wan WSJ: Apple’s iPhone Passcode Problem: Thieves Can Ruin Your Entire Digital Life in Minutes

[nordicman]

@Linus WAN Show story idea

 

Summary

In a story posted this week by the Wall Street Journal, thieves have figured out that if they see someone enter a passcode on an iPhone, all they need to do is rip the iPhone out of the person's hands and they can take over that person's digital life within minutes. Only that passcode is needed to reset the Apple ID's password (unlike most password change screens, the old password is not required) and even if 2FA is enabled, the same phone within the thief's hands is sufficient to acknowledge the 2FA request. Then the user cannot use "Find My iPhone" to get the phone back, is locked out of the entire Apple account (including backups), and if the user has connected their Mac at home to iCloud then she is permanently locked out of her Mac at home. The thieves can also drain the user's money from apps on the phone, such as Apple Pay and third party apps such as Zelle.

 

Quotes

Quote

[The featured victim's] story is similar to many others in New York and around the country, but it's 1,300 miles away from New York that they've pinned down what's happening. Investigators say thieves worked together to steal phones, then use apps to take hundreds of thousands of dollars. In Minneapolis 12 people have been charged in a phone robbery ring where nearly $300,000 had been taken from at least 40 victims. This is the arrest warrant for one of the people accused in that scheme. It says the group targeted bar goers often by befriending them and then transferred large sums of money via various financial apps on the stolen phones. So I tracked down Sergeant Robert Illestschko, the lead investigator on the case, to find out more about how these thieves got into the phones. ... Similar crimes have been reported in Austin, Denver, Boston and London and in New York. [The featured victim] is amongst hundreds of victims according to people familiar with the investigations. Some victims in those cities say they believe they were drugged before their phone was taken.  ... But can an iPhone passcode really unlock your entire financial and personal life? Let's pretend this is [the featured victim's] iPhone 13 Pro Max and the thieves observed the passcode. In every story I've heard the thieves very first step was to change the Apple ID password to lock the owners out. This way they could turn off "Find My iPhone" so the phone couldn't be located.

 

You realize your phone has been stolen. What do you what do you do next at the bar? [The featured victim says,] I log in to find my iPhone on my friend's phone right away. I wasn't able to do that because in three minutes that had passed my Apple ID password ... was changed. To change the Apple ID password on an iPhone, all someone has to do is go to settings, tap the iCloud name, then password and security and change password. Then you're prompted for, yes the iPhones passcode. Input it and you can create a new passcode for the Apple ID. And the thief can then use that to turn off "Find My iPhone" with the passcode. They can log the owner out of their other trusted devices like iPads and Macs, change the trusted phone number and add something called a recovery key. Adjusting all that can further lock you out of your account potentially forever. I've had my Macbook for way too long. I'm almost embarrassed to say it on camera honestly and it's It's locked out. I tried every avenue through Apple support. Then I realized the bank transactions and that's when it hit me that this is way beyond just a petty phone theft.

 

My thoughts

The entire problem is because Apple treats the lowest-level security feature, the phone passcode, which is routinely used and easily observable, as a way to short-circuit all other methods of security including the password on the Apple ID account and 2FA. The password on the Apple ID account should not be changeable except by knowing the old password, and any backup method of authentication should require more than having a phone and the phone's passcode. This breaks three principles of security in a very bad way.

 

First, security should be layered, and more sensitive tasks should require a more difficult credential to steal. For example, when you are engaging in certain financial transactions, the bank will ask you additional questions about where you've lived in the past and other aspects of your personal history to ensure that you are who you claim to be, and not simply someone who knows someone else's social security number. Or when you go to a bank, you might need to bring a passport or multiple forms of other identification. In this case, the most easily compromised security credential (the phone's passcode, which can be easily shoulder-surfed) is used to perform the most sensitive tasks (changing all other credentials, locking someone out of his or her account, disabling his or her other devices).

 

Two, credentials for one system should not be used to defeat the credentials of an unrelated system. The phone's passcode is to protect the phone, it should not (by itself) be enough to take over someone's Apple ID account or permanently lock someone out of her Mac. (It is true that companies will use single-sign on, but that is different, because the single-sign on is strongly protected, for example by requiring an approved device, plus a password, plus TFA, and the TFA can itself require facial recognition, and the single-sign on provides protection by preventing people from having to write down their passwords for the 20 different systems they use at work. Additionally, companies have IT personnel who can intervene when problems arise.)

 

Three, when someone has established 2FA, it should not be casually defeated. In this case, the 2FA prompt should not be posted on the same device that the user is using, because that is not actually establishing security. It is true that some people might only have one Apple device, but that already means that 2FA is meaningless for those people so nothing of value would be lost.

 

At a minimum, Apple should immediately make a change so that the old password is required in order to change the Apple ID credentials. A second good idea is to only post iCloud 2FA requests on a separate device from the device the user is currently using.

 

Speaking for myself, I have never relied on iCloud backup (I backup to AWS) and I do not have my Mac logged into iCloud for precisely the fear that someone could lock me out of my data just by breaching my iCloud security. However, I never knew that it was this easy to breach iCloud security.

 

Sources

News video from the Wall Street Journal: 

 

[jagdtigger]

Sounds about right, the security cannot be stricter because iphones and apple devices in general are intended for tech-illiterate ppl..... (Hate me all you want, wont change my opnion one bit.)

[Senzelian]

Then let's get the fire started...

AnDrOId iS bEtTeR!!1!!1!!

[Fasterthannothing]

Well I literally can't think of a worse security protocol. Leave it to Apple to run around screaming about their superior security and then leave the entire master password input visible every time you need to enter your phone. 

[Doobeedoo]

Ahahah. Yes expose everything unprotected after initial phone login, bank accounts, payments, cards etc. I just don't get these people that live like this. These people go through life.

Bruh, unlock my phone take it, you won't be able to do shit or see anything.

[Zodiark1593]

Not exactly news. Accessibility and security often require to be traded between one another. 
 

On one hand, I favor increased security. On the other hand, helping my Dad with his Apple account would become a royal pain in the ass if I had to go through hoops to reset the password. Unfortunately, this is fairly frequent. 
 

Instead of a passcode, I use a passphrase on my own iPhone (which is an option btw, you aren’t restricted to that six digit passcode), so drastically harder for a stalker to keep track of. 

[Dracarris]

On 2/25/2023 at 9:36 PM, jagdtigger said:

Sounds about right, the security cannot be stricter because iphones and apple devices in general are intended for tech-illiterate ppl..

what an utter, utter load of horsecrap.

[Commodus]

And if someone sees your fingers on the keyboard when you type your laptop's password, they can access all the websites you've signed into, as well!

 

There's some valid concern here, but the WSJ and others are hyping this up too much. As has been explained, you can make this harder by using a passcode instead of a PIN... and if you sign in through Touch ID or Face ID, it's a non-issue.

[wanderingfool2]

On 2/25/2023 at 12:36 PM, jagdtigger said:

Sounds about right, the security cannot be stricter because iphones and apple devices in general are intended for tech-illiterate ppl..... (Hate me all you want, wont change my opnion one bit.)

It has little to do with "tech-illiterate".  It's been a common practice in the industry where you put in your old password before you put in your new password....there isn't too much reason for not requiring someone to put in their old password to change your iPhone password.  Literally it's just asking to put in the old password as a prompt (and the tech-illiterate are unlikely to really be switching their password as much...instead it's the tech literate people who end up helping them through it anyways).

 

This is a company that has promoted their Apple Pay options, so security needs to be taken completely in mind.

 

With that said, it's a security measure that in this case likely wouldn't mean too much (as I'll discuss below)...but it's still a security measure that should be in place (much like how YouTube does a similar thing with 2FA where they don't require 2FA when people are switching their channel name).  Make no mistake though, it should never be as easy to switch something as important as an Apple ID password with just a passcode.

 

 

On 2/26/2023 at 6:27 AM, Doobeedoo said:

Ahahah. Yes expose everything unprotected after initial phone login, bank accounts, payments, cards etc. I just don't get these people that live like this. These people go through life.

Bruh, unlock my phone take it, you won't be able to do shit or see anything.

Do you use any password managers?  Are any of your accounts linked to your phone at all via the phone number?  Have you ever logged into your email on your phone?  [Actually I'm of the mind that I don't leave anything sensitive on my phone...but it has it's pitfalls in that I need to by on my physical computer if I wanted to pretty much do anything useful other than make calls/text/photos...and even then I'd still have issues with the amount of 2FA stuff and being able to maybe figure out accounts].

 

The people in the story were using Apple's own password manager (pitfalls of Apple's who ecosystem, one device falls and everything falls).

 

With that said, with full control of someone's iPhone and iCloud account you can do a lot.  First within the first minute of getting the iPhone resetting the iCloud password (not you have no way of getting tracked initially) and you can now lock out all their other devices.  The victim now won't have access to helpful information.  The best the victim could do is report their phone stolen with their phone carrier...but now we've hit an issue.  The victim doesn't have access to any of their devices they would have accessed before, so they don't have account numbers or access to their email.  Now if they are lucky they will have a pin setup with the phone company (that they remember), but I can tell you I've forgotten my pin for my carrier (I'd be able to guess, but after a certain amount of guesses they would likely flag the account and you would have to do things in person).

 

That gives the thieves at least a few hours before the phone itself gets disconnected (maybe even a day as the person tries working out what to do).  The likelihood is that you have email associated with your phone (or using the autopredict to find emails that are likely yours), so they can simply run a reset on your password there.  So your email(s) is compromised, your phone is compromised...with your email they can see other services that you signed up for and start doing password resets.

 

At that point, any account that uses phone numbers to verify you are you is compromised.

 

 

In general though, this also speaks to the issue of using someone's phone number to reset accounts (and how it shouldn't really be a thing without additional safeguards but still is).  If Apple did the correct thing and didn't allow the resetting of the password with just the PIN they likely could have just gone through some account recovery option...although I seem to recall having to talk with someone on the phone before when I tried doing that for a boss who forgot their password...so maybe Apple does have more measures in place if you forgot your password and didn't have an iPhone.

[Doobeedoo]

1 hour ago, wanderingfool2 said:

Do you use any password managers?  Are any of your accounts linked to your phone at all via the phone number?  Have you ever logged into your email on your phone?  [Actually I'm of the mind that I don't leave anything sensitive on my phone...but it has it's pitfalls in that I need to by on my physical computer if I wanted to pretty much do anything useful other than make calls/text/photos...and even then I'd still have issues with the amount of 2FA stuff and being able to maybe figure out accounts].

 

The people in the story were using Apple's own password manager (pitfalls of Apple's who ecosystem, one device falls and everything falls).

 

With that said, with full control of someone's iPhone and iCloud account you can do a lot.  First within the first minute of getting the iPhone resetting the iCloud password (not you have no way of getting tracked initially) and you can now lock out all their other devices.  The victim now won't have access to helpful information.  The best the victim could do is report their phone stolen with their phone carrier...but now we've hit an issue.  The victim doesn't have access to any of their devices they would have accessed before, so they don't have account numbers or access to their email.  Now if they are lucky they will have a pin setup with the phone company (that they remember), but I can tell you I've forgotten my pin for my carrier (I'd be able to guess, but after a certain amount of guesses they would likely flag the account and you would have to do things in person).

 

That gives the thieves at least a few hours before the phone itself gets disconnected (maybe even a day as the person tries working out what to do).  The likelihood is that you have email associated with your phone (or using the autopredict to find emails that are likely yours), so they can simply run a reset on your password there.  So your email(s) is compromised, your phone is compromised...with your email they can see other services that you signed up for and start doing password resets.

 

At that point, any account that uses phone numbers to verify you are you is compromised.

 

 

In general though, this also speaks to the issue of using someone's phone number to reset accounts (and how it shouldn't really be a thing without additional safeguards but still is).  If Apple did the correct thing and didn't allow the resetting of the password with just the PIN they likely could have just gone through some account recovery option...although I seem to recall having to talk with someone on the phone before when I tried doing that for a boss who forgot their password...so maybe Apple does have more measures in place if you forgot your password and didn't have an iPhone.

I don't use iPhone though on Android you can easily set-up after phone unlock per app passcode for example so really nothing can get accessed that is sensitive that you protected. So can't even reset anything.

[wanderingfool2]

6 minutes ago, Doobeedoo said:

I don't use iPhone though on Android you can easily set-up after phone unlock per app passcode for example so really nothing can get accessed that is sensitive that you protected. So can't even reset anything.

Is SMS/calling protected?  Is the web browser protected?  Do you have the autocomplete memory disabled?  It's really amazing how much 3rd parties rely on the phone as a way to identify someone.  For example, if you happen to have linked Paypal (or if it's like me where at one stage they decided to require a phone number for me to continue) to a phone number you could reliably reset the paypal account (at which point they could look up the email you registered with it) [I've done that before because I forgot my password...only really needed my phone number to reset it].  From there you use the phone number to reset your email.

[DANK_AS_gay]

Seems to be an issue with people also not using Touch ID/ Face ID, which is also kinda Apple's fault because FaceID sucks in so many ways compared to TouchID, and I would prefer the home button back. If Apple added both features, the odds of someone typing in a passcode goes down. They could also require FaceID instead of a passcode, or TouchID, but I think that both are already an option (depending on the device) AFAIK.

 

If you had both, you could use FaceID if your fingers were wet/gloved, and TouchID if you had sunglasses on, or were smiling, or had a mask on, or changed your hair, or if it's too bright.

[wanderingfool2]

21 minutes ago, DANK_AS_gay said:

Seems to be an issue with people also not using Touch ID/ Face ID, which is also kinda Apple's fault because FaceID sucks in so many ways compared to TouchID, and I would prefer the home button back. If Apple added both features, the odds of someone typing in a passcode goes down. They could also require FaceID instead of a passcode, or TouchID, but I think that both are already an option (depending on the device) AFAIK.

 

If you had both, you could use FaceID if your fingers were wet/gloved, and TouchID if you had sunglasses on, or were smiling, or had a mask on, or changed your hair, or if it's too bright.

It goes down, and I do think that it is a mitigating factor, but it really doesn't justify not having to put in your old password to change the password to the account that literally controls so many people's lives.

 

Also, finger print scanners don't work for everyone and especially in lower lit areas I find face entry (at least on my Samsung) doesn't work that well

[Doobeedoo]

54 minutes ago, wanderingfool2 said:

Is SMS/calling protected?  Is the web browser protected?  Do you have the autocomplete memory disabled?  It's really amazing how much 3rd parties rely on the phone as a way to identify someone.  For example, if you happen to have linked Paypal (or if it's like me where at one stage they decided to require a phone number for me to continue) to a phone number you could reliably reset the paypal account (at which point they could look up the email you registered with it) [I've done that before because I forgot my password...only really needed my phone number to reset it].  From there you use the phone number to reset your email.

I try to avoid as much as possible putting phone number anywhere though. So primarily email for reset for example, from there depending what it is, may require another confirmation step.

[jagdtigger]

5 hours ago, wanderingfool2 said:

t has little to do with "tech-illiterate". 

Yeah, good luck guiding through a tech-illiterate user a password reset. Its not painful at all.... /s

[wanderingfool2]

Just now, jagdtigger said:

Yeah, good luck guiding through a tech-illiterate user a password reset. Its not painful at all.... /s

There's not really much of a difference between putting a prompt "put in current password" vs "put in pin".  If a person who is incompetent enough to not be able to input in their current iCloud password when changing their password, then they are equally incapable of changing their password to begin with with the PIN.

 

If it's the case they forgot their password though, then I'd argue that the small amounts of times that that occurs is not offset by the utter lack of security having a phone pin reset a password provides.

[HenrySalayne]

3 hours ago, DANK_AS_gay said:

Seems to be an issue with people also not using Touch ID/ Face ID, which is also kinda Apple's fault because FaceID sucks in so many ways compared to TouchID, and I would prefer the home button back. If Apple added both features, the odds of someone typing in a passcode goes down. They could also require FaceID instead of a passcode, or TouchID, but I think that both are already an option (depending on the device) AFAIK.

 

If you had both, you could use FaceID if your fingers were wet/gloved, and TouchID if you had sunglasses on, or were smiling, or had a mask on, or changed your hair, or if it's too bright.

Ehh, my iPhone is constantly asking for the passcode to "unlock" the fingerprint reader. Not typing in my passcode in public is not going to happen...

[jagdtigger]

32 minutes ago, wanderingfool2 said:

changing their password

I was talking about a reset, but dont let that bother you.....

[wanderingfool2]

1 minute ago, jagdtigger said:

I was talking about a reset, but dont let that bother you.....

And the one you quoted originally was me talking about changing your password.  The comment originally I had was in regards to your topic that talk about tech illiterate being the reason this utterly silly concept of not having to put in your password...when in reality it really doesn't make a difference.

[Dracarris]

12 hours ago, jagdtigger said:

I was talking about a reset, but dont let that bother you.....

You are so far down in the delusion land, there is anyway no hope in discussing with you:

On 2/25/2023 at 9:36 PM, jagdtigger said:

(Hate me all you want, wont change my opnion one bit.)

Basically the literal definition of bigotry.

[jagdtigger]

8 minutes ago, Dracarris said:

You are so far down in the delusion land, there is anyway no hope in discussing with you:

Yeah right.  Im delusional and apple devices arent made to be stupidly simple so even a brain-dead could use it..... /s   When you taste the freedom of an android phone and realise its potential there is no going back to the "kindergarten" of devices (read: apple).

[mr moose]

17 minutes ago, Dracarris said:

You are so far down in the delusion land, there is anyway no hope in discussing with you:

Basically the literal definition of bigotry.

not everyone with a different opinion is delusional.  The fact is these devices are made so the average person can use them easily.  The number of times I've heard people tell me they would never swap to android because iphone is so simple is staggering. I hear a lot of dumb shit for moronic consumers, but some of it is not their fault, it's the big companies who constantly piss down their backs telling them it's raining, and then you come along calling people delusional  and a bigot because they see through the marketing BS.

 

Security and ease of use is always a trade off and always has been,  until technology gets to star trek levels of advanced then security is likely always going to be a problem on all devices for varying reasons, this one is just as a real as the rest .

 

 

 

[Dracarris]

2 hours ago, jagdtigger said:

Yeah right.  Im delusional and apple devices arent made to be stupidly simple so even a brain-dead could use it..... /s   When you taste the freedom of an android phone and realise its potential there is no going back to the "kindergarten" of devices (read: apple).

Only confirms my point and your childish language does its fair share as well - that includes your "funny" reactions, which btw, constitute a violation of the community standards.

 

"Freedom" = more potential problems, incompatibilities, vulnerabilities and "features" that almost no one actually requires. But, sure "mah fredum".

2 hours ago, mr moose said:

and then you come along calling people delusional  and a bigot because they see through the marketing BS.

Claiming that iphones are primarily made for stupid people is outright delusional and bigotry.

 

Just because stupid people can work with these devices, does in no way infer that they aren't as well made for and usable by more advanced users. Nothing to do with alleged marketing BS.

Just because Apple manages to provide a fluent and properly designed, consistent and optimized user experience as well as a HW/SW stack and many Android manufactures couldn't give less fucks about those and in turn sell phones s0 mUcH che4pR does not mean iphones are made for dummies only.

Don't get me started on SW/OS support/upgrade paths. Yes, some manufactures have finally come around to provide the mind-blowing amount of 2-5years of support after, what, close to two decades? Sth that Apple did since, well since basically the existence of iphones because they actually expect their users to not throw away their phone after 1-2 years, contrary to the popular bullshit belief.

"but, but, but you can install Graphene OS". Yes, great.

How some people on this forum refuse to accept this simple circumstance is staggering.

[Senzelian]

21 hours ago, jagdtigger said:

Yeah, good luck guiding through a tech-illiterate user a password reset. Its not painful at all.... /s

If you suck at guiding someone through it, then yeah I can see that being painful  

[mr moose]

21 hours ago, Dracarris said:

 

 

 

Just because stupid people can work with these devices, does in no way infer that they aren't as well made for and usable by more advanced users. Nothing to do with alleged marketing BS.

Way to totally misrepresent what was said and the context it was said in.

21 hours ago, Dracarris said:

Just because Apple manages to provide a fluent and properly designed, consistent and optimized user experience as well as a HW/SW stack and many Android manufactures couldn't give less fucks about those and in turn sell phones s0 mUcH che4pR does not mean iphones are made for dummies only.

Don't get me started on SW/OS support/upgrade paths. Yes, some manufactures have finally come around to provide the mind-blowing amount of 2-5years of support after, what, close to two decades? Sth that Apple did since, well since basically the existence of iphones because they actually expect their users to not throw away their phone after 1-2 years, contrary to the popular bullshit belief.

"but, but, but you can install Graphene OS". Yes, great.

How some people on this forum refuse to accept this simple circumstance is staggering.

I don't know what possessed you to write all that,  the simple fact remains, apple is a consumer oriented product that is designed to put the average consumers experience before everything.  It is the very reason apple were as successful as they are with phones.  This apple dick sucking article says the whole thing at least 3 times:

 

 

https://givegoodux.com/iphone-user-experience-why-apple-winning/

 

Quote

So it’s not all the cool parts – it’s that is that this is the first time anyone has ever brought together so many great ideas and processes in one device – and then designed the whole thing for normal people.

 

Quote

This is the most approachable, intuitive interface I’ve ever seen; it balances form and function equally, placing advanced features within easy reach of inexperienced users. And unlike my previous experience with the bloated cognitive overload that is Windows mobile, the majority of features are single-step processes that are smart enough to integrate with each other contextually, appearing when you need them and disappearing when you’re done.

 

Quote

 

companies are overlooking the most important part of what made the iPhone a success, the part that they are still unable to duplicate, the part that all the big players whose products I review on a daily basis seemingly pay very, very little attention attention to: the experience people have using the product.

Experience Matters

 

 

It's no secret that apple have made themselves popular by being simple to use.  No one said they were made only for dummies,  but the inference is that they are made for normal people who do not understand security, privacy, how the backend of any website functions, where their data is actually being stored or what the fuck encryption is let alone a secure enclave.  They are actually designed to hide the complexities behind a simpler UI that makes them easy to use. 

 

Arguing they are not is just being absolutely ignorant of everything apple have every advertised and any consumer survey has ever concluded.

 

Steve jobs quotes:

 

Quote

Look at the design of a lot of consumer products — they're really complicated surfaces. We tried to make something much more holistic and simple

Quote

You've got to start with the customer experience and work back toward the technology - not the other way around..

And the most important one, because you can't seem to get your head around the concept that apple are responsible for anything,

Quote

Our DNA is as a consumer company - for that individual customer who's voting thumbs up or thumbs down. That's who we think about. And we think that our job is to take responsibility for the complete user experience. And if it's not up to par, it's our fault, plain and simply.

 

There you have it, their whole design philosophy is to make it easier and better for the consumer.  Sometimes making security easier means making it less secure.  That's just a fact of life for tech right now.