
Gator5000e

macrumors 6502a
Original poster
Jan 27, 2018
970
877
I read a couple of articles this morning about iPhone security if a thief gets a hold of your phone. In brief, the article I am linking here takes info from a Wall Street Journal investigation that discusses what a thief might do if they get your phone. Here is a summary of the problem:

There’s a scary new trend you should be aware of that iPhone thieves are using. Intrepid criminals have found a way to bypass Apple’s protections that should prevent most thieves from getting into your iPhone. A series of Wall Street Journal reports showed that thieves will steal iPhones after seeing someone use the Lock Screen password to unlock the phone in a public place like a bar. The attackers quickly use the password to take over the Apple ID by setting up an impenetrable new security key. This essentially locks the victim out of their own Apple account. After that, the attackers can use the device to rack up purchases using the victim’s cards until they get canceled. And they can wipe the phone completely and sell it, since your Apple ID no longer prevents the handset’s reactivation.

The two solutions mentioned are to set a strong alphanumeric passcode for Face ID, and the second option is to set a Screen Time password for your Apple ID and then turn off Allow Account Changes.

The article spells it out in detail. The WSJ article that I did not post here has the story of a guy who had his phone stolen and the thieves locked him out of his phone and now he's lost all his data including photos and documents. He says Apple will not help him at all even if he can prove who he is with a passport, birth certificate, etc.

I would be curious what everyone thinks of all this and if it's necessary, a good idea, or just overkill.
 

chrfr

macrumors G5
Jul 11, 2009
13,644
7,189
> I read a couple of articles this morning about iPhone security if a thief gets a hold of your phone. In brief, the article I am linking here takes info from a Wall Street Journal investigation that discusses what a thief might do if they get your phone. Here is a summary of the problem:
>
> There’s a scary new trend you should be aware of that iPhone thieves are using. Intrepid criminals have found a way to bypass Apple’s protections that should prevent most thieves from getting into your iPhone. A series of Wall Street Journal reports showed that thieves will steal iPhones after seeing someone use the Lock Screen password to unlock the phone in a public place like a bar. The attackers quickly use the password to take over the Apple ID by setting up an impenetrable new security key. This essentially locks the victim out of their own Apple account. After that, the attackers can use the device to rack up purchases using the victim’s cards until they get canceled. And they can wipe the phone completely and sell it, since your Apple ID no longer prevents the handset’s reactivation.
>
> The two solutions mentioned are to set a strong alphanumeric passcode for Face ID, and the second option is to set a Screen Time password for your Apple ID and then turn off Allow Account Changes.
>
> The article spells it out in detail. The WSJ article that I did not post here has the story of a guy who had his phone stolen and the thieves locked him out of his phone and now he's lost all his data including photos and documents. He says Apple will not help him at all even if he can prove who he is with a passport, birth certificate, etc.
>
> I would be curious what everyone thinks of all this and if it's necessary, a good idea, or just overkill.

The Screen Time password is no protection against losing access to your Apple ID as it too can be reset with the phone's passcode.
 

Gator5000e

macrumors 6502a
Original poster
Jan 27, 2018
970
877
Well, the article says:

Once this setting is enabled, you can no longer access your Apple ID on your iPhone unless you repeat the steps above to allow changes to your account. That’s a hassle that might pay off in the long run.

And it's true. I just tried to access my account on my phone under Settings where it has my name and under it says Apple ID, and it's grayed out. I cannot access it. I guess I would have to go back into Screen Time and change the settings to allow access to my Apple ID. So from that standpoint, it would seem to work.
 

addamas

macrumors 65816
Apr 20, 2016
1,259
1,306
> Well, the article says:
>
> Once this setting is enabled, you can no longer access your Apple ID on your iPhone unless you repeat the steps above to allow changes to your account. That’s a hassle that might pay off in the long run.
>
> And it’s true. I just tried to access my account on my phone under Settings where it has my name and under it says Apple ID, and it's grayed out. I cannot access it. I guess I would have to go back into Screen Time and change the settings to allow access to my Apple ID. So from that standpoint, it would seem to work.

But the option to change the Screen Time password also leads, in the end, to the possibility of erasing the iCloud password.

It does not matter whether the Screen Time password is set up with or without skip (see video). I reproduced it yesterday.
Small details are in the thread. In short, all the data “securing” the reset is on the iPhone already. Go to Wallet & Apple Pay > Transaction Defaults and most likely your phone number and iCloud-related email will be suggested there. But it’s possible someone is not using their main email as the iCloud email.

Post in thread 'Apple Responds to Report About Thieves Permanently Locking Out iPhone Users'
https://forums.macrumors.com/thread...ocking-out-iphone-users.2387229/post-32111526

I have reported both issues to Apple via security.apple.com

 

I7guy

macrumors Nehalem
Nov 30, 2013
34,808
24,792
Gotta be in it to win it
There are two articles on the main page with a dearth of information. Bottom line: set a Screen Time password and lock out location changes, password changes, account changes and sharing changes. Set an alphanumeric device passcode and don't let your password get phished. If your phone gets taken while unlocked the damage can be mitigated although PII in apps like mail; you can use Outlook and set Face ID up.
 

chrfr

macrumors G5
Jul 11, 2009
13,644
7,189
> There are two articles on the main page with a dearth of information. Bottom line: set a Screen Time password and lock out location changes, password changes, account changes and sharing changes. Set an alphanumeric device passcode and don't let your password get phished. If your phone gets taken while unlocked the damage can be mitigated although PII in apps like mail; you can use Outlook and set Face ID up.

Again, setting a Screen Time restriction is no mitigation for Apple ID password resets. The Apple ID password can be reset by going into Settings/Privacy & Security/Safety Check and initiating the Emergency Reset process. This requires having only the phone's passcode.
 

Unregistered 4U

macrumors G4
Jul 22, 2002
10,441
8,469
> A series of Wall Street Journal reports showed that thieves will steal iPhones after seeing someone use the Lock Screen password to unlock the phone in a public place like a bar.

I can’t help but think that, in SOME cases, someone just asked “Can I use your phone? I need to make a call.” The person handed them their unlocked phone and >yoink!<
 

I7guy

macrumors Nehalem
Nov 30, 2013
34,808
24,792
Gotta be in it to win it
> Again, setting a Screen Time restriction is no mitigation for Apple ID password resets. The Apple ID password can be reset by going into Settings/Privacy & Security/Safety Check and initiating the Emergency Reset process. This requires having only the phone's passcode.

Yes. I did say above don’t let your device passcode get phished. If the thief doesn’t have the device passcode far less can be done with physical possession of the phone.

So yeah, if the device passcode is secure doing what was suggested, in multiple places, can protect you.
 

antiprotest

macrumors 601
Apr 19, 2010
4,233
15,312
> The Screen Time password is no protection against losing access to your Apple ID as it too can be reset with the phone's passcode.

This is false. The screen time passcode cannot be reset with the phone passcode. It can be reset with the Apple ID password, but only if you choose that option when the screen time passcode is set.

Remember, one purpose of the screen time passcode is to function as parental control, and of course the child user would have the passcode to the phone, but not necessarily the screen time passcode.

The upshot is that the screen time passcode can indeed protect the Apple ID and related items.
 

chrfr

macrumors G5
Jul 11, 2009
13,644
7,189
> This is false. The screen time passcode cannot be reset with the phone passcode. It can be reset with the Apple ID password, but only if you choose that option when the screen time passcode is set.

You misunderstood what I wrote. Even with a Screen Time passcode set to prevent changes to the account, the Apple ID password can still be reset via the Emergency Reset process, and the Emergency Reset is only secured behind the phone passcode.
 