It's a term frequently used when you deal with issues like security, quality / process compliance, etc. This is exactly what we're talking about.

We're not talking in a circle of Hollywood actors and about film/TV.
I know exactly what it means. It's a "joke", or play on words or whatever you want to call it. At the end of the day they are thieves, or digital thieves that can make your life a living hell if they get access to your data. Bad actor is too polite a term.
 
I know exactly what it means. It's a "joke", or play on words or whatever you want to call it. At the end of the day they are thieves, or digital thieves that can make your life a living hell if they get access to your data. Bad actor is too polite a term.
Of course it’s too polite. But if we used the terms we would like to we would get “moderated”.
 
The problem is basically reason 2, which basically makes it a user issue.

I am not sure what you expect Apple to say in response to this, and I am not convinced it’s a serious issue that even warrants intervention by Apple.
I expect Apple to say they will fix the security flaws in their system. They could start by not allowing 6 digit pins and requiring alphanumeric passwords.
 
I know exactly what it means. It's a "joke", or play on words or whatever you want to call it. At the end of the day they are thieves, or digital thieves that can make your life a living hell if they get access to your data. Bad actor is too polite a term.
No it is not a joke or play on words. The word Actor has two different meanings. The IMDB one and the one being used with the adjective bad. An actor is simply someone who acts. A bad actor is someone whose actions are bad.

The term 'Bad Actor' is a standard term used by security professionals. We should continue to use it.
 
No it is not a joke or play on words. The word Actor has two different meanings. The IMDB one and the one being used with the adjective bad. An actor is simply someone who acts. A bad actor is someone whose actions are bad.

The term 'Bad Actor' is a standard term used by security professionals. We should continue to use it.
I completely understand what the word means, and continue to use it. "Bad Actor" is just too generic for the damage that can be done. That was the point to my original post.

The damage these bad actors or thieves can do by destroying one's life, digital or otherwise, by wiping them out financially and locking them out of their account thru something as easy as a passcode is the real issue here.
 
The big hole in this solution is that Apple foolishly lets you turn-off/change the screen time password by using the device password.

Here’s the flaw. Go to screen time. Then go to “change screen time passcode”. Then go to “turn off screen time passcode”. Then select “forget passcode”. You now have to enter your Apple ID. Which can be easily found by searching your email. Then select ‘forgot password’ for the Apple ID. After it asks for the device passcode, it will then let you enter a new Apple ID password from this screen.

I have tried both 'change screen time passcode' and 'turn off screen time passcode' but all it prompted me to do was enter the screen time passcode. There was no 'forgot password' option to select or enter my Apple ID.
 
I have tried both 'change screen time passcode' and 'turn off screen time passcode' but all it prompted me to do was enter the screen time passcode. There was no 'forgot password' option to select or enter my Apple ID.

Do these steps:
  1. change screen time passcode
  2. turn off screen time passcode
  3. at the bottom of the screen, above the keyboard, there is a Forgot Passcode button
  4. type your email
  5. Press OK
  6. Press Forgot ID or Password
  7. Then it asks for your passcode, BUT if you wait 5-10 seconds a popup asks for your iPhone passcode (not the screen time passcode)
  8. it asks for the new iCloud password

Or even simpler, just go to Privacy & Security > Safety check and go through the procedure until you have the choice to change iCloud password.
Even with a time passcode set (and warning saying I could not do some actions because of the screen time passcode), I was able to disconnect all my devices and reset my iCloud password...
 
Do these steps:
  1. change screen time passcode
  2. turn off screen time passcode
  3. at the bottom of the screen, above the keyboard, there is a Forgot Passcode button
  4. type your email
  5. Press OK
  6. Press Forgot ID or Password
  7. Then it asks for your passcode, BUT if you wait 5-10 seconds a popup asks for your iPhone passcode (not the screen time passcode)
  8. it asks for the new iCloud password

Or even simpler, just go to Privacy & Security > Safety check and go through the procedure until you have the choice to change iCloud password.
Even with a time passcode set (and warning saying I could not do some actions because of the screen time passcode), I was able to disconnect all my devices and reset my iCloud password...
Thank you.

Presumably this explains how some children have been getting around screen time, also? One for them to fix. :( When do we get the next update and what are the odds on them doing something?
 
Which is a terrible suggestion.
The main issue here IMHO is that someone could gain access to the Apple ID, reset everything and lock the legitimate owner of the account out entirely.

It is one thing to have access to the phone via the device's passcode but I think resetting the Apple ID should require something such as confirming the existing password first OR a time period in which the ability to make significant changes is limited (maybe 24 hours?). I'm not an expert but would advocate an additional layer of security in there somewhere for fundamental account / Apple ID changes.
 
Presumably this explains how some children have been getting around screen time, also? One for them to fix. :( When do we get the next update and what are the odds on them doing something?
OTOH you would still be protected if someone had grabbed your iPhone off you when it was unlocked and they did not know the passcode.
 
Do these steps:
  1. change screen time passcode
  2. turn off screen time passcode
  3. at the bottom of the screen, above the keyboard, there is a Forgot Passcode button
  4. type your email
  5. Press OK
  6. Press Forgot ID or Password
  7. Then it asks for your passcode, BUT if you wait 5-10 seconds a popup asks for your iPhone passcode (not the screen time passcode)
  8. it asks for the new iCloud password

Or even simpler, just go to Privacy & Security > Safety check and go through the procedure until you have the choice to change iCloud password.
Even with a time passcode set (and warning saying I could not do some actions because of the screen time passcode), I was able to disconnect all my devices and reset my iCloud password...

On reflection, the worst one is the Privacy & Security > Safety check option because it allows the iCloud password to be changed using the iPhone passcode. (It's some comfort that this would require the iPhone passcode, so if someone snatched the phone off you when it was unlocked - without knowing the passcode - then they would still be stuck.)

Re.: screen time they would need to know the email address (step 4). If they don't have that then presumably Forgot ID or Password would not be relevant and you could not proceed to step 7.

There may be some ways around this too but at least it goes some way to provide a bit of extra protection.
 
Is it also possible that they do have access to your iCloud Mails, or is it protected in some other way?

So it wouldn't be access to the iCloud Account with all its apps, photos, messages and (maybe) iCloud Keychain - it would also be full access to iCloud Mails (and maybe also own mail domains)?

Or am I wrong?
 
Is it also possible that they do have access to your iCloud Mails, or is it protected in some other way?

So it wouldn't be access to the iCloud Account with all its apps, photos, messages and (maybe) iCloud Keychain - it would also be full access to iCloud Mails (and maybe also own mail domains)?

Or am I wrong?
I believe you could follow the screen time trick which effectively means you’d need Face ID to keep open the Mail app after 1 second. I’ve done that so various apps like Files and Folders require Face ID.

However, this would not help if they could bypass screen time (as above).

I do have an iCloud email account but it isn’t the primary email used to set up my Apple ID.

I’m still amazed screen time can be bypassed using the iPhone passcode. No wonder kids just get round it!
 
So it's better 'not' to use Apple's iCloud Mail at the moment as it could also be compromised.... Nearly your whole online identity if you do have every service within Apple?!
 
Nearly your whole online identity if you do have every service within Apple?!
That has always been the case if you put all your online services eggs into one basket, whether it's Apple, Google or Microsoft. People have gotten their accounts permanently blocked for no good reason at all, sometimes even in violation of the law. Then you'll lose your cloud data, software you paid for, perhaps an entire device turns into a brick, e-mail, and good luck if your phone number is connected to that service as well (google fi).

There's good reasons to keep crucial services separate, even if you aren't at risk of a thief stealing your iPhone and passcode.
 
I have two email addresses (as well as the iCloud one) not saved in the keychain. One is used as my primary for Apple ID.

If a thief knew the iPhone passcode: There would be an issue even if the Mail app required Face ID, because they could reset Face ID I believe?
 
I have two email addresses (as well as the iCloud one) not saved in the keychain. One is used as my primary for Apple ID.

If a thief knew the iPhone passcode: There would be an issue even if the Mail app required Face ID, because they could reset Face ID I believe?

If you want to protect your email against the sort of theft where a thief has your iPhone and its passcode, and you want that email accessible on the phone, my feeling is you need to do the following....

* Use an independent email provider (i.e. not iCloud email)
* Use an independent email client where you can set a passcode which is independent of your device passcode (i.e. not the built in mail app)
* Don't use another email address accessible on the phone as your recovery email address for the primary email

Regarding using an independent email provider - even Google and Microsoft may not be good choices due to credential sharing across their suite of iOS apps. For example when I downloaded Outlook from the app store I was not asked to enter my Microsoft password in Outlook to access my Microsoft email account. It presumably just automatically logs in using the credentials stored for OneDrive (which I already had on my device).
 
Regarding using an independent email provider - even Google and Microsoft may not be good choices due to credential sharing across their suite of iOS apps. For example when I downloaded Outlook from the app store I was not asked to enter my Microsoft password in Outlook to access my Microsoft email account. It presumably just automatically logs in using the credentials stored for OneDrive (which I already had on my device).
This is because of SSO.

But you also have to think of all the other providers/apps. Most of them are also falling back to simple iOS PIN Code if Touch ID/Face ID does not work/accept.

So it's quite hard concerning mails.
 
What is so painful about the process? It is no different than signing in and out the account at any time. Granted, it isn't a super fast process but, there isn't anything hard about it. It takes me no more than 1 minute to sign out and in to a different ID. I will take that 1 minute that affords me better security until Apple comes up with something more seamless.
Another very painful thing happened with a 2nd appleid -- it totally messed up my apple watch. First I'd get a prompt on my watch(!) to sign into my appleid every morning. Next I had watch lockups every 2 or three days. (not full lockups, but some functions didn't work, like reading notifications.)

When you change apple id's, it also changes your watch, and with auto download of apps, that's where it's getting stuck, and there's no way to cancel a download, so it keeps trying and slamming into the 2nd apple id not being signed in. A TOTAL PITA!! The only thing I think that can be done now is unpairing and setting it up as a new watch, which I'm doing right now. If you turn off auto download to your watch before you change id's, it may go okay, but I'm done with this experiment for now and hope Apple eventually gives us something better on apple id security.

Looks like the unpair, pair worked, no prompt on the watch for the appleid.
 
A good video with some useful recommendations. I was doing most of them already, but people who weren’t (and who adopt them) will be significantly better protected. 👍
 
I just have one - don't go to a hookup bar and get drunk.
Sorted.
Or anyplace where people sit behind you like a game stadium or theater I guess also? Just last week I watched people's passcodes being typed in or swiped (android I guess?) over and over and over in front of me when I was on a series of flights. Swiping is no different than a numerical passcode.
 