An in-depth report published today by The Wall Street Journal's Joanna Stern and Nicole Nguyen highlights instances of thieves spying on a victim's iPhone passcode before stealing the device in order to gain access to the device, data, and money.


All of the victims interviewed said their iPhones were stolen while they were out socializing at bars and other public places at night. Some victims said the iPhones were grabbed out of their hands by strangers, while others said they were physically assaulted and intimidated. The report provides specific examples of these instances.

With knowledge of the iPhone's passcode, a thief can easily reset the victim's Apple ID password in the Settings app, even if Face ID or Touch ID is enabled. Subsequently, the thief can turn off Find My iPhone on the device, preventing the owner of the device from tracking its location or remotely erasing the device via iCloud. The thief can also remove other trusted Apple devices from the account to further lock out the victim.

The thief can also change an Apple ID's contact information and set up a recovery key in order to prevent a victim from recovering the account.


To make matters worse, knowing an iPhone's passcode allows a thief to use Apple Pay, send Apple Cash, and access banking apps using passwords stored in iCloud Keychain. Even if Face ID or Touch ID is enabled on the iPhone, thieves can simply dismiss these prompts, after which an option to enter the device's passcode is presented. In some cases, the report claims that thieves even opened an Apple Card by finding the last four digits of the victim's Social Security number in photos stored in apps like Photos or Google Drive.

Access to other passwords stored in iCloud Keychain allows the thief to further wreak havoc, as it could give them access to email accounts and other sensitive information. All in all, the report says thieves can essentially "steal your entire digital life."

Apple Responds

In response to the report, an Apple spokesperson said "security researchers agree that iPhone is the most secure consumer mobile device, and we work tirelessly every day to protect all our users from new and emerging threats."

"We sympathize with users who have had this experience and we take all attacks on our users very seriously, no matter how rare," the spokesperson added. "We will continue to advance the protections to help keep user accounts secure." Apple did not provide any specific details about any next steps it might take to increase security.

In a tweet, Stern recommended that Apple add extra protections to iOS and introduce additional Apple ID account recovery options.

How to Stay Protected

In a tweet, Stern recommended that users switch from a four-digit passcode to an alphanumeric passcode, which would be more difficult for thieves to spy on. This can be done in the Settings app under Face ID & Passcode → Change Passcode.

iPhone users can also use Face ID or Touch ID as much as possible when in public to prevent thieves from spying on their passcode. In situations where entering the passcode is necessary, users can hold their hands over their screen to hide passcode entry.

To protect a bank account, consider storing the password in a password manager that does not involve the device's passcode, such as 1Password.

Article Link: Apple Responds to Report About Thieves Spying on iPhone Passcodes to 'Steal Your Entire Digital Life'
Apple should not allow the change of your iCloud password without asking for the old password first. That allows the thief to remove the device from Find My and disables any ability for the owner to remotely wipe the phone.
 
Assuming you have that optional feature on your car. But yeah, Apple should help -- that doesn't mean they can help on the spot though.

Apple doesn’t help at all, if you check the article. A thief takes over your Apple ID, and even if you can prove who you are, Apple won’t restore your access - years of data are lost and expensive devices are bricked.

Banks compensate customers for losses due to fraud. Apple says too bad, we value your privacy, so we won’t help you.
 
Even my AT&T account allows for a secondary PIN, beyond 2FA, to protect the account if anyone tries to change the user ID/password or tries to make any changes to the cell phone plan. When I'm in an AT&T store, they won't do anything with my account if I don't provide the correct secondary PIN. The Apple ID could benefit from something similar. It should be on by default. I'm sure other commenters have good ideas; I was not able to read all 500+ posts! Obviously, it is something for Apple to address rather than minimize.
 
Apple needs to change the Password Reset security hole on the iPhone. It would be better if you needed your Device Passcode AND your current iCloud Password in order to change the password.

That would cut off a lot of exposure. Yes, Apple Pay would still be an exposure, but at least you could save your iCloud account and find a way to remote wipe the device.
With Apple's new use of the hardware key account option, a hardware key should be required to reset the account password.
 
1. What a smartphone has the capability to do in 2023 is independent of one's individual use case.

2. Enter current password will lock out those who forget their password. Apple wants a product the majority of folks can successfully and easily use.
I numbered yours to make it a bit easier responding.

1. People generally buy a specific smartphone due to either brand loyalty or features. Adding accounts is driven by the manufacturer (Apple Pay or Google Pay) or the company itself - every one of my financial institutions, my utilities, and my email providers recommend their apps. People's use cases differ considerably, but most have some of the mentioned apps.

2. If I forget my “Current Password” for my iCloud account I have several ways of recovering it. I agree that Apple’s “consideration” resulted in this “gap”. Doesn’t mean they cannot go back and fix it and look for another method to provide a similar service.
 
I'm starting to re-think what my iPhone should and should not have. If only Apple would enable constant Face ID verification while in use. As soon as you sign in, even with just the passcode, when the home screen opens, Face ID should still auto check that you are the user. Right now, it seems like this is a huge hole in security.

I had not really considered the “power of the passcode” before this. I am not changing how I use the phone but am looking at ways to better secure it if snatched.
 
It seems that the short 4-digit passcodes are not very secure so maybe best to use alphanumeric and/or long passcodes (12 or more digits) ?
The article indicated that they video recorded the passcode, so it doesn’t matter how long or complicated you make it.
 
Apple doesn’t help at all, if you check the article. A thief takes over your Apple ID, and even if you can prove who you are, Apple won’t restore your access - years of data are lost and expensive devices are bricked.

Banks compensate customers for losses due to fraud. Apple says too bad, we value your privacy, so we won’t help you.
There have been MR postings about Apple helping to recover a phone in the past. I don't recall the exact circumstance, but I would think with proper documentation they should help.
I numbered yours to make it a bit easier responding.

1. People generally buy a specific smartphone due to either brand loyalty or features. Adding accounts is driven by the manufacturer (Apple Pay or Google Pay) or the company itself - every one of my financial institutions, my utilities, and my email providers recommend their apps. People's use cases differ considerably, but most have some of the mentioned apps.

2. If I forget my “Current Password” for my iCloud account I have several ways of recovering it. I agree that Apple’s “consideration” resulted in this “gap”. Doesn’t mean they cannot go back and fix it and look for another method to provide a similar service.
My point was some people may or may not have specific applications on their phone and there is a delicate balance between security and usability. Whether Apple does something or not in the case your password is social engineered I don't know. But requiring a current password if you forgot your password doesn't seem the way to bridge this gap in a way that two billion devices won't start an avalanche of hurt for people forgetting passwords. An easy and effective way to stop this type of social engineering is through situational awareness and knowing that cameras can be trained on your smartphone, so use caution.
 
Apple should not allow the change of your iCloud password without asking for the old password first. That allows the thief to remove the device from Find My and disables any ability for the owner to remotely wipe the phone.
What about Screen Time? It already takes care of that by preventing you from changing the passcode or modifying account details, if you try from the device itself.

It also prevents someone from turning off "FIND MY..." by disabling Location Services modifications.

So this is a 2nd password that needs to be guessed. Problem is, it's a 4 digit one, so the thief may somehow disable it with hacking software. Which won't happen with the main passcode from the device, as far as I know...

The Screen Time password can be redefined by gaining access to the email account associated with the Apple ID. The problem is, such an (email) account cannot be easily accessible inside your iPhone; it has to be logged out from ALL devices and there shouldn't be a way for a thief to access it right there. Not even by YOU.

I guess this is easily done because most Apple users make the mistake of leaving that email account logged in 24/7 on their devices. But this is a mistake; that email address should be kept hidden and not constantly used/revealed everywhere.

If needed, create more email accounts for other uses...
 
Apple doesn’t help at all, if you check the article. A thief takes over your Apple ID, and even if you can prove who you are, Apple won’t restore your access - years of data are lost and expensive devices are bricked.

Banks compensate customers for losses due to fraud. Apple says too bad, we value your privacy, so we won’t help you.
Once the thief has enabled Recovery Key for Account Recovery in Settings, there is nothing Apple can do without that recovery key. The iCloud account is then lost to the original owner forever. The problem really is that the simple 4 digit screen lock passcode has way too much unchecked power. It makes even the iCloud password redundant.
 
There have been MR postings about Apple helping to recover a phone in the past. I don't recall the exact circumstance, but I would think with proper documentation they should help.
Apple cannot recover your iCloud data if you or the thief turns on Apple's new Advanced Data Protection. That is one of the 'features' of Apple's Advanced Data Protection. Apple no longer has a backup key to your encrypted iCloud data.
 
Apple cannot recover your iCloud data if you or the thief turns on Apple's new Advanced Data Protection. That is one of the 'features' of Advanced Data Protection. Apple no longer has a backup key to your encrypted iCloud data.
That was exactly what happened to one of the victims in the article because all the thief needed to turn on advanced data protection and set a recovery key was her pin. There needs to be more checks and balances before a recovery key can be set or changed. There is none right now other than your pin, not even your iCloud password.
 
From several news articles I have read, it appears this type of theft has been happening and growing for at least a few years. Surely Apple has been informed by their victimized customers and the police about it. And yet Apple still has not fixed this giant security hole. Hopefully the publicity from the WSJ article will finally convince Apple to fix it.
 
Apple cannot recover your iCloud data if you or the thief turns on Apple's new Advanced Data Protection. That is one of the 'features' of Apple's Advanced Data Protection. Apple no longer has a backup key to your encrypted iCloud data.
People have to protect their iPhone password like their name, DOB and SSN. If Apple does anything they can’t make the user experience worse or else they’ll have a tsunami of issues.

It may not be great but Apple should at least be able to disable the compromised Apple ID. And if it’s possible to reset the recovery ID, that should be given a 24 hour timeout after a forced reset using a device passcode.
 
It may not be great but Apple should at least be able to disable the compromised Apple ID. And if it’s possible to reset the recovery ID, that should be given a 24 hour timeout after a forced reset using a device passcode.
Best solution is to have a 24 hr waiting period on an Apple ID password reset by a device passcode. That will give the victim a chance to remove/wipe the stolen device from the Apple account before the victim is permanently locked out of their Apple account by the thief.
 
If you do any banking or other secure activities on your phone, you should use an alphanumeric password of >8 characters. The passcode really does allow full access to anything on an iPhone. Banking apps that allow logging in with Face ID are only as secure as your passcode.

The same really goes for any device that can receive email though. Most of your Internet accounts can be accessed and reset with just your email. Unless you do literally nothing on your phone besides calling, texting, and have never used your number for 2FA, anything less secure than an 8+ character alphanumeric password is irresponsible.

This I don’t get, online banking? I mean, if you use your phone for anything you need to be secure, especially if you use the same password for many things.


Also more important (banking is FDIC insured): be situationally aware. Those feral humans will kill you or take your phone just the same, so keep your head on a swivel. If someone is close enough to me to see me type my password, that’s unsat, and not because of my password, because that’s way too damn close behind me.
 
I'd like Apple to add an optional second layer of protection to iOS; if the thief gets the lock screen password he just can do too much and access too much. Using the Screen Time passcode somewhat helps, but things like iCloud Keychain can easily be accessible, and some apps protected by Face ID can be opened with the passcode as well.

The biggest flaw is the Mail app actually, because with that the thief can reset most passwords from banking to social media and make someone's life a living horror movie. That's why I'm using Spark; it's the only app that allows you to lock it with a unique password and limit what can be shown in notifications.
 
What’s the deal at Apple prioritizing passcode over Face ID? Shouldn’t more secure biometrics be a step above the passcode? Despite Face ID, Apple constantly requests the passcode to do something, which includes the popular and regular “Face ID is not available right now, enter passcode” prompt.
 
First: Don't use your iPhone when you socialize in the bar or in other public places. It is rude.

Second: Use Face ID.

Third: Be more careful with your personal stuff, like your smartphone.

Fourth: Use at least a 6-digit code to make it more difficult for thieves to find your passcode.

Fifth: Stop crying as if it is Apple's fault that you are victim of a crime.
 


 
One can protect against this with Screen Time ;)

Set Screen Time on, protected by a separate PIN. Disallow account changes and passcode changes. Done!

 
I'm astounded by the comments blaming the users and not bad design by Apple, so let's get things straight:

1.- Face ID does not work all the time and sometimes you need to enter the passcode while maybe distracted.
2.- Even with a long passcode, they are recording it so they can reproduce it easily.
3.- Someone with a passcode to a device should NOT be able to remove the security keys and change the password of the iCloud account. Apple should ask for the master password or biometrics without passcode for certain changes.
4.- It is a passcode for the DEVICE and NOT for the entire Apple ID account.


The recent addition of security keys to increase the security of the Apple ID, and that they can be removed with just access to a device, is a complete joke in security design.
Well said.

Let's not blame victims and instead realise that in its quest for a 'magical' and seamless iPhone UX, Apple has gone too far and left people vulnerable.
 
Apple could just offer a keypad scrambling option which stops many attacks where the location of the fingers is tracked but the actual numbers on the screen aren't visible. GrapheneOS for example provides that as an optional toggle in settings. They could make that mandatory for 4-digit PIN passcodes. As long as the code isn't 0000 or 1234, even 4 digit PIN codes will be absolutely safe this way on an iPhone where bruteforcing is simply impossible nowadays and you'll be locked out after a couple tries.

And before anyone says that this is too inconvenient, with biometric unlock enabled you'll be prompted for the passcode rarely, once a day or less even.

That requires almost zero effort from Apple to implement and would really help stop such attacks. It's not like Apple has an issue with forcing users to do the safer, more inconvenient thing; for example, they forced new Apple ID accounts to use 2FA and made that mandatory. And even though people complain about 2FA to this day, it remains mandatory, and that was a good choice to improve account security.

But nobody knows what Apple does and what's the Apple way. They might implement an obvious safety feature and make it mandatory, or refuse to.
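A small simulation of the keypad-scrambling idea from the post above, added here as an illustration (it is not code from the WSJ report, from Apple, or from any poster). It assumes the observer records only where the victim's finger lands, not the digit labels; as other posts in the thread note, a recording that captures the digits themselves is not defeated by scrambling.

```python
# Added example: why a per-prompt scrambled PIN keypad defeats a
# position-only observer, and why it does not help if the digits are seen.
# Assumption: the observer (camera behind the victim, bystander, smudge
# pattern) captures tap positions only. All inputs below are constructed.
import random

# Standard telephone keypad read row by row: position index -> digit label.
FIXED_LAYOUT = ["1", "2", "3", "4", "5", "6", "7", "8", "9", "0"]


def scrambled_layout(rng):
    """Return a fresh random position -> digit mapping for a single prompt."""
    digits = FIXED_LAYOUT[:]
    rng.shuffle(digits)
    return digits


def observed_taps(pin, layout):
    """Positions the victim touches while typing `pin` on `layout`.

    This is everything a position-only observer gets to see.
    """
    return [layout.index(d) for d in pin]


def replay_taps(positions, layout):
    """Digits produced when the recorded positions are pressed on `layout`."""
    return "".join(layout[p] for p in positions)


def observe_then_replay(pin, scrambled, seed=0):
    """One theft: victim unlocks (observed), thief later presses the same spots.

    Returns the digit string the thief actually entered. With a fixed
    keypad this is always the PIN; with a scrambled keypad the layout is
    reshuffled for the thief's attempt, so the mapping no longer matches.
    """
    rng = random.Random(seed)
    victim_layout = scrambled_layout(rng) if scrambled else FIXED_LAYOUT
    positions = observed_taps(pin, victim_layout)
    thief_layout = scrambled_layout(rng) if scrambled else FIXED_LAYOUT
    return replay_taps(positions, thief_layout)


def replay_success_rate(pin, scrambled, trials=1000):
    """Fraction of simulated thefts in which the replayed taps equal the PIN."""
    hits = sum(observe_then_replay(pin, scrambled, seed) == pin
               for seed in range(trials))
    return hits / trials


if __name__ == "__main__":
    for label, scrambled in (("fixed keypad", False), ("scrambled keypad", True)):
        rate = replay_success_rate("2580", scrambled)
        print(f"{label}: position replay succeeds in {rate:.1%} of attempts")
```

The residual hit rate for the scrambled keypad is the chance that a random reshuffle happens to reproduce the same four mappings, which is why the post's advice about avoiding trivially guessable PINs still matters.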
 
Best solution is to have a 24 hr waiting period on an Apple ID password reset by a device passcode. That will give the victim a chance to remove/wipe the stolen device from the Apple account before the victim is permanently locked out of their Apple account by the thief.
I don’t think that’s the best solution, but it’s not up to you or me.
 
Well said.

Let's not blame victims and instead realise that in its quest for a 'magical' and seamless iPhone UX, Apple has gone too far and left people vulnerable.
Maybe someone could send feedback to Apple and point them to this thread. After all, many helpful suggestions were made that Apple apparently missed.
 