permanently lock you out of your Apple ID account that has your entire life.

Apple recently added the capability for the Apple ID account to be changed to Advanced Data Protection, where even Apple cannot get your hacked account back for you. And it can all be set up that way with your stolen phone and your device passcode, due to Apple’s security flaw.
 
  • Like
Reactions: NetMage and dk001
If Apple wanted to make these devices secure they would avoid putting in a default email app that doesn't even need Touch ID/Face ID to unlock.

Also would prevent users from NOT using alphanumeric passcodes.
 
I always wonder about this. All the best security, encryption and 2FAs are just being held by a simple passcode.

One idea would be to have the option of randomizing the number locations on the keypad. Some touch screen PoS systems do this. That way, a stranger cannot really guess your passcode by simply glancing at where you tap your fingers.
 
  • Like
Reactions: NetMage and Crowbot
Your device passcode is usually less complex than the normal passwords that you use on other accounts. And you type this passcode in public, where it can be snooped. Your device passcode should not have the capability to permanently lock you out of your Apple ID account that has your entire life.

Apple recently added the capability for the Apple ID account to be changed to Advanced Data Protection, where even Apple cannot get your hacked account back for you. And it can all be set up that way with your stolen phone and your device passcode, due to Apple’s security flaw.

That is the single simple item many keep missing, ignoring, or just blowing off.
Pretty damn critical I would think.

I wouldn’t like at all someone locking the AppleID tied to my Dev account (which you will need to do in the future if you Dev Beta test).
 
  • Like
Reactions: NetMage and sk1ski1
I haven't read all 19 or so pages of comments, but since some shoulder surfers are video recording someone typing in their passcode, randomizing the positions of the numbers would do nothing to help. I've always recommended to people to use an alphanumeric passcode, anyway.

One idea I had to improve security is that all settings that enable/disable a service and/or allow you to change a password or code should be behind an additional passcode. It's more of a hassle, sure, to remember two passcodes, but the one you would use to change critical security settings or change passwords or turn Find My on or off or access passwords or whatever would be rarely used anyway. This way, if some thief did grab your phone and recorded your unlock screen passcode, they still would not have a way to change critical security settings.
 
Then we need a duress passcode that lets the iPhone look normal for so many minutes and then totally lock down and broadcast itself as stolen, and will not allow anything vital to be done, or also make it appear it is working but nothing actually happens.
I'm positive that if anything were to happen it would be that.

It's just sad that for something so obviously preventable we'd rather engage in a cybersecurity arms race than address the underlying issues that actually motivate individuals to commit such a crime.
 
  • Disagree
Reactions: ADGrant
This is what I do to protect my device...

1) Apple ID: uses GMAIL. *

* "ACCOUNT-A@gmail.com". This Google account is working with a 30-second authenticator token (Aegis or Raivo OTP), plus the password, of course.

This GMAIL is not logged into any device, not even my PC. If I want to check the emails from said account, I do it from a browser (with incognito mode on), not any app (this is not my main account, it's the one I associated with banks and any other service/website which may leak information that can compromise me). It is also not configured to use a cell-phone number to reset the password or to be used with 2FA.

This procedure for my GMAIL is never needed: https://www.wikihow.com/Sign-Out-of-Your-Google-Account-on-All-Devices-at-Once

The browser that logs into such account is logged out automatically once I am done with it. Meaning there's no way to gain access to it from "trusted devices".

2) Repeat step 1), for the recovery email of ACCOUNT-A@gmail.com, which I am going to call "ACCOUNT-B@gmail.com". Apple-ID also relies on a recovery email, which is "ACCOUNT-B", too.

Note: ACCOUNT-B@gmail.com uses ACCOUNT-A@gmail.com as recovery email...

Bottom line: Email accounts relying on email accounts for recovery, not a phone number.

NONE of the Google accounts have cell-phone numbers associated with them. (If that's your case, delete it and wait a few days for their servers to recognize that change).

3) Apple ID not using 2FA.

It relies on 3 security questions and answers, and such answers have nothing to do with what was asked or anything from my life. For example: if asked "what was the name of your 1st pet", the answer would be "Blackjack21" or anything that can't be guessed.

What if I forgot the answers?

I am saving ALL my passwords in an encrypted Notepad++ TXT file (for that, you need to enable a plugin), with a strong password to open it. If I don't want to check it from my PC, I use a PDF with the same strong password, it contains all my other passwords/sensitive data (and that includes bank accounts).

Plus: not providing any cell-phone number to be associated with that Apple ID, for recovery.

A few reasons for not relying on phone numbers for recovery:

- SMS

- You need to pay eventually for the phone number to not be cancelled. That defeats the idea of using free email.

- The PIN will not protect you unless a) you restart or turn off the device (rare events...), or b) there's a SIM SWAP attempt.

- The PUK code will disable your PIN, and the thieves may get the PUK combination by knowing more about you and asking the company that provides it (while pretending to be the victim).

Some people get a 2nd phone number, due to companies relying on SMS. They also use a 2nd (cheap) device and leave it 24/7 turned off, so the PIN can be asked when turned on again.

What if your device is not simply stolen, and the thief forces you to open it before leaving with your device? That can happen.

4) Screen Time: set a 4-digit passcode. If we forget the code, then it will rely on the email from 1).

Enable:
- Passcode Changes: Prevent changes to your passcode
- Account Changes: Prevent changes to settings for Accounts & Passwords *

* This will need to be disabled temporarily if you want to visit your account settings.

- Don't allow: LOCATION SERVICES to be modified. It will prevent "Find My Device" from being turned off (if I am not mistaken).

5) To protect bank accounts: not sure how this works in the U.S., where I live we can reduce the limit of payments and how much $ we can transfer daily. Either to ourselves, a favorite destination, or strangers.

If I wanted to increase, say, from $100 to $101, there's a minimum 24h delay for that to happen.

I NEVER pay anything outside if it's not with a credit card or real cash. And that card may have only a fraction of all the $$$ I have.

Always enable: temporarily blocking all transactions with these credit cards when you aren't going to use them (a cool feature);

- Always disable: the contactless feature (too risky).

Aaaaaaaand that's all.
 


An in-depth report published today by The Wall Street Journal's Joanna Stern and Nicole Nguyen highlights instances of thieves spying on a victim's iPhone passcode before stealing the device in order to gain access to the device, data, and money.


All of the victims interviewed said their iPhones were stolen while they were out socializing at bars and other public places at night. Some victims said the iPhones were grabbed out of their hands by strangers, while others said they were physically assaulted and intimidated. The report provides specific examples of these instances.

With knowledge of the iPhone's passcode, a thief can easily reset the victim's Apple ID password in the Settings app, even if Face ID or Touch ID is enabled. Subsequently, the thief can turn off Find My iPhone on the device, preventing the owner of the device from tracking its location or remotely erasing the device via iCloud. The thief can also remove other trusted Apple devices from the account to further lock out the victim.

The thief can also change an Apple ID's contact information and set up a recovery key in order to prevent a victim from recovering the account.


To make matters worse, knowing an iPhone's passcode allows a thief to use Apple Pay, send Apple Cash, and access banking apps using passwords stored in iCloud Keychain. Even if Face ID or Touch ID is enabled on the iPhone, thieves can simply skip these authentication methods, at which point the device offers passcode entry instead. In some cases, the report claims that thieves even opened an Apple Card by finding the last four digits of the victim's Social Security number in photos stored in apps like Photos or Google Drive.

Access to other passwords stored in iCloud Keychain allows the thief to further wreak havoc, as it could give them access to email accounts and other sensitive information. All in all, the report says thieves can essentially "steal your entire digital life."

Apple Responds

In response to the report, an Apple spokesperson said "security researchers agree that iPhone is the most secure consumer mobile device, and we work tirelessly every day to protect all our users from new and emerging threats."

"We sympathize with users who have had this experience and we take all attacks on our users very seriously, no matter how rare," the spokesperson added. "We will continue to advance the protections to help keep user accounts secure." Apple did not provide any specific details about any next steps it might take to increase security.

In a tweet, Stern recommended that Apple add extra protections to iOS and introduce additional Apple ID account recovery options.

How to Stay Protected

In a tweet, Stern recommended that users switch from a four-digit passcode to an alphanumeric passcode, which would be more difficult for thieves to spy on. This can be done in the Settings app under Face ID & Passcode → Change Passcode.

iPhone users can also use Face ID or Touch ID as much as possible when in public to prevent thieves from spying on their passcode. In situations where entering the passcode is necessary, users can hold their hands over their screen to hide passcode entry.

To protect a bank account, consider storing the password in a password manager that does not involve the device's passcode, such as 1Password.

Article Link: Apple Responds to Report About Thieves Spying on iPhone Passcodes to 'Steal Your Entire Digital Life'
Well, Apple needs something like a PIN Genie algorithm from Lockly https://lockly.com/pages/lockly-technology
 
If you read the article, one person lost $10,000 due to the phone being stolen (in addition to being assaulted). I don’t know about you, but losing $10k would mean I’d likely lose my house. Besides, all the utopian future education in the world isn’t going to stop the actual crime that’s happening in real time.

Have you seen the yearly FBI crime statistics? Yeah, I’m not taking any chances. Again, don’t want to get shot, don’t assault innocent people. Simple, really.
It's the WSJ so likely they were targeting people working in financial services and the thieves were likely hanging around the sort of bar that people who work in that sector commonly go to, for rich pickings.

I guess the point is - if (presumably) intelligent highly paid people (who might not be technology enthusiasts or experts) can be victims, anyone can.
 
  • Haha
Reactions: NetMage
It’s Apple’s fault when they allow your Apple ID to be reset simply by providing your device passcode. You don’t have to be drunk for someone to watch you enter your device passcode and then steal it. Sure, 8+ digits will make it a little harder to snoop, but not impossible. It’s foolish that Apple allows an Apple ID to be reset by just the device passcode.

That’s all well and good, unless you lose your iCloud password.

That’s the reason Apple allows you to reset it with your phone passcode.

What they should do is use biometrics + passcode for an iCloud reset.
 
  • Like
Reactions: NetMage
That is the single simple item many keep missing, ignoring, or just blowing off.
Pretty damn critical I would think.

I wouldn’t like at all someone locking the AppleID tied to my Dev account (which you will need to do in the future if you Dev Beta test).
There’s security vs usability. Maybe the device passcode should be that powerful. Apple is not hiding that fact. Maybe users should carefully choose how they use their phone and what apps are on their phones, and ensure they protect the device password.
 
  • Haha
Reactions: NetMage
That’s all well and good, unless you lose your iCloud password.

That’s the reason Apple allows you to reset it with your phone passcode.

What they should do is use biometrics + passcode for an iCloud reset.

Maybe a good possible solution would be to have a 24 hr waiting period to be able to reset an Apple ID password on an iPhone with only a device passcode. That would give the victim a chance to sign in to Apple and remove the iPhone from the Apple ID account and wipe it.
 
  • Like
Reactions: NetMage
[…]

On the Android side, I tried going into the security settings, and, just like when you do it from the web on a desktop, you need to enter your Google account password before tweaking settings like password, 2FA, etc. So, like a proper change-password prompt, you are required to enter your existing password + a new password. That is the standard at most websites.

Not sure why iCloud password changing doesn't require your CURRENT password.

Tested on Pixel 7 Pro, iPhone 13 Pro, MacBook Pro M1 Pro
What happens if you forget your current password? Everything is all well and good for requiring other information that you presumably know to change a password. But if you forget a piece of information or lose that hardware key you’re still screwed.
 
  • Like
Reactions: NetMage
Maybe a good possible solution would be to have a 24/48 hr waiting period to be able to reset an Apple ID password on an iPhone with only a device passcode. That would give the victim a chance to sign in to Apple and remove the iPhone from the account, so it can no longer be used on the Apple ID.
Since we’re discussing possible solutions a better alternative is to not be able to modify the recovery key or account for a period of time.
 
  • Like
Reactions: NetMage
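The waiting-period idea from the quoted post and the reply above (a delay before a passcode-only Apple ID change takes effect, during which the recovery key and the account's trusted devices also cannot be altered) sketched as an added example in Python. This is constructed illustration code written for this thread, not Apple's implementation; the class and method names (AccountSecurity, request_change, cancel_change, tick) and the session identifiers are assumptions.

```python
"""Toy model of a cooling-off period for sensitive Apple ID changes.

Constructed example, not Apple's code.  A sensitive change requested with
only the device passcode is parked as pending for DELAY seconds, every other
trusted session is notified, and the owner can veto it from any of those
sessions before it takes effect.  A change confirmed with stronger proof
(the existing Apple ID password, or biometrics + passcode as other posts
suggest) applies immediately.  Because 'trusted_devices' is itself a
sensitive change, the requesting device cannot evict the owner's other
sessions during the window.
"""
from dataclasses import dataclass, field

DELAY = 24 * 60 * 60  # proposed waiting period, in seconds (assumed value)

# Changes that a thief with only the passcode should not be able to make at once
SENSITIVE_CHANGES = {"password_reset", "recovery_key", "find_my_off", "trusted_devices"}


@dataclass
class PendingChange:
    kind: str
    requested_by: str   # session id that asked for the change
    effective_at: int   # unix time at which it auto-applies
    cancelled: bool = False


@dataclass
class AccountSecurity:
    trusted_sessions: set
    pending: dict = field(default_factory=dict)        # kind -> PendingChange
    applied: list = field(default_factory=list)        # (kind, time) in order applied
    notifications: list = field(default_factory=list)  # (session, kind) alerts sent

    def request_change(self, kind, session, now, strong_auth=False):
        """Ask for a sensitive change; returns 'applied', 'pending' or 'already_pending'."""
        if kind not in SENSITIVE_CHANGES:
            raise ValueError(f"not a sensitive change: {kind}")
        if session not in self.trusted_sessions:
            raise PermissionError("session is not trusted")
        if strong_auth:
            self.applied.append((kind, now))
            return "applied"
        pc = self.pending.get(kind)
        if pc is not None and not pc.cancelled:
            return "already_pending"
        self.pending[kind] = PendingChange(kind, session, now + DELAY)
        # Alert every other trusted session so the real owner can react
        for s in sorted(self.trusted_sessions - {session}):
            self.notifications.append((s, kind))
        return "pending"

    def cancel_change(self, kind, session):
        """Owner veto from any trusted session; True if a live request was cancelled."""
        pc = self.pending.get(kind)
        if pc is None or pc.cancelled or session not in self.trusted_sessions:
            return False
        pc.cancelled = True
        return True

    def tick(self, now):
        """Apply pending changes whose waiting period has elapsed; drop cancelled ones."""
        for kind, pc in list(self.pending.items()):
            if pc.cancelled:
                del self.pending[kind]
            elif now >= pc.effective_at:
                self.applied.append((kind, now))
                del self.pending[kind]
        return self.applied


def stolen_phone_scenario():
    """Constructed walk-through: the stolen iPhone tries to take the account,
    the owner vetoes the password reset from a MacBook within the window."""
    acct = AccountSecurity(trusted_sessions={"iphone", "macbook"})
    acct.request_change("password_reset", "iphone", now=0)      # parked, not applied
    acct.request_change("trusted_devices", "iphone", now=5)     # cannot evict the MacBook yet
    acct.cancel_change("password_reset", "macbook")             # owner saw the alert
    acct.cancel_change("trusted_devices", "macbook")
    acct.tick(DELAY + 10)                                       # window elapsed
    return acct


if __name__ == "__main__":
    a = stolen_phone_scenario()
    print("applied:", a.applied)          # nothing: both requests were vetoed
    print("alerts sent:", a.notifications)
```

The two properties worth noticing are that the thief's own session can neither shorten the window nor remove the owner's other sessions before it closes, and that a legitimate owner who still knows the Apple ID password is not slowed down at all.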
You just have to be careful when using your iPhone outside in public.
Apple needs to consider bringing back Touch ID. Two-factor authentication: Touch ID + Face ID simultaneously.
That still doesn't stop anything if you have the passcode. After so many incorrect tries you can type the passcode in and boom, face ID/Touch ID is no longer needed.
 