I think that for one, having a passcode be the gateway for your entire system is just dumb. Apple should allow for multiple passcodes and security levels such as password keychain to be stored with a different set of passcodes.

What baffles me is that to change your password, you can use your passcode? There are just so many blunders in this that maybe someone from Apple should lose their phone and see how it feels to go through this nightmare. I sympathize with all those that went through hell.

Also, recovery mode should not have an option to regenerate a new recovery key without inputting the old key, or at least make that an option.
 
Well, I'm trying a different (deaf and dumb) apple id on my phone and it's a total pita. Still the same passcode, and it's a total pain to sign out of one apple id and sign in to another apple id and vice versa. Maybe when you're traveling or going somewhere you know is iffy it would be worth it, but come on, there's got to be something better they can do. Oh well, gave the excuse to set up another apple id if I need it and to make my passcode more complex.
 
Well, I'm trying a different (deaf and dumb) apple id on my phone and it's a total pita. Still the same passcode, and it's a total pain to sign out of one apple id and sign in to another apple id and vice versa. Maybe when you're traveling or going somewhere you know is iffy it would be worth it, but come on, there's got to be something better they can do. Oh well, gave the excuse to set up another apple id if I need it and to make my passcode more complex.

Looks like you ran into the reason I don't like swapping Apple IDs on device. It's a pita.
Looking at a second user account on my Android. Will update later on this.

Be cool if they switched to: Access pin and a System pin - be a good start.
 
Looks like you ran into the reason I don't like swapping Apple IDs on device. It's a pita.
Yep!!

Looking at a second user account on my Android. Will update later on this.
I'm also going to try this, I hope it's better. What I'd really like is users on a Windows or Mac PC, but I suspect I'm asking for too much. I may just switch to carrying my android phone when I'm out of the house if it's any better at this than the iPhone.

Be cool if they switched to: Access pin and a System pin - be a good start.
Definitely.
 
Be cool if they switched to: Access pin and a System pin - be a good start.
Like the computer concept of normal user and administrator. (or user and root) That would go a long way towards protecting the Apple ID. Sure, physical violence could always be a problem, but simple theft or just losing your phone would make it hard to steal someone's identity. I actually wonder why they haven't done it yet. Maybe it makes too much sense.
 
I can change my Google password on my Android phone with just my lock screen passcode.

Settings > Google > Manage your Google Account > Personal Info > Password > Forgot Password > Confirm your screen lock > Tap Yes on your phone or tablet

After following the above I was able to change my Google password. No need to enter my Google password and no need to confirm on a separate device. I have 2FA enabled on my Google account but I guess they consider my phone and its screen lock code as two separate factors.

What special setting do you all have enabled to prevent the above method from working on your Android devices?
I have Advanced Protection on my account and it requires my physical security key to change the password. The option to change via PIN is deactivated when you're in the Advanced Protection Program. So, if you enroll in the Advanced Protection Program you will need FIDO/Titan physical security keys to register, and it blocks all account changes by PIN.
 
Well, I'm trying a different (deaf and dumb) apple id on my phone and it's a total pita. Still the same passcode, and it's a total pain to sign out of one apple id and sign in to another apple id and vice versa. Maybe when you're traveling or going somewhere you know is iffy it would be worth it, but come on, there's got to be something better they can do. Oh well, gave the excuse to set up another apple id if I need it and to make my passcode more complex.
What is so painful about the process? It is no different than signing in and out of the account at any time. Granted, it isn't a super fast process, but there isn't anything hard about it. It takes me no more than 1 minute to sign out and in to a different ID. I will take that 1 minute that affords me better security until Apple comes up with something more seamless.
 
What is so painful about the process? It is no different than signing in and out of the account at any time. Granted, it isn't a super fast process, but there isn't anything hard about it. It takes me no more than 1 minute to sign out and in to a different ID. I will take that 1 minute that affords me better security until Apple comes up with something more seamless.

For me it is MDM (work) and other certificates.
Wish it was as simple. Something always seems to go wrong.
 
With knowledge of the iPhone's passcode, a thief can easily reset the victim's Apple ID password in the Settings app, even if Face ID or Touch ID is enabled. Subsequently, the thief can turn off Find My iPhone on the device, preventing the owner of the device from tracking its location or remotely erasing the device via iCloud. The thief can also remove other trusted Apple devices from the account to further lock out the victim.

The thief can also change an Apple ID's contact information and set up a recovery key in order to prevent a victim from recovering the account.
To make matters worse, knowing an iPhone's passcode allows a thief to use Apple Pay, send Apple Cash, and access banking apps using passwords stored in iCloud Keychain. Even if Face ID or Touch ID is enabled on the iPhone, thieves can simply bypass these authentication methods and an option to input the device's passcode is presented. In some cases, the report claims that thieves even opened an Apple Card by finding the victim's last four digits of their Social Security number in photos stored in apps like Photos or Google Drive.

Access to other passwords stored in iCloud Keychain allows the thief to further wreak havoc, as it could give them access to email accounts and other sensitive information. All in all, the report says thieves can essentially "steal your entire digital life."
How to Stay Protected

In a tweet, Stern recommended that users switch from a four-digit passcode to an alphanumeric passcode, which would be more difficult for thieves to spy on. This can be done in the Settings app under Face ID & Passcode → Change Passcode.

iPhone users can also use Face ID or Touch ID as much as possible when in public to prevent thieves from spying on their passcode. In situations where entering the passcode is necessary, users can hold their hands over their screen to hide passcode entry.

To protect a bank account, consider storing the password in a password manager that does not involve the device's passcode, such as 1Password.

Article Link: Apple Responds to Report About Thieves Spying on iPhone Passcodes to 'Steal Your Entire Digital Life'

Who enters their passcode manually in a public place?
This is a narrative started by apps like 1password I suspect 😏

The problem is sometimes thieves will either manufacture a need for people to re-enter the pin (eg. offer to take a photo then squeeze the side buttons to lock/require authentication), or will prey on people who often use pins. They can also work in teams to surveil victims. So while rare, this could happen to even more tech savvy people.

To actually protect yourself, the best combo of advice I’ve heard is to 1) use alphanumeric passcodes, 2) be more careful and guard the screen when entering the passcode, 3) use Screen Time (with the separate Screen Time passcode option, without the Apple ID recovery option) to disable iCloud account changes, passcode changes, and cellular data changes.

Apple’s response to this was weak and disappointing, I hope they have plans to increase security around this issue. Google has a similar problem with Android, so it’s not like consumers have a lot of better choices at the moment.
 
The problem is sometimes thieves will either manufacture a need for people to re-enter the pin (eg. offer to take a photo then squeeze the side buttons to lock/require authentication), or will prey on people who often use pins. They can also work in teams to surveil victims. So while rare, this could happen to even more tech savvy people.

To actually protect yourself, the best combo of advice I’ve heard is to 1) use alphanumeric passcodes, 2) be more careful and guard the screen when entering the passcode, 3) use Screen Time (with the separate Screen Time passcode option, without the Apple ID recovery option) to disable iCloud account changes, passcode changes, and cellular data changes.

Apple’s response to this was weak and disappointing, I hope they have plans to increase security around this issue. Google has a similar problem with Android, so it’s not like consumers have a lot of better choices at the moment.
The problem is basically reason 2, which basically makes it a user issue.

I am not sure what you expect Apple to say in response to this, and I am not convinced it’s a serious issue that even warrants intervention by Apple.
 
What is so painful about the process? It is no different than signing in and out of the account at any time. Granted, it isn't a super fast process, but there isn't anything hard about it. It takes me no more than 1 minute to sign out and in to a different ID. I will take that 1 minute that affords me better security until Apple comes up with something more seamless.
Maybe it's the flow that bothers me, or the question about what to keep on my iPhone and if I want to merge my account when I log into a new ID -- it's not just a simple sign out and sign in...
 
Maybe it's the flow that bothers me, or the question about what to keep on my iPhone and if I want to merge my account when I log into a new ID -- it's not just a simple sign out and sign in...
Using a separate ID, and especially swapping between them (not part of my plan) is definitely for an organized person who thinks ahead before merging. I’m thinking it would be too easy to end up with duplicates, like the old days of syncing with iTunes on our early iPhones (at one point I just accepted that certain photos and playlists were going to doubled, lol).

I kept my contact list and merged with the new ID and think I will benefit from having (and maintaining manually) two distinct lists.
 
Been playing with the Secure Folder on my S23 Ultra. Works great!
Wish the iPhone had something like it.

Yep, it's a really good feature. I'm surprised Samsung doesn't promote it more, as I think it's unique to Samsung (I don't think other Android device makers have an equivalent feature). Also, the name doesn't really do it justice, as it's more of an environment than a folder.

The only thing I don't like is that when you lock the folder, the apps from the folder still show up in your recent apps screen (app switcher screen). They can't be accessed without the Secure Folder credentials, but from a privacy perspective it would be nice if locking the folder also removed the apps from the recent apps screen.
 
Yep, it's a really good feature. I'm surprised Samsung doesn't promote it more, as I think it's unique to Samsung (I don't think other Android device makers have an equivalent feature). Also, the name doesn't really do it justice, as it's more of an environment than a folder.

The only thing I don't like is that when you lock the folder, the apps from the folder still show up in your recent apps screen (app switcher screen). They can't be accessed without the Secure Folder credentials, but from a privacy perspective it would be nice if locking the folder also removed the apps from the recent apps screen.

I'll have to keep an eye on that. I am not seeing that but maybe because I am running Nova Launcher instead of One UI. Hadn't considered that. Thx!
 
I can change my Google password on my Android phone with just my lock screen passcode.

Settings > Google > Manage your Google Account > Personal Info > Password > Forgot Password > Confirm your screen lock > Tap Yes on your phone or tablet

After following the above I was able to change my Google password. No need to enter my Google password and no need to confirm on a separate device. I have 2FA enabled on my Google account but I guess they consider my phone and its screen lock code as two separate factors.

What special setting do you all have enabled to prevent the above method from working on your Android devices?
This is fair. I should point out the standard of asking for a password before changing it is still good, which Google does here.

The problem you pointed out is actually a universal problem. Forgot password is a HUGE weakness in overall security. For instance, if I have your email address compromised (most people use the same email address for every single login item), then I can go through every major provider's login, hit forgot password, and get all those passwords reset. It doesn't matter that you use a 25+ character randomly generated password like rt17J&B8@A2u68Kg$EGZ@3L4t.

The same holds true for 2FA. Everyone talks about how SMS gets hijacked easily. OK, but unless you're personally targeted, it's not that simple to just do a SIM swap. How do I know login@apple.com corresponds to 1-800-555-1212? I don't. And given that most of these credential stuffing attacks likely come from overseas, the likelihood that a US user has to worry about a hacker in the US walking into a T-Mobile store trying to SIM swap them is far lower than many think. However, whether it's SMS 2FA, TOTP 2FA, or even hardware 2FA like a YubiKey, there's always a reset mechanism that involves something like pleading to support that you lost your phone, changed your phone number, or lost your YubiKey, and that you need to change it.

To me it seems that mechanism is super weak. I even covered a similar topic where having an emergency phone # or email address in your Google account actually makes it much weaker, especially the phone number. You'd be better off not even having that with the risk being that you lose access to your account if you forget your password / lose 2FA.

I don't have a silver bullet for the forgot password weakness, but to me, if Google is at least asking for it before changing your password, that is something Apple should adopt too, and not solely for the sake of copying Google but for copying basic good security practices. Password changes MUST require the existing password.
 
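To make the point above concrete, here is an added example (not code from Apple, Google, or any poster) that models the two password-change policies discussed in this thread: the weak flow, where a device unlock alone lets the holder rotate the account password, and a hardened flow that additionally demands the current password or an enrolled recovery key, as with the security-key setup described earlier. The Account class, the PBKDF2 parameters, and the "thief with the unlocked phone" scenario are all constructed for illustration.

```python
import hashlib
import hmac
import os
from typing import Optional

# Constructed, simplified account model: a salted PBKDF2 password hash plus
# an optional out-of-band recovery key (stands in for a hardware security key).
class Account:
    def __init__(self, password: str, recovery_key: Optional[bytes] = None):
        self.salt = os.urandom(16)
        self.pw_hash = self._hash(password, self.salt)
        self.recovery_key = recovery_key  # None: no second factor enrolled

    @staticmethod
    def _hash(password: str, salt: bytes) -> bytes:
        # Iteration count is illustrative, not a production recommendation.
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

    def verify_password(self, candidate: str) -> bool:
        return hmac.compare_digest(self._hash(candidate, self.salt), self.pw_hash)

    def _set_password(self, new_password: str) -> None:
        self.salt = os.urandom(16)
        self.pw_hash = self._hash(new_password, self.salt)

# Weak flow: the device passcode is the only gate. Anyone who knows it and
# holds the phone can change the account password (the failure the thread is about).
def change_password_weak(acct: Account, device_unlocked: bool, new_password: str) -> bool:
    if not device_unlocked:
        return False
    acct._set_password(new_password)
    return True

# Hardened flow: a device unlock is necessary but never sufficient. The caller must
# also prove knowledge of the current password or possession of the recovery key.
def change_password_hardened(acct: Account, device_unlocked: bool, new_password: str,
                             current_password: Optional[str] = None,
                             recovery_key: Optional[bytes] = None) -> bool:
    if not device_unlocked:
        return False
    knows_password = current_password is not None and acct.verify_password(current_password)
    has_key = (acct.recovery_key is not None and recovery_key is not None
               and hmac.compare_digest(acct.recovery_key, recovery_key))
    if not (knows_password or has_key):
        return False
    acct._set_password(new_password)
    return True

# Constructed scenario: a thief has the phone and the passcode, but neither the
# account password nor the recovery key. Returns what each policy lets them do.
def simulate_stolen_unlocked_phone() -> dict:
    key = os.urandom(32)
    victim_weak = Account("correct horse battery staple")
    victim_hard = Account("correct horse battery staple", recovery_key=key)
    return {
        "weak_policy_reset": change_password_weak(victim_weak, True, "thief-owned"),
        "hardened_policy_reset": change_password_hardened(victim_hard, True, "thief-owned"),
        "hardened_with_current_pw": change_password_hardened(
            victim_hard, True, "owner-rotated", current_password="correct horse battery staple"),
        "hardened_with_key": change_password_hardened(
            victim_hard, True, "owner-rotated-2", recovery_key=key),
        "owner_still_has_access": victim_hard.verify_password("owner-rotated-2"),
    }
```

Note that the hardened flow does not remove the recovery problem the post describes; it only stops the device passcode from being the single credential that rotates everything else.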
This is fair. I should point out the standard of asking for a password before changing it is still good, which Google does here.

The problem you pointed out is actually a universal problem. Forgot password is a HUGE weakness in overall security. For instance, if I have your email address compromised (most people use the same email address for every single login item), then I can go through every major provider's login, hit forgot password, and get all those passwords reset. It doesn't matter that you use a 25+ character randomly generated password like rt17J&B8@A2u68Kg$EGZ@3L4t.

The same holds true for 2FA. Everyone talks about how SMS gets hijacked easily. OK, but unless you're personally targeted, it's not that simple to just do a SIM swap. How do I know login@apple.com corresponds to 1-800-555-1212? I don't. And given that most of these credential stuffing attacks likely come from overseas, the likelihood that a US user has to worry about a hacker in the US walking into a T-Mobile store trying to SIM swap them is far lower than many think. However, whether it's SMS 2FA, TOTP 2FA, or even hardware 2FA like a YubiKey, there's always a reset mechanism that involves something like pleading to support that you lost your phone, changed your phone number, or lost your YubiKey, and that you need to change it.

To me it seems that mechanism is super weak. I even covered a similar topic where having an emergency phone # or email address in your Google account actually makes it much weaker, especially the phone number. You'd be better off not even having that with the risk being that you lose access to your account if you forget your password / lose 2FA.

I don't have a silver bullet for the forgot password weakness, but to me, if Google is at least asking for it before changing your password, that is something Apple should adopt too, and not solely for the sake of copying Google but for copying basic good security practices. Password changes MUST require the existing password.

Email reset and passwords - it is a challenge.
I took a look and I have >2000 accounts of all types recorded in my password manager. Well over half are associated with an email address and (I've checked over a hundred so far) have the email-reset forgotten-password ability.
Freakin' Ouch!!

I have slowly been changing these over to neither Gmail nor iCloud Mail, moving them to a 3rd-party encrypted email address not used for any device login. It helps, but it is painful and I really don't see many doing this.

We need a fix.
 
if I have your email address compromised (most people use the same email address for every single login item), then I can go through every major provider's login and hit forget password and get all those passwords reset.

Maybe I don't understand what you mean by "email address compromised". To reset the password you usually have to respond to an email to get access. The bad actor would not receive the email if they only have the address, and wouldn't have access to the email account.
 
Maybe I don't understand what you mean by "email address compromised". To reset the password you usually have to respond to an email to get access. The bad actor would not receive the email if they only have the address, and wouldn't have access to the email account.
Prior to this WSJ story, my iPhone’s primary Apple ID was also the iCloud email address that I use for many vendors. Someone who had my iPhone and my passcode and took control of that ID would have been able to see in my keychain which vendors were using that email address and would be able to change those passwords, receive 2FA texts, etc. And of course my iPhone was set up to receive email on my secondary Google email account associated with that Apple ID, so I realized that I needed to immediately stop doing all that and find a new setup.
 
Maybe I don't understand what you mean by "email address compromised". To reset the password you usually have to respond to an email to get access. The bad actor would not receive the email if they only have the address, and wouldn't have access to the email account.
By compromised I mean they have access to your account, not just the address itself. So if someone gets access to your computer when it's unlocked and it has Gmail open, or if someone snatches the phone out of your hand, they basically have your email, and they can do a lot of damage with that.

You can reset iCloud passwords this way too. Email access is probably the single most important thing, which is why I think people should not only use very secure passwords, but strong 2FA as well.
 