h.gilbert

Suspended
Original poster
Nov 17, 2022
745
1,306
Bordeaux
Once again I'm thinking of jumping back to iPhone after a long stint with Android.

I saw some news a few days ago about thieves targeting iPhone users, figuring out their unlock codes, stealing their phones and then somehow having access to pretty much everything including banking. I assume they had keychain remember their banking app passcodes? Although I read some comments saying this was more along the lines of social engineering, it seems like remembering what someone typed into their phone and then stealing it isn't exactly hard. So I'm understandably concerned.

Thinking about how this works on Android, if someone had my phone and knew my unlock code then it would be a lot harder to drain my bank accounts. Each banking app requires its own passcode or to use the fingerprint sensor (which can't be bypassed to use the phone's unlock code). Furthermore I don't even recall Google ever asking if I wanted to save any of my banking app passcodes, I guess Google doesn't allow itself to remember banking app passwords?

Just to make sure, in the case of iOS, I CAN choose for keychain not to remember the passwords to my banking apps, is that correct? And would that mean I wouldn't suffer the same fate as some of those unfortunate ones I saw in the news?

Thanks.
 
1. The same thing is done to Android phones. News tend to focus on iPhones because they get more clicks, probably. Perhaps more people want to steal iPhones. But if their aim is the information on your phone and not the hardware itself, then I would imagine an Android ought to be just as attractive.

2. Do not enter your passcode where people can see the code (or even when there is a camera overhead, as in a store or mall). So even if someone grabs the phone while it is unlocked, they cannot get in those important areas with FaceID, and they cannot get around FaceID with your passcode. This is perhaps the most important thing. Use FaceID, especially in public. If someone is trying to determine if you are a target, he might stalk you from very far away at first. If he sees that you use FaceID and don't need to enter a passcode, you have become a less attractive target. If you think this kind of caution is extreme, well, it is far more extreme to grab some stranger's phone to steal all the information in it. FaceID is more convenient anyway.

3. For extra security, make a code for Screen Time, then change "Account Changes" to "Don't Allow". Now if someone grabs your phone, even if he knows your passcode, he cannot get in certain important areas, especially those that he needs to adjust to lock you out.
 
Thanks, yes Android is probably just the same TBH. My main question was about banking apps and keychain however, can you ask keychain to not remember your banking app passcodes?
 
Yes. Keychain gives you a choice, and you can delete anything it has saved.

You can also toggle on FaceID for autofill, so that iPhone will check that it is you who is using the phone before filling in passwords. Of course, this would work better with deselecting "keep me signed in" on important sites and apps.
 
Thanks 👍
 
Just use Face ID.

Oh wait I forgot, iPhones use your passcode as a backup plan if you make too many bad attempts.

Well, don't worry. Theoretically, people could do this just as easily to your Android, if not even easier due to the usual easy to memorize visual pattern system vs. numerical passcode system.
 
Thieves are targeting iPhones because they have better resale value, if you have a decent alphanumeric passcode, then no one is going to be able to shoulder surf your passcode unless they've got a photographic memory!

For both of the banking apps that I have installed, if Face ID fails, one wants the specific PIN code for that app that I set, and the other wants some memorable information related to my account. Neither asks for my iPhone passcode. Any banking app that does is failing to secure your account. Also, neither app has ever asked to save info in the keychain.

Just be smart, and you'll be fine.
 
I can't remember the last time I used my passcode. Face ID every time. My banking app uses Face ID; its PIN is a different number to my iPhone lock screen, but again Face ID works so I don't have to use it. Any payments will (I think randomly) mix between using my Face ID, asking for some of my multichannel code (different from the PIN) or sending me a text.
 
How often does Google remove dozens of free apps because they contain malware? Seems like every other week there is a story or announcement about exactly this. Android is a malware cesspool. When I'm using my Pixel 5 I only have the basic apps from major developers like Google themselves.
 
Yeah I guess those people who had everything taken away when their iPhone was stolen had everything linked to their Apple ID, including banking, so it's really user error rather than Apple.
 
I would argue that if your passcode is shorter than 15 digits then you're doing it wrong. It's quite difficult for a thief to memorise a long string of numbers whereas you (being smart) used the phone number of a childhood friend you have lodged in your subconscious.
 
I know people mention a lot about just using Face ID and it does work the majority of the time, but I know I have run into it not working every now and then while being in a public area. Whenever Face ID doesn't work for me and I have to type my PIN (which is longer than the default 4 numbers), I am pretty accustomed to typing it quickly and will get it purposefully wrong a couple of times, then right, without really pausing, and I use both thumbs to do this, making it a little harder even if someone is recording, to further block the screen.

For any financial apps I just don't use Face ID or have the financial apps' passwords saved. Is it ever so slightly inconvenient to type them in manually when needed? Sure, but it is more annoying to deal with calling companies to report stolen property and get new cards and whatnot. I also ensure I am alone when entering this information in my phone, heck, even if it is just running to the bathroom and going in a stall to check your banking app real quick. I just check my bank (if I feel I need to) at home before leaving, and I have only my credit card tied to Apple Pay so that just in case... credit card companies (at least in the U.S.) are generally pretty quick and painless with issues. I'd rather deal with the credit card company than a thief getting access to my bank account or funds from my bank account.
 
While it’s an added cost, using a password manager like 1Password can be an added layer of security. If you set a master password that’s independent of your iPhone or iCloud credentials, then even if your phone is compromised the thieves wouldn’t have open access to iCloud Keychain and related accounts.
 
Yeah I guess those people who had everything taken away when their iPhone was stolen had everything linked to their Apple ID, including banking, so it's really user error rather than Apple.
If you leave your key fob in the car with the engine running and your car gets stolen, is it Ford's fault?

Part of mitigating the risks of digital devices remaining secure are good security practices combined with situational awareness.
 
Yes exactly my point
 
I would argue that if your passcode is shorter than 15 digits then you're doing it wrong. It's quite difficult for a thief to memorise a long string of numbers whereas you (being smart) used the phone number of a childhood friend you have lodged in your subconscious.
So you don't think thieves have phones of their own that they may be recording you with? You think they're working strictly off their memory?
 
This is a social problem, not the fault of the device, imo.
There are scads of people in any public place, and a handful of them get themselves targeted.
They got picked out because they drew attention to themselves, got "analysed", then selected.
I don't think the software of the phone is to blame.
 
For the people who have had their iPhones stolen and their iCloud accounts hijacked, I have a question: Did any of you have more than one Apple product? (AirPods and Apple Watches don't count) Was the iPhone your only Apple device or did you also have iPads and Macs logged into the same iCloud account? I'm trying to figure out if Apple's iCloud Two-Factor Authentication which sends a six-digit code to your other logged in devices would prevent your iCloud account from getting hijacked.
 
Apple means buzz, that's why you saw this news.
As someone wrote, if you’re concerned about security, you'd go for Apple, period.
FaceID and common sense should do the trick too...
 
Must be down to the individual bank app. My bank app on my iPhone uses facial recognition, but if that fails, it needs its PIN, which is different to either my iPhone unlock code or my bank card PIN. So someone stealing my phone and knowing my PIN would not get into my bank app.
 
I'm trying to figure out if Apple's iCloud Two-Factor Authentication which sends a six-digit code to your other logged in devices would prevent your iCloud account from getting hijacked.

The problem is that you can reset your Apple ID password using the device password as long as you have a trusted device.

It is quite clear why this is allowed, people getting themselves locked out of their Apple ID is a much, much bigger issue than a few people getting their Apple ID hijacked.

Personally, I wish there was an option to turn this "feature" off.

(I am concerned enough about it myself that I have chosen to use hardware security keys, but this isn't the solution for everyone, obviously.)

EDIT: I just tried changing my Apple ID password, and it looks like I can potentially do this, and remove the hardware keys, using just my device password. This is absurd!
 