If nothing else, this has brought to light that the almighty passcode is both a boon and a curse.
Hopefully Apple comes up with a solution.
Personally I would like to see the passcode for initial access only and nothing else at most.
One obvious thing they could do is to stop encouraging people to set a 6 digit PIN by default.
I am not going to change my password every 90 days but yes,
This requirement is what screws up everything.😩
it should be as complicated as those government website passwords.
A complicated PW that fits that criteria and easy to remember. Easy peasy. For example N=1kg*m/s^2. That's easy to remember for someone who has studied Physics. Hint: Newton.😉

Well, having to come up with something complex yet easy to remember every 90 days.😬
I don't have to write mine down though, I have an offline password wallet not connected to iCloud accessible from my home computer.
The only real way to keep a password secure is to have it exist only in your head. The "change your password every 90 days" rule decreases security because you'll eventually have to write it down somewhere.🤦‍♂️ What paper pushing idiot came up with that idea?😠 I can guarantee you it wasn't an IT guy.😤
iOS allows for hardware keys now.
How would that work? Plug in a dongle into the lightning port?🤔
 
How would that work? Plug in a dongle into the lightning port?🤔
The Yubico Key plugs into the device or you can also hold it close and it will read.
Another aspect of the iPhone that I highly suggest securing is your apps. What I am referring to is adding biometric confirmation to apps that don't already require it before gaining access to the app. One such app is Apple Mail. The mail app holds a lot of personal and sometimes sensitive data that needs protecting, especially if your phone is being used by anyone else but you (or your trusted spouse).

You can secure the stock mail app from opening without proper authorization by using the Shortcuts app.

1) Open the Shortcuts app
2) Select Automation at the bottom of the app
3) Tap on Create personal automation
4) Select "App" from the choices
5) Pick the mail app or any other app(s) you want to protect from unauthorized access
6) Once you have all the app(s) selected that you want to secure tap on Next
7) Tap on Add Action
8) In search bar, type in Timer
9) Tap on Start Timer
10) Change Timer default to 1 second and tap on Next
11) Make sure "Ask to run and Notify when run" are toggled off and tap Done
12) Open up the Clock app, select Timer and change the default play sound to "stop playing."

Once that automation has been created, you won't be able to open the app without proper biometric authentication.
 
The only reason this is an "iPhone" issue is because no one wants to steal an Android or Google phone. lol. But seriously though, if someone forcibly takes your phone after shouldering you that is not an Apple or iPhone issue. Use common sense and the security available to you.

Use physical security keys and an MDM. If you enroll in an MDM you can lock and wipe the phone remotely.
 
Apple encourages us to use “One Account for Everything Apple” and to make that the primary ID for our devices. So with Find My turned on by default, a passcode-equipped phone thief could also render my other devices useless to me. I‘m maintaining two ID’s going forward and dealing with the extra effort.
If that were only true.
If you can get the PIN or pattern code for an Android device, you cannot lock the user out and have pretty much free rein like you can in iOS.

That is a challenge - make it secure enough and easy enough that the user will actually use it.
 
Now I‘m wondering if the thief could in theory also locate [and steal] the victim’s other devices using Find My and be able to log into them? I know that I have my Mac’s user password set to be reset with an Apple ID. And wouldn’t the thief be holding a trusted device if they had control of the phone? [Edit: the Mac is a trusted device and would receive the 2FA code, duh.]
 
An in-depth report published today by The Wall Street Journal's Joanna Stern and Nicole Nguyen highlights instances of thieves spying on a victim's iPhone passcode before stealing the device in order to gain access to the device, data, and money.


All of the victims interviewed said their iPhones were stolen while they were out socializing at bars and other public places at night. Some victims said the iPhones were grabbed out of their hands by strangers, while others said they were physically assaulted and intimidated. The report provides specific examples of these instances.

With knowledge of the iPhone's passcode, a thief can easily reset the victim's Apple ID password in the Settings app, even if Face ID or Touch ID is enabled. Subsequently, the thief can turn off Find My iPhone on the device, preventing the owner of the device from tracking its location or remotely erasing the device via iCloud. The thief can also remove other trusted Apple devices from the account to further lock out the victim.

The thief can also change an Apple ID's contact information and set up a recovery key in order to prevent a victim from recovering the account.


To make matters worse, knowing an iPhone's passcode allows a thief to use Apple Pay, send Apple Cash, and access banking apps using passwords stored in iCloud Keychain. Even if Face ID or Touch ID is enabled on the iPhone, thieves can simply bypass these authentication methods and an option to input the device's passcode is presented. In some cases, the report claims that thieves even opened an Apple Card by finding the victim's last four digits of their Social Security number in photos stored in apps like Photos or Google Drive.

Access to other passwords stored in iCloud Keychain allows the thief to further wreak havoc, as it could give them access to email accounts and other sensitive information. All in all, the report says thieves can essentially "steal your entire digital life."

Apple Responds

In response to the report, an Apple spokesperson said "security researchers agree that iPhone is the most secure consumer mobile device, and we work tirelessly every day to protect all our users from new and emerging threats."

"We sympathize with users who have had this experience and we take all attacks on our users very seriously, no matter how rare," the spokesperson added. "We will continue to advance the protections to help keep user accounts secure." Apple did not provide any specific details about any next steps it might take to increase security.

In a tweet, Stern recommended that Apple add extra protections to iOS and introduce additional Apple ID account recovery options.

How to Stay Protected

In a tweet, Stern recommended that users switch from a four-digit passcode to an alphanumeric passcode, which would be more difficult for thieves to spy on. This can be done in the Settings app under Face ID & Passcode → Change Passcode.

iPhone users can also use Face ID or Touch ID as much as possible when in public to prevent thieves from spying on their passcode. In situations where entering the passcode is necessary, users can hold their hands over their screen to hide passcode entry.

To protect a bank account, consider storing the password in a password manager that does not involve the device's passcode, such as 1Password.

Article Link: Apple Responds to Report About Thieves Spying on iPhone Passcodes to 'Steal Your Entire Digital Life'
In a tweet, Stern recommended that users....not get drunk; not hand over their pass codes to others (strangers) and USE COMMON SENSE when in public. Like, maybe, when you're at an ATM???
 
ALL: Watch Gary's EXCELLENT video (03/01/2023) at his site 'MacMost .com'. Share it with those 'concerned' about this latest, albeit still a PSA, FUD. Also: don't go to use the ATM whilst drunk with that stranger standing behind you....
 
MBP, iPad Pro, iPhone 13Pro Max - phone is a trusted device.
And yes, if you have FM active, you can find all your other devices. Once they have control of your phone, they can lock you permanently out of all your other devices.

Ouch!
 
And once they saw that you were carrying your MBP they could track you until a good time to steal. And ironically they would be the only one who could use it.
I guess we could call that "pre-theft" or "pre-stealing." Yeah, it's just nuts, with the device passcode alone they can possibly steal your other devices from you while you continue to possess them. One could go home and find their desktop or laptop just locked or wiped and iCloud backups just inaccessible.

I wonder if they could see where you are through your AirTags maybe (on your keychain or something), then they could know you're not home but your desktop or laptop is...
 
Oh, the scenario I was describing is after they learn your passcode and grab your phone they later see in Find My that you are carrying your MBP so they come follow you.

[Edit: and since Apple Watch uses Find My if the paired iPhone has Find My turned on, that could be used to track you, since most everyone pairs the Watch to the iPhone they carry.]

[And it appears that the Watch can also be used to change the Apple ID password using the passcode.]
 
The definition of what sense is common will require some re-education and fine tuning because many iPhone users believe that their ecosystem is the most secure.
If you do any banking or other secure activities on your phone, you should use an alphanumeric password of >8 characters. The passcode really does allow full access to anything on an iPhone. Banking apps that allow logging in with Face ID are only as secure as your passcode.

The same really goes for any device that can receive email though. Most of your Internet accounts can be accessed and reset with just your email. Unless you do literally nothing on your phone besides calling, texting, and have never used your number for 2FA, anything less secure than an 8+ character alphanumeric password is irresponsible.

Stop looking at this like a security guru. We are talking typical users and use case.
Quick fix? Make the PIN code device access only. Nothing more. Problem solved for shoulder surfers.
Android has a nice feature in that you can set multiple users. You can have a secondary user that only has access to a tightly locked down feature set and only use that in crowds. The users the phone signs into is dependent on which passcode you enter.

Aside from that, the way these “thieves” are ransacking iPhones is not possible on Android devices. Yes, you can still do damage but not cut someone out of their digital life.
This is an interesting issue. There is an authentication model flaw here. If you get privileged access to any iOS device then it's game over as all the authentication factors (PIN, FaceID, iCloud keychain) are available on the same physical device. You can then make account changes and remove other devices.

So if you use FaceID and cock it up, then have to enter a PIN and someone swipes your phone then the attacker here can likely remove the activation lock from the device, change your account data, anything.

We require a completely separate physical device for MFA authentication for work (Yubikey NFC). There should be an MFA bounce through any account changes on device at the very least.

Is that realistic for the average user? There are a significant number of folks whose only computing device is their smartphone. Some predictors are saying that approx 70% of users will only access the web via a smartphone by 2025.
 
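The post above describes the flaw as an authentication model problem: every factor the account-change flow accepts (passcode, Face ID with its passcode fallback, iCloud Keychain) lives on the same physical device, so possession plus a shoulder-surfed passcode is enough to do everything the quoted article lists. The following Python model, added here as an editor's example and not code from the thread, Apple, or the WSJ report, encodes that chain as a policy over named factors and compares it with the "MFA bounce" the post asks for. All action and factor names are illustrative assumptions, not Apple's internal terminology, and the policies are a reading of the article's description, not a specification of how iOS actually evaluates them.

```python
"""
Policy model of the device-resident authentication factors discussed in the
thread. Constructed example; factor and action names are illustrative
assumptions, not Apple's terminology.
"""
from typing import Dict, FrozenSet, List, Set

# Factors. Everything except the last three lives on the phone itself.
POSSESSION = "phone_in_hand"
PASSCODE = "device_passcode"
BIOMETRIC = "face_or_touch_id"
KEYCHAIN = "icloud_keychain"
HARDWARE_KEY = "hardware_security_key"   # e.g. the YubiKey a poster mentions
SECOND_DEVICE = "other_trusted_device"   # a Mac or iPad not in the thief's hands
VAULT = "separate_password_manager"      # unlocked by its own master secret

# Actions the quoted article says a thief with the passcode can perform.
ACCOUNT_CHANGES = ["reset_apple_id_password", "disable_find_my",
                   "remove_trusted_devices", "set_recovery_key"]
PAYMENT = ["apple_pay", "send_apple_cash"]
BANKING = ["banking_app_login"]

# A rule is a list of alternatives; holding every factor in any one of them
# authorizes the action.
Rule = List[FrozenSet[str]]


def derive(held: Set[str]) -> Set[str]:
    """Close the held factors under what the passcode unlocks on the device.

    This is the thread's central point: a biometric prompt falls back to the
    passcode, and the passcode also unlocks iCloud Keychain, so possession plus
    the passcode yields every factor that lives on the phone."""
    held = set(held)
    if POSSESSION in held and PASSCODE in held:
        held |= {BIOMETRIC, KEYCHAIN}
    return held


def current_policy() -> Dict[str, Rule]:
    """As the article describes it: each sensitive action is satisfiable
    entirely with factors that are on the stolen phone."""
    unlock = [frozenset({POSSESSION, PASSCODE}), frozenset({POSSESSION, BIOMETRIC})]
    rules: Dict[str, Rule] = {a: unlock for a in ACCOUNT_CHANGES + PAYMENT}
    rules["banking_app_login"] = [frozenset({POSSESSION, BIOMETRIC, KEYCHAIN})]
    return rules


def hardened_policy() -> Dict[str, Rule]:
    """The 'MFA bounce' the last post asks for: account changes need a factor
    the phone does not hold, and the bank credential sits in a vault the
    device passcode cannot open (the article's password-manager advice).
    Payments are left passcode-gated because the post does not address them."""
    unlock = [frozenset({POSSESSION, PASSCODE}), frozenset({POSSESSION, BIOMETRIC})]
    off_device = [frozenset({POSSESSION, PASSCODE, HARDWARE_KEY}),
                  frozenset({POSSESSION, PASSCODE, SECOND_DEVICE})]
    rules: Dict[str, Rule] = {a: off_device for a in ACCOUNT_CHANGES}
    rules.update({a: unlock for a in PAYMENT})
    rules["banking_app_login"] = [frozenset({POSSESSION, BIOMETRIC, VAULT})]
    return rules


def authorized_actions(policy: Dict[str, Rule], held: Set[str]) -> List[str]:
    """Return, sorted, every action the policy grants to a holder of `held`
    after the on-device derivation in derive()."""
    have = derive(held)
    return sorted(a for a, alts in policy.items() if any(alt <= have for alt in alts))


# Constructed attacker: the phone was grabbed after the passcode was watched.
THIEF = {POSSESSION, PASSCODE}

if __name__ == "__main__":
    print("current :", authorized_actions(current_policy(), THIEF))
    print("hardened:", authorized_actions(hardened_policy(), THIEF))
```

Under `current_policy()` the thief is granted all seven actions; under `hardened_policy()` only the two payment actions remain, because every account change now demands a factor that is not on the phone and the banking credential is no longer reachable through the passcode. The owner, holding the phone with a working biometric and their vault, keeps payments and banking but still cannot change the account from the phone alone, which is the usability cost the post's last paragraph raises.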