I can do all that, turn on end-to-end encryption on my iCloud account and switch to hardware keys for 2FA. But if anyone obtains my passcode for any of my Apple devices, they can lock me out of all of them with just that passcode.

That is a huge flaw in Apple's security model. Unlike some people here I do expect Apple to fix it. I don't expect them to admit it is a huge flaw though because they will be expecting to be sued. If the woman in the WSJ video didn't have a lawyer before the video was published she does now.
This all makes me think of some movie I can't remember the name. They have this massive door with all kinds of locks and security, but the wall next to it is garbage, so the guy just punches through it and opens the door from the inside.
 
I think if 2FA is enabled and there is more than one Apple device on the account, the second device should be required. If hardware keys have been enabled, one of them should be required.

Failing that, there are existing account recovery protocols that could and should be followed. If a recovery key has been set on the account, that key can be used. If a recovery contact has been enabled, that process can be followed.
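The policy sketched in the two paragraphs above (require a second trusted device, a hardware key, a recovery key, or a recovery contact, in that order of preference, and never accept the requesting device's own passcode as the second factor) can be written down as a small authorization check. The Python below is an added example, not code from Apple, Google, or anyone in this thread; the `Account`, `Presented` and `Factor` types and the sample enrollment records are constructed for illustration. The point it demonstrates is factor independence: a proof that originates on the same device that is asking for the reset is rejected even when it is the "right" kind of factor.

```python
"""Account-recovery authorization policy illustrating factor independence.

Added example (hypothetical types and data, not any vendor's code). A
password reset or trusted-device removal requested from one device must be
approved by a factor that does NOT live on that same device.
"""
from __future__ import annotations

from dataclasses import dataclass
from enum import Enum
from typing import Iterable, List, Optional, Set, Tuple


class Factor(Enum):
    DEVICE_PASSCODE = "device_passcode"          # known to whoever holds the unlocked phone
    HARDWARE_KEY = "hardware_key"                # FIDO-style security key
    OTHER_DEVICE_APPROVAL = "other_device_approval"  # prompt answered on a different trusted device
    RECOVERY_KEY = "recovery_key"                # long key the owner stored offline
    RECOVERY_CONTACT = "recovery_contact"        # code supplied by a designated person


@dataclass(frozen=True)
class Presented:
    """A factor the requester has just proven, and which device produced the proof."""
    factor: Factor
    source_device: Optional[str] = None


@dataclass
class Account:
    trusted_devices: Set[str]
    hardware_keys_enrolled: bool = False
    recovery_key_set: bool = False
    recovery_contact_set: bool = False


def required_factor(acct: Account, requesting_device: str) -> Optional[Factor]:
    """Pick the strongest factor the account has that is independent of the requesting device."""
    if acct.hardware_keys_enrolled:
        return Factor.HARDWARE_KEY
    if acct.trusted_devices - {requesting_device}:   # at least one OTHER trusted device exists
        return Factor.OTHER_DEVICE_APPROVAL
    if acct.recovery_key_set:
        return Factor.RECOVERY_KEY
    if acct.recovery_contact_set:
        return Factor.RECOVERY_CONTACT
    return None


def authorize_reset(acct: Account, requesting_device: str,
                    presented: Iterable[Presented]) -> Tuple[bool, str]:
    """Decide whether a credential reset requested from `requesting_device` may proceed."""
    needed = required_factor(acct, requesting_device)
    if needed is None:
        # Nothing independent is enrolled: deny here rather than accept the device passcode.
        return False, "no independent recovery factor enrolled; use the slow recovery process"
    for p in presented:
        if p.factor != needed:
            continue   # the device passcode, for example, never satisfies this check
        if p.source_device == requesting_device:
            # Same device produced the proof: "something you have" collapses into the stolen phone.
            return False, f"{needed.value} presented from the requesting device is not independent"
        return True, f"approved via {needed.value}"
    return False, f"{needed.value} required"


def demo() -> List[Tuple[bool, str]]:
    """Run the policy over a few constructed situations from the thread."""
    two_devices = Account(trusted_devices={"iphone", "mbp"})
    phone_only = Account(trusted_devices={"iphone"})
    with_key = Account(trusted_devices={"iphone", "mbp"}, hardware_keys_enrolled=True)
    return [
        # thief holds the unlocked iPhone and knows its passcode: denied
        authorize_reset(two_devices, "iphone", [Presented(Factor.DEVICE_PASSCODE, "iphone")]),
        # owner approves the prompt on the MacBook: allowed
        authorize_reset(two_devices, "iphone", [Presented(Factor.OTHER_DEVICE_APPROVAL, "mbp")]),
        # single device, no recovery key or contact: denied, not silently downgraded
        authorize_reset(phone_only, "iphone", [Presented(Factor.DEVICE_PASSCODE, "iphone")]),
        # hardware key enrolled, so even another trusted device is not enough
        authorize_reset(with_key, "iphone", [Presented(Factor.OTHER_DEVICE_APPROVAL, "mbp")]),
        authorize_reset(with_key, "iphone", [Presented(Factor.HARDWARE_KEY)]),
    ]


if __name__ == "__main__":
    for ok, why in demo():
        print("ALLOW" if ok else "DENY ", "-", why)
```

The ordering in `required_factor` is the thread's: a hardware key, once enrolled, becomes mandatory rather than optional, and the single-device case with nothing else enrolled is refused outright instead of falling back to the passcode that the thief already has.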
Yes, I never understood why it sends 2FA to the device you are on. Doesn't that defeat its purpose? If you don't have a second device, let you use one within your family, or a CTN or email separate from what is on your device.
 
This all makes me think of some movie I can't remember the name. They have this massive door with all kinds of locks and security, but the wall next to it is garbage, so the guy just punches through it and opens the door from the inside.
Sounds like a plot for a Sherlock Holmes story, The Red-Headed League. Short version: crooks broke through bank vault floor via sewer system, bypassing the vault door completely.
 
Sounds like a plot for a Sherlock Holmes story, The Red-Headed League. Short version: crooks broke through bank vault floor via sewer system, bypassing the vault door completely.
That was like the one movie I just watched which I don't remember the name again :) Some guy stole some important city item from the museum and used some old sewer tunnels to get to the school and plant it in the trophy case to frame a museum worker who used to coach there.
 
Sounds like a plot for a Sherlock Holmes story, The Red-Headed League. Short version: crooks broke through bank vault floor via sewer system, bypassing the vault door completely.
It also sounds a lot like WW2. The French built an elaborate set of fortifications called the Maginot Line to protect against invasion but the line did not extend to their border with Belgium. No prizes for guessing what happened next.
 
Yes, I never understood why it sends 2FA to the device you are on. Doesn't that defeat its purpose? If you don't have a second device, let you use one within your family, or a CTN or email separate from what is on your device.

Have an iPhone and a MBP. I'm not at home (traveling?) and need to reset.
Have an iPhone and a bunch of Home items.
Have an iPhone and a wifi iPad for entertainment.
Have multiple Apple devices but multiple Apple IDs (mine)

I can think of a number of instances like this.
We need something different that will not allow a "thief" to lock your digital world and Apple devices.
 
This all makes me think of some movie I can't remember the name. They have this massive door with all kinds of locks and security, but the wall next to it is garbage, so the guy just punches through it and opens the door from the inside.

Steel door with all kinds of locks yet crappy construction for the walls.
 


An in-depth report published today by The Wall Street Journal's Joanna Stern and Nicole Nguyen highlights instances of thieves spying on a victim's iPhone passcode before stealing the device in order to gain access to the device, data, and money.


All of the victims interviewed said their iPhones were stolen while they were out socializing at bars and other public places at night. Some victims said the iPhones were grabbed out of their hands by strangers, while others said they were physically assaulted and intimidated. The report provides specific examples of these instances.

With knowledge of the iPhone's passcode, a thief can easily reset the victim's Apple ID password in the Settings app, even if Face ID or Touch ID is enabled. Subsequently, the thief can turn off Find My iPhone on the device, preventing the owner of the device from tracking its location or remotely erasing the device via iCloud. The thief can also remove other trusted Apple devices from the account to further lock out the victim.

The thief can also change an Apple ID's contact information and set up a recovery key in order to prevent a victim from recovering the account.


To make matters worse, knowing an iPhone's passcode allows a thief to use Apple Pay, send Apple Cash, and access banking apps using passwords stored in iCloud Keychain. Even if Face ID or Touch ID is enabled on the iPhone, thieves can simply bypass these authentication methods and an option to input the device's passcode is presented. In some cases, the report claims that thieves even opened an Apple Card by finding the last four digits of the victim's Social Security number in photos stored in apps like Photos or Google Drive.

Access to other passwords stored in iCloud Keychain allows the thief to further wreak havoc, as it could give them access to email accounts and other sensitive information. All in all, the report says thieves can essentially "steal your entire digital life."

Apple Responds

In response to the report, an Apple spokesperson said "security researchers agree that iPhone is the most secure consumer mobile device, and we work tirelessly every day to protect all our users from new and emerging threats."

"We sympathize with users who have had this experience and we take all attacks on our users very seriously, no matter how rare," the spokesperson added. "We will continue to advance the protections to help keep user accounts secure." Apple did not provide any specific details about any next steps it might take to increase security.

In a tweet, Stern recommended that Apple add extra protections to iOS and introduce additional Apple ID account recovery options.

How to Stay Protected

In a tweet, Stern recommended that users switch from a four-digit passcode to an alphanumeric passcode, which would be more difficult for thieves to spy on. This can be done in the Settings app under Face ID & Passcode → Change Passcode.

iPhone users can also use Face ID or Touch ID as much as possible when in public to prevent thieves from spying on their passcode. In situations where entering the passcode is necessary, users can hold their hands over their screen to hide passcode entry.

To protect a bank account, consider storing the password in a password manager that does not involve the device's passcode, such as 1Password.

Article Link: Apple Responds to Report About Thieves Spying on iPhone Passcodes to 'Steal Your Entire Digital Life'
Some people even on here keep saying it's more secure. Even if it is technically more secure, it is practically way less secure.

  1. Tap Content & Privacy Restrictions. If asked, enter your passcode, then turn on Content & Privacy Restrictions.
Make sure to choose a passcode that's different from the passcode that you use to unlock your device. To change or turn off the passcode on your child's device, tap Settings > Screen Time > [your child's name]. Then tap Change Screen Time Passcode or Turn Off Screen Time Passcode, and authenticate the change with Face ID, Touch ID, or your device passcode.

With iOS 16, while you're setting up Screen Time for a child's device, you can set age-related restrictions for content in apps, books, TV shows, and movies. Just follow the onscreen instructions during setup.

If you forgot your Screen Time passcode, update your device to the latest iOS or iPadOS, then reset your passcode. If you can't update your device, erase it and set it up as new to remove the passcode and choose a new one. Restoring your device from a backup won't remove your passcode.
 
Screen Time moves Face ID and code






  1. Tap Content & Privacy Restrictions. If asked, enter your passcode, then turn on Content & Privacy Restrictions.
Make sure to choose a passcode that's different from the passcode that you use to unlock your device. To change or turn off the passcode on your child's device, tap Settings > Screen Time > [your child's name]. Then tap Change Screen Time Passcode or Turn Off Screen Time Passcode, and authenticate the change with Face ID, Touch ID, or your device passcode.

With iOS 16, while you're setting up Screen Time for a child's device, you can set age-related restrictions for content in apps, books, TV shows, and movies. Just follow the onscreen instructions during setup.

If you forgot your Screen Time passcode, update your device to the latest iOS or iPadOS, then reset your passcode. If you can't update your device, erase it and set it up as new to remove the passcode and choose a new one. Restoring your device from a backup won't remove your passcode.
 
On the Android side, I tried going into the security settings, and just like you do it from the web on a desktop you need to enter your Google account password before tweaking settings like password, 2FA, etc. So like a proper change password prompt, you are required to enter your existing password + a new password. That is the standard at most websites.

On Android you must re-enter, at the minimum, the current Google account password for it to be changed.

Even google and android asks for the old password to change it .

Not an Android issue. Google requires the current Google password to change the Google password. You can't change the Google password by just using the simple device passcode.

Aside from that, the way these “thieves” are ransacking iPhones is not possible on Android devices. Yes, you can still do damage but not cut someone out of their digital life.

I can change my Google password on my Android phone with just my lock screen passcode.

Settings > Google > Manage your Google Account > Personal Info > Password > Forgot Password > Confirm your screen lock > Tap Yes on your phone or tablet

After following the above I was able to change my Google password. No need to enter my Google password and no need to confirm on a separate device. I have 2FA enabled on my Google account but I guess they consider my phone and its screen lock code as two separate factors.

What special setting do you all have enabled to prevent the above method from working on your Android devices?
 
Have an iPhone and a MBP. I'm not at home (traveling?) and need to reset.
Have an iPhone and a bunch of Home items.
Have an iPhone and a wifi iPad for entertainment.
Have multiple Apple devices but multiple Apple IDs (mine)

I can think of a number of instances like this.
We need something different that will not allow a "thief" to lock your digital world and Apple devices.
If you don't have multiple Apple devices logged into the same account, you can't really do 2FA properly. So if every device is on its own account, 2FA without hardware keys seems pointless.

I assume by "Home items" you mean things like HomePods and Apple TVs. You obviously can't use a HomePod for 2FA and if I had an Apple TV I would not log into it using my main Apple ID.

If you are traveling maybe bring the MacBook or that Wifi iPad with you. You can set up a hotspot via your phone if you need to.

The preferred Apple device for 2FA should really be the Apple Watch. It's a separate device and you probably always have it with you.

A hardware key would be better of course assuming Apple actually implemented it properly.
 
I can change my Google password on my Android phone with just my lock screen passcode.

Settings > Google > Manage your Google Account > Personal Info > Password > Forgot Password > Confirm your screen lock > Tap Yes on your phone or tablet

After following the above I was able to change my Google password. No need to enter my Google password and no need to confirm on a separate device. I have 2FA enabled on my Google account but I guess they consider my phone and its screen lock code as two separate factors.

What special setting do you all have enabled to prevent the above method from working on your Android devices?

The Google account associated with my Android is not one that has a mail or other app on device.
You have to get there via the browser. You can start the process from Settings. Not that hard - the rest is just a link if you can get past the security questions or pincode (not the device login one). Still, what does resetting the password get the thief?

btw - say they change the password. They still cannot cut you out of your digital life. You can use another device to get back in. They can do some damage for sure but unlike Apple you can get your digital life back and the ability to get into your finances is very limited.

It isn't the password reset that is the issue, it is the fact that on iOS you can take total control of a person's digital life and if they are using keychain you have pretty much all their passwords too. Android doesn't have that level of integration nor that level of vulnerability.
 
If you don't have multiple Apple devices logged into the same account, you can't really do 2FA properly. So if every device is on its own account, 2FA without hardware keys seems pointless.

I assume by "Home items" you mean things like HomePods and Apple TVs. You obviously can't use a HomePod for 2FA and if I had an Apple TV I would not log into it using my main Apple ID.

If you are traveling maybe bring the MacBook or that Wifi iPad with you. You can set up a hotspot via your phone if you need to.

The preferred Apple device for 2FA should really be the Apple Watch. It's a separate device and you probably always have it with you.

A hardware key would be better of course assuming Apple actually implemented it properly.

I keep them separate, as my iPhone is my main work phone and my laptop is Windows. My main personal phone is Android.
Surprisingly, or maybe not, work does ask us to make our iPhone a trusted device. My MBP stays home.

For Home items, you are correct.

AW is an idea. Have to look at that. I have one even if I don't always wear it.
 
btw - say they change the password. They still cannot cut you out of your digital life. You can use another device to get back in. They can do some damage for sure but unlike Apple you can get your digital life back and the ability to get into your finances is very limited.

Once they have your phone and have reset your Google password surely they can just remotely sign you out of other devices and sessions, disable find my device, and disable recovery methods. This would lock you out, wouldn't it?

Regarding finances - they are able to access Google wallet with your screen unlock code so could use any cards you have stored in there. They could access any financial apps that have screen unlock code as backup to biometrics (hopefully not many do but I think that's also true on iPhone). I'm not quite sure how the situation from financial theft perspective is worse on iPhone?

The Google account associated with my Android is not one that has a mail or other app on device.

Are you saying you don't use the Google account associated with your Android device for email or any other important data? This is certainly an option for minimising the impact of this sort of crime, in the same way avoiding use of iCloud for email, document storage, and photo backup is an option for an iPhone user. But lots of people (maybe most Android users???) will be using their Android-linked Google account for these sorts of things.
 
TLDR: my personal reaction to the WSJ piece was to create a separate and limited Apple ID for my iPhone

What is the consequence of this from a usability perspective?

I assume it means you can no longer use your primary Apple ID for Apple/iCloud services on your iPhone (e.g. FaceTime, Photos, etc). Or can you use an Apple ID for those apps which is different to the one linked to the phone?
 
1. Once they have your phone and have reset your Google password surely they can just remotely sign you out of other devices and sessions, disable find my device, and disable recovery methods. This would lock you out, wouldn't it?

2. Regarding finances - they are able to access Google wallet with your screen unlock code so could use any cards you have stored in there. They could access any financial apps that have screen unlock code as backup to biometrics (hopefully not many do but I think that's also true on iPhone). I'm not quite sure how the situation from financial theft perspective is worse on iPhone?



3. Are you saying you don't use the Google account associated with your Android device for email or any other important data? This is certainly an option for minimising the impact of this sort of crime, in the same way avoiding use of iCloud for email, document storage, and photo backup is an option for an iPhone user. But lots of people (maybe most Android users???) will be using their Android-linked Google account for these sorts of things.
I numbered your responses to better answer.

1. Uh, no. If they reset the password on my Android, how do they use that to log me out of my other devices.
- Thinkpads (1&2) - nope
- MBP - nope
- iPhone - nope
- iPad - nope
- Other Android phone (no SIM) - nope
If you can think of a way they could do this kindly let me know. I am not aware how they could do this.

2. I only have two cards stored in GWallet. None of my finance apps or via the browser use my device access code. They all have separate logins and passwords underlying the biometrics. So other than using GPay to pay for something, they are SOL.

3. I do not. I have a couple of GMail accounts but the account associated with my device is specific. I started doing that back in the earlier days of Samsung and Nexus (Note 5 and earlier) as the account would get bombed with ads and junk mail. I found if I set it up clean and only use it for this feature it stays relatively quiet. Still, if the thief resets that password, what does it gain them?

Not sure about yourself, but how many gmail accounts do you have? I had a bunch. Scaled them way back when I migrated to Proton.
 
Exactly. They are stealing two factors needed to control the account. If they knew your password, your passcode, and your Apple ID, they still couldn’t access your account without access to “something you have” which is your trusted device that has 2FA turned on and uses a passcode.

Yes. I’m hopeful that Apple can find an agreeable solution for users who forgot their passwords.

TLDR: my personal reaction to the WSJ piece was to create a separate and limited Apple ID for my iPhone.

That is actually a decent idea. You lose keychain but can use something like Bitwarden or just look stuff up on another Apple device with the original account. AirDrop any items you need to your old account.

Not a bad short term fix.
Hopefully short term.
 
I numbered your responses to better answer.

1)

Settings > Google Account > Manage Your Account > Security
They could then sign out every device/session except the phone they have stolen ("Your Devices" section)
They could also change the recovery email and recovery phone and disable 2-step verification.

They could also disable Find My Device
Settings > Google > Find My Device

If they do this you would presumably have a hard time regaining access to your Google account (since you no longer know the correct password because the thief has changed it).

2 & 3)

You're describing actions you personally take which minimise your exposure to account takeover vulnerability. These risk reduction behaviours aren't limited to Android - they can be accomplished on iPhone if you choose to treat your Apple account in the same way you treat your Android-associated-Google account (i.e. containing limited content).

Nevertheless, although you may be different, I think most Android users want their Android-associated-Google account to be their primary Google account in the same way that I think most iPhone users want their iPhone-associated-Apple account to be their primary Apple account. So many smartphone users on both platforms are probably very vulnerable to this issue.
 