How to protect yourself when your iPhone and passcode are stolen
Apple believes that needing both the iPhone and its passcode makes it harder for thieves to steal users' information, but having both stolen is common enough that you need to know how to protect yourself.

iPhone passcode
It has always been the case that the weakest part of security on iPhones is the passcode, but the Wall Street Journal is again highlighting the problem. The publication has accounts from users who had their iPhone snatched after thieves watched them enter a code, and ones who were forced or even drugged into sharing the code.
In some of these reports, the situation was greatly exacerbated by a feature that Apple intended to give extra protection. Apple's Recovery Key is a randomly generated 28-character code that you can set up in order to later regain access to your Apple ID.
"While it's not required, using a recovery key improves the security of your account by putting you in control of resetting your password," says Apple in a support document. "Creating a recovery key turns off account recovery... a process that would otherwise help you get back into your Apple ID account when you don't have enough information to reset your password."
The problem is that if users have not set up a Recovery Key like this, the thieves can. They can set up the Recovery Key for themselves and effectively lock the user out forever.
How to protect yourself
Nearly everything you need to do to protect yourself from this needs to happen in advance of the theft. The easiest and most obvious first step for any user is to always be careful about entering a passcode where it might be seen. Biometrics like Touch ID or Face ID are nearly always better to use when in public.
A thief could snatch the iPhone and hold it in front of the owner's face to unlock it with Face ID. But, of course, this takes time and the user would be aware of the theft immediately.
That can be made harder for a thief to pull off, though. Users can go to Settings, Face ID & Passcode on their iPhone and turn on Attention Detection for Face ID. This means the user has to be very specifically looking at the iPhone for it to unlock.
It's possible that a user could still be coerced into unlocking with Face ID, either by threat or manipulation. It's also possible that a user could be drugged first.
Then there is the Apple ID Recovery Key, though this must be set up and protected beforehand.
Screen Time can be configured to prevent account changes as well. Amongst other options, changes to the account can be prevented with another passcode, similar to how you'd stop a child from changing settings on an iPhone.
How to set up the Apple ID Recovery Key
- On an iPhone or Mac, go to Settings > Your Name > Password & Security.
- Tap Recovery Key, then slide to enable it. On a Mac, click Manage next to Account Recovery.
- Tap Use Recovery Key and enter the device passcode.
- Write it down and store it in a safe place, then confirm it on the next screen.
This isn't a theoretical problem, but it is rare with the inclusion of biometrics. Of course, that doesn't help the users it happens to.
We all keep so much information on our iPhone that losing it is a boon for thieves but potentially a tragedy for us, so everyone should take extra care to protect themselves and their phone.
Read on AppleInsider
Comments
And we think we are free? What a joke. We are prisoners in this clown show and carnival mirror maze. And our right to defend ourselves is being eroded by every left wing politician. Oh, you can’t use deadly force unless the perp is actually in your house and is actually attacking your wife or daughter. Otherwise you’ll be charged with assault or murder. The same politicians want ‘stand your ground’ and ‘castle’ laws diluted or even banned because, hey, that teenager breaking into your house with a gun or knife might have a family too.
If you are worried you cannot secure your phone, don't put things on it that others could abuse. You can just go down to the bank and cash a check still. Scammers are a real thing and elder abuse has been happening since the dawn of time. It is likely you are going to lose some money when you can't afford to, but don't blame the phone, blame the horrible human beings that live on the planet with us.
Oh, and I didn't see mentioned, if you wanna secure your phone for fear that someone will force you to open it just hold down the buttons on the side for 5 seconds. It'll call emergency services but then your phone will require your pin to unlock, and even the courts can't force you to unlock it.
First off, use biometrics to unlock your devices in public. Nobody can see your passcode if you’re never entering it in public, now can they?
Is this all flawless? No, but it’s not hard to be as secure as possible if you’ll just stop FIGHTING the simple systems Apple has set up for you. Even 2FA is not really a pain, since the codes websites send you to authenticate show up automatically to be filled in IF they come in via text messages.
PS. Before I get a reply about how Touch ID “doesn’t work” for you, the trick is to STOP PRESSING DOWN on the sensor. Touch ID needs you to LAY your finger on the sensor, not press. Then it works fine, 100 percent of the time.
The WSJ video mentions this:
The problem is a single device passcode and phone number gives access to so much control over an account. A mobile device will typically be the two-factor device used for calls, text and emails.
If someone with a stolen device knows the passcode, they can add biometrics and access all secure apps. They can reset the account password and reset/disable recovery keys. In doing so, they can lock people out of their other devices like Macs where people would likely save their recovery keys.
The only viable protection seems to be the screen time option that prevents resetting the account passwords. This doesn't prevent access to financial apps but at least if there are transfer restrictions, it can limit the damage as the person could block the stolen device.
As the WSJ video mentions, the default policies could easily be improved like not allowing disabling or resetting the recovery key from the device. At the very least put a time restriction on it of a week to give someone time to block the stolen device.
You shouldn't be able to change an Apple account password without entering the old password. If the password is forgotten, it can be reset via other methods but again, put a time restriction on it to allow people time to flag stolen devices.
Another option that would be useful is the ability to prevent people adding/removing biometric id unless the existing biometrics are authenticated. This would block people from accessing financial apps, which use biometrics.