1)

Settings > Google Account > Manage Your Account > Security
They could then sign out every device/session except the phone they have stolen ("Your Devices" section)
They could also change the recovery email and recovery phone and disable 2-step verification.

They could also disable Find My Device
Settings > Google > Find My Device

If they do this you would presumably have a hard time regaining access to your Google account (since you no longer know the correct password because the thief has changed it).

2 & 3)

You're describing actions you personally take which minimise your exposure to account takeover vulnerability. These risk reduction behaviours aren't limited to Android - they can be accomplished on iPhone if you choose to treat your Apple account in the same way you treat your Android-associated-Google account (i.e. containing limited content).

Nevertheless, although you may be different, I think most Android users want their Android-associated-Google account to be their primary Google account in the same way that I think most iPhone users want their iPhone-associated-Apple account to be their primary Apple account. So many smartphone users on both platforms are probably very vulnerable to this issue.

1. Not really. They can sign you out of Android but not lock you out of Android. For the heck of it I did both my S23U and 10 Pro with the same GMail account. Changed the password on my S23U and it let me log my 10 Pro out of that account. I went to the 10 Pro and did the "Forgot password" and was shortly back in. BTW, I got the alert in my Proton mail account on the initial change. The password change affected none of my other devices, from phones to laptops.

Not worried about FMD. I assume once a phone is stolen I'll never see it again and they are not high enough in value to warrant a police effort.

Thanks for the discussion 👍

2&3 Most would use their main Gmail account however that doesn't get them into financial accounts other than GPay or SPay. It doesn't permanently lock them out of their digital world. Gotta remember that while many have Gmail as a mail service, many have more than one account but only have one Android device unless they bought a tablet. It isn't a keychained / linked ecosystem like Apple.

End of the day, other than some minimal (most likely) financial hit they can get everything back and back into everything. Most folks don't even use Google Pay. With Apple, it is very likely gone. Remember, I am not saying on Android you cannot get hurt, rather the potential damage is far far greater on iOS.
 
  • Like
Reactions: bobcomer
2&3 Most would use their main Gmail account however that doesn't get them into financial accounts other than GPay or SPay. It doesn't permanently lock them out of their digital world. Gotta remember that while many have Gmail as a mail service, many have more than one account but only have one Android device unless they bought a tablet. It isn't a keychained / linked ecosystem like Apple.

End of the day, other than some minimal (most likely) financial hit they can get everything back and back into everything. Most folks don't even use Google Pay. With Apple, it is very likely gone. Remember, I am not saying on Android you cannot get hurt, rather the potential damage is far far greater on iOS.
Their main Gmail account and phone number would be enough to give a thief access to their bank accounts and last time I checked, Google Chrome had a password manager built in.

I am sure many Android users have one email account but yes, they probably only have one active Android device. Android tablets aren't really a thing and neither are smart watches, really. Chromebooks do use a Google ID but most Android users are probably using Windows laptops, not Chromebooks.
 
What is the consequence of this from a useability perspective?

I assume it means you can no longer use your primary Apple ID for Apple/iCloud services on your iPhone (e.g. FaceTime, Photos, etc.). Or can you use an Apple ID for those apps which is different to the one linked to the phone?
It’s only the second week, so I’ll continue to make changes, but there’s certainly a learning curve. It’s easier for someone like me since my cellular Apple Watch and iPad always do most of the heavy lifting —my phone is mostly to have cellular and to support the Watch and load workout playlists on the Watch, etc.

Apple apps that rely on the primary ID require a new strategy, but there are ways to share things, like calendar. As I noted in another post, I can’t get the HomeKit invite to work, but that seems to be a temporary issue, but in the meantime, I have other ways to control my lights. I quickly realized that I only need certain Notes on certain devices and I don’t need my iCloud drive on my phone.

I can’t use my Apple Card on my Watch or iPhone since it’s permanently tied to the ID it was issued under, but that’s not critical to me. I set up Apple Pay only on my Watch anyhow. The Apple Card is still on my iPad in Wallet and I can do what I need there.

Speaking of bank stuff, I was thinking it was great that my banking app doesn’t store a user name or password and it can rely solely on FaceID and it won’t default to the passcode. But, it occurred to me that someone with the passcode could reset FaceID to their own face, right? After realizing that I deleted the app. I really don’t need to do my banking and account reconciling on my phone.

It will take time to stop thinking that my primary email is on the phone, but that’s actually fine. I read mail on my iPad and now that can be a focused thing to do instead of a nervous habit on the phone. And I can always log into iCloud if I need to.

I don’t take a lot of photos, but if I ever did, I could upload them to my Mac or maybe even sync them like we used to do pre-iCloud.

I’ve always had to use my old iTunes account logged into “Media & Purchases” so Music, Books, Podcasts, etc, are all the same as before and that secondary ID cannot have its password changed in Settings as long as that’s the only place it’s logged in (creating an email account in Mail would make it vulnerable to the passcode change thing).
 
  • Like
Reactions: ozaz
What is the consequence of this from a useability perspective?

I assume it means you can no longer use your primary Apple ID for Apple/iCloud services on your iPhone (e.g. FaceTime, Photos, etc.). Or can you use an Apple ID for those apps which is different to the one linked to the phone?
The only thing I have changed is my device password to one that is longer and more complicated and hard for me to remember, particularly as I haven't had to use it to log into my phone since I changed it.
 
  • Like
Reactions: compwiz1202
Their main Gmail account and phone number would be enough to give a thief access to their bank accounts and last time I checked, Google Chrome had a password manager built in.

I am sure many Android users have one email account but yes, they probably only have one active Android device. Android tablets aren't really a thing and neither are smart watches, really. Chromebooks do use a Google ID but most Android users are probably using Windows laptops, not Chromebooks.

That I can't answer as I use Edge and FireFox on mine. Not a Chrome customer unless forced.
Maybe someone else can chime in.

Question: does Chrome store app passwords?

Update:
Found this: "If Offer to save passwords is on, you'll be prompted to save your password when you sign in to sites and apps on Android or Chrome. To save your password for the site or app, select Save."

I don't use Chrome (disabled) and have Bitwarden active. Maybe that makes it different for me as I am not seeing these requests.

Interesting! Thanks!
 
1. Not really. They can sign you out of Android but not lock you out of Android. For the heck of it I did both my S23U and 10 Pro with the same GMail account. Changed the password on my S23U and it let me log my 10 Pro out of that account. I went to the 10 Pro and did the "Forgot password" and was shortly back in.

I guess if you are able to get back in on your non-stolen device simply by using the forget password link (same approach as the thief originally took) then the thief will be able to do the same again. Does it then just become a never ending tennis match of resetting passwords???? There must be a way to remove a device as a "trusted" device (which presumably ends this cycle) and I suspect that option is available to the thief when they originally gained control of the account (I'm not yet sure what it is though).

2&3 Most would use their main Gmail account however that doesn't get them into financial accounts other than GPay or SPay. It doesn't permanently lock them out of their digital world. Gotta remember that while many have Gmail as a mail service, many have more than one account but only have one Android device unless they bought a tablet. It isn't a keychained / linked ecosystem like Apple.

End of the day, other than some minimal (most likely) financial hit they can get everything back and back into everything. Most folks don't even use Google Pay. With Apple, it is very likely gone. Remember, I am not saying on Android you cannot get hurt, rather the potential damage is far far greater on iOS.

I don't quite understand why you seem to have the opinion that an Android user is less likely to use Google Pay and Google Password Manager than the equivalents on an iPhone (Apple Pay and Apple Keychain). Maybe you're not likely to use these features because you seem to be cross-platform, but if an Android user doesn't also use iOS then I think they're just as likely to use these features as an iOS user (using the iOS equivalents).

Also, aside from being able to use Apple Pay for a short period until you inform your banks (which is also an issue with Google Pay), what additional financial damage can someone do with a stolen iOS device and device passcode that isn't possible with Android?

I am sure many Android users have one email account but yes, they probably only have one active Android device. Android tablets aren't really a thing and neither are smart watches, really. Chromebooks do use a Google ID but most Android users are probably using Windows laptops, not Chromebooks.

This is all true, but they're also highly likely to be using Chrome as their desktop browser (or a different Chrome-based browser). This makes Google Password Manager a highly convenient option if they don't want to use an independent 3rd party password manager like 1Password or Bitwarden, or maybe aren't even aware of them (which is probably the majority of people).
 
It’s only the second week, so I’ll continue to make changes, but there’s certainly a learning curve.

Thanks for the post. Really useful to hear how you have found it.

Speaking of bank stuff, I was thinking it was great that my banking app doesn’t store a user name or password and it can rely solely on FaceID and it won’t default to the passcode. But, it occurred to me that someone with the passcode could reset FaceID to their own face, right? After realizing that I deleted the app. I really don’t need to do my banking and account reconciling on my phone.

I suspect if a new FaceID is registered your bank won't allow sign in with the new face until you have re-entered a bank-specific password/PIN. But might be worth testing as I'm not sure if that is something that needs to be implemented by the app-maker or if it's a system-level protection.
 
I suspect if a new FaceID is registered your bank won't allow sign in with the new face until you have re-entered a bank-specific password/pin.
Funny, that crossed my mind about an hour after I said it. I think you are probably correct, but I’m enjoying not thinking about the bank when I use my phone too much to test it or put it back, for now. I could always log into the website if I were away and needed to tend to a matter (I memorize that password and it’s never in a keychain).
 
  • Like
Reactions: ozaz
A. I guess if you are able to get back in on your non-stolen device simply by using the forget password link (same approach as the thief originally took) then the thief will be able to do the same again. Does it then just become a never ending tennis match of resetting passwords???? There must be a way to remove a device as a "trusted" device (which presumably ends this cycle) and I suspect that option is available to the thief when they originally gained control of the account (I'm not yet sure what it is though).



B. I don't quite understand why you seem to have the opinion that an Android user is less likely to use Google Pay and Google Password Manager than the equivalents on an iPhone (Apple Pay and Apple Keychain). Maybe you're not likely to use these features because you seem to be cross-platform, but if an Android user doesn't also use iOS then I think they're just as likely to use these features as an iOS user (using the iOS equivalents).

Also, aside from being able to use Apple Pay for a short period until you inform your banks (which is also an issue with Google Pay), what additional financial damage can someone do with a stolen iOS device and device passcode that isn't possible with Android?



C. This is all true, but they're also highly likely to be using Chrome as their desktop browser (or a different Chrome-based browser). This makes Google Password Manager a highly convenient option if they don't want to use an independent 3rd party password manager like 1Password or Bitwarden, or maybe aren't even aware of them (which is probably the majority of people).

A. Unfortunately it looks that way - OUCH! Not seeing what the benefit to the thief would be to hold the device long term. Get in. Get the cash. Get out. Move on.

B. Just looking at the published stats. In store purchase via device (phone or watch), these are almost all done via iOS. I've seen stats that >90% are iOS. These are US stats. Personally, I seldom use AP or GP except online. Easier to use a card (lower fail rate).

C. I could see that. I use Bitwarden as I am multi OS and found getting locked into Apple keychain a bit constricting.
 
Well, there's one thing good coming out right now and not just to do with Apple -- 2FA is being discussed in many places.

It's not all it's cracked up to be, both in workarounds like "trusted" devices and passcodes, SMS and phone numbers, everything. Most of the people talking are advocating authentication apps on your smartphones, but that has the same problem with trusted devices, too easy to get around if the bad guys have your phone. (or even just a SIM takeover for SMS auth)

I don't know the fix, but everyone has the problem, and it does need to be fixed. Maybe we need to go back to using dumb phones altogether, or not keeping *any* personally identifiable information on what we have. That really sucks for how I deal with my bank, but, ...
 
  • Like
Reactions: ozaz
I mentioned this before but, set up 2 Apple ID's. When you go out on the town or on vacation etc., use the stock Apple ID that doesn't have any purchases, credit card information, and nothing in Keychain. In places where you feel more secure, use the personalized Apple ID. Granted, it isn't a perfect but, it will help with security.
 
  • Like
Reactions: Crowbot
Well, there's one thing good coming out right now and not just to do with Apple -- 2FA is being discussed in many places.

It's not all it's cracked up to be, both in workarounds like "trusted" devices and passcodes, SMS and phone numbers, everything. Most of the people talking are advocating authentication apps on your smartphones, but that has the same problem with trusted devices, too easy to get around if the bad guys have your phone. (or even just a SIM takeover for SMS auth)

I don't know the fix, but everyone has the problem, and it does need to be fixed. Maybe we need to go back to using dumb phones altogether, or not keeping *any* personally identifiable information on what we have. That really sucks for how I deal with my bank, but, ...

Access Pin needs to be just that - device access.
The ability to reset ID passwords and access to password information needs to be more robust - secondary pin codes or biometrics or something. This goes for both OSs.
 
I don't know the fix, but everyone has the problem, and it does need to be fixed. Maybe we need to go back to using dumb phones altogether, or not keeping *any* personally identifiable information on what we have. That really sucks for how I deal with my bank, but, ...

I think there needs to be a delay built into password reset if the password reset is only authenticated with one device and its passcode. That delay need not be present if you can approve the password reset with a 3rd factor (e.g. another device or backup codes kept at home).

I mentioned this before but, set up 2 Apple ID's. When you go out on the town or on vacation etc., use the stock Apple ID that doesn't have any purchases, credit card information, and nothing in Keychain. In places where you feel more secure, use the personalized Apple ID. Granted, it isn't a perfect but, it will help with security.

Out of interest how do you make this work when it comes to contacts and photos.
I'm assuming you'd want to sync contacts between the two Apple IDs?
I'm also assuming you'd want any photo backups when using your limited apple id to be transferred to your main apple id?
 
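The reset-delay idea in the post above (a password reset vouched for by nothing but one device and its passcode waits out a delay, while one approved by a third factor such as another trusted device or a backup code kept at home goes through immediately) can be sketched as a small policy model. This is an added example written for this thread, not code from Apple, Google or any poster; the one-hour delay, the device names and the account structure are all constructed assumptions, and a clock value is passed in as plain seconds so the behaviour is deterministic.

```python
import hashlib
import secrets
from dataclasses import dataclass, field
from typing import List, Optional, Set

# Assumed delay for a reset backed only by one device plus its passcode.
# Constructed value for this example, not any vendor's actual setting.
SECURITY_DELAY_SECONDS = 60 * 60


def _digest(secret: str) -> str:
    """Only hashes of passwords and backup codes are kept on the account.
    sha256 is fine for random backup codes; a real password store would use
    a slow KDF such as scrypt or argon2."""
    return hashlib.sha256(secret.encode("utf-8")).hexdigest()


@dataclass
class ResetRequest:
    requested_at: int            # seconds on an injected clock (example assumption)
    from_device: str
    strong_second_factor: bool   # True once another device or a backup code vouched for it
    cancelled: bool = False

    def effective_at(self) -> int:
        # Passcode-only request: must wait out the delay.
        # Third-factor-approved request: effective right away.
        if self.strong_second_factor:
            return self.requested_at
        return self.requested_at + SECURITY_DELAY_SECONDS


@dataclass
class Account:
    trusted_devices: Set[str]
    password_hash: str = ""
    backup_code_hashes: Set[str] = field(default_factory=set)
    pending: Optional[ResetRequest] = None


def issue_backup_codes(account: Account, count: int = 3) -> List[str]:
    """Single-use codes the owner keeps at home; only their hashes stay on the account."""
    codes = [secrets.token_hex(4) for _ in range(count)]
    account.backup_code_hashes = {_digest(c) for c in codes}
    return codes


def request_reset(account: Account, device: str, now: int,
                  backup_code: Optional[str] = None) -> ResetRequest:
    """Start a reset from a trusted device (a stolen, unlocked phone qualifies).
    A valid backup code counts as the third factor and skips the delay."""
    if device not in account.trusted_devices:
        raise PermissionError("only a trusted device may start a reset")
    strong = False
    if backup_code is not None:
        code_hash = _digest(backup_code)
        if code_hash not in account.backup_code_hashes:
            raise PermissionError("invalid or already-used backup code")
        account.backup_code_hashes.discard(code_hash)  # single use
        strong = True
    account.pending = ResetRequest(now, device, strong)
    return account.pending


def approve_from_other_device(account: Account, device: str) -> bool:
    """A *different* trusted device approving the request is the third factor."""
    req = account.pending
    if req is None or req.cancelled or device == req.from_device:
        return False
    if device not in account.trusted_devices:
        return False
    req.strong_second_factor = True
    return True


def cancel_reset(account: Account, device: str) -> bool:
    """During the delay any trusted device can cancel. This is what lets the
    real owner, from a device still in their hands, stop a reset started on
    the stolen phone."""
    req = account.pending
    if req is None or device not in account.trusted_devices:
        return False
    req.cancelled = True
    return True


def finalize_reset(account: Account, new_password: str, now: int) -> bool:
    """Apply the new password only if the request is live and its delay has elapsed."""
    req = account.pending
    if req is None or req.cancelled or now < req.effective_at():
        return False
    account.password_hash = _digest(new_password)
    account.pending = None
    return True
```

The point of the model is the asymmetry: someone holding only the phone and its passcode can start a reset but cannot finish it for an hour, and every other trusted device can cancel it in that window, whereas the real owner with a second device or a backup code is not slowed down at all. A production version would also notify the recovery contacts the moment a passcode-only request is filed, so the owner learns about it before the delay runs out.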
Access Pin needs to be just that - device access.
The ability to reset ID passwords and access to password information needs to be more robust - secondary pin codes or biometrics or something. This goes for both OSs.
That would be a good start.
 
I mentioned this before but, set up 2 Apple ID's. When you go out on the town or on vacation etc., use the stock Apple ID that doesn't have any purchases, credit card information, and nothing in Keychain. In places where you feel more secure, use the personalized Apple ID. Granted, it isn't a perfect but, it will help with security.
Or a phone you keep at home in a locked box, and a phone you carry. Inconvenient, but definitely better.

Hmmm, maybe if there was a secure way to switch ID's on the same phone. Well, like the next post said, not allowing the device pin code to do anything other than unlock the lock screen would make that workably secure.
 
  • Like
Reactions: MacDaddyPanda
I think there needs to be a delay built into password reset if the password reset is only authenticated with one device and its passcode. That delay need not be present if you can approve the password reset with a 3rd factor (e.g. another device or backup codes kept at home).



Out of interest how do you make this work when it comes to contacts and photos.
I'm assuming you'd want to sync contacts between the two Apple IDs?
I'm also assuming you'd want any photo backups when using your limited apple id to be transferred to your main apple id?
I don’t sync between the two ID’s. If I want something, I manually transfer.
 
  • Like
Reactions: ozaz
Or a phone you keep at home in a locked box, and a phone you carry. Inconvenient, but definitely better.

Hmmm, maybe if there was a secure way to switch ID's on the same phone. Well, like the next post said, not allowing the device pin code to do anything other than unlock the lock screen would make that workably secure.
Allowing biometric to fast switch ID on the same phone would be nice.
 
Or a phone you keep at home in a locked box, and a phone you carry. Inconvenient, but definitely better.

Hmmm, maybe if there was a secure way to switch ID's on the same phone. Well, like the next post said, not allowing the device pin code to do anything other than unlock the lock screen would make that workably secure.
I was just thinking something along those lines. Like if you have a spare Android phone or buy a cheap Android phone and buy a limited SIM card for traveling.
 
I mentioned this before but, set up 2 Apple ID's. When you go out on the town or on vacation etc., use the stock Apple ID that doesn't have any purchases, credit card information, and nothing in Keychain. In places where you feel more secure, use the personalized Apple ID. Granted, it isn't a perfect but, it will help with security.

I already have two id's: Norm and Dev.
In your thoughts, would this work like having two login id's on one device?
 
Hmmm, maybe if there was a secure way to switch ID's on the same phone.

Along these lines there are actually a couple of nice options on Android

1) Since many Android phones support multi-user profiles you can create a second profile which contains your sensitive apps and accounts and just never use that profile in a location where someone could be spying on you for the password. I can't really see Apple introducing this option.

2) Samsung devices have a secure folder which you can protect with a passcode separate from your device passcode. You can install your sensitive apps in this folder (or even second instances of apps that are in your main area). I think it's more likely Apple could introduce something like this.
 
  • Like
Reactions: bobcomer and dk001
Along these lines there are actually a couple of nice options on Android

1) Since many Android phones support multi-user profiles you can create a second profile which contains your sensitive apps and accounts and just never use that profile in a location where someone could be spying on you for the password. I can't really see Apple introducing this option.

2) Samsung devices have a secure folder which you can protect with a passcode separate from your device passcode. You can install your sensitive apps in this folder (or even second instances of apps that are in your main area). I think it's more likely Apple could introduce something like this.

Looking at exactly that on my S23U.
So far working well - you have to activate via your Samsung account. I can access via PIN (6 digit, different from device sign-in) or biometric. With Face Recognition it acts like just another folder.

So far so good.
 
  • Like
  • Wow
Reactions: sorgo † and ozaz