r/technology Feb 26 '23

A woman who got locked out of her Apple account minutes after her iPhone was stolen and had $10,000 taken from her bank account says Apple was 'not helpful at all' Business

https://www.businessinsider.com/apple-not-helpful-woman-locked-out-apple-account-lost-10k-2023-2
57.8k Upvotes

1.0k

u/Anomander8 Feb 26 '23

1st order of business when you lose your bank card, credit card, phone, whatever, is to phone (from your friend's phone) your bank and tell them access to your bank accounts and credit cards might be compromised. Always. Then you’re covered and nobody can yoink money from your accounts without the bank having notice. It’s a hassle but not $10k worth.

442

u/DoctorEvilHomer Feb 27 '23

Friend called his bank, said his account information was stolen and his account was compromised. They told him they couldn't do anything until the next business day during banking hours.

408

u/TheFriendlyFinn Feb 27 '23 edited Feb 27 '23

Rofl. Sh*t Bank. Every time I've been mailed a new card, there's the 24/7 number to call if your card has been stolen.

174

u/TheKrononaut Feb 27 '23

Hell my bank app has a button that locks any one of your cards instantly

83

u/Rubfer Feb 27 '23

All the banks I know have a special 24/7 team for emergency stuff like this, that story feels like bs

34

u/Nick08f1 Feb 27 '23

They were calling the wrong number for sure.

122

u/PHD_Memer Feb 27 '23

I do not believe this story, I believe your friend had a fraudulent charge appear on his debit card and couldn’t dispute it until the next business day

4.3k

u/NaiveAbbreviations5 Feb 26 '23

Reminder: keep your credit info frozen. The major credit bureaus offer this service for free.

1.4k

u/SSSS_car_go Feb 26 '23

And it’s now so easy to thaw them if you’re applying for an apartment or for credit. We used to have to call at least one of them, but we can now thaw for any period (a day, a week) all online in about 10 minutes for all 3.

809

u/revutap Feb 27 '23

How does freezing your credit keep someone who's gained access to your credit card information (iPhone and I assume Apple Pay) from spending your money? Maybe I missed it, but the article didn't mention that the thieves opened new credit lines or accounts fraudulently using her personal information.

In short, how would freezing her credit help in this situation?

21

u/clownpenisdotfarts Feb 27 '23

I think you might have missed it. The thief opened an Apple credit card in her name while she was on the phone with Apple support.

560

u/Pickled_Sloth Feb 27 '23

It wouldn’t. I think it’s just a friendly psa to everyone that it’s a smart thing to do. Probably along with not allowing access to bank accounts to anything except your bank. No Apple Pay. No google pay. None of that. Don’t allow anything direct access to your bank accounts. You can use credit cards, you at least can challenge fraud with a credit card.

157

u/BroadwayBully Feb 27 '23

You can challenge fraud with banks too, in my experience they were helpful.

153

u/Justlose_w8 Feb 27 '23

Yes but the major difference is the bank has your money and the credit cards don’t, so it’s not your money missing while things are investigated it’s the banks

157

u/CurrentResident23 Feb 27 '23

In my experience the banks aren't super motivated to recover your money because it's your money, not theirs. They'll look into the matter and get the money back into your account eventually, probably. The credit card company, on the other hand, gets right to business. That account is locked, charges are reversed, and a new card is ordered in 10 minutes or less.

102

u/jello1388 Feb 27 '23

The one time I was ever the victim of fraud, the bank had all my money back in like an hour or two, so this isn't my experience at all. My paypal got hacked a few years ago. It was tied to my bank account. Whoever got access to it did over 80+ charges of random amounts in a very short period of time to a bunch of different accounts and slammed me for around 8 grand. My bank froze the account and called, emailed, and texted me about potential fraud. I called their fraud department, and they set me up with a new account, a new card, and "temporarily" gave me all the funds back pending the investigation.

Paypal, on the other hand, saw no red flags about the whole thing. Haven't used them since.

30

u/VengenaceIsMyName Feb 27 '23

No surprise there from PayPal

18

u/hypergore Feb 27 '23

just curious, which bank was this? was it a US-based bank? I just like knowing which banks actually bother to give a damn in the event I ever need to switch over to a different one.

34

u/[deleted] Feb 27 '23

I'm gonna go on a limb here and say it definitely wasn’t Bank of America or Wells Fargo. They both are very adamant that your bank account is your own problem and if you don’t agree then go fuck yourself.

6

u/blueblood0 Feb 27 '23

I know someone who had their bank accts drained from a debit card skimmer. Took 2 YEARS of constantly hassling the bank to do something and it was a nightmare proving what charges were fraudulent and what weren't. In those 2 yrs, they didn't have my money and had to live off cc's and also couldn't get any loans approved. I never owned or used a debit card since. Fuck that headache.

10

u/ConcernedKip Feb 27 '23

I've also had CC's disinterested in contesting charges as well. They want copious amounts of info related to the purchase and contact methods like fax only to disincentivise you from completing it.

5

u/RadiantZote Feb 27 '23

This is why I bank at a credit union, so much better than a bank

91

u/the__runner Feb 27 '23

This x1000. Also, make sure Venmo, cash app, etc are password protected or not actually installed (just use the website instead) and that it's different from your phone password.

Debit card is for ATMs only, and spending and withdrawal limits should be as low as possible without being inconvenient too. Even if your bank will reimburse for debit card fraud, you're still out "real" money until they do.

44

u/PaintDrinkingPete Feb 27 '23

Venmo can be set up to require a PIN or biometrics (and possibly other MFA?)… I’d say if you do prefer to have the apps installed, at least enable the higher security options so that a random person with your phone can easily access it.

You hear stories such as guys being tricked into handing their unlocked phone off to a woman at a bar to allow them to enter their phone number, but instead they go straight to Venmo and transfer money to themselves. That can’t happen if Venmo is behind an additional PIN.

11

u/dc22zombie Feb 27 '23

Everyone forgets, the thief has the phone and possibly the unlock code. Meaning it's trivial to just reset the passwords cause the email or SMS verification goes to that phone.

76

u/pabst_jew_ribbon Feb 27 '23

Best advice I've been told is to just not use a debit card. Credit card only. Builds your credit (if you're smart about paying on time consistently) and they're better protected. As a bartender I get a lot of cash so I just deposit it and never use my debit card. Being a bartender does make it hard to close on a house though ha.

197

u/[deleted] Feb 27 '23

[deleted]

111

u/Blade4u22 Feb 27 '23

From the article:

Over the next 24 hours, $10,000 was taken from Ayas' bank account, according to a bank statement viewed by Insider. She was advised to open a new account and transfer all her funds to it. While visiting an Apple Store in search of support, Ayas said she received an email from Credit Karma showing an application for an Apple credit card.

They did both. Stole her money and opened a credit card. Freezing her credit wouldn't have prevented the theft of the money.

22

u/wishtherunwaslonger Feb 27 '23

Precisely it just prevents from opening new credit lines

7

u/willzyx01 Feb 27 '23

The article states that they opened an Apple Card in her name. If she had a freeze, they wouldn’t be able to open it.

4

u/FormerlyUserLFC Feb 27 '23

Credit bureaus won’t tell a lender your creditworthiness if they don’t get contacted with a secret password or pin.

Without being able to verify your credit, no one will loan you money.

68

u/lilusherwumbo42 Feb 27 '23

Exactly. My friend was closing on a house and went to one of the Wynn timeshare spiels for free concert tickets, and froze his credit right there after telling them not to run his credit and being assured that they wouldn’t. They got pretty mad when they ran it anyway and it was frozen. Fuck Wynn

39

u/roastedbagel Feb 27 '23

I'm betting they only do soft pulls so technically they're not lying when they say "it won't affect your credit", meanwhile freezing will of course block those soft pulls as well, so yea good move regardless, I'd never trust those sleazebags

63

u/upvoatsforall Feb 27 '23

That’s news to me. Can you please share the website and your login info so I can see how it works?

Obviously you should PM the info to me to keep your info safe.

47

u/[deleted] Feb 27 '23

[removed]

15

u/ItWorkedLastTime Feb 27 '23

Just google "equifax credit freeze", "Experian credit freeze" and "Transunion credit freeze". That's what I do all the time I apply for new credit cards.

17

u/Billy-BigBollox Feb 27 '23

He/she is making a joke

8

u/shogunreaper Feb 27 '23

I don't find it easy to unfreeze my Equifax account.

The other two it's no effort at all, but I couldn't even log back into my Equifax account after locking it.

4

u/WhyLisaWhy Feb 27 '23

Is it more convenient now? It was such a pain in the ass for me to turn off that I just got rid of it. I was subject to a background check for a job I was taking and it delayed everything because my credit was frozen and I had to get them on the phone to turn it off.

It was kind of weird to find out the employer was running a credit check on me, but their explanation was they want to make sure employees aren't in massive amounts of debt and could be tempted to steal proprietary information they might have access to.

31

u/technonerd Feb 27 '23

Yes it's called planting your flag. And it's more than just credit freezing.

https://krebsonsecurity.com/2020/08/why-where-you-should-you-plant-your-flag/

33

u/0_0_0 Feb 27 '23

So basically the various institutions have made the consumer responsible for their weak identification processes.

300

u/AbortedBaconFetus Feb 27 '23 edited Feb 27 '23

The major credit bureaus offer this service for free.

Let me correct one tiny detail about that........ they did not 'offer' that for free. They used to charge about $10 EACH for over 12 years up until the Equifax fuckup. It's simply that this one incident is what the government used to shove a boiling shit rod up the credit fuckers asses which FORCED them to make it available for free in lieu of the dismantling of the credit system.

Everyone needs to understand that the "Credit Score" was invented in 1996 by these same companies who then sold you the freeze as a $10 'protection' SERVICE.

Fun fact: You know who also sold a 'protection'? THE FUCKING MAFIA.............: "Say..... that's some good credit score you got there...

IT'D BE A SHAME IF SOMETHING BAD HAPPENED TO IT"

103

u/Hexoglyphics Feb 27 '23

An example of how regulations keep our fragile society functional at all.

Should have just dismantled them though.

39

u/NGGJamie Feb 27 '23

And created a better system that doesn't allow someone to ruin your life because they got your name and a 9 digit number that isn't even random or secure in any way.

Seriously, if identities were protected by a physical security key that had to be plugged in, and accompanied with a password to authenticate, identity theft would stop existing. And even then, that's probably overkill compared to simpler solutions that would also do the job fine.

14

u/mcanallys-pub Feb 27 '23

The main issues with a SSN as a secure identifier are:

  1. It's predictable.
  2. It's unchangeable.

The other identifiers often used in conjunction with it (name, date of birth) are similarly unchangeable. The date of birth (and location) helps predict the SSN.

It's like if your password for every website had to be your birthday and a random three digit number and you were never allowed to use a different password. You'd be fucked five minutes after getting on the internet.

Never mind some sort of physical security token (and all the problems that would bring)--this situation is so bad that just issuing people a fucking random 9 digit number alone would be a huge improvement. Doing that and having it expire maybe every 5 years would take almost nothing above the current solution and significantly improve security.

4

u/toadofsteel Feb 27 '23

It was never meant to be used for this purpose too... only reason it is, is because it's the only unique identifier on a national level.

If we didn't have so many "government trying to spy on me" folks around, we could have a much better national ID system in place.

7

u/unsinkabletwo Feb 27 '23

Freezing your credit report for free was the best thing that happened from the Equifax hack.

Prior to that, each freezing & unfreezing cost $10.00 each, for each agency.

(it might have only been $10 per unfreeze/freeze)

59

u/ImaCulpA Feb 26 '23

Please elaborate. Thanks.

109

u/NaiveAbbreviations5 Feb 26 '23

51

u/gmanz33 Feb 26 '23

Oh yeah this works wonders! I've had my credit below freezing for years. In Fahrenheit at least...

29

u/PlacentaOnOnionGravy Feb 26 '23

Go to the major sites, create accounts and click the freeze button.

13

u/CaptainCAAAVEMAAAAAN Feb 27 '23

Yup. You can even temporarily unfreeze your accounts if you plan on opening another line of credit. I have my credit frozen at all 3 of the major credit bureaus thanks to T-Mobile's data leaks.

9

u/theblueadept93 Feb 27 '23

By the way, sites like Experian are a bit sneaky. Freezing your credit is supposed to be free, but they also offer something called credit lock. It's not simple finding where you can freeze your account... but credit locking it is easy, except, guess what, it costs you money to do that. So you have to search around the website before you can find the actual place on their site where you can freeze it for free. I was confused today because I know I froze it months ago, but then on their site when I logged in it says "credit lock" is unlocked. I thought, what the heck, why is it unlocked? Then I realized they don't mean my account is unlocked, just that paid-for feature called "credit lock". I really can't stand these sites trying to trick people like that.

8

u/slapFIVE Feb 27 '23

Yeah Experian is a scumbag company. Not only do they purposely blur the lines between their credit lock (paid product) and credit freeze (free and offered by all bureaus), they constantly pressure you to upgrade to their paid membership.

As soon as I logged on today, I was prompted with a gigantic “upgrade your membership and get these features”. At first glance, it almost looks required to use their website, but they have a small greyed out link at the bottom that says “no thanks, keep my free membership”.

230

u/winespring Feb 26 '23

I think the real story is that if someone got unfettered access to most of our phones, at best we would really have to sit down and think about all of the different accounts we would have to lock down, and if they already knew what they were doing they could probably compromise at least some of our accounts before we could do anything about it. If they were able to reset our email passwords, most of us would be fucked, because we would struggle to reset our other passwords without access to our email.

53

u/dbadnanuk Feb 26 '23

One way is to have a privacy email that you use for that, which is not used or accessed by that phone: you use another device that is not linked to anything, only you know the email, and you do 2FA with it. TRUST NO ONE.

37

u/patrickbabyboyy Feb 27 '23

Was her phone not locked? All my sensitive apps still require biometric unlock even if the phone is unlocked. What was this person's phone situation?

26

u/EnterPlayerTwo Feb 27 '23

The most likely thing that's been suggested is that they shoulder surfed the PIN before stealing the phone.

9

u/PejHod Feb 27 '23

This is a strong reminder to everyone, consider setting an alphanumeric password for your phone.

10.5k

u/Sanity_LARP Feb 26 '23

That's why you call the bank, not Apple.

7.4k

u/[deleted] Feb 26 '23

[removed]

4.1k

u/[deleted] Feb 26 '23

[deleted]

1.3k

u/ResilientBiscuit Feb 26 '23

Why does Apple have a phone number for card support if they don't issue cards?

1.5k

u/theoriginaloats Feb 26 '23

The same reason Cash App has customer support even though they’re not the issuing bank.

1.3k

u/Lieutenant_Joe Feb 26 '23 edited Feb 26 '23

So this is a non-story, then.

I fucking hate Business Insider.

482

u/cptnpiccard Feb 26 '23

Sokath, his eyes uncovered!

175

u/subaru5555rallymax Feb 26 '23

Temba, his arms wide

137

u/throwaway4161412 Feb 26 '23

Shaka, when the walls fell...

80

u/lions2lambs Feb 26 '23

Shaka! Mirab, his sails unfurled.

37

u/devin_mm Feb 26 '23

Picard and Dathon at El-Adrel

18

u/History-of-Tomorrow Feb 26 '23

Business Insider is trash

76

u/DarkSkyKnight Feb 26 '23

Maybe read the story up to the conclusion... It's not just about the credit card. These Reddit comments are more embarrassing than the clickbait articles.

34

u/torro947 Feb 26 '23

You’re not getting an Apple employee when you call that support number. It goes to Goldman Sachs.

235

u/dew22 Feb 26 '23

Why does Best Buy have a phone number for card support when they don’t issue cards? Oh right, the number is actually to Citibank, who actually issues the card. It’s almost like every store that has a card has a number to the bank to help with issues

54

u/vezwyx Feb 26 '23

Probably for tech support issues relating to using the card on an Apple device, as opposed to actual finance, billing, or fraud problems that should be handled by the issuing bank

137

u/LiamStyler Feb 26 '23

My Apple card “application” literally took me 30 seconds to get approved for a $2000 limit. Literally like 30 seconds.

28

u/Potential-Jaguar1831 Feb 26 '23

Amex, citi, chase, etc. All of my CC applications take 30 seconds. Why should they take more? It’s an automated process.

135

u/Toastburrito Feb 26 '23

You would be surprised how many people accidentally applied for and were approved for an Apple Card and didn't even realize it. They would think they're setting up their mobile wallet, but no, they're applying for a credit card. I used to work in the call center that handled these calls. It's odd seeing your old job pop up like this.

20

u/Shap6 Feb 26 '23 edited Feb 27 '23

all of my credit cards were approved in seconds

3

u/[deleted] Feb 26 '23

[deleted]

440

u/MacAdminInTraning Feb 26 '23 edited Feb 26 '23

The article says she called Apple for help getting back into her Apple account, which had all of her passwords saved, as the thief somehow locked her out. It shows that you should not store mission-critical data like your passwords with Apple.

76

u/distinctgore Feb 26 '23

But how did the thief access her passwords, I don’t get it. Were they not protected behind face ID or a complex master password? I use a password manager (bitwarden) and if someone stole my phone they would need face ID or my master password to access bitwarden…

35

u/MacAdminInTraning Feb 26 '23

If you know the phone's PIN you can override Touch/Face ID. She may have had a simple PIN.

48

u/phormix Feb 27 '23

Or somebody shoulder-surfed the PIN before stealing the device

9

u/PejHod Feb 27 '23

This is why I did away with using a standard pin. My iPad and iPhone have 12+ alphanumeric passwords instead of passcodes. Does it suck to type in a pinch, yes, but our phones store so much!

43

u/NotRexGrossman Feb 26 '23

Most people on iOS use the built-in Keychain password manager, which only requires your phone's PIN to access.

25

u/[deleted] Feb 27 '23 edited Feb 27 '23

Exactly - if somebody nicked your phone, they would need Face ID to access your bank account. Banking apps won’t accept a phone PIN.

Edit: I’ve just seen that apparently she was using Keychain, so one single point of failure

6

u/OfficialZwayMusic Feb 27 '23

My bank app will let you use your pin if face unlock will not work

4

u/BennyInThe18thArea Feb 27 '23

My bank app (Barclays) uses a specific pin for their app if Face ID isn’t working not the iPhone one.

13

u/Flat_Cod_747 Feb 27 '23 edited Feb 27 '23

Apple has a password manager.

You can access it simply by passing Touch ID/Face ID or, if this fails, the passcode that protects your Lock Screen can unlock it.

The woman unlocked her phone while someone was looking over her shoulder.

He stole the phone. At this point he already could access her password manager.

He issued a password reset on her iCloud account with her phone, while the phone itself acted as a 2FA device for him to set a new one.

Lesson for her:

  • Cover your phone when unlocking it or use biometrics.

  • Use a passcode and not a PIN.

Lesson for Apple:

  • The protection for the password manager was always insufficient. It should be biometric only, with a strong master password as an alternative.

  • They should have a more secure system to reset a password. Even Google asks me questions to confirm my identity, but Apple just sends a PIN to your stolen phone to reset it lmao.

3

u/distinctgore Feb 27 '23

Then why does Apple even use an iCloud account password if you can just reset it with a PIN? Feels like a huge security flaw if the PIN can be used for everything. Why even have biometrics if the PIN can override them?

248

u/itwasquiteawhileago Feb 26 '23

The number of people that link literally everything in their digital world to Apple, Google, or whoever is scary. Yeah, it's convenient, but then shit like this happens and you're fucked. Alternatively, these tech companies can find any reason to just dump you for TOS violations (justified or not) and you're boned.

Firewall/compartmentalize your shit, people. Make redundant backups and recovery options. Don't leave all your digital keys in one place, especially a place that you frequently take out of your home and can leave or have stolen easily enough.

All that said, there needs to be some laws about this shit. Apple, Google, Amazon, FB, etc, have our digital lives in their hands. There need to be actual people to help when shit goes wrong. For example, getting your Gmail locked out can completely fuck you if you linked everything to it, and good luck getting any help getting it back. Google don't care. No one cares.

94

u/richalex2010 Feb 26 '23

Alternatively, these tech companies can find any reason to just dump you for TOS violations (justified or not) and you're boned.

Reminder that someone lost their phone service when their Google account was banned for child pornography.

It was a father, who took a picture of an infection to send to his child's physician (at the doctor's request) during COVID when in-person doctor's visits were severely limited. Google reported him to the police for child pornography, he was investigated and cleared. Google doesn't care; his account (including all of his email and all accounts tied to that email address) is gone and he's banned from using anything Google-related for life.

https://www.nytimes.com/2022/08/21/technology/google-surveillance-toddler-photo.html

45

u/itwasquiteawhileago Feb 26 '23

Yup. I also remember a tale of some dude who would goof on his buddy using his private Gmail. He'd basically download his friend's new app from Play, then extract the APK and ask for a refund. He got cut off because I'm sure it set off some kind of fraud detection from Google, doing that over and over. But IIRC, it was also linked to his work email, which was a custom domain. Everyone linked to that custom domain was locked out of their accounts, too. Some of his colleagues were straight up not only locked out of work, but personally linked shit, too, because it rippled through everything. His company was fucked. Many of his colleagues were fucked on a personal level. All through no fault of their own.

I don't know if they ever got through to anyone or if I remembered all the details correctly, but it shows just how vulnerable everyone really is and how little we can do about it. Google, et. al. can ruin your life in a blink and there's nothing you can do. That needs to change. Yes, people should be careful and not knowingly poke the bear. But even if someone undoubtedly/knowingly violates TOS, there needs to be a way to recover your data so you can move on (assuming your data isn't illegal to possess). I recommend everyone get their own domain and use that to forward to whatever. It's like $15/year for a domain and you can, at a minimum, forward emails anywhere you want via the registrar settings. So setup a Gmail, Outlook, Yahoo, whatever account, and just point it to that, so any other accounts you use that email with can be recovered, if needed.

Right now my domain email is hosted through Google (got free GSuite for life, now Workspace, when it was being offered). When they attempted to fuck everyone last January by forcing (what were now called) legacy GSuite free users to paid Workspace accounts (lest they lose email and a bunch of other shit over the course of a decade or more), shit got real for a lot of people. The bottom line: I could, and did for a while, point my email to an Outlook account and was ready to decouple from Google entirely. But I didn't have to worry about losing access to anything else, because I still controlled my domain and where my emails went. Archiving the data on my account would have been a bit of a pain, but doable with various tools out there (plus I have local backups of most stuff anyway). Thankfully Google relented (for now), but that was a huge wake up call. If I had a regular Gmail account, I'd be straight fucked if anything happened to it.

34

u/MultiGeometry Feb 27 '23

I think it’s crazy that if you actually commit a crime on your gmail, the cops will come after you, and if they need to, issue a search warrant with Google to retrieve evidence. In this sense, the data is yours. If Google locks you out, there’s no way to access the data anymore. All of a sudden ‘Google owns it’ and is not required to work with you at all.

They really get the best of all worlds and us plebes really need a way to fight against it.

14

u/cat_prophecy Feb 26 '23

For someone who works in technology this is easy. But try explaining this to someone, literally anyone who's not a programmer, developer, or IT professional, and you might as well be talking gibberish.

3

u/FriendToPredators Feb 27 '23

Friend of mine used a second email account of his on a mailing list and Google decided it was spam. Froze that account's Google Drive AND any other file owned by anyone who had shared that file with that account.

There were no recent backups because a bunch of people around the globe were working on a deadline. It was nearly a disaster of missed expensive deadlines.

Do not use google apps for anything critical without paying another cloud service to auto backup.

151

u/catwiesel Feb 26 '23

That's too hard for almost all people, which is why you gotta respect grandma's password book and not ridicule it.

67

u/dave5124 Feb 26 '23

I told my wife recently to start using a password book. I would rather have a book physically secured at my house with complex passwords than simple or repeated passwords.

22

u/jacksheerin Feb 26 '23

Consider a password manager. I like Keepass, it's free/open source. You need to remember one good password to open the database and then you can generate a different password for every service you use.

14

u/cynerji Feb 27 '23

And/or/also consider passphrases. They're much more computationally difficult to break (as long as the words are unrelated/not a common sentence), but much easier to remember.

10

u/jeremydurden Feb 27 '23

https://www.useapassphrase.com/

This website is a pretty solid tool. It will generate pass phrases for you and also explains their purpose and importance. They even acknowledge that if you really want to be safe about it that you "probably" shouldn't be getting your pass phrase from a tool on the internet.

9

u/thisoneagain Feb 27 '23

I use passphrases for some purposes, but way, way too many websites reject them for being too long. Once, I even had a site accept my too-long password as original input, truncate it, and then tell me my password was wrong on login when I failed to truncate it where they did.

7

u/amusemuffy Feb 26 '23

I tried a password manager and wrote the manager password in a notebook. Notebook got accidentally thrown away haha! I do use a pin number to unlock my phone. At least no one would have access to my various accounts if lost.

19

u/bse50 Feb 26 '23

I have a password notebook... I keep it in a safe at home.

66

u/kitchen_clinton Feb 26 '23

Remember when Equifax’s incompetence allowed the leaking of customer financial profiles and they got a slap on the wrist, a small fine and are still in business.

143 million accounts

It appears this info didn’t make it to the dark web because Chinese espionage agents took it looking for trade secrets.

https://www.csoonline.com/article/3444488/equifax-data-breach-faq-what-happened-who-was-affected-what-was-the-impact.html

18

u/GMPWack Feb 27 '23

I had this happen to me one time. I dropped my phone in a cab in Lima Peru. I lock the phone but somehow they unlocked it and a week later I found $4500 missing out of my bank account. I was able to recover it through my bank but it still hurt to know that they could hack my phone. I was also locked out of my iCloud for 30 days.

12

u/Reelix Feb 27 '23

If your bank is allowing $5,000 transactions to a foreign account using your phone without question, you should change banks.

1.2k

u/JustALurker110 Feb 26 '23

Everyone is quick to call this a bullshit article. But it isn't.

In the typical case when a phone is stolen (and they have the iPhone passcode), they attempt to disable Find My iPhone, but that requires the Apple ID password. Instead, you can reset the Apple ID password (WITHOUT HAVING THE APPLE ID PASSWORD) and from there do anything you want. The user will not be able to sign into their Apple ID anymore to report the phone as stolen, and the thief will have your Apple ID, device, and phone #, which unlocks most of your world even if you have 2FA turned on.

You can try it yourself, go to Settings > Click your iCloud Account > Password & Security > Change Password.

Even with 2FA enabled for your Apple ID, you can reset the password from here. And for everyone saying just don't type in your passcode in public, there are plenty of times that FaceID and TouchID fail a few times and you have no choice but to enter the passcode.
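The chain described in the comment above, written out as a small credential-reachability model. This is an added example for this thread, not Apple's code and not something any commenter posted. Each rule reads "holding all of these credentials grants this one", and the closure over the rules shows what a thief holding the phone and its passcode ends up with. Both rule sets and every credential name are this example's own assumptions: `PASSCODE_ONLY_DESIGN` encodes the steps the comment describes (passcode resets the Apple ID password, iCloud Keychain opens with the passcode, SMS codes and the mail app live on the same phone), and `HARDENED_DESIGN` is a hypothetical alternative (account changes need the account password itself, a password manager with its own master password, MFA on a hardware key that is not on the phone).

```python
"""Credential-reachability model for the stolen-iPhone scenario.

Added example for this thread; not Apple's code and not from any commenter.
Every rule set and credential name below is an assumption made for illustration.
"""
from typing import Dict, FrozenSet, List, Optional, Set, Tuple

Rule = Tuple[FrozenSet[str], str]


def rule(*needs: str, grants: str) -> Rule:
    return (frozenset(needs), grants)


PASSCODE_ONLY_DESIGN: List[Rule] = [
    rule("phone", "passcode", grants="unlocked_phone"),
    # Settings > Apple ID > Password & Security: the passcode alone resets the Apple ID password
    rule("unlocked_phone", "passcode", grants="apple_id_password"),
    # the new password signs out every other device and locks the owner out
    rule("apple_id_password", grants="icloud_control"),
    # iCloud Keychain reveals saved logins to whoever knows the passcode
    rule("unlocked_phone", "passcode", grants="keychain_passwords"),
    rule("keychain_passwords", grants="bank_password"),
    # SMS codes and the signed-in mail app are on the same stolen phone
    rule("unlocked_phone", grants="sms_codes"),
    rule("unlocked_phone", grants="email_inbox"),
    rule("email_inbox", grants="bank_password"),  # email-based password reset
    rule("bank_password", "sms_codes", grants="bank_account"),
]

HARDENED_DESIGN: List[Rule] = [
    rule("phone", "passcode", grants="unlocked_phone"),
    # account changes require the account password itself (step-up auth)
    rule("unlocked_phone", "apple_id_password", grants="icloud_control"),
    # third-party manager unlocked by its own master password, not the passcode
    rule("unlocked_phone", "manager_master_password", grants="keychain_passwords"),
    rule("keychain_passwords", grants="bank_password"),
    rule("unlocked_phone", grants="sms_codes"),
    rule("unlocked_phone", grants="email_inbox"),
    # resets and logins need a hardware key that is not on the phone
    rule("email_inbox", "hardware_key", grants="bank_password"),
    rule("bank_password", "hardware_key", grants="bank_account"),
]


def reachable(start: Set[str], rules: List[Rule]) -> Dict[str, Optional[Rule]]:
    """Forward closure: maps each obtainable credential to the rule that granted it
    (None for credentials the attacker started with)."""
    have: Dict[str, Optional[Rule]] = {c: None for c in start}
    changed = True
    while changed:
        changed = False
        for needs, grants in rules:
            if grants not in have and needs.issubset(have):
                have[grants] = (needs, grants)
                changed = True
    return have


def attack_path(start: Set[str], rules: List[Rule], target: str) -> List[str]:
    """Ordered 'A + B -> C' steps from the starting credentials to target; [] if unreachable."""
    have = reachable(start, rules)
    if target not in have:
        return []
    steps: List[str] = []
    explained: Set[str] = set()

    def explain(cred: str) -> None:
        if cred in explained or have[cred] is None:
            return
        explained.add(cred)
        needs, grants = have[cred]
        for dep in sorted(needs):  # prerequisites first, in a deterministic order
            explain(dep)
        steps.append(" + ".join(sorted(needs)) + " -> " + grants)

    explain(target)
    return steps


if __name__ == "__main__":
    thief = {"phone", "passcode"}
    for name, design in (("passcode-only", PASSCODE_ONLY_DESIGN), ("hardened", HARDENED_DESIGN)):
        path = attack_path(thief, design, "bank_account")
        print(f"{name}: {'; '.join(path) if path else 'bank_account unreachable'}")
```

Running it prints the five-step path from `{phone, passcode}` to `bank_account` under the first rule set and "unreachable" under the second. The point of modelling it this way is that the weakness is not any single rule but the fact that the passcode sits on the left-hand side of every sensitive one; the hardened set breaks each chain by requiring something the phone does not carry.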

231

u/PabloEdvardo Feb 26 '23

apple lets you disable their ability to recover your lost password by generating recovery keys that you print out and store safely, at which point they lose the ability to recover your account

213

u/post_break Feb 27 '23

It just came out recently. And plebs probably shouldn't use it. It's like a litmus test of technology if you ask someone what their iCloud password is, "oh the iphone one?" 9/10 people don't have a clue what it is. Then if you tell them what recovery keys are? They are going to be very upset when they are told to pound rocks and the 10,000 pictures of their kids or grandkids are gone because they lost the recovery key.

Apple could fix this so easily, by hiding the full iCloud ID email in settings, and forcing you to type it in before resetting the password. That could buy enough time to get to another device and reset it before the attacker.

21

u/Shutterstormphoto Feb 27 '23

I don’t think that helps. Most people have 1 email account, and their email is logged in on their phone. It’s pretty easy to see what account that is. I guess they could hide it across the phone, but you could just send a dummy account an email, or check the sent folder.

14

u/Xxlivefastdieyoungxx Feb 27 '23

That wouldn't be an easy fix. People call in all the time and don't even know that their Apple ID is an email... -_- more than half the time you have to guide them to see what it is because they will try to guess 4 different emails with none of them being that email or remotely even close... it's not convenient. Apple is always coming out with new ways to protect yourself (recovery key, FIDO etc.), many people just don't care for it or prioritize it till they are in a pickle!

5

u/[deleted] Feb 27 '23

I have a recovery key set up and it still lets me go through the process, at least far enough to ask me to confirm a new Apple account password twice. I didn’t actually click “submit” because I don’t want to change it, but I assume there are no hurdles after that.

Recovery keys can be disabled if you have the device and the passcode.

→ More replies
→ More replies
→ More replies

68

u/AwesomeWhiteDude Feb 27 '23

You can still reset the Apple ID password with only the phone's passcode, having a recovery key in place doesn't help at all. Even if you have a recovery key a new one can be generated without having to enter the Apple ID password.

→ More replies
→ More replies

85

u/Gilthoniel_Elbereth Feb 26 '23

I can’t read the article because it’s paywalled for me, but that would give the thief access to her phone and Apple account, but not necessarily bank accounts. Did she have additional security set up on her bank’s app? It’s pretty standard from what I’ve seen on my finance apps to require your bank account credentials before they let you see anything

149

u/ThumbWarHero Feb 26 '23

She used iCloud Keychain for passwords. So they are able to access it once they changed her Apple ID password

99

u/Gilthoniel_Elbereth Feb 26 '23

Ah, RIP then. A single point of failure will get you every time. Trusted third party password managers should be the norm

43

u/[deleted] Feb 27 '23

[deleted]

20

u/GamingChairModel Feb 27 '23

The biggest issue IMO is that practically every company uses a text as 2FA.

The problem isn't texting as 2FA in addition to your password, it's texting as a password reset as a replacement for your password. That's just one factor authentication at that point, and a fairly insecure factor at that.

SMS as a true second factor is fine, and the easiest way to improve some security over just having passwords. But companies should think twice about SMS as a password reset function.

→ More replies
→ More replies

73

u/forgeror Feb 26 '23

A shoutout to Bitwarden.

→ More replies
→ More replies
→ More replies

49

u/DylanHate Feb 26 '23

Did she have additional security set up on her bank’s app?

Are you talking about the security measure that sends a text code to your cell phone to verify your identity? That's the whole problem lol. If they have your cell phone unlocked they can pretty much get into anything.

17

u/Gilthoniel_Elbereth Feb 26 '23

I’m talking about having to input your bank’s password or use Touch/Face ID to get into the app, but plenty of other people have pointed out that she was likely using Keychain which is accessible with only your local Passcode. Bad security practice tbh

8

u/dultas Feb 26 '23

If she had 2FA with Google Auth or Authy or something else that's not going to be much better since they have her phone.

→ More replies
→ More replies
→ More replies

8

u/mikedt Feb 26 '23

Most people have all their IDs/passwords stored in Apple Keychain. If you know the phone passcode you have complete access to every ID/password of the owner. And in most cases, even if the banks use 2FA, they're using a text message to that same phone for verification.

→ More replies

27

u/GeneralZaroff1 Feb 26 '23

This is why I always cover my phone when I'm entering my password or passcode in public. Or if I can at least tilt it down so it's not so openly seen.

>She believes he had seen her enter her passcode at some point and had waited for the chance to steal her device.

This is just unfortunate.

→ More replies

28

u/Captain_Alaska Feb 26 '23

Instead, you can reset the Apple ID Password (WITHOUT HAVING THE APPLE ID PASSWORD) and from there do anything you want.

Password resets never truly require a passcode, normally resetting your passcode sends an email to the associated account and you can set up a new one through the link.

If you're one of the probably literal millions of people who are signed into their primary email accounts and don't sign out between sessions, someone with access to your phone and its passcode can get access to pretty much any account they want.

→ More replies
→ More replies

1.4k

u/Grim-Reality Feb 26 '23

You guys have 10k?

416

u/Original_Profile8600 Feb 26 '23

I got 10k emails from the IRS

→ More replies

240

u/TheFriendlyArtificer Feb 26 '23

I picked up good habits when I was young and now have 40k!

I'd be more invested but those damn figurines take forever to paint.

39

u/LucidLethargy Feb 26 '23

This is a great investment! I've got beanie babies myself. Some day those are going to pay for my retirement.

→ More replies
→ More replies

39

u/TradeMasterYellow Feb 26 '23

I got 9,999 problems but $10k stolen from my Apple Pay ain't one of them

→ More replies
→ More replies

92

u/RetroDreaming Feb 26 '23 edited Feb 26 '23

Lock all 3 of your credit reports AT ALL TIMES unless you know that you need to apply for some specific credit or loan

14

u/Comprehensive-Fun47 Feb 26 '23

How easy is it to do this? Simple as a phone call?

24

u/RetroDreaming Feb 26 '23

All 3 have a website you can use to lock or unlock instantly, for free, as many times as you like, just Google “Experian/Equifax/TransUnion credit freeze”

8

u/SexxxyWesky Feb 27 '23

You can freeze your credit online.

→ More replies

9

u/MooseBoys Feb 26 '23

Most of modern consumer security tech is designed to prevent opportunistic attacks - password reuse, viruses, etc. If someone has singled you out as a target, most “best practices” will fail to stop an attacker. If you’re concerned about this kind of attack, use a separate device from your phone for MFA, like a YubiKey.

84

u/Goodtimesinlife Feb 27 '23 edited Feb 27 '23

4 years ago I was taken by a ‘taxi driver’ in Nairobi to a sketchy tenement style building for a 7 hour shakedown of everything possible to drum up money during that time. Wire transfers, calling family/friends with fake stories about losing my credit card and needing money, requesting atm limits be waived from my bank, etc. They took my phone and laptop, of course. Fast forward a day and I’m on the phone with Apple begging them to deactivate my phone and all they kept saying was I needed to login to my account and do it myself. I reminded them repeatedly that my devices were stolen and the criminals had all of my info — passwords etc. They wouldn’t help. At some point they said they were sorry for my ‘circumstances’ but they didn’t make exceptions for kidnappings. Good to know.

They were so utterly useless and unhelpful as I tried to stop the financial bleeding during the ensuing emotional mess.

20

u/kagethemage Feb 27 '23

Having done apple phone support, there is literally no mechanism they have to do it. There is no button that can be pressed that disables a phone other than the one that you get from Find My iPhone.

→ More replies

17

u/spudnado88 Feb 27 '23

Did they hold you at gunpoint? How did you get out?

→ More replies

270

u/Yuri_Ligotme Feb 26 '23

Apple could add an “under duress” passcode which would wipe out the iPhone and call the police

208

u/RetractableBadge Feb 26 '23

You mean in a case where someone is forcing you to login to your phone? Okay.

In this case it appears the thief shoulder surfed her PIN and stole the phone.

→ More replies

37

u/Boba0514 Feb 26 '23

Don't wipe, just show them a dummy user profile while turning on tracking and calling police, etc

→ More replies
→ More replies

1.3k

u/_2f Feb 26 '23 edited Feb 27 '23

People here blaming the woman, have not been following up on the latest news or the WSJ video. Here are the facts:

It kind of is apple's fault. It is a bad security design. This was known in some smaller communities before the WSJ article, but now everyone knows.

Here are the facts, with JUST the 4 or 6 digit passcode (the default length), there is a way you can change your iCloud password, encrypt it, lock others out, sign out of all other Apple Devices if you have any, initiate Apple Pay card transactions and view ALL passwords stored on keychain including bank passwords.

308

u/ehhthing Feb 26 '23 edited Feb 26 '23

There isn't a feasible alternative design that exists here. The reason this is the case is because "reset your password by email" is a thing, and obviously you're signed into your email account on your phone. So unless you don't want password resets to be a thing, you can't make another system that somehow prevents this.

EDIT: This comment is being misinterpreted as me saying that there aren't any ways to fix the problem of "your phone = full access". There definitely are, and apple has them available. The problem here is you can't expect "reset password via email" and also "people stealing your phone shouldn't be able to reset your password" to both be true. You either lose convenience or you get pwned.

166

u/bilowik Feb 26 '23 edited Feb 27 '23

The solution is not doing the bare minimum for your phone's lock screen passcode. Especially with faster alternatives like Face ID or fingerprint readers, there’s even less of an excuse to not have a more complex password or passcode beyond 4 or 6 digits since you don’t have to enter it every time you unlock the device, while a malicious actor still needs the full password.

Edit: let me explain this a little more:

A malicious actor who doesn’t cut off your thumb or peel off your face will have to get your PIN code or password to get into your phone (barring some unknown vulnerability obviously)

It used to be for convenience to have a short 4 digit pin code for your phone bc you have to use it to unlock it many times a day and it would be tedious to type a complex password over and over again. But biometrics allow you to avoid that, so there’s less of a reason to have a very insecure pin over a complex password.

Will it be annoying if biometrics fail and you have to type out that long annoying ass password? Yup. Is it magnitudes safer than a 4-6 digit pin? Absolutely. Worth it.

7

u/Tritianiam Feb 26 '23

A 4-6 digit code is fine though of course 6 is better.

you only have 10 attempts before the phone factory resets itself if you don't input it correctly, and it is time gated after the first five attempts.

10

u/Gilthoniel_Elbereth Feb 26 '23

iPhones only factory reset after 10 failures if you opt into it in the Settings. Otherwise it just temporarily locks you out

→ More replies

16

u/[deleted] Feb 27 '23

The point of the wsj article is it’s organized criminal groups that are targeting people in bars, video recording people entering the passcode, and then stealing the phones.

A longer password doesn’t help against that.

115

u/tehherb Feb 26 '23

Biometrics fall back to pin code when they fail, is it any safer?

27

u/Vaynnie Feb 26 '23

Read the comment again. He said you should have a more complex passcode (for example mine is 8 characters, not the default 4), because FaceID means you don’t have to put your passcode in every time so a longer one doesn’t inconvenience you.

13

u/tehherb Feb 26 '23

You're right and it's shocking how up voted I am lol

8

u/shortround10 Feb 27 '23

This was my first thought and it’s refreshing that you called it out yourself lol

→ More replies

74

u/Shakespeare257 Feb 26 '23

Not only that, biometrics routinely default to the pin if they fail too many times, or just because.

I have devices that never leave the house that I have to enter the passcode for way too often. All of them are iDevices tho, Androids with fingerprint scanners only need the pin after a restart and... rarely after that.

35

u/20nuggetsharebox Feb 26 '23

Not sure about the last bit. My Samsung wants a pin code 3-4 times a day, randomly.

Used to think it was failed fingerprint attempts from my pocket, but it does it even when left on a desk, sometimes only after seconds of being locked.

4

u/earnestlywilde Feb 27 '23

My Samsung has a little message that says something like "after 3 hours without phone use, pin is required" on top of the pin entry

→ More replies

12

u/PabloEdvardo Feb 26 '23

if you open the emergency contact screen on an iphone (power + volume up on new models) it immediately locks it and requires pin to activate again

can be used it you get detained by police and want to prevent them from using biometrics to unlock your phone

→ More replies
→ More replies
→ More replies
→ More replies

99

u/round-earth-theory Feb 26 '23

Yes there is. The passcode should not grant you access to these sensitive areas. Windows allows me to login with a short passcode but that doesn't give me access to the actual Microsoft account. I'd have to enter the proper full length password for that.

The passcode should unlock your phone and grant basic access such as contacts, apps, etc. Anything security related should require you to re-auth before granting view/edit access.

9

u/weenus Feb 26 '23

If I go to the passwords section in my browser settings and click for it to "show" the saved passwords, the verification step is actually that Windows passcode you're referencing.

→ More replies

9

u/darexinfinity Feb 27 '23

The article says that the thief saw her put the passcode in, reinserting the passcode would be meaningless here.

I hate to blame the woman but if someone has your trusted device and authenticity information (passcode). I'm not sure if there's a way to design a fix for this.

→ More replies
→ More replies

50

u/WickedDemiurge Feb 26 '23

Of course there is, and it has existed for decades: use one additional piece of verification for password resets, like security questions. If someone wants the keys to the kingdom, they need to know the name of a first pet, etc. as well.

30

u/Lessthanzerofucks Feb 26 '23

Apple no longer allows security questions, only 2FA with phone number. That’s part of the issue here. If someone has your iPhone and your passcode, they have your 2FA as well.

→ More replies
→ More replies

9

u/The_Elemental_Master Feb 26 '23

With proper security, you'll have to provide a PIN, biometric or password to access your email.

8

u/megagram Feb 26 '23

You really want to provide a PIN, Biometric or password every time you check your inbox for new messages?

→ More replies
→ More replies
→ More replies
→ More replies

276

u/Thefifthmentlegem Feb 26 '23

How about 2FA with both password and face-biometric when changing settings.

93

u/Assfuck-McGriddle Feb 26 '23

All 2FA in every device and with every company is voluntary, and all sensitive setting changes require either passcode or facial recognition.

Source: Apple customer for over a decade now

→ More replies

63

u/RunAwayWithCRJ Feb 26 '23

Did you even read the fucking article?

That's the whole problem. If they see you entering your passcode, they can change your password after stealing your phone and 2FA is literally on your iPhone anyway.

That's the whole fucking problem.

→ More replies
→ More replies

58

u/[deleted] Feb 26 '23

[deleted]

10

u/[deleted] Feb 27 '23

[deleted]

9

u/Peuned Feb 27 '23

Why would length matter if this attack vector is just someone watching you Input the code

7

u/slodojo Feb 27 '23

It’s easy to remember a 4 digit passcode but not as easy to remember 10 and it’s a lot harder to see someone type in a bunch of letters

4

u/mrbaggins Feb 27 '23

(slightly) harder to shoulder surf six digits.

→ More replies
→ More replies
→ More replies
→ More replies

75

u/mikedt Feb 26 '23

until I saw this report I had no idea one could change the iCloud password on any unlocked iPhone. Seems like a big security hole.

32

u/z3r0f14m3 Feb 27 '23

They also need to enter the passcode, so not just unlocked but know the passcode too.

→ More replies

4

u/max1001 Feb 27 '23

Chances are she had her 2nd factor tied to her phone number or another email like Gmail, like 99 percent of the people out there.

4

u/NotPromKing Feb 27 '23

How is it a security hole? How else would you change it?

→ More replies
→ More replies

389

u/catharsis23 Feb 26 '23

This thread is just redditors getting mad at a random lady who had 10k stolen for her... like it's hella weird how mad you all are at her

→ More replies

7

u/bedduzza Feb 27 '23

The one upside to having terrible credit

21

u/boforbojack Feb 26 '23

Yeah why would they be? They are incredibly strict on phone security.

What would you say to a conversation that goes, "Hi, i don't have access to my phone and I don't know the password to my Apple account, can you please block access to the person currently using the phone that managed to log into the phone using the correct verification/code/method because i super duper promise that they aren't the original owner?"

→ More replies

20

u/Ironmike11B Feb 27 '23

This is what I call the danger of convenience. Nowadays, people tend to have their whole lives in their phone. If, as in this case, someone steals it, they get instant access to just about everything. I have nothing linked to mine. Maybe it's because I'm old, but I don't like having my whole life online.

→ More replies

4

u/chaosawaits Feb 26 '23

It says $10,000 was taken over 24 hours, but does anyone know how long it took before they started taking out money?

The first thing I would do is call the bank and have the account frozen. Then transfer all the money to a new account. Forget the phone. You’ll never see it again.

→ More replies

4

u/Phastic Feb 27 '23

The passcode on its own is a very powerful tool. If you save passwords on device, you can bypass Face ID with the passcode, not to mention that they’d already have access to the mail apps which can easily be used to reset many passwords for accounts if the passwords are unknown/not saved on device, and not to mention the fact that they’d already have your phone number which means any 2FA that gets sent to your number is in their hands. And whether or not you have your bank app installed, they can easily bypass that as well.

The only way I can think of that apple can solve this can also be a heavy concern for users in terms of how much control they actually have.

6

u/Alukrad Feb 27 '23

I'm envious that people could keep more than 500 bucks in their bank account.

→ More replies

4

u/bolteon593 Feb 27 '23

I must say, that as a hard Apple believer… it is a really bad choice to allow resetting the recovery keys by passcode alone.

If you have those enabled, they need to be resettable only with the iCloud password used to create them. That would solve all the issues here.

5

u/Comprehensive-Range3 Feb 27 '23

Remember, when you put every single piece of your private life on a device you carry around you have what is known as a:

SINGLE POINT OF FAILURE

17

u/Komlz Feb 27 '23

I'm losing brain cells reading these comments. I worked for Apple and their system is definitely not perfect but I honestly don't see a reasonable work around to being able to reset your apple id password other than passcode.

Recovery keys, security questions, 2FA, Trusted devices. They have tried it all. There's still people that forget everything. EVERYTHING.

Your 90 year old grandma probably uses an iPhone and iPhones are supposed to be the user friendly smart phone. You guys seriously expect them to complicate the account recovery options for better security and fuck all of those forgetful people over? And I'm seeing a bunch of people in these comments suggesting old methods that Apple used to have....like actually suggesting moving backwards.

If someone figures out your passcode or uses your biometrics and steals your phone and resets your password, that's honestly too fucking bad. Call your bank.

And I'm not saying this as an Apple shill either. I'm a tech lover, I own a Galaxy, I worked for Apple, I love smart phones, I dislike Apple and Samsung's scummy practices.

→ More replies

32

u/ImaginaryEffort4409 Feb 26 '23

Many people here are blaming this lady for what happened, but this could have happened to anyone. Many services use text message or email as 2FA. Since the thief knew the passcode, there was nothing much she could have done to prevent this. They would have had access to both email and text messages with the passcode. A lot of banks don't even have any other option than to use text message 2FA. Yes, she could have used Authy with a different passcode, but most banks don't even offer that option.

→ More replies

48

u/btc909 Feb 26 '23

Rare = Something that happens very VERY often.

60

u/fordette Feb 26 '23

Lot of people on here hating on her and Apple. How about the criminal? Can we hate on that fucker for a bit instead? Amazing how we’re busy blaming a company who sold her a phone and a lady who was robbed.

18

u/Special-Bite Feb 26 '23

This is the correct answer.

It would be great if authorities pursued and prosecuted grand larcenies so that people who do this can be removed from society and others will see it as a deterrent.

→ More replies

5

u/FullCrisisMode Feb 27 '23

Call me crazy butttttttttt why is there such thing as instant credit availability? You'd figure a credit agency would create a verification step to prevent fraud. A simple call or use the email on file.

Should be standard. In the US anyone can apply for credit and be spending thousands in minutes. It's honestly one of the craziest things allowed.

→ More replies

4

u/great_divider Feb 27 '23

Damn, she had 10K in her bank account? Nice.

→ More replies

5

u/py2gb Feb 27 '23

I have a question. My iPhone has Face ID. My banks require Face ID to access the account. I get 2FA for any transaction above 20 USD (non-American here). I have a somewhat complex PIN.

I am very interested in the events that lead to everything being accessible.

→ More replies

43

u/darkstar1031 Feb 26 '23

If your card or Apple Pay/Google Pay/Samsung Pay device is stolen:

IMMEDIATELY CALL THE ISSUING BANK

The issuing bank will have a fraud department which WILL help you.

→ More replies

21

u/StephJ___ Feb 26 '23

Well they shut down most branches during Covid. I still managed to trade in my old MacBook for a brand new one with a discount.

In cases of theft though, head to the bank first.

→ More replies

23

u/TimeAndOrSpace Feb 27 '23

Everyone shitting on /just/ Apple in this thread not realising Google has the exact same problem (resetting account password with only phone pin) on Android

https://www.androidpolice.com/google-account-device-passcode-forgot-password/

→ More replies

29

u/BobertMcGee Feb 26 '23

Do: use FaceID or TouchID.

Don’t: type your passcode into a phone in a crowded bar where anyone can see what you type.

→ More replies