That’s not the point I was making. According to Apple, the functionality is working as expected. And in the case where the password is compromised, either out of duress or social engineering, the software is still working as expected.
Of course it's working as "they expected", just like other security design choices they didn't expect to become an issue and later changed/improved. Security is always a moving target. Trouble is that this seems to be a growing crime, and it will be even more so with the latest publicity. The damage when it happens is devastating. There are solutions Apple can implement to help mitigate this issue.
 
There are two billion active users; it’s not a rampant thing. You’re preaching to the choir that security is a moving target and not a destination. Unfortunately there are risks inherent in modern society, and this is one of those things where risks can be minimized, unlike planes falling out of the sky.
 
You're preaching to the choir that there are risks inherent in a modern society. But there are ways to reduce different risks. And this should be one of them for Apple to improve.
 
Not going to be able to mitigate threats of physical intimidation, but people could have more situational awareness as well as complex passwords, set up a recovery key and
Account.
Recovery key is completely useless if the thief quickly changes the Apple ID PW and resets the recovery key. Takes all but 30 seconds to permanently lock the victim out of their Apple iCloud account.
 
Not going to be able to mitigate threats of physical intimidation but people could have more situational awareness as well as complex passwords, set up a recovery key and
Account.
(Half in jest) Theoretically, Apple could include a "kill" password. When entered under duress it would present the thief with bad info and then erase the user's info and lock the account up.
 
In other news if thieves steal your keys they can get into your house.
Yes, but your house keys don't unlock all your financial institutions, and don't permanently lock you out of all your iCloud pictures and documents. And your stolen house keys don't cause you to permanently lose your house.
 
That’s the point. If one forgets their current password, the person is SOL? I’m guessing most thefts are iPhones due to the popularity of the iPhone.

I really doubt it.
These “thieves” have this down to a science. Simple, quickest bang for the effort. On Android you need more than your passcode to change IDs and empty bank accounts and lock out the user.

Still vulnerable, but it takes a good bit longer and can get into far less.
 
What exactly is needed on Android, and what happens if you don't have it? But I think iPhone thefts are due to the popularity and the perception that the ecosystem holds more monetary value than Android.
 
(Half in jest) Theoretically, Apple could include a "kill" password. When entered under duress it would present the thief with bad info and then erase the user's info and lock the account up.
That could get one hurt during a robbery.
Yes, but your house keys don't unlock all your financial institutions, and don't permanently lock you out of all your iCloud pictures and documents. And your stolen house keys don't cause you to permanently lose your house.
Yes it does if your name, DOB, and SSN are found in the house.
 
What about passkeys stored in your keychain? If someone has your passcode and your phone, obviously they get all the passwords. But passkeys are made using the owner's face. So even if the thief can go in and change the face, or delete the owner's face, that still would not give him/her access to the passkey...right? The passkey would fail because it can't authenticate, and you couldn't change the passkey without getting into the account in the first place. Is this understanding of how passkeys work correct? OR does the "authenticate" part just compare the current face displayed (e.g. the thief's face) with all the "faces" stored in Face ID (which the thief can change using the passcode)? Hopefully it's the former, not the latter; otherwise passkeys offer no more security than the passcode itself...
 

iPhone vs Android? I find it more likely it is the environment. If my group was doing this I would pick a club/bar/pub … something that the well off visit.

I pulled up my iPhone (13PM) and in under a minute I had the Apple ID changed and the user was locked out of the account. I opened Passwords and started on the financial apps. In under 10 minutes I could bleed everything dry. A professional would likely take far less.

I pulled up my Android (S23 Ultra). No specific account to lock out of. I could identify the associated email account and do a forgot password change. That can be gotten back and they cannot lock me out of my “digital life”. My passcode won’t allow me into the financial apps. The overall damage is far less and I can recover pretty much everything.
 
What about passkeys stored in your keychain? If someone has your passcode and your phone, obviously they get all the passwords. But passkeys are made using the owner's face. So even if the thief can go in and change the face, or delete the owner's face, that still would not give him/her access to the passkey...right? The passkey would fail because it can't authenticate and you couldn't change the passkey without getting into the account in the first place. Is this understanding of how passkeys work correct?

Why would they want the passkeys?
 
I guess because there is no ecosystem in Android to speak of. I want you to try an experiment. Set a Screen Time password, lock out password changes etc., log in and pretend you don’t know the device password. How much damage can you do?

At any rate this is still user education to mitigate a lot of this.
 
What about passkeys stored in your keychain? If someone has your passcode and your phone, obviously they get all the passwords. But passkeys are made using the owner's face. So even if the thief can go in and change the face, or delete the owner's face, that still would not give him/her access to the passkey...right? The passkey would fail because it can't authenticate and you couldn't change the passkey without getting into the account in the first place. Is this understanding of how passkeys work correct?
Passkeys are not created with data from Face ID. Once someone has the passcode they can use the passkey to log in to the service for which they have been created.
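Added example (not from this thread and not Apple's code): a Go model of what the reply above describes. A passkey is random P-256 key material held by the authenticator; Face ID or the passcode is only a local gate in front of it, and the relying party receives just a signature plus a "user verified" flag, so it cannot tell whether a face or the passcode opened the gate. The Authenticator type, the relying-party names (bank.example, evil.example), the passcode 1234, the face strings and the fixed sign counter are all constructed for illustration; the clientDataJSON and the signed digest follow the WebAuthn shape (authenticatorData || SHA-256(clientDataJSON)).

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"errors"
)

// WebAuthn authenticator-data flags; UV is set whether the gate was a face or the passcode.
const flagUP, flagUV byte = 0x01, 0x04

// Authenticator is a constructed model of a phone's passkey store (not Apple's code).
type Authenticator struct {
	keys     map[string]*ecdsa.PrivateKey // rpID -> passkey private key (random material only)
	passcode string                       // device passcode (sample value)
	faces    []string                     // enrolled biometric templates, stood in for by strings
}

func NewAuthenticator(passcode string) *Authenticator {
	return &Authenticator{keys: map[string]*ecdsa.PrivateKey{}, passcode: passcode}
}

// userVerified is the local gate: a matching enrolled face OR the passcode.
func (a *Authenticator) userVerified(passcode, face string) bool {
	if passcode != "" && passcode == a.passcode {
		return true
	}
	for _, f := range a.faces {
		if face != "" && face == f {
			return true
		}
	}
	return false
}

// EnrollFace adds a template; as on a phone, the passcode alone authorises this.
func (a *Authenticator) EnrollFace(passcode, face string) error {
	if passcode != a.passcode {
		return errors.New("passcode required to change biometrics")
	}
	a.faces = append(a.faces, face)
	return nil
}

// Register creates the passkey for rpID; the relying party stores only the public key.
func (a *Authenticator) Register(rpID string) (*ecdsa.PublicKey, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	a.keys[rpID] = priv
	return &priv.PublicKey, nil
}

// Assertion is everything that leaves the device during a login.
type Assertion struct{ AuthData, ClientDataJSON, Sig []byte }

func clientData(challenge []byte, rpID string) []byte {
	return []byte(`{"type":"webauthn.get","challenge":"` + base64.RawURLEncoding.EncodeToString(challenge) + `","origin":"https://` + rpID + `"}`)
}

// signedDigest is SHA-256(authData || SHA-256(clientDataJSON)), as in WebAuthn.
func signedDigest(authData, cd []byte) []byte {
	h := sha256.Sum256(cd)
	d := sha256.Sum256(append(append([]byte{}, authData...), h[:]...))
	return d[:]
}

// Assert produces an assertion once the local gate passes; the key itself never changes.
func (a *Authenticator) Assert(rpID string, challenge []byte, passcode, face string) (*Assertion, error) {
	priv := a.keys[rpID]
	if priv == nil || !a.userVerified(passcode, face) {
		return nil, errors.New("no passkey for " + rpID + ", or user verification failed")
	}
	rpHash := sha256.Sum256([]byte(rpID))
	authData := append(rpHash[:], flagUP|flagUV, 0, 0, 0, 1) // flags, then a 4-byte sign counter (fixed at 1 here)
	cd := clientData(challenge, rpID)
	sig, err := ecdsa.SignASN1(rand.Reader, priv, signedDigest(authData, cd))
	if err != nil {
		return nil, err
	}
	return &Assertion{AuthData: authData, ClientDataJSON: cd, Sig: sig}, nil
}

// VerifyAssertion is the relying-party side: RP-ID binding, UV flag, challenge and
// signature. It never learns whether a face or a passcode unlocked the key.
func VerifyAssertion(pub *ecdsa.PublicKey, rpID string, challenge []byte, as *Assertion) bool {
	rpHash := sha256.Sum256([]byte(rpID))
	if len(as.AuthData) != 37 || !bytes.Equal(as.AuthData[:32], rpHash[:]) || as.AuthData[32]&flagUV == 0 {
		return false // wrong relying party, or no user verification
	}
	if !bytes.Equal(as.ClientDataJSON, clientData(challenge, rpID)) {
		return false // challenge or origin mismatch (replay / phishing)
	}
	return ecdsa.VerifyASN1(pub, signedDigest(as.AuthData, as.ClientDataJSON), as.Sig)
}
```

The thing to notice is where the biometric sits: EnrollFace only needs the passcode, and Assert accepts either the passcode or any enrolled face, so a newly enrolled face produces an assertion that verifies against exactly the public key the site stored at registration. What passkeys do buy you, even in this situation, is the RP-ID and challenge binding in VerifyAssertion, which is why the same assertion cannot be replayed or used at a look-alike site.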
 