Not exactly.
I have three cards linked to AP. Aside from that I also have most of my financial stuff via app or web page and guess where those passwords are keychained.

So yeah, if a thief got my passcode and phone, Screentime or not, they could do some serious damage rather quickly.

While I figure out a way to better safeguard this, I suppose the fact I mostly take my Android with me instead of my iPhone is a plus.
I have two credit cards in my physical wallet and an ATM card. Unlike AP the cards are not password protected.

The keychaining of banking app passwords is a potential issue and so is storing sensitive documents on iCloud.
 
I am aware, it also only gives you 1% cash back if you use the physical card so that is one of the cards I have locked away. Every other credit card or debit card I have has the number on the card. The physical card I use most frequently gets compromised about once every 12 months.
Ah. I may be the only one but I don't pay attention to cash back. I use my debit card (through the Apple Watch) and only use my other cards for bigger purchases. I rarely use a physical card.
 
Ah. I may be the only one but I don't pay attention to cash back. I use my debit card (through the Apple Watch) and only use my other cards for bigger purchases. I rarely use a physical card.
I don't have a debit card on my main bank account. I have a completely separate account at a different bank with a debit card. I keep about $100 in that account and only use the debit card to fund Apple Cash which I then send to my teenage daughter via iMessage. That way I don't have to give her access to a debit card or credit card.
 
My thoughts:

1) Convenience and security are but two sides of the same coin. A longer passcode is also more inconvenient for users to key in on a day to day basis. Making it harder to remember may also lead to less secure practices such as writing it down. Which is why many people default to a 4-6 digit passcode, and I don't think that is going to change anytime soon.

2) My understanding of the problem is that it's a social one - people are openly typing their passwords in public, but framing it as such won't make for as engaging a headline because then, it places the blame on the user instead of on Apple. In this case, they really are using their phone wrong. This is another classic case of clickbait headlines by a news outlet to attract clicks and views.

3) I can see why Apple is not able to respond directly to this, because their rebuttal (you are using your phone wrong) would have likely come across as shirking responsibility and victim blaming. But at the end of the day, I don't think Apple did anything wrong or has otherwise been remiss in any way.

4) I can think of another solution - linking your Apple Watch to your iPhone so it can only be unlocked when you are near it. This would be another way of doing away with the need to use a passcode in public (assuming Face ID is not an option for some reason). However, this doesn't extend to passwords for like say, when you are paying with Apple Pay. Perhaps Apple could go one step further here (eg: if I am wearing my Apple Watch and meeting a certain set of criteria, I don't need to key in my passcode for a couple of actions on my phone).

All in all, much ado over nothing.
Problem is it doesn't matter how long if they use a camera. The greatest piece of physical security someone listed that I also thought of was a privacy screen. Then they need the camera perfectly above you. On top of that it would be nice to do the random keypad like someone suggested. Then they couldn't just watch your fingers and know the code. And it is both's fault. Person for letting the code be compromised unless under threat and Apple for letting that one piece do everything important without other authentication factors.
 
That's not what I was replying to. The idea in question was to use two factor unlocking by requiring both TouchID and FaceID to be used simultaneously to unlock an iPhone. Of course this would require an iOS device that has both types of unlocking hardware.

Even with this hypothetical iPhone, if the thief knows your passcode, they can still wreak havoc. It doesn't matter if you have a 4 digit passcode or a 6 digit passcode or a 25 character one, if they see your passcode, you're compromised.

A potential solution is to allow users to have two passcodes, or more. One passcode can be used for unlocking the iPhone, just like normal. A second passcode could be used for higher level activities, like changing any aspect of your AppleID, adding more fingers to your TouchID, adding more faces to FaceID, getting into your Keychain, etc.

I'm sure the smart folks at Apple could implement this and come up with other scenarios to protect users.
I've been saying about a guest PIN forever not just for thieves but to let someone use it without full access.
 
Problem is it doesn't matter how long if they use a camera. The greatest piece of physical security someone listed that I also thought of was a privacy screen. Then they need the camera perfectly above you. On top of that it would be nice to do the random keypad like someone suggested. Then they couldn't just watch your fingers and know the code. And it is both's fault. Person for letting the code be compromised unless under threat and Apple for letting that one piece do everything important
Also it doesn't help that on the lock screen, there is no way to turn off the character preview when typing in the password. So each character you type enlarges and pops up on the screen. Along with the last character showing in password box when typing. Making it easier for all to see.
 
Yea and don't even have to go in. I was able to deposit checks 30+ ago before Direct Deposit at an ATM.
Using an ATM doesn't feel very secure to me. Someone could easily discover your 4 digit PIN. I like to spend as little time as possible around ATMs.
 
Using an ATM doesn't feel very secure to me. Someone could easily discover your 4 digit PIN. I like to spend as little time as possible around ATMs.
My bank just forced me to change from a 6 digit PIN to a 4 digit one. I mentioned that this was less secure and I was unhappy about it. Their reaction was ¯\_(ツ)_/¯
 
I don't have a debit card on my main bank account. I have a completely separate account at a different bank with a debit card. I keep about $100 in that account and only use the debit card to fund Apple Cash which I then send to my teenage daughter via iMessage. That way I don't have to give her access to a debit card or credit card.
Some banks have "cards for kids" options so the parent can control the card but still link to a parent's account.
 
My bank just forced me to change from a 6 digit PIN to a 4 digit one. I mentioned that this was less secure and I was unhappy about it. Their reaction was ¯\_(ツ)_/¯
That's banks for you. I minimize my exposure by never paying with cash for anything if at all possible.
 
Some banks have "cards for kids" options so the parent can control the card but still link to a parent's account.
I didn't want to give my daughter a physical card, particularly not one linked to one of my accounts.
 
I didn't want to give my daughter a physical card, particularly not one linked to one of my accounts.
Understood. I just wanted to point out that these cards can be effectively walled off. I had one for a relative years ago.
 
Blocking in ScreenTime change of account, passwords, location services and paying without Apple ID password seems to work the best.

Cons - I don’t see subscriptions in Apple Store but have reminders for each of them.

The issue shown in the main post is a design flaw. How on earth is it possible to change so many things based only on a PIN code… Never ever store your iCloud password in Keychain.
 

Blocking in ScreenTime change of account, passwords, location services and paying without Apple ID password seems to work the best.

Cons - I don’t see subscriptions in Apple Store but have reminders for each of them.

The issue shown in the main post is a design flaw. How on earth is it possible to change so many things based only on a PIN code… Never ever store your iCloud password in Keychain.
Never ever secure your iPhone with a numeric PIN code. Use a proper password with mixed case letters, numbers and special characters. Make it complicated enough that you have trouble typing it in.
 
Never ever secure your iPhone with a numeric PIN code. Use a proper password with mixed case letters, numbers and special characters. Make it complicated enough that you have trouble typing it in.
Should it be so complicated that you have a hard time remembering it?😅

I hate the password system some Government websites force me to use. Alphanumerical, special character, 10 characters long, change every 90 days. Well sh..., I'll have to write the thing down, which will make it not so secure.😒 It wouldn't be so bad if I didn't have to change it every 3 months. I can easily remember a complex password, but when you've generated dozens of them, they tend to get jumbled up in your head.😑

For me, an easy to remember password is written in language of Old Country. Everyone expects a password to be in English.🤷‍♂️ Native language + number = easy to remember, hard to guess since "Nobody expects the Spanish password."
 
My bank just forced me to change from a 6 digit PIN to a 4 digit one. I mentioned that this was less secure and I was unhappy about it. Their reaction was ¯\_(ツ)_/¯
I had a bank once where the online banking password was a MAX of eight chars with no symbols :/
 
Should it be so complicated that you have a hard time remembering it?😅

I hate the password system some Government websites force me to use. Alphanumerical, special character, 10 characters long, change every 90 days. Well sh..., I'll have to write the thing down, which will make it not so secure.😒 It wouldn't be so bad if I didn't have to change it every 3 months. I can easily remember a complex password, but when you've generated dozens of them, they tend to get jumbled up in your head.😑
I am not going to change my password every 90 days but yes, it should be as complicated as those government website passwords. I don't have to write mine down though, I have an offline password wallet not connected to iCloud accessible from my home computer.

I make sure I am logged in before I leave home and then just use FaceID.
 