If Apple just asked for the current Apple ID password instead of just needing the iPhone passcode to change passwords none of this would have happened.
yes, but they do this because 1000x more people complain that they forgot their AppleID pw and then have trouble resetting it (especially if the iPhone is their only Apple device). Then WSJ would be doing a video about how awful apple is for making it so hard for people to reset their passwords and locking people out of their accounts. Security policy is always about making tough calls about where to draw the line between convenience and security. Far more people are affected by forgetting their passwords, than the relatively rare instances described in this video, which require not one but a whole cascade of failures to occur.
On the other issue, Apple should also allow ppl to reset their phone passcode if they can login to Apple ID and verify their biometrics(on another device). This will enable ppl to reset their phone passcode once their device has been lost. This will also help ppl unlock their phones if they genuinely forget their phone passcode.
Everyone needs to do these 3 steps: 1. Turn on Screen Time, set a distinct screen time passcode. 2. Enable Content & Privacy Restrictions. 3. Within Content & Privacy Restrictions, set both Account Changes and Passcode Changes to Don’t Allow. This prevents an attacker from changing your Apple ID password or making changes to Face ID/Touch ID. It can’t block everything, though, but it limits the damage that can be done. Edit: I've since discovered that this is not foolproof. There are ways to bypass this and still get to the screen to reset Apple ID Password. There is no real solution until Apple fixes the flaws.
I feel so bad for her. You can tell it's more than the money. For most people, everything is stored digitally. It's the stress and mourning of losing your memories. Terrible.
I agree, poor lady 😔 It's an important lesson for her and everyone else to take digital security more seriously. This video is a great example to show friends and family who don't. It might open their minds a bit when it comes to these things.
I must've jinxed myself because a few days later my phone got the black screen of death. Thankfully I back up family photos onto drive pretty regularly, but I hope I don't lose all my other photos, memos, messages😭
@@frankfeng6199 But how can they steal money from her bank account? In my country, it's a two step verification. One with OTP message code, and your bank pin number. Is it different in the USA??
@ghost mall But how can they steal money from her bank account? In my country, it's a two step verification. One with OTP message code, and your bank pin number. Is it different in the USA??
Also look what happened to Jennifer Lawrence and other Celebs. (although some people say they leaked the photos to gain popularity*) *not gonna lean towards one or the other side, I simply don't know
I consider myself tech savvy. Everything connected, everything cloud, everything 2FA, complex 10 digit passcode, etc etc. And I honestly thought, I wasn’t going to learn anything from this video. I was wrong. Thanks for making this. Some bubbles have burst for me.
It’s absolutely crazy that there isn’t an additional layer of security when resetting your Apple password. Thank you for reporting it, this is what good, useful journalism looks like.
I don’t believe this one bit no one can change your iPhone to change the passcode to lock you out of it unless you didn’t have a passcode to begin with then at that point they can make a passcode to lock the person out then they can use that new passcode to change their password this is BS 😂
Joanna, this is great reporting, but you failed to report on the built in way that iOS in fact does provide its users to be protected against this attack, and has been available since iOS 12 (2018). All you need to do is go into iOS's Screen Time settings (turn it on if necessary, set a password different than the device's password), then go to "Content & Privacy Restrictions", then down to "Passcode Changes" and "Account Changes", then set "Don't Allow" to both. This makes it necessary to enter this second password in order to not only change the iCloud PW but also to make any changes to your account.
Did this and it prompted me to enter my Apple ID and password so I can use that to reset screen time passcode. I suggest skipping that (hitting cancel and accepting the skip on the next pop up)
I feel horrible for that woman. She deserves better than that. It's kind of disgusting how low some parts of society have gotten. Some banks can be pretty good about reacting to unauthorized transactions. And making attempts to prevent things like this from happening in the future. She deserves her memories back and her peace of mind back.
@Toboe Key It is not her fault for using a cloud system... everyone does it. It's easier to work with than carrying hard drives that can get the tiniest bit of liquid in them and they're gone forever. All and every method has its disadvantages
Honestly, my financial institutions simply block most transactions that seem the least bit suspicious, often making me need to explain to them yes... it really is me doing a purchase.
It’s not enough to change your Apple ID but it’s enough to get into the password manager of the iPhone and then you can get the access of all profiles. It is not only an iPhone problem, it’s a problem of all digital devices
1) Meta data was exposed. 2) Stored password hash databases were stolen. Correct, unless you had a garbage password and a very low iteration count. Your passwords are 'reasonably' secured. Password databases if done right. Are hashed. Research hashing and iterations. That is the entire point. Every other major organization and industry has gotten breached. Last Pass got breached? So what? 3) She was too lazy to buy a few hard drives. To backup all the pictures and files she had on the cloud. That is completely on her. I am going to take a shot in the dark. That she makes at least $20,000 than me gross. I barely qualify as middle class. I do not blame people for getting hacked. Most Apple Users I have known. Are lazy and or ignorant of their own technology. There is one person in particular. Who did everything wrong. After me explaining in detail for years. What to do and how to do it. I am not an expert. I did not finish college. O and I am bleeding money right now. So following the basic 3 2 1 Rule. Too lazy to go to any other store online and offline. To take $1,000 to $2,000 max and buy a bunch of drives. I buy Apple stock. Simply because I have done enough research on whom Apple targets. For the most part. The rich & ignorant lazy people. Apple puts a lot of its security on easy mode. And people still do not do everything Apple allows you to do to secure the account. 4) My password managers are open source. So any zero day exploit can pown me. At least everybody sees the code. How secure do you 'think' you are? FYI, I respect Apple not screwing over the entire human race. That being said, you do not see the source code. I am not a programmer. At least I could if I wanted to. Learn coding or failing that. Pay a bunch of people at random to review it under penalty of law. To tell me if it is solid or not. 5) Another lazy Apple user. Again, sucks she got hacked. They do have App Blocking Applications. The best I have seen are tied to Antivirus programs. 6) PINs? Most users use PINs for all their mobile access. Horrible idea.
In Brazil it’s common to have 2 smartphones, one stay at home with the bank and financial apps while the other one to be used outside. Another security layer lies on the screen time passcode. If it’s set with a different passcode it can be useful to block account changes, passcode changes and cellular data changes
One thing I recommend is that you should use your face ID or fingerprint (if the iPhone you're using has it) whilst in public or instead of using your regular screen protector, get a privacy screen protector instead. This will reduce the amount of people that will be able to see your phone. Also, just be aware of your surroundings in public, you never know what could happen.
I’m a bit confused. I have Face ID to get into my iPhone. I suppose that a thief could steal my iPhone when I am logged in play with my iCloud account. But my bank apps here in Australia require a separate login or face Identification. I’m assuming that a thief’s access to my iCloud account will not give them access to my bank accounts unless Apple somehow allows this.
Seems like the easiest fix for Apple to implement is to have a separate passcode for unlocking the device ONLY. And/or give a warning before using the other passcode like: WARNING: this passcode is linked to your iCloud, passwords, and other sensitive information. Use extreme caution when entering it in public places.
Well nobody would remember the passcode you never type in, they just should use Multi-factor authentication. So if you want to change your apple id password with your passcode you have to allow it with a second apple device.
@@BENJB220 I see what you are saying, but that is pretty bad in justifying apple monopolizing your devices, further not everyone can afford or want to buy into the walled garden.
This is no longer true. With the 17.3 update, you can now enable the need of your biometric (face ID or touch ID) to be able to change the password. This option is under Settings / FaceID and password/ protection in case of theft.
A possible solution: Face ID or Touch ID must be required from your device to change any Apple ID passcode. Also, a secondary passcode should be enabled for users to regain control.
@@fanban2926 You've not thought it through. You can have up to 5 ways to have double authentication. Pin + FaceID; Pin + Fingerprint; Pin + Physical security key, either a usb key, or touching an airtag for example; Pin + Being in proximity of a device you set as trusted at home; Pin + Account password; Pin + additional Pin 😆 kinda like you needing to enter an additional Pin to open your Bank account on the phone.
Lesson for this video: while in public, use biometrics authentication so that you don't leak your passcode. While interacting with authorities, use passcode because they can use biometric to unlock your phone but not your passcode because biometrics is "who you are" and not "what you know" so the 5th don't apply and the pigs can unlock your phone that way.
The biometrics will prevent this specific attack, but they are not superior to passcodes. They have different vulnerabilities, and most importantly, once compromised, cannot be changed.
Everything about here is so stupid on Apple's part. But I also don't get why the woman doesn't have Face ID enabled. Can we confirm if this vulnerability exists if you have Face ID enabled too?
Shoulder surfing is exactly why I think people entering their phone passcodes in public is insane. Yes, biometrics are static, but getting a useable copy of them is harder than watching someone enter a PIN. And there's a limited number of attempts the thief gets at trying to trick the biometric scanner before the device disallows biometric access.
@@Sartfla Those are also dangerous. You have to confirm no one has attached a skimmer and then you need to be sure you’re blocking the view of the keypad when entering your PIN (though they are designed to already cover parts of the keypad so your body tends to be enough to block the rest of the view)
Or not tie yourself to the Apple ecosystem. Use 3rd party password managers. Preferably open source. Get an App Blocking application. Commonly referred to App Lockers. Encrypt your files.
@@jamesedwards3923 I did not. I thought paying for the premium storage tier at a Fortune 3 company would protect my data just fine. It was a conscious decision to stop backing up locally but obviously not the right choice.
Thank you! I’ve been telling this for years and it’s mind boggling that a company like Apple, who spends millions of dollars in security every year, have not seen this simple and easy to fix issue with their devices.
@@brandonw1604 Many have mentioned FaceID and TouchID, but it won't be a full solution: Thieves will just point the phone to your face for Face ID or rip your finger off for Touch ID and then change your passwords, and you have the exact same problem as before!
It's not simple and easy to fix, as literally more than a million to one ratio of people have problems with forgetting their AppleID password and having trouble resetting it (especially if they only use one apple device) compared to this extremely rare crime outlined here. They would be solving one problem but in turn creating a million new ones. There are a lot more articles/pieces about evil Apple “locking people out” of their account because they forgot their password than there are about this problem.
@basicallyhuman Mostly false. FaceID works in pitch black darkness as it uses the infrared flood illuminator, rather than using the camera like many paltry imitations on other devices. So bad lighting has no effect. FaceID also now works even with a mask, and before that you could also use your apple watch to unlock it with a mask. The time out period for lack of use is 24 hours. I find it hard to believe that anyone using their phone in a bar at the end of the day would not have unlocked their phone once in the past 24 hours.
That already happens for a while in Brazil. It’s honestly good to know that WSJ is bringing attention to this lack of security, so that Apple finally do something about it 😪
Storing your SSN in photos is just outright stupid. But the sad fact is that when you tell it to your friends and family they reject it immediately saying you’re being paranoid. Then here you go - stories like this happen.
Dude, the ignorance of technology. From people younger than I. Is amazing. I once asked a 18 to 20 year old. Woman, did you store the data in .pdf? She looked so confused. Keep in mind. I am casual user who grew up between Windows 95 and Windows XP. Apple Users are amongst the worst offenders. You can store an image in an encrypted state in so many ways. It is laughable, when I explain it to people half my age. They have absolutely no clue. In my experience most users 'understand' why they should secure their data. They just do not want to learn how on even a basic level.
Storing critical information in an unencrypted state? Horrible. People do this nonsense all the time. There are so many ways to encrypt data and files independently. In my professional and personal experience. Most users are lazy.
@@jamesedwards3923 You said: "Apple Users are amongst the worst offenders." That's because most Apple users think Apple devices can not be hacked or get malware. It is exactly what Apple marketing has been pitching and it works. Their fans blindly believe it.
I've just recently been a victim of this crime and I can tell you it's horrible. Besides the thousands of dollars I've had stolen, my photos, contacts, and personal items have been put out of reach and Apple has done nothing to try and fix this. When I call them, it's clear that these security protections were not considered in a scenario where a user no longer has access to any of their trusted devices. I have a Macbook and an iPad and could not verify my identity on either of those devices. My hope is that reporting like this and calls from hundreds of other people as unlucky as I will get them to come up with some solution.
Next time, turn on your recovery key. Then call Apple and provide these 28 digits and Apple can help you further. Without this key, Apple cannot do anything for you.
I would highly recommend iPhone users to change the Account Changes in Screen Time to Don’t Allow - this will disable access to your Apple ID. Also, changing the Passcode Changes to Don’t Allow will hide the Face ID & Passcode option in settings. If I remember correctly you will be asked to create a new pin, which will be used to gain access to these settings - this will be a different pin from the passcode to enter your phone.
Looks like the only protection against this type of attack is to have advanced data protection on with a hardware key set-up. Just make sure you hold your recovery key in a secure offline location. Inconvenient but a must do if this attack grows in popularity.
I think the lesson learned is to be more careful when using your phone in public, maybe a 6-digit passcode is not long enough especially if they can use a 6 digit passcode to basically ruin your life.
@@hansolowe19 I’ll bet most of this started during c0vid when everyone was wearing a mask. iPhones couldn’t recognize people’s faces so they were forced to enter their passcode every time.
Apple definitely needs to change the password change process. That would literally nail this on the head. Additionally, for other people, cloud backup IS NOT A BACKUP SOLUTION! You should also have an additional physical copy of your data at the very least if you really truly care about your data. You can't rely on convenience to save you.
I realized this years ago and only use Biometric Face ID in public. If I have to use the passcode I go to a private spot away from others or make sure no one is looking over my shoulder. Now you have Stolen Device Protection which makes you wait an hour to enter your passcode, giving people time to get into their Apple ID on the Cloud and block whoever stole the phone. But I’ll bet most won’t use it.
I think this is the best idea yet, stops changes to accounts and passcodes. It seems there are ways to reset the Screen Time passcode, however most of these methods mean the reset of the whole phone or requires an encrypted backup of the phone which if you set the encrypted backup password that cannot be changed. Not sure if there are other options, but a good idea.
I've been thinking about this issue lately; how I have everything in my life on my Apple and Google accounts, and knowing that if either were compromised I would lose everything.
if you are that worried about it, it would be relatively trivial to make a physical backup of your most important and precious data to something like an external HD, and store it somewhere such as a safe deposit box or trusted relative’s home. For critical data, it’s always fundamental to have multiple redundant backups, if you want your data to be preserved even in the face of catastrophic failures. You should look up the 3-2-1 Backup strategy and implement it if you are concerned. This will also protect against things like ransomware attacks.
It's why I'm still paying by credit cards, credit cards companies have loss prevention department 24/7 to lock the account after they verified you. Customers are not responsible for the charges from thieves
@@___beyondhorizon4664 what are you talking about? A CC company can’t help you get back your lost baby photos or all of your business contacts and appointments. They don’t even offer financial restitution.
@@AndrewCortesi I meant what I said. Didn’t know it was so easy to change password with just a passcode. Always thought you needed to put your old password, but all it takes is just your passcode.
@@koolkat214 I am surprised that you didn't know that, that is the reason why biometrical is so important. When you use bio instead of a pin nobody can see how to get into your device
@@MrJudgi I have Face ID on, but even with that on, I’ve just now learned that it is useless if someone knows your passcode. I always thought you needed more than just a pass code to change your Apple ID, but this video was eye opening for me.
This has happened to me. My advice is 1. To have your 2 factor verification sim, in another separate phone. The thieves won’t be able to get your OTP in order to change your bank passwords etc. 2. Do not store passwords on your phone. 3. Remain logged out of all financial websites and apps.
Wait, there are people that don't treat their phone's passcode like an ATM pin? I'm blown away by this! I use fingerprint in public or check over my shoulder before inputting a passcode.
Other apps should implement their own passcode mechanisms and not rely on the iPhones password. Also I was really shocked when I found out I could change my iCloud password with just my iPhone passcode. When you have the passcode you can essentially access everything on someone else’s phone since most of the authentication mechanisms fallback on that.
Other apps already do that. You have to manually change them to use Touch ID/Face ID, and regardless of what password you use to sign into them, if you let the phone save that password into its own password manager, then that’s still a user choice, not something it does automatically.
@@babybirdhome a lot of apps where you can protect with Face ID / Touch ID can still be unlocked using the phone's Passcode. In other words, they don't allow you to create a specific PIN code.
A good solve for this would be the ability to use a second passcode (different from the unlock code) for stuff like accessing keychain and changing appleID password. Basically everything except unlocking the phone should have a separate password/passcode since unlocking is something we do a lot in public and sometimes the device forces to enter passcode instead of using faceID.
There's probably multiple ways to do this. The user could maybe choose between one of the options or select all of them and only need 2 out of 5 to get into the settings: 1. A second authentication device, like a USB security key that has to be physically set into the phone - OR - registered Airtag has to touch the phone. 2. Face ID in addition 3. Touch ID in addition 4. AppleID Password in addition 5. Set a home device as secure device, like Macbook, which can easily access settings, while the Phone needs two of the listed methods.
This is already possible and a feature of the iPhone and has been in its current incarnation since 2018, and before that since before 2010. You can use Screentime (before that, “Restrictions”) to set a separate passcode, and require this passcode to make certain changes on the device, such as to accounts, the saved password list, and the password reset. Joanna was either not knowledgeable enough to know this, or neglected to mention it. The fact that this has been available for over a decade, and hardly any users use it (and was not even mentioned in this coverage) shows how rare this instance actually is and that few if any users would actually bother to go through all this trouble, as the loss of convenience is worse than the relatively low risk of an attack like this.
@@spacecadet2172 WRONG. The screen time passcode can be reset by clicking "forgot passcode" putting in Apple ID (which can be easily guessed or obtained by looking at emails, app store, itunes store, apple music, apple tv, find my, etc), and then resetting the screen time passcode with either the phone passcode or a simple SMS to the phone itself. This is dangerous advice to assume that it is secure when it is not.
This isn't really different from any kind of purloined password situation. The problem is that it's easy to see people entering the iPhone passkey in public. Wearing masks made this worse, since even with Apple's hacks to allow face id with the mask on, sometimes you need to use the passkey. If it were available, a combination of fingerprint OR face id would help a lot: use face id but if it doesn't work, use the fingerprint sensor, with the passkey only if both fail. The best cultural change would be to get into the habit of always ensuring privacy before entering the passkey.
It's absolutely irresponsible that Apple and its policy with that recovery code is that they can't reset based on some other verification method. When a phone is reported stolen and an apple i.d reported as hijacked, Apple should be able to respond.
In Sweden we have "Bank ID", it's an additional layer of security that protects all your bank apps, government apps, mail apps, stock brokerage ETC. It's installed on your device and when apps need to verify your identity they just send you to the app and you have to type your unique passcode. You also use it to get in to all these accounts on other devices, then you just scan a QR on the computer screen from the app and then type the passcode on your phone, you also use it for every card transaction online. I've never understood why all countries don't have this.
One important solution is missing in the video: using Screen Time with a different passcode to prevent account modifications. 🔐 Go to Settings > Screen Time: - Hit “Use Screen Time Passcode” and pick a PIN that is different from any subset of your main passcode. - Go to Content & Privacy Restrictions > Account Changes and set to Don’t Allow. When you go back to the main Settings screen you’ll see that the account badge is grayed out and settings there are not accessible.
My advice is to have situational awareness and don’t have your face buried in your phone in public. I know it’s hard but remember when cell phones weren’t a thing and you didn’t have the option to stare at the screen while waiting outside a bar etc?
Saving your bank app's password in the Apple password manager isn't a smart idea. In Turkish and Norwegian banks, it's actually not even possible. Those apps won't allow passcodes to be stored.
The option should be there regardless. However when it comes to bank activities one should have the credentials etched inside their own minds. Or even on physical paper and stashed somewhere in the house such as a notebook. The notes app also lets you make up a password for the app itself with letters and numbers as options. Meaning you can have certain notes locked and only accessed via said password specific to that app. If anyone has other sensitive data on there, that data has a diff password from the main one used to unlock the phone thus preventing data leaks. This is why it's a bad idea to screenshot passcodes and what not. It's also important to keep the OS updated for security patches. Touch ID and Face ID would also really come in handy. The fact she has a Mac is also an issue itself vs if she had a Windows PC with iTunes on it she could have manually backed up ALL her Data on it. Meaning she didn't have to upload to the iCloud unless she's constantly running out of space. Strange tho, if I recall correctly; to change the apple id they need a separate password vs the main 4 digit code that unlocks the phone. My guess is she had that info either in the notes app (with no password specific to notes app) or she had screenshots out in the open on her photos app. Furthermore having bank passwords saved on your phone is a bad idea. She could have called her bank to freeze her accounts too... Just makes me angry for them. In this case filing fraud reports with the banks seems like a dreading task but more than likely they can get their life savings back. As for the priceless picture memories on the wiped iCloud id, big rips.
@@Sparkyh lol ya'll people saying physically writing down a pw on a piece of paper in 2023 is a good idea rather than using an encrypted pw manager that requires multiple layers of authentication to get through are wrong for that
Try this: 1. Enable Screen Time by setting a separate passcode 2. In ScreenTime -> Content & Privacy Restrictions->Account Changes -> Don't allow 3. Change other restrictions [ optionally ]
Use face ID or fingerprint ID only. It's important to NOT use the passcode except when the iPhone forces you to, and to cover up the keypad with your other hand when you type it in, and look around you to make sure no one is watching you type it in. If someone is watching you, move to where no one is watching you before typing it in.
You can't change your password by having the passcode on Android, you need to enter the old one, besides android users usually use patterns and not passcode to secure the phone and they are way more difficult to memorize.
1. Thieves don't need to change your password. They just need to sign you out from all other trusted devices so that you will not change it. 2. I need a citation on the pattern-is-difficult-to-memorize-than-passcode thing.
@@sexyscientist You need the account password to remove trusted devices, the phone pin code is not enough to remove trusted devices. Account password and phone pin code are not the same. Additionally you need the account password to turn off find my phone, phone pin code is not enough to turn off find my phone :)
@@PrincePawn No, you don't need anything... no pin code, no password to sign-out from a device. I just signed out one of my device using my phone. Same goes for "find my device". Tried and tested.
Blackberry used to have two separate passwords, one for the Lock Screen and one for the password vault. And it used to have picture password, where you put a chosen number on a specific part of a picture. It was basically unbreakable. Apple needs to have a picture password as a lock.
@@stolmich I think you can self host one... haven't used mine as a daily driver in years. but it still boots ( I turn it on every couple of months - Gmail still worked on it last time)
@@stolmich and I just remembered! the z10 ( and all other blackberry 10 OS) don't really need BB servers to access internet / emails / messenger. They have a limited setup but this is something i did when i got mine was cancel the 1€ per month surbscription with my carrier for that BB server.
There is a simple fix for this problem. Go to settings > screen time > set a DIFFERENT passcode > content & privacy restrictions > Turn On content & privacy restrictions > Set passcode changes and account changes to "Don't Allow". Now to be able to make changes to your Apple ID account or to change your iPhone passcode, you need to get back to the screen time menu and enter the unique different passcode that you set up. Hope this helps at least 1 person to stay safe.
Surely having Lastpass so prominent is also not very safe, as they have been recently hacked 🤔 Another advantage in keeping a Sim card as you can lock those as well
Apple needs to have mandatory security questions to change the Apple ID password or at least require a fingerprint. That would have stopped them immediately. Great news story.
Security questions are way too easy to guess and 99% of the time are either on public records or can be found online and on social media which many people do not keep private. It’s because of this reason that many companies are phasing out security questions. The 2 examples you gave (the street you grew up on) can be found through white pages, and (the name of your first dog) will most likely be on your social media. Not always but it’s a pretty good bet.
Very insightful, some obvious points that consumers are aware of but just choose to ignore these. This video will probably help everyone rethink the security which they have set up on their phone and improve it by making the suggested changes. Thank you.
I'm pretty sure on Android bank apps by default will not store a password in keychain. I'm pretty sure Samsung knox doesn't even allow this, with a requirement only to be used with biometrics
There's another thing people can do and that is to enable screen time with separate passcode and then in content & Privacy restrictions disable account changes and passcode changes that will effectively block Access to the Apple ID tab in the settings app
U can just disable it and then move on to change ur Apple ID how is that a fix ? If a thief went to the effort of stealing ur phone and passcode he would definitely be willing to take two more seconds to disable screen time and continue to lock u out of ur phone
In these three steps I already use complex passwords with numbers letters and others included. However, I use Face ID most of the time unless the device has been reset or shut down and turned on again. But like mentioned in this context it is necessary that we follow in order to reduce the risks of our digital lives.👍🏽😊
TIP: freeze your credit with the 3 credit reporting bureaus. You can unfreeze when you apply for something and then freeze it again. It's free to do so.
No wonder why apple customers have been leaving to Samsung and other phone companies because they are now creating better passcode and far greater technology to use
I thought they showed that they do require two factor authentication (at least the text type of 2fa). The problem is that they have your phone so when the text message is sent they are the ones that get it.
@@thefingerofgod69 have it sent to a different phone. What I’m considering though is using an encrypted USB key to lock my Apple ID. but tbh I don’t use my passcode in public much, so I’m not sure how much this will matter to me in the long run
If people understood that protecting their passcodes is as important as not flashing their wallet in public, or letting the neighborhood see them hide their key under that rock in the front yard, THEN none of this would have happened. A passcode to any digital device is just as important as the combination to the bank vault where your money sits. You should value that passcode and guard it with the same level of fervor
Yeah but in this case someone literally ripped the phone from her hand. That's just plain coercion and you can't really expect people not to use their phones at all. It's hard to think of any solution that's going to account for straight up coercion. Even biometrics can be bypassed if someone has a gun to your head or knocks you out
@@michaelcorcoran8768 yes but at that point you’re not talking about an issue with a device. The same can be accomplished without the phone. A gun to the head will make most people give any information or possession up. The issue here is that this is being made to seem like an issue with the device or company. That it’s somehow news to everyone that mugging and robbing are a thing, and that somehow having a device makes that more probable. My point is only that we should have always been treating and educating others to treat our passcodes the same way we do our keys to our home, our combinations to our safes etc. we use all those things but we protect them. For far too long people have seemingly not made the connection that they need to do the same with their digital assets.
With biometrics it’s just plain reckless not having a 20 character alphanumerical passcode. even if you ever need to unlock with passcode it’s so complex that the thieves won’t get it.
@@michaelcorcoran8768 biometrics can only be bypassed once. Someone could unlock your phone, but good luck after that accessing anything if you have other layers of protection.
This video highlights a major issue that many iPhone users may not be aware of. It's scary to think that someone can ruin your entire digital life in just a few minutes if they gain access to your phone.
The spokesperson was clear, if someone stole your phone AND figured out the passcode, you're out of luck, unfortunately. There isn't really anything Apple can change.
Of course they didn't own up to their mistakes. This is the fundamental character flaw of the company and ALL its users. Anyone who is capable of admitting and learning from their mistakes wouldn't still use apple.
Really good piece, I’ve never saved my banking or email passwords on any device for this reason. There are some passwords that you should only save in your personal memory (aka your brain). Also, make a local backup of all your photos, even without theft if Apple's cloud got compromised you could lose everything.
THIS! It’s good practice to put your photos on an SD Card. I do it every 3 months. It doesn’t take long at all! Set a reminder. It’s so worth it to not lose all your memories like this poor woman has!
Apple recently added the ability to use a security key as a form of two-factor authentication. It’s in the same menu that was shown when changing your password. The security key is a physical device that can be kept on a keychain, for example.
@@TomNook. Getting security key, passcode and phone stolen is bad luck. The threat actors can bypass multiple defenses. The strength of security keys is cryptography which addresses the shortfalls of SMS-based security codes and time-based one-time passwords (6 digit code)... not helpful when it gets stolen along with your phone and credentials. Be cautious of using security keys in public and who is around you.
This is exactly why I don't use the password manager on my phone and why my Gmail Password is different than all my other Passwords. Also, I use Android with a separate VPN to brick my phone
Ahahahahaha! That’s hilarious and on the “Face” of things, seems like a legit simple solution to the problem. Personally I’ve actually thought about this topic before even seeing this video and what I do with my iPhone is make sure my password is in before going out in public. Then from there on out til I get home I just use my face to unlock it. N unless you’re in a Nicolas Cage/John Travolta movie, your face doesn’t get stolen 😂
The pass code already is the ALTERNATIVE to face ID, and should only be used when face ID doesn't work. That's the whole point of your pass code. Only use it, if fingerprint or face ID doesn't work. The video only speaks about this in a side note 8:08
I hope things work out. And …Maybe let’s all stop storing our bank logins and personal identity info on these devices. Everything is not made for digital spaces.
This is why they should have never removed fingerprints as a security measure. At the time it was only a 5-year-old feature for all smartphones and was the most and still is the most secure way to lock a phone. Biometrics work very well imo
Simple for Apple to fix in a quick update: Don't allow a user to change their passcode with just their PIN which is used to unlock their iphone. They need both PIN AND Face ID. That would stop the user being able to change the account's password and thus the other things that follow. Also adding in the same step for unlocking the password manager would mean they can't get in the Bank accounts.
No, they are not. Not my opinion. 1) Your face can be copied. 2) Mathematically, if you had any idea how passwords work. Which requires only a few hours of casual reading. Knock yourself out and prove me wrong. Will not happen. The fact that you think they are is amusing. I am not teasing you. However, I have had this discussion with many Apple Users. Online and offline. Fingers can be chopped off. 3) Passwords can be changed. Your face can not. 4) If you live in the USA. You just gave up your right to privacy. You can be compelled what you are. Not what you know. So unless you do not care about your basic 'human' right to security and privacy. Again, go for it.
Thank you for making this video! I had never thought of how powerful and dangerous that little short code could be. I will definitely be making some changes.
Lesson is : be patient and only use face or fingerprint ID in public places. Also, stop looking at your phone so much in bars, experience reality, nothing more annoying than going out to a bar and finding phone zombies!
Maybe someone has said this before, but just for reference.... Settings > Screen time > content and privacy restrictions > scroll all the way down. Disallow passcode, account and mobile data changes (esim will be helpful as they can't remove it). Toggle account changes when required. I didn't find this as a hassle as I don't access iCloud frequently. At least you won't be locked out of your account....
I always thought it's ridiculous how much access you get just by knowing the phone's passcode. Apple won't even let you password protect APPS, like, come on...
Well, this is a big issue that needs to be fixed, but they would be very disappointed when they got into my bank account, kinda how I feel when I see it 😢
The simple fix for this would be for Apple to require a Fido key or 2FA to change the passcode. With users not sending the 2FA to an email that’s accessible via the phone. All 3 of your steps are valid also. My family says the military made me paranoid when it comes to security but this just proves my point.
I understand the main premise on this story is that having the passcode for a phone allows a thief to reset your apple id password. However, it is still good to safeguard yourself with some of the following suggestions to prevent thieves from getting to that point of rest. Here are the ideas: 1. Always use face id or touch id in public -- personally i think this is easier than entering a code anyway. 2. Change your passcode to be longer than 6 numeric digits if you are concerned about others hacking your passcode-- apple lets you have long numeric passwords or even alphanumeric passwords (this doesn't entirely matter though if they are recording you enter your password anyway). 3. Set up 2FA 4. Use a password manager 5. Apps like Venmo allow you to enter a pin specific to that app (allows for face id access also) -- implement this with supported apps that you wouldn't want a bad actor to get into to bring havoc on your life.
Joanna, thank you so much for reporting on this. This is a HUGE issue. Especially since even if a victim were able to beat the thief to Find My iPhone, enabling Lost Mode would be pointless since the passcode can immediately disable it. This would leave only the option of trying to erase the device (again with the victim having to "beat" the thief to FMI) . There is definitely a huge hole with the security on iOS that needs to be fixed.
Lol at everyone still saying iPhone can't be "hacked". I hated having to input my code on an iPhone during COVID. Thankfully, they've since rectified it but that's why I love having a fingerprint scanner.
If Apple just asked for the current Apple ID password instead of just needing the iPhone passcode to change passwords none of this would have happened.
They do. I don’t know what these people enabled.
@9pm Till1Come Yes and that's also wrong for apple to do. That one password should never be accessible on keychain no matter what.
@@NinjaRunningWild I just checked on mine and you only need pin to change icloud password.
yes, but they do this because 1000x more people complain that they forgot their AppleID pw and then have trouble resetting it (especially if the iPhone is their only Apple device). Then WSJ would be doing a video about how awful apple is for making it so hard for people to reset their passwords and locking people out of their accounts. Security policy is always about making tough calls about where to draw the line between convenience and security. Far more people are affected by forgetting their passwords, than the relatively rare instances described in this video, which require not one but a whole cascade of failures to occur.
On the other issue, Apple should also allow ppl to reset their phone passcode if they can login to Apple ID and verify their biometrics(on another device). This will enable ppl to reset their phone passcode once their device has been lost. This will also help ppl unlock their phones if they genuinely forget their phone passcode.
Apple should consider verifying the old AppleID password before allowing the user to reset a new one
doesn't work if people have their apple id password saved in icloud keychain...
seems like that alone would solve half the issues
@Abhi Malik Then use 1) a second device to authenticate the user or 2) security questions.
Except the AppleID password is only used in very few instances so it is very easy to forget it.
Don't use keychain, use an alternate password vault
Everyone needs to do these 3 steps:
1. Turn on Screen Time, set a distinct screen time passcode.
2. Enable Content & Privacy Restrictions
3. Within Content & Privacy Restrictions, set both Account Changes and Passcode Changes to Don’t Allow
This prevents an attacker from changing your Apple ID password or making changes to Face ID/Touch ID. It can’t block everything, though, but it limits the damage that can be done.
Edit: I've since discovered that this is not foolproof. There are ways to bypass this and still get to the screen to reset Apple ID Password. There is no real solution until Apple fixes the flaws.
Yup. Another case of users using a device they did little research on.
Thank you!!
@@dinoscheidt if it's not the default then it's not a lack of knowledge issue
I’ve just done this now. Thank you
Thanks for the tip
I feel so bad for her. You can tell it's more than the money. For most people, everything is stored digitally. It's the stress and mourning of losing your memories. Terrible.
I agree, poor lady 😔
It's an important lesson for her and everyone else to take digital security more seriously. This video is a great example to show friends and family who don't. It might open their minds a bit when it comes to these things.
I must've jinxed myself because a few days later my phone got the black screen of death. Thankfully I back up family photos onto drive pretty regularly, but I hope I don't lose all my other photos, memos, messages😭
@@frankfeng6199 But how can they steal money from her bank account? In my country, it's a two step verification. One with OTP message code, and your bank pin number. Is it different in the USA??
@ghost mall But how can they steal money from her bank account? In my country, it's a two step verification. One with OTP message code, and your bank pin number. Is it different in the USA??
Also look what happened to Jennifer Lawrence and other Celebs. (although some people say they leaked the photos to gain popularity*)
*not gonna lean towards one or the other side, I simply don't know
I consider myself tech savvy. Everything connected, everything cloud, everything 2FA, complex 10 digit passcode, etc etc. And I honestly thought, I wasn’t going to learn anything from this video. I was wrong. Thanks for making this. Some bubbles have burst for me.
Because you're not tech savvy.
@@prevaloir5362 no. It's because he's not theft savvy
You aren't nearly a tech savvy as you think you are. Switch to samsung knox
@@carstenb23😂😂perfect
you use Apple you are not tech savvy
It’s absolutely crazy that there isn’t an additional layer of security when resetting your Apple password. Thank you for reporting it, this is what good, useful journalism looks like.
I thought you had to authenticate with 2FA to change an iCloud password?
@@Bradley-Thomsen Yes you do, unless you go out of your way to disable it manually.
But there is an additional layer. Just tested hacking my own phone, and the methods shown here doesn't work.
@@Bradley-Thomsen🤟
I don’t believe this one bit no one can change your iPhone to change the passcode to lock you out of it unless you didn’t have a passcode to begin with then at that point they can make a passcode to lock the person out then they can use that new passcode to change their password this is BS 😂
Joanna, this is great reporting, but you failed to report on the built in way that iOS in fact does provide its users to be protected against this attack, and has been available since iOS 12 (2018). All you need to do is go into iOS's Screen Time settings (turn it on if necessary, set a password different than the device's password), then go to "Content & Privacy Restrictions", then down to "Passcode Changes" and "Account Changes", then set "Don't Allow" to both. This makes it necessary to enter this second password in order to not only change the iCloud PW but also to make any changes to your account.
Exactly
This 👆🏽
Thanks for this. Just did this now for my iphone ❤
Thank you for this. This was not known and it’s been a great find for me. I had this enabled immediately.
Did this and it prompted me to enter my Apple ID and password so I can use that to reset screen time passcode. I suggest skipping that (hitting cancel and accepting the skip on the next pop up)
I feel horrible for that woman. She deserves better than that. It's kind of disgusting how low some parts of society have gotten.
Some banks can be pretty good about reacting to unauthorized transactions. And making attempts to prevent things like this from happening in the future. She deserves her memories back and her peace of mind back.
@Toboe Key It is not her fault for using a cloud system... everyone does it. It's easier to work with than carrying hard drives that can get the tiniest bit of liquid in them and they're gone forever. All and every method has its disadvantages
Honestly, my financial institutions simply block most transactions that seem the least bit suspicious, often making me need to explain to them yes... it really is me doing a purchase.
why is a 6 digit phone passcode enough to change your apple id password, this is mental. who came up with that
Iphone
Yeah I thought you needed the Apple ID’s password
@@MasterKey2004 same
It’s not enough to change your Apple ID but it’s enough to get into the password manager of the iPhone and then you can get the access of all profiles. It is not only an iPhone problem, it’s a problem of all digital devices
This is the dumbest thing Apple has ever done.
FYI Lastpass shown in the video has recently had a massive security breach as well, so storing data in there is also questionable.
Yup, I just deleted my account with them. Bitwarden has worked well for me.
Thank you, I was about to say the same.
Yup
1) Metadata was exposed.
2) Stored password hash databases were stolen. Correct, unless you had a garbage password and a very low iteration count. Your passwords are 'reasonably' secured.
Password databases if done right. Are hashed. Research hashing and iterations. That is the entire point. Every other major organization and industry has gotten breached.
Last Pass got breached? So what?
3) She was too lazy to buy a few hard drives. To backup all the pictures and files she had on the cloud. That is completely on her. I am going to take a shot in the dark. That she makes at least $20,000 than me gross. I barely qualify as middle class.
I do not blame people for getting hacked. Most Apple Users I have known. Are lazy and or ignorant of their own technology.
There is one person in particular. Who did everything wrong. After me explaining in detail for years. What to do and how to do it.
I am not an expert. I did not finish college. O and I am bleeding money right now.
So following the basic 3 2 1 Rule.
Too lazy to go to any other store online and offline. To take $1,000 to $2,000 max and buy a bunch of drives.
I buy Apple stock. Simply because I have done enough research on whom Apple targets. For the most part. The rich & ignorant lazy people. Apple puts a lot of its security on easy mode. And people still do not do everything Apple allows you to do to secure the account.
4) My password managers are open source. So any zero day exploit can pown me. At least everybody sees the code. How secure do you 'think' you are? FYI, I respect Apple not screwing over the entire human race. That being said, you do not see the source code. I am not a programmer. At least I could if I wanted to. Learn coding or failing that. Pay a bunch of people at random to review it under penalty of law. To tell me if it is solid or not.
5) Another lazy Apple user. Again, sucks she got hacked. They do have App Blocking Applications. The best I have seen are tied to Antivirus programs.
6) PINs? Most users use PINs for all their mobile access. Horrible idea.
KeePass
en.wikipedia.org/wiki/KeePass
Password Safe
en.wikipedia.org/wiki/Password_Safe
Bitwarden
en.wikipedia.org/wiki/Bitwarden
Open source.
In Brazil it’s common to have 2 smartphones, one stay at home with the bank and financial apps while the other one to be used outside. Another security layer lies on the screen time passcode. If it’s set with a different passcode it can be useful to block account changes, passcode changes and cellular data changes
i have a second phone too, i live in europe and i mainly use it on travels.
Good to know!!!
great advice. the accompanying WSJ article mentions the Screen Time protection
Good tips! Thanks
Yep, I have 2 phones for travel!
One thing the judicial system can do to help is to make sure these thieves serve hard time instead of just getting a slap on the wrist.
That doesn’t help and never has . Yall think cages are the answer and it AINT . Stop
@@CadiKane it is the answer!
@@CadiKane actions have consequences behind them so if you don't learn life will teach you.
These thieves should get longer prison sentences than child rapists.
One thing I recommend is that you should use your face ID or fingerprint (if the iPhone you're using has it) whilst in public or instead of using your regular screen protector, get a privacy screen protector instead. This will reduce the amount of people that will be able to see your phone. Also, just be aware of your surroundings in public, you never know what could happen.
Iphone has fingerprint?
@@Difracil The iPhone 5s - 8 and SE models do (Touch ID).
@@LOTR_BTTF well that's an old model. Do you think robber will bother to steal that?
@@LOTR_BTTF , I prefer Touch-ID over Face-ID at any time.
I’m a bit confused. I have Face ID to get into my iPhone. I suppose that a thief could steal my iPhone when I am logged in play with my iCloud account. But my bank apps here in Australia require a separate login or face Identification. I’m assuming that a thief’s access to my iCloud account will not give them access to my bank accounts unless Apple somehow allows this.
Seems like the easiest fix for Apple to implement is to have a separate passcode for unlocking the device ONLY. And/or give a warning before using the other passcode like: WARNING: this passcode is linked to your iCloud, passwords, and other sensitive information. Use extreme caution when entering it in public places.
Or just implement touch id..
Well nobody would remember the passcode you never type in , they just should use Multi-factor authentication.
So if you want change your apple id password with your passcode you have to allow it with a second apple device.
@@BENJB220 I see what you are saying, but that is pretty bad in justifying apple monopolizing your devices, further not everyone can afford or want to buy into the walled garden.
@@BENJB220 "you have to allow it with a second device.*"
Don't give them ideas on how to further lock people in to Apple ecosystem
@@Nicholas_Steel haha true. But unfortunately they already do it if you sign in your Apple ID to a new device.
This is no longer true. With the 17.3 update, you can now enable the need of your biometric (face ID or touch ID) to be able to change the password. This option is under Settings / FaceID and password/ protection in case of theft.
That option should be on by default, it would save so many accounts!!! And your comment should be first so people could see it.
A possible solution: Face ID or Touch ID must be required from your device to change any Apple ID passcode. Also, a secondary passcode should be enabled for users to regain control.
I know some people with iPhones where their Face ID doesn’t work on the phone. I think they dropped their phone and then it stopped working.
It would be enough to just ask for the old password. Also, what do you do if you've had face surgery and lost both arms at the same time?
Bad idea, not everyone wants to use biometrics and it's also not surefire to work.
@@fanban2926 You've not thought it through.
You can have up to 5 ways to have double authentication.
PIn + FaceID
Pin + Fingerprint
Pin + Physical security key, either a usb key, or touching an airtag for example
Pin + Being in proximity of a device you set as trusted at home
Pin + Account password
Pin + additional Pin 😆kinda like you needing to enter an additional Pin to open your Bank account on the phone.
A secondary “passcode” already exists, it’s called Recovery Key. Which is way longer than a passcode.
Lesson for this video: while in public, use biometrics authentication so that you don't leak your passcode. While interacting with authorities, use passcode because they can use biometric to unlock your phone but not your passcode because biometrics is "who you are" and not "what you know" so the 5th don't apply and the pigs can unlock your phone that way.
Yes but they don’t offer Touch ID on newer phone for some reason
@@organizedchaos4559 they offer touch id on the SE. And anyways just use FaceId
The biometrics will prevent this specific attack, but they are not superior to passcodes. They have different vulnerabilities, and most importantly, once compromised, cannot be changed.
Everything about here is so stupid on Apple's part. But I also don't get why the woman doesn't have Face ID enabled.
Can we confirm if this vulnerability exists if you have Face ID enabled too?
@@organizedchaos4559 Face ID works the same way. That why I use the term biometrics and not touchID
Shoulder surfing is exactly why I think people entering their phone passcodes in public is insane. Yes, biometrics are static, but getting a useable copy of them is harder than watching someone enter a PIN. And there's a limited number of attempts the thief gets at trying to trick the biometric scanner before the device disallows biometric access.
This is why I will continue to use my physical credit cards. This is scary.
Saying people entering their phone passcodes in public is insane is like saying people using ATM machines is insane because those are in public.
@@Sartfla Those are also dangerous. You have to confirm no one has attached a skimmer and then you need to be sure you’re blocking the view of the keypad when entering your PIN (though they are designed to already cover parts of the keypad so your body tends to be enough to block the rest of the view)
Biometrics are not secure. Not legally. Not logically. Not pragmatically.
Having lived through exactly this, I'm so grateful that Joanna and the WSJ are bringing attention to it.
Or not tie yourself to the Apple ecosystem.
Use 3rd party password managers. Preferably open source.
Get an App Blocking application. Commonly referred to App Lockers.
Encrypt your files.
Did you have your 'memories' backed up on separate hard drives?
Remember, the cloud is just someone else's hard drive.
@@jamesedwards3923 I did not. I thought paying for the premium storage tier at a Fortune 3 company would protect my data just fine. It was a conscious decision to stop backing up locally but obviously not the right choice.
@@lucabrasix Never go with showmanship. Go with what it is and what the potential is. Never anything else.
Thank you! I’ve been telling this for years and it’s mind boggling that a company like Apple, who spends millions of dollars in security every year, have not seen this simple and easy to fix issue with their devices.
FaceID stops shoulder surfing.
@@brandonw1604 Many have mentioned FaceID and TouchID, but it won't be a full solution: Thieves will just point the phone to your face for Face ID or rip your finger off for Touch ID and then change your passwords, and you have the exact same problem as before!
it's not simple and easy to fix, as literally more than a million to one ratio of people have problems with forgetting their AppleID password and having trouble resetting it (especially if they only use one apple device) compared to this extremely rare crime outlined here. They would be solving one problem but in turn creating a million new ones. There are a lot more articles/pieces about evil Apple “locking people out” of their account because they forgot their password than there are about this problem.
@basicallyhuman Mostly false. FaceID works in pitch black darkness as it uses the infrared flood illuminator, rather than using the camera like many paltry imitations on other devices. So bad lighting has no effect. FaceID also now works even with a mask, and before that you could also use your apple watch to unlock it with a mask. The time out period for lack of use is 24 hours. I find it hard to believe that anyone using their phone in a bar at the end of the day would not have unlocked their phone once in the past 24 hours.
@@wotube6387 make you look after they steal your phone or take your finger? This isn’t happening in Kabul it is NYC.
That already happens for a while in Brazil. It’s honestly good to know that WSJ is bringing attention to this lack of security, so that Apple finally do something about it 😪
Whenever I travel abroad I use a burner phone... it only took me one time to get my phone stolen to learn that.
7-1
@@Tainoblazed You bring a phone good enough for the job. That does not look expensive. Even the case.
I don’t get it. This whole thing can be avoided with using Touch ID or Face ID.
Lies again? Fail Security
Storing your SSN in photos is just outright stupid. But the sad fact is that when you tell it to your friends and family they reject it immediately saying you’re being paranoid. Then here you go - stories like this happen.
There’s nothing paranoid about it
What’s SSN
Dude, the ignorance of technology. From people younger than I. Is amazing.
I once asked a 18 to 20 year old. Woman, did you store the data in .pdf? She looked so confused. Keep in mind. I am casual user who grew up between Windows 95 and Windows XP.
Apple Users are amongst the worst offenders.
You can store an image in an encrypted state in so many ways. It is laughable, when I explain it to people half my age. They have absolutely no clue.
In my experience most users 'understand' why they should secure their data. They just do not want to learn how on even a basic level.
Storing critical information in an unencrypted state? Horrible.
People do this nonsense all the time.
There are so many ways to encrypt data and files independently.
In my professional and personal experience. Most users are lazy.
@@jamesedwards3923 You said: "Apple Users are amongst the worst offenders."
That's because most Apple users think Apple devices can not be hacked or get malware. It is exactly what Apple marketing has been pitching and it works. Their fans blindly believe it.
I've just recently been a victim of this crime and I can tell you it's horrible. Besides the thousands of dollars I've had stolen, my photos, contacts, and personal items have been put out of reach and Apple has done nothing to try and fix this. When I call them, it's clear that these security protections were not considered in a scenario where a user no longer has access to any of their trusted devices. I have a Macbook and an iPad and could not verify my identity on either of those devices. My hope is that reporting like this and calls from hundreds of other people as unlucky as I will get them to come up with some solution.
Next time, turn on your recovery key. Then call Apple and provide these 28 digits and Apple can help you further. Without this key, Apple cannot do anything for you.
I would highly recommend iPhone users to change the Account Changes in Screen Time to Don’t Allow - this will disable access to your Apple ID. Also, changing the Passcode Changes to Don’t Allow will hide the Face ID & Passcode option in settings. If I remember correctly you will be asked to create a new pin, which will be used to gain access to these settings - this will be a different pin from the passcode to enter your phone.
Just make sure you don’t allow Apple ID reset on your screen time PIN
Just tested this, I have still been able to hack myself, it just took longer.
Looks like the only protection against this type of attack is to have advanced data protection on with a hardware key set-up. Just make sure you hold your recovery key in a secure offline location. Inconvenient but a must do if this attack grows in popularity.
@@pingping7594 how were you able to hack yourself?
I think the lesson learned is to be more careful when using your phone in public, maybe a 6-digit passcode is not long enough especially if they can use a 6 digit passcode to basically ruin your life.
😔
Maybe we need a better system? But what would that be? 🤔
@@hansolowe19 a separate passcode for settings.
@@bngr_bngr that would certainly help.
@@hansolowe19 I’ll bet most of this started during c0vid when everyone was wearing a mask. iPhones couldn’t recognize people’s faces so they were forced to enter their passcode every time.
me seeing this with 4 digit passcode xd
Apple definitely needs to change the password change process. That would literally nail this on the head. Additionally, for other people, cloud backup IS NOT A BACKUP SOLUTION! You should also have an additional physical copy of your data at the very least if you really truly care about your data. You can't rely on convenience to save you.
I still do itunes backup on my computer which is also backed up somewhere else
I realized this years ago and only use Biometric Face ID in public. If I have to use the passcode I go to a private spot away from others or make sure no one is looking over my shoulder. Now you have Stolen Device Protection which makes you wait an hour to enter your passcode, giving people time to get into their Apple ID on the Cloud and block whoever stole the phone. But I’ll bet most won’t use it.
You can also configure Screen Time to block changes to the Apple ID, using a different passcode
I think this is the best idea yet, stops changes to accounts and passcodes. It seems there are ways to reset the Screen Time passcode, however most of these methods mean the reset of the whole phone or requires an encrypted backup of the phone which if you set the encrypted backup password that cannot be changed. Not sure if there are other options, but a good idea.
@@miketech79 I'm surprised this wasn't mentioned in the video
How can I do that?
@@Nicx8 settings, screen time, content privacy restrictions, account changes, don’t allow.
Then just set a different passcode for screen time
@@cesarkuroiwa thanks for the heads up
I've been thinking about this issue lately; how I have everything in my life on my Apple and Google accounts, and knowing that if either were compromised I would lose everything.
if you are that worried about it, it would be relatively trivial to make a physical backup of your most important and precious data to something like an external HD, and store it somewhere such as a safe deposit box or trusted relative’s home. For critical data, it’s always fundamental to have multiple redundant backups, if you want your data to be preserved even in the face of catastrophic failures. You should look up the 3-2-1 Backup strategy and implement it if you are concerned. This will also protect against things like ransomware attacks.
Just use memory cards. It’s better that way anyway.
It's why I'm still paying by credit cards, credit cards companies have loss prevention department 24/7 to lock the account after they verified you. Customers are not responsible for the charges from thieves
@@___beyondhorizon4664 what are you talking about? A CC company can’t help you get back your lost baby photos or all of your business contacts and appointments. They don’t even offer financial restitution.
Woah! I didn’t realize what could be done just by knowing your passcode. Great job reporting as always!
I can't tell if this is sarcasm.
@@AndrewCortesi I meant what I said. Didn’t know it was so easy to change password with just a passcode. Always thought you needed to put your old password, but all it takes is just your passcode.
@@koolkat214 I am surprised that you didn't know that, that is the reason why biometrical is so important. When you use bio instead of a pin nobody can see how to get into your device
@@MrJudgi I have Face ID on, but even with that on, I’ve just now learned that it is useless if someone knows your passcode. I always thought you needed more than just a pass code to change your Apple ID, but this video was eye opening for me.
yeah i'm glad i use safe Samsung
This has happened to me. My advice is
1. To have your 2 factor verification sim, in another separate phone. The thieves won't be able to get your OTP in order to change your bank passwords etc.
2. Do not store passwords on your phone.
3. Remain logged out of all financial websites and apps.
Wait, there are people that don't treat their phone's passcode like an ATM pin? I'm blown away by this! I use fingerprint in public or check over my shoulder before inputting a passcode.
There are people who don't even lock their phones. Super sheltered people who have never lived as victims until sometime in their future.
Biometrics is the easiest to hack hehe 🧑🏫
What about using "Screentime Restrictions" to block "Account Changes" with a screentime PIN different from your main passcode?
Other apps should implement their own passcode mechanisms and not rely on the iPhone's password. Also I was really shocked when I found out I could change my iCloud password with just my iPhone passcode. When you have the passcode you can essentially access everything on someone else’s phone since most of the authentication mechanisms fall back on that.
Other apps already do that. You have to manually change them to use Touch ID/Face ID, and regardless of what password you use to sign into them, if you let the phone save that password into its own password manager, then that’s still a user choice, not something it does automatically.
@@babybirdhome a lot of apps where you can protect with Face ID / Touch ID can still be unlocked using the phone's Passcode. In other words, they don't allow you to create a specific PIN code.
When I go to access my banking apps on my android it forces me to use my fingerprint and doesn't allow my pass
Does iPhone give you the option to put in a letter password? My Samsung has an option to use passwords with letters than numbers.
Thanks for making this! Went through and updated all my security because I live in a high crime area, and this is my biggest fear
Then ditch apple and use real computers and phones.
A good solve for this would be the ability to use a second passcode (different from the unlock code) for stuff like accessing keychain and changing appleID password. Basically everything except unlocking the phone should have a separate password/passcode since unlocking is something we do a lot in public and sometimes the device forces to enter passcode instead of using faceID.
There's probably multiple ways to do this.
The user could maybe choose between one of the options or select all of them and only need 2 out of 5 to get into the settings:
1. A second authentication device, like a USB security key that has to be physically set into the phone - OR - registered Airtag has to touch the phone.
2. Face ID in addition
3. Touch ID in addition
4. AppleID Password in addition
5. Set a home device as secure device, like Macbook, which can easily access settings, while the Phone needs two of the listed methods.
This is already possible and a feature of the iPhone and has been in its current incarnation since 2018, and before that since before 2010. You can use Screentime (before that, “Restrictions”) to set a separate passcode, and require this passcode to make certain changes on the device, such as to accounts, the saved password list, and the password reset. Joanna was either not knowledgeable enough to know this, or neglected to mention it. The fact that this has been available for over a decade, and hardly any users use it (and was not even mentioned in this coverage) shows how rare this instance actually is and that few if any users would actually bother to go through all this trouble, as the loss of convenience is worse than the relatively low risk of an attack like this.
@@spacecadet2172 WRONG. The screen time passcode can be reset by clicking "forgot passcode" putting in Apple ID (which can be easily guessed or obtained by looking at emails, app store, itunes store, apple music, apple tv, find my, etc), and then resetting the screen time passcode with either the phone passcode or a simple SMS to the phone itself. This is dangerous advice to assume that it is secure when it is not.
So basically more like the windows hello system. I kind of like that idea.
This isn't really different from any kind of purloined password situation. The problem is that it's easy to see people entering the iPhone passkey in public. Wearing masks made this worse, since even with Apple's hacks to allow face id with the mask on, sometimes you need to use the passkey. If it were available, a combination of fingerprint OR face id would help a lot: use face id but if it doesn't work, use the fingerprint sensor, with the passkey only if both fail. The best cultural change would be to get into the habit of always ensuring privacy before entering the passkey.
It's absolutely irresponsible that Apple and its policy with that recovery code is that they can't reset based on some other verification method. When a phone is reported stolen and an apple i.d reported as hijacked, Apple should be able to respond.
In Sweden we have "Bank ID", it's an additional layer of security that protects all your bank apps, government apps, mail apps, stock brokerage etc. It's installed on your device and when apps need to verify your identity they just send you to the app and you have to type your unique passcode. You also use it to get in to all these accounts on other devices, then you just scan a QR on the computer screen from the app and then type the passcode on your phone, you also use it for every card transaction online. I've never understood why all countries don't have this.
it’s an easy way to track people
This video just prompted me to switch to an alphanumerical passcode for my phone. Good topic to cover!
I always thought I was a little paranoid for using separate codes for all of my apps. Great video.
At 6:33 they say it works the same way on android. But that doesn’t generate as many clicks and views.
One important solution is missing in the video: using Screen Time with a different passcode to prevent account modifications. 🔐
Go to Settings > Screen Time:
- Hit “Use Screen Time Passcode” and pick a PIN that is different from any subset of your main passcode.
- Go to Content & Privacy Restrictions > Account Changes and set to Don’t Allow.
When you go back to the main Settings screen you’ll see that the account badge is grayed out and settings there are not accessible.
My advice is to have situational awareness and don’t have your face buried in your phone in public. I know it’s hard but remember when cell phones weren’t a thing and you didn’t have the option to stare at the screen while waiting outside a bar etc?
Saving your bank app's password in the Apple password manager isn't a smart idea. In Turkish and Norwegian banks, it's actually not even possible. Those apps won't allow passcodes to be stored.
In my country too. It’s not possible.
The option should be there regardless. However when it comes to bank activities one should have the credentials etched inside their own minds. Or even on physical paper and stashed somewhere in the house such as a notebook. The notes app also lets you make up a password for the app itself with letters and numbers as options. Meaning you can have certain notes locked and only accessed via said password specific to that app. If anyone has other sensitive data on there, that data has a diff password from the main one used to unlock the phone thus preventing data leaks. This is why it's a bad idea to screenshot passcodes and what not. It's also important to keep the OS updated for security patches. Touch ID and Face ID would also really come in handy. The fact she has a Mac is also an issue itself vs if she had a Windows PC with iTunes on it she could have manually backed up ALL her Data on it. Meaning she didn't have to upload to the iCloud unless she's constantly running out of space. Strange tho, if I recall correctly; to change the apple id they need a separate password vs the main 4 digit code that unlocks the phone. My guess is she had that info either in the notes app (with no password specific to notes app) or she had screenshots out in the open on her photos app. Furthermore having bank passwords saved on your phone is a bad idea. She could have called her bank to freeze her accounts too... Just makes me angry for them. In this case filing fraud reports with the banks seems like a dreading task but more than likely they can get their life savings back. As for the priceless picture memories on the wiped iCloud id, big rips.
@@Sparkyh lol ya'll people saying physically writing down a pw on a piece of paper in 2023 is a good idea rather than using an encrypted pw manager that requires multiple layers of authentication to get through are wrong for that
Try this:
1. Enable Screen Time by setting a separate passcode
2. In ScreenTime -> Content & Privacy Restrictions->Account Changes -> Don't allow
3. Change other restrictions [ optionally ]
Use face ID or fingerprint ID only. It's important to NOT use the passcode except when the iPhone forces you to, and to cover up the keypad with your other hand when you type it in, and look around you to make sure no one is watching you type it in. If someone is watching you, move to where no one is watching you before typing it in.
Not a real solution: Thieves will just point the phone to your face or rip your finger off for touch ID
@@wotube6387 Fingerprint is the best bet here. Nobody will rip your finger that too be in a public place like pub to unlock your phone.
Joanna's excellent advice: treat it like an ATM PIN
You can't change your password by having the passcode on Android, you need to enter the old one, besides android users usually use patterns and not passcode to secure the phone and they are way more difficult to memorize.
1. Thieves don't need to change your password. They just need to sign you out from all other trusted devices so that you will not change it.
2. I need a citation on the pattern-is-difficult-to-memorize-than-passcode thing.
You can take a video of the person entering their pattern.
@@sexyscientist You need the account password to remove trusted devices, the phone pin code is not enough to remove trusted devices. Account password and phone pin code are not the same. Additionally you need the account password to turn off find my phone, phone pin code is not enough to turn off find my phone :)
@@PrincePawn No, you don't need anything... no pin code, no password to sign-out from a device. I just signed out one of my device using my phone. Same goes for "find my device". Tried and tested.
@@sexyscientist I just tested, you need account password to change password, not just PIN of mobile.
It has been happening in Brazil for a while too. I would recommend also locking the SIM Card.
Yep I lock my SIM card but only works when I have my phone off and they turn it back on again they have enter a password
Why not enable (face ID together with pin code)? If you have the phone with you the thieves cannot take anything. Am I wrong?
The fact that you can't physically show up somewhere with your government issued photo ID and get your account recovered is strange.
I do not want that.
If you do. Your choice.
Blackberry used to have two separate passwords, one for the Lock Screen and one for the password vault. And it used to have picture password, where you put a chosen number on a specific part of a picture. It was basically unbreakable. Apple needs to have a picture password as a lock.
I still have my Z10 - yeah I do miss that password unlock !!
@@serggc, I thought, Blackberrys are dead by now, because the servers were shut down.
@@stolmich I think you can self host one... haven't used mine as a daily driver in years. but it still boots ( I turn it on every couple of months - Gmail still worked on it last time)
@@stolmich and I just remembered! the z10 ( and all other blackberry 10 OS) don't really need BB servers to access internet / emails / messenger. They have a limited setup but this is something I did when I got mine was cancel the 1€ per month subscription with my carrier for that BB server.
There is a simple fix for this problem. Go to settings > screen time > set a DIFFERENT passcode > content & privacy restrictions > Turn On content & privacy restrictions > Set passcode changes and account changes to "Don't Allow". Now to be able to make changes to your Apple ID account or to change your iPhone passcode, you need to get back to the screen time menu and enter the unique different passcode that you set up. Hope this helps at least 1 person to stay safe.
Surely having Lastpass so prominent is also not very safe, as they have been recently hacked 🤔 Another advantage in keeping a Sim card as you can lock those as well
Apple needs to have mandatory security questions to change the Apple ID password or at least require a fingerprint. That would have stopped them immediately. Great news story.
Anyone who has the device passcode can add his/her fingerprint to Touch ID, so that still causes the problem
great idea
Do you know how many people forget the answers to their security questions???
@@lauragonz34 if you forget the name of your first pet or the street on which you grew up, you deserve to lose your phone.
Security questions are way too easy to guess and 99% of the time are either on public records or can be found online and on social media which many people do not keep private. It’s because of this reason that many companies are phasing out security questions. The 2 examples you gave (the street you grew up on) can be found through white pages, and (the name of your first dog) will most likely be on your social media. Not always but it’s a pretty good bet.
Very insightful, some obvious points that consumers are aware of but just choose to ignore these. This video will probably help everyone rethink the security which they have set up on their phone and improve it by making the suggested changes. Thank you.
I'm pretty sure on Android bank apps by default will not store a password in keychain. I'm pretty sure Samsung knox doesn't even allow this, with a requirement only to be used with biometrics
There's another thing people can do and that is to enable screen time with separate passcode and then in content & Privacy restrictions disable account changes and passcode changes that will effectively block Access to the Apple ID tab in the settings app
Really good advice! I’ve used it for many years. Gives you a second layer of protection.
U can just disable it and then move on to change ur Apple ID how is that a fix ? If a thief went to the effort of stealing ur phone and passcode he would definitely be willing to take two more seconds to disable screen time and continue to lock u out of ur phone
In these three steps I already use complex passwords with numbers letters and others included. However, I use Face ID most of the time unless the device has been reset or shut down and turned on again. But like mentioned in this context it is necessary that we follow in order to reduce the risks of our digital lives.👍🏽😊
TIP: freeze your credit with the 3 credit reporting bureaus. You can unfreeze when you apply for something and then freeze it again. It's free to do so.
No wonder why apple customers have been leaving to Samsung and other phone companies because they are now creating better passcode and far greater technology to use
Thanks for reporting on this. I never realized Apple doesn’t require 2FA or old password verification when setting a new password.
I thought they showed that they do require two factor authentication (at least the text type of 2fa). The problem is that they have your phone so when the text message is sent they are the ones that get it.
@@thefingerofgod69 have it sent to a different phone. What I’m considering though is using an encrypted USB key to lock my Apple ID. but tbh I don’t use my passcode in public much, so I’m not sure how much this will matter to me in the long run
jesus christ not something else requiring two factor authentication.
@@Ferrichrome Yea. I rarely use my passcode in public either. But my luck is that I WOULD use it one day and get caught like this... 😔
2FA is useless when they have your phone lol
As a software engineer I didn’t even realize this. Thank you for this outstanding journalism
If people understood that protecting their passcodes is as important as not flashing their wallet in public, or letting the neighborhood see them hide their key under that rock in the front yard, THEN none of this would have happened. A passcode to any digital device is just as important as the combination to the bank vault where your money sits. You should value that passcode and guard it with the same level of fervor
True, but if someone physically takes it from you while it is unlocked and logged in, they become you. Kinda like waving around $1000 bills in public.
Yeah but in this case someone literally ripped the phone from her hand. That's just plain coercion and you can't really expect people not to use their phones at all.
It's hard to think of any solution that's going to account for straight up coercion. Even biometrics can be bypassed if someone has a gun to your head or knocks you out
@@michaelcorcoran8768 yes but at that point you’re not talking about an issue with a device. The same can be accomplished without the phone. A gun to the head will make most people give any information or possession up. The issue here is that this is being made to seem like an issue with the device or company. That it’s somehow news to everyone that mugging and robbing are a thing, and that somehow having a device makes that more probable. My point is only that we should have always been treating and educating others to treat our passcodes the same way we do our keys to our home, our combinations to our safes etc. we use all those things but we protect them. For far too long people have seemingly not made the connection that they need to do the same with their digital assets.
With biometrics it’s just plain reckless not having a 20 character alphanumerical passcode. even if you ever need to unlock with passcode it’s so complex that the thieves won’t get it.
@@michaelcorcoran8768 biometrics can only be bypassed once. Someone could unlock your phone, but good luck after that accessing anything if you have other layers of protection.
Password change should ask for OLD password, then NEW password. CONFIRM new password.
6:58 She says she's been using iCloud for 15 years even though it's only been around since Oct. 12, 2011.
Using an alternative password manager was the first mitigation I thought of. Terrifying problem, great advice!
This video highlights a major issue that many iPhone users may not be aware of. It's scary to think that someone can ruin your entire digital life in just a few minutes if they gain access to your phone.
That's why I do not save passwords onto one rectangle. The value of that iPhone then multiplies far beyond what you purchased it for.
Thanks for giving every criminal a step by step guide on how to do this
Now more people will be aware of this and hopefully take measures to protect themselves.
Having your password changed so easily with only the passcode is just wrong. Apple should fix this with 2 factor authentication.
You have to configure it, and encrypt your phone. I am willing to say that they haven’t done this.
@@Stopinvadingmyhardware why was this not recommended at the end of the video?
requiring an email confirmation before password change is pretty easy
The problem of 2 factor authentication is that it becomes useless when you have access to the main key which is the iPhone.
@@krishp1104 if you have access to the iPhone, it is easy to get through emails
The spokesperson was clear, if someone stole your phone AND figured out the passcode, you're out of luck, unfortunately. There isn't really anything Apple can change.
Right. It’s not 🍎 fault
Not anymore! Apple released iOS 17.3 today which patches the passcode security hole.
This video is the best example of why Apple needs to implement in display touch ID for better security purposes 👍🏼
That’s not going to do anything since what if your finger can’t unlock the phone? Back to using the passcode.
This happened to me in London. Apple refused to believe it was possible. Their response in this video is telling.
Did you have biometrics on and the phone happened to ask for the PIN code, which then was picked by an outsider?
@@terohann sometimes the iphone just asks for your passcode because it didn’t recognise your face or for no reason, just for fun.
@@terohann yes exactly this. And then the thieves were able to bypass Face ID to use my wallet and access my banking apps
You can also be robbed at knifepoint and forced to give them your passcode 😢
Of course they didn't own up to their mistakes. This is the fundamental character flaw of the company and ALL its users.
Anyone who is capable of admitting and learning from their mistakes wouldn't still use apple.
Really good piece, I’ve never saved my banking or email passwords on any device for this reason. There are some passwords that you should only save in your personal memory (aka your brain). Also, make a local backup of all your photos, even without theft if Apple's cloud got compromised you could lose everything.
THIS! It’s good practice to put your photos on an SD Card. I do it every 3 months. It doesn’t take long at all! Set a reminder. It’s so worth it to not lose all your memories like this poor woman has!
Same I never use Apple Pay and people are like sheep they think it’s cool until someone gets ahold of stuff they can use
you know that passwords are biometric and pin protected?
@@bradyhunsberger An SD Card can get stolen if it remains inside the phone.
Apple recently added the ability to use a security key as a form of two-factor authentication. It’s in the same menu that was shown when changing your password. The security key is a physical device that can be kept on a keychain, for example.
so if they steal your phone and keychain, then what?
@@TomNook. Getting security key, passcode and phone stolen is bad luck. The threat actors can bypass multiple defenses. The strength of security keys is cryptography which addresses the shortfalls of SMS-based security codes and time-based one-time passwords (6 digit code)... not helpful when it gets stolen along with your phone and credentials. Be cautious of using security keys in public and who is around you.
This is exactly why I don't use the password manager on my phone and why my Gmail Password is different than all my other Passwords. Also, I use Android with a separate VPN to brick my phone
Excellent story. I’ll be making changes where needed… and avoid bars😛
Fingerprint sensor... Wait 🤭
Wouldn’t having FaceID as an additional verification requirement fix majority of the concerns? After all it is unlikely we will lose/forget our face.
Exactly!!!
Ahahahahaha! That’s hilarious and on the “Face” of things, seems like a legit simple solution to the problem.
Personally I’ve actually thought about this topic before even seeing this video and what I do with my iPhone is make sure my password is in before going out in public. Then from there on out til I get home I just use my face to unlock it. N unless you’re in a Nicolas Cage/John Travolta movie, your face doesn’t get stolen 😂
The pass code already is the ALTERNATIVE to face ID, and should only be used when face ID doesn't work. That's the whole point of your pass code. Only use it, if fingerprint or face ID doesn't work. The video only speaks about this in a side note 8:08
I turned it off because I got sick of my phone unlocking itself when I didn’t want it to.
I’m sorry but I had to laugh 😆 😂😂😂
I only use my smartphone as a phone! Banking online is for my desktop, only. Desktop computer is only ON when in used otherwise, OFF.
I hope things work out. And …Maybe let’s all stop storing our bank logins and personal identity info on these devices. Everything is not made for digital spaces.
This is why they should have never removed fingerprints as a security measure. At the time it was only a 5-year-old feature for all smartphones and was the most and still is the most secure way to lock a phone. Biometrics work very well imo
Android still has fingerprints as a security measure. Stop buying iphones.
Simple for Apple to fix in a quick update:
Don't allow a user to change their passcode with just their PIN which is used to unlock their iphone. They need both PIN AND Face ID. That would stop the user being able to change the account's password and thus the other things that follow.
Also adding in the same step for unlocking the password manager would mean they can't get in the Bank accounts.
To change the Face ID you just need the PIN.
@@thiagotsn LOL, change that to need your passcode
@@nathanabo8297 hahahaha
Apple has an update that does not allow you to change the apple ID without facial recognition that is available in the most recent update. IOS 7-3
This just shows that fingerprints and Face Scanning is much more secure than Passcodes
No, they are not. Not my opinion.
1) Your face can be copied.
2) Mathematically, if you had any idea how passwords work. Which requires only a few hours of casual reading. Knock yourself out and prove me wrong. Will not happen. The fact that you think they are is amusing. I am not teasing you. However, I have had this discussion with many Apple Users. Online and offline.
Fingers can be chopped off.
3) Passwords can be changed. Your face can not.
4) If you live in the USA. You just gave up your right to privacy. You can be compelled what you are. Not what you know. So unless you do not care about your basic 'human' right to security and privacy. Again, go for it.
Thank you for making this video! I had never thought of how powerful and dangerous that little short code could be. I will definitely be making some changes.
Lesson is : be patient and only use face or fingerprint ID in public places. Also, stop looking at your phone so much in bars, experience reality, nothing more annoying than going out to a bar and finding phone zombies!
True 🤣🤣
Maybe someone has said this before, but just for reference....
Settings>Screen time>content and privacy restrictions> scroll all the way down
Disallow passcode, account and mobile data changes(esim will be helpful as they can't remove it).
Toggle account changes when required. I didn't find this as a hassle as I don't access iCloud frequently.
At least you won't be locked out of your account....
I always thought it's ridiculous how much access you get just by knowing the phone's passcode. Apple won't even let you password protect APPS, like, come on...
Well, this is a big issue that needs to be fixed, but they would be very disappointed when they got into my bank account, kinda how I feel when I see it 😢
The simple fix for this would be for Apple to require a Fido key or 2FA to change the passcode. With users not sending the 2FA to an email that’s accessible via the phone. All 3 of your steps are valid also. My family says the military made me paranoid when it comes to security but this just proves my point.
That's interesting. Why has the Military made you paranoid? Specifically when it comes to cyber security?
The majority of users are too inept to figure out Authy or Yubikeys
We all suffer for it
I tried it myself. You really can change iCloud password using the 6 digit screen lock passwords. So scary!
Thank you for this story- now I know how to use my phone in a more secure manner while in public. Hopefully Apple views this video as well!
I understand the main premise on this story is that having the passcode for a phone allows a thief to reset your apple id password. However, it is still good to safeguard yourself with some of the following suggestions to prevent thieves from getting to that point of reset.
Here are the ideas:
1. Always use face id or touch id in public -- personally I think this is easier than entering a code anyway.
2. Change your passcode to be longer than 6 numeric digits if you are concerned about others hacking your passcode-- apple lets you have long numeric passwords or even alphanumeric passwords (this doesn't entirely matter though if they are recording you enter your password anyway).
3. Set up 2FA
4. Use a password manager
5. Apps like Venmo allow you to enter a pin specific to that app (allows for face id access also) -- implement this with supported apps that you wouldn't want a bad actor to get into to bring havoc on your life.
Joanna, thank you so much for reporting on this. This is a HUGE issue. Especially since even if a victim were able to beat the thief to Find My iPhone, enabling Lost Mode would be pointless since the passcode can immediately disable it. This would leave only the option of trying to erase the device (again with the victim having to "beat" the thief to FMI) . There is definitely a huge hole with the security on iOS that needs to be fixed.
LOL, I do agree with you. It is just. I try to point this out to Apple Users. Most look at me in complete confusion.
Lol at everyone still saying iPhone can't be "hacked". I hated having to input my code on an iPhone during COVID. Thankfully, they've since rectified it but that's why I love having a fingerprint scanner.
Apple would argue that that’s what Touch ID and Face ID is for, so no one can see your password. This is so freaky! Thanks for the info.