Apple’s iPhone Passcode Problem: Thieves Can Ruin Your Entire Digital Life in Minutes | WSJ
iPhone thieves across the country are locking people out of their Apple and iCloud accounts and gaining access to Apple Pay and bank apps, draining them of thousands of dollars-sometimes before victims even know what happened.
How do they do it and how can you protect yourself? WSJ’s Joanna Stern investigates.
Watch the next chapter in this story. Joanna digs into the setting keeping victims out of their Apple accounts: • How iPhone Thieves Loc...
Illustration: Elena Scotti/Kenny Wassus
0:00 How are iPhone thefts happening and what can you do to better protect yourself?
1:25 An iPhone theft story
3:25 Can an iPhone passcode really unlock your entire financial and personal life?
7:24 Safety measures and security tips
Tech Things With Joanna Stern
Everything is now a tech thing. In creative and humorous videos, WSJ senior personal tech columnist Joanna Stern explains and reviews the products, services and trends that are changing our world.
#iPhone #Passcode #WSJ
If Apple just asked for the current Apple ID password instead of just needing the iPhone passcode to change passwords none of this would have happened.
They do. I don’t know what these people enabled.
@@NinjaRunningWild thats what I thought
@9pm Till1Come Yes and that-s also wrong for apple to do. That one password should never be accessible on keychain no matter what.
@@NinjaRunningWild I just checked on mine and you only need pin to change icloud password.
yes, but they do this because 1000x more people complain that they forgot their AppleID pw and then have trouble resetting it (especially if the iPhone is their only Apple device). Then WSJ would be doing a video about how awful apple is for making it so hard for people to reset their passwords and locking people out of their accounts. Security policy is always about making tough calls about where to draw the line between convenience and security. Far more people are affected by forgetting their passwords, than the relatively rare instances described in this video, which require not one but a whole cascade of failures to occur.
Apple should consider verifying the old AppleID password before allowing the user to reset a new one
doesnt work if people have their apple id password saved in icloud keychain...
seems like that alone woud solve half the issues
What if you have forgotten your AppleID password and want to reset it?
@@abhimalik8437 Then use 1) a second device to authenticate the user or 2) security questions.
Except the AppleID password is only used in very few instances so it is very easy to forget it.
I feel so bad for her. You can tell it's more than the money. For most people, everything is stored digitally. It's the stress and mourning of losing your memories. Terrible.
I agree, poor lady 😔 It's an important lesson for her and everyone else to take digital security more seriously. This video is a great example to show friends and family who don't. It might open their minds a bit when it comes to these things.
I must've jinxed myself because a few days later my phone got the black screen of death. Thankfully I back up family photos onto drive pretty regularly, but I hope I don't lose all my other photos, memos, messages😭
@@frankfeng6199 But how can they steal money from her bank account? In my country, it's a two step verification. One with OTP message code, and your bank pin number. Is it different in the USA??
@ghost mall But how can they steal money from her bank account? In my country, it's a two step verification. One with OTP message code, and your bank pin number. Is it different in the USA??
Also look what happened to Jennifer Lawrence and other Celebs. (altough some people say they leaked the photos to gain popularity*) *not gonna lean towards one or the other side, I simply don't know
One thing I recommend is that you should use your face ID or fingerprint (if the iPhone your using has it) whilst in public or instead of using your regular screen protector, get a privacy screen protector instead. This will reduce the amount of people that will be able to see your phone. Also, just be aware of your surroundings in public, you never know what could happen.
Iphone has ffingerprint?
@@Difracil The iPhone 5s - 8 and SE models do (Touch ID).
@@LOTR_BTTF well that's an old model. Do you think robber will bother to steal that?
@@LOTR_BTTF , I prefer Touch-ID over Face-ID at any time.
I’m a bit confused. I have Face ID to get into my iPhone. I suppose that a thief could steal my iPhone when I am logged in play with my iCloud account. But my bank apps here in Australia require a separate login or face Identification. I’m assuming that a thief’s access to my iCloud account will not give them access to my bank accounts unless Apple somehow allows this.
It’s absolutely crazy that there isn’t an additional layer of security when resetting your Apple password. Thank you for reporting it, this is what good, useful journalism looks like.
I thought you had to authenticate with 2FA to change an iCloud password?
@@Bradley-Thomsen Yes you do, unless you go out of your way to disable it manually.
But there is an additional layer. Just tested hacking my own phone, and the methods shown here doesn't work.
@@Bradley-Thomsen🤟
I don’t believe this one bit no one can change your iPhone to change the passcode to lock you out of it unless you didn’t have a passcode to behind with then at that point they can make a passcode to lock the person out then they can use that new passcode to to change their password this is BS 😂
I consider myself tech savvy. Everything connected, everything cloud, everything 2FA, complex 10 digit passcode, etc etc. And I honestly thought, I wasn’t going to learn anything from this video. I was wrong. Thanks for making this. Some bubbles have burst for me.
Because you're not tech savvy.
@@prevaloir5362😂😂😂so true
@@prevaloir5362 no. It's because he's not theft savvy
You aren't nearly a tech savvy as you think you are. Switch to samsung knox
@@carstenb23😂😂perfect
Thanks for making this! Went through and updated all my security because I live in a high crime area, and this is my biggest fear
Then ditch apple and use real computers and phones.
Having lived through exactly this, I'm so grateful that Joanna and the WSJ are bring attention to it.
Or not tie yourself to the Apple ecosystem. Use 3rd party password managers. Preferably open source. Get an App Blocking application. Commonly referred to App Lockers. Encrypt your files.
Did you have your 'memories' backed up on separate hard drives? Remember, the cloud is just someone else's hard drive.
@@jamesedwards3923 I did not. I thought paying for the premium storage tier at a Fortune 3 company would protect my data just fine. It was a conscious decision to stop backing up locally but obviously not the right choice.
@@lucabrasix Never go with showmanship. Go with what it is and what the potential is. Never anything else.
Everyone needs to do these 3 steps: 1. Turn on Screen Time, set a distinct screen time passcode. 2. Enable Content & Privacy Restrictions 3. Within Content & Privacy Restrictions, set both Account Changes and Passcode Changes to Don’t Allow This prevents an attacker from changing your Apple ID password or making changes to Face ID/Touch ID. It can’t block everything, though, but it limits the damage that can be done. Edit: I've since discovered that this is not foolproof. There are ways to bypass this and still get to the screen to reset Apple ID Password. There is no real solution until Apple fixes the flaws.
Yup. Another case of users using a device they did little research on.
Thank you!!
@@dinoscheidt if it's not the default then it's not a lack of knowledge issue
I’ve just done this now. Thank you
Thanks for the tip
FYI Lastpass shown in the video has recently had a massive security breach as well, so storing data in there is also questionable.
Yup, I just deleted my account with them. Bitwarden has worked well for me.
Thank you, I was about to say the same.
Yup
1) Meta data was expose. 2) Stored password hash databases were stolen. Correct, unless you had a garbage password and a very low iteration count. Your passwords are 'reasonably' secured. Password databases if done right. Are hashed. Research hashing and iterations. That is the entire point. Every other major organization and industry has gotten breached. Last Pass got breached? So what? 3) She was too lazy to buy a few hard drives. To backup all the pictures and files she had on the cloud. That is completely on her. I am going to take a shot in the dark. That she makes at least $20,000 than me gross. I barely qualify as middle class. I do not blame people for getting hacked. Most Apple Users I have known. Are lazy and or ignorant of their own technology. There is one person in particular. Who did everything wrong. After me explaining in detail for years. What to do and how to do it. I am not an expert. I did not finish college. O and I am bleeding money right now. So following the basic 3 2 1 Rule. Too lazy to go to any other store online and offline. To take $1,000 to $2,000 max and buy a bunch of drives. I buy Apple stock. Simply because I have done enough research on whom Apple targets. For the most part. The rich & ignorant lazy people. Apple puts a lot of its security on easy mode. And people still do not do everything Apple allows you to do to secure the account. 4) My password managers are open source. So any zero day exploit can pown me. At least everybody sees the code. How secure do you 'think' you are? FYI, I respect Apple not screwing over the entire human race. That being said, you do not see the source code. I am not a programmer. At least I could if I wanted to. Learn coding or failing that. Pay a bunch of people at random to review it under penalty of law. To tell me if it is solid or not. 5) Another lazy Apple user. Again, sucks she got hacked. They do have App Blocking Applications. The best I have seen are tied to Antivirus programs. 6) PINs? Most users use PINs for all their mobile access. Horrible idea.
I always though I was a little paranoid for using seperate codes for all of my apps. Great video.
One thing the judicial system can do to help is to make sure these thieves serve hard time instead of just getting a slap on the wrist.
That doesn’t help and never has . Yall think cages are the answer and it AINT . Stop
@@CadiKaneit is the answer!
@@CadiKaneactions have consequences behind them so if you don't learn life will teach you.
In Brazil it’s common to have 2 smartphones, one stay at home with the bank and financial apps while the other one to be used outside. Another security layer lies on the screen time passcode. If it’s set with a different passcode it can be useful to block account changes, passcode changes and cellular data changes
i have a second phone too, i live in europe and i mainly use it on travels.
Good to know!!!
great advice. the accompanying WSJ article mentions the Screen Time protection
Good tips! Thanks
Yep, I have 2 phones for travel!
Shoulder surfing is exactly why I think people entering their phone passcodes in public is insane. Yes, biometrics are static, but getting a useable copy of them is harder than watching someone enter a PIN. And there's a limited number of attempts the thief gets at trying to trick the biometric scanner before the device disallows biometric access.
I feel horrible for that woman. She deserves better than that. It's kind of disgusting how low some parts of society have gotten. Some banks can be pretty good about reacting to unauthorized transactions. And making attempts to prevent things like this from happening in the future. She deserves her memory's back and her peace of mind back.
@Toboe Key It is not her fault for using a cloud system... everyone does it. It's easier to work with than carrying hard drives that can get the tiniest bit of liquid in them and they're gone forever. All and every method has its disadvantages
Honestly, my financial institutions simply block most transactions that seem the least bit suspicious, often making me need to explain to them yes... it really is me doing a purchase.
interesting and informative article. Wish your tips at the end mentioned something about a second backup location, though.
Joanna, this is great reporting, but you failed to report on the built in way that iOS in fact does provides its users to be protected against this attack, and has been available since iOS 12 (2018). All you need to do is go into iOS's Screen Time settings (turn it on if necessary, set a password different than the device's password), then go to '"Content & Privacy Restrictions", then down to "Passcode Changes" and "Account Changes", then set "Don't Allow" to both. This makes it necessary to enter this second password in order to not only change the iCloud PW but also to make any changes to your account.
Exactly
This 👆🏽
Thanks for this. Just did this now for my iphone ❤
Thank you for this. This was not known and it’s been a great find for me. I had this enabled immediately.
Did this and it prompted me to enter my Apple ID and password so I can use that to reset screen time passcode. I suggest skipping that (hitting cancel and accepting the skip on the next pop up)
why is a 6 digit phone passcode enough to change your apple id password, this is mental. who came up with that
Iphone
Yeah I thought you needed the Apple ID’s password
@@MasterKey2004 same
It’s not enough to change your Apple ID buy it’s enough to get into the password manager of the iPhone and then you can get the access of all profiles. It is not only an iPhone problem, it’s a problem of all digital devices
This is the dumbest thing Apple has ever done.
This has happened to me. My advice is 1. To have your 2 factor verification sim, in another separate phone. The thief’s wont be able to get your OTP in order to change your bank passwords etc. 2. Do not store passwords on your phone. 3. Remain logged out of all financial websites and apps.
Thank you for making us aware!
This happened to me in London. Apple refused to believe it was possible. Their response in this video is telling.
Did you have biometrics on and the phone happened to ask for the PIN code, which then was picked by an outsider?
@@terohann sometimes the iphone just ask your passcode because it didn’t recognised your face or for no reason, just for fun.
@@terohann yes exactly this. And then the thieves were able to bypass Face ID to use my wallet and access my banking apps
You can also be robbed at knifepoint and forced to give them your passcode 😢
Of course they didn't own up to their mistakes. This is the fundamental character flaw of the company and ALL it's users. Anyone who is capable of admitting and learned from their mistakes wouldn't still use apple.
That already happens for a while in Brazil. It’s honestly good to know that WSJ is bringing attention to this lack of security, so that Apple finally do something about it 😪
Whenever I travel abroad I use a burner phone... it only took me one time to get my phone stolen to learn that.
7-1
@@TainoblazedYou bring a phone good enough for the job. That does not look expensive. Even the case.
I don’t get it. This whole thing can be avoided with using Touch ID or Face ID.
Lies again? Fail Security
It's a good idea to keep the phone unlock code different as banking apps. Also, it's possible with android to use different methods for different things: fingerprint for screen unlock, pattern for something else etc. Is it possible to export images and videos to an external hard drive, so that you don't lose them even when locked out of your apple id?
Thank you for making this video! I had never thought of how powerful and dangerous that little short code could be. I will definitely be making some changes.
Woah! I didn’t realize what could be done just by knowing your passcode. Great job reporting as always!
I can't tell if this is sarcasm.
@@AndrewCortesi I meant what I said. Didn’t know it was so easy to change password with just a passcode. Always thought you needed to put your old password, but all it takes is just your passcode.
@@koolkat214 i am supprised that you didnt know that, that is the reason why biometrical is so important. When you use bio insted of a pin nobody can see how to get into your device
@@MrJudgi I have Face ID on, but even with that on, I’ve just now learned that it is useless if someone knows your passcode. I always thought you needed more than just a pass code to change your Apple ID, but this video was eye opening for me.
yeah i'm glad i use safe Samsung
Storing your SSN in photos is just outright stupid. But the sad fact is that when you tell it to your friends and family they reject it immediately saying you’re being paranoid. Then here you go - stories like this happen.
There’s nothing paranoid about it
What’s SSN
Dude, the ignorance of technology. From people younger than I. Is amazing. I once asked a 18 to 20 year old. Woman, did you store the data in .pdf? She looked so confused. Keep in mind. I am casual user who grew up between Windows 95 and Windows XP. Apple Users are amongst the worst offenders. You can store an image in an encrypted state in so many ways. It is laughable, when I explain it to people half my age. They have absolutely no clue. In my experience most users 'understand' why they should secure their data. They just do not want to learn how on even a basic level.
Storing critical information in a unencrypted state? Horrible. People do this nonsense all the time. There so many ways to encrypt data and files independently. In my professional and personal experience. Most users are lazy.
@@jamesedwards3923 You said: "Apple Users are amongst the worst offenders." That's because most Apple users think Apple devices can not be hacked or get malware. It is exactly what Apple marketing has been pitching and it works. Their fans blindly believe it.
I realized this years ago and only use Biometric Face ID in public. If I have to use the passcode I go to a private spot away from others or make sure no one is looking over my shoulder. Now you have Stolen Device Protection which makes you wait an hour to enter your passcode, giving people time to get into their Apple ID on the Cloud and block whoever stole the phone. But I’ll bet most won’t use it.
Thank you for this report. Chilling.
A possible solution: Face ID or Touch ID must be required from your device to change any Apple ID passcode. Also, a secondary passcode should be enabled for users to regain control.
I know some people with iPhones where their Face ID doesn’t work on the phone. I think they dropped their phone and then it stopped working.
It would be enough to just ask for the old password. Also, what do you do if you've had face surgery and lost both arms at the same time?
Bad idea, not everyone wants to use biometrics and it's also not surefire to work.
@@fanban2926 You've not thought it through. You can have up to 5 ways to have double authentication. PIn + FaceID Pin + Fingerprint Pin + Physical security key, either a usb key, or touching an airtag for example Pin + Being in proximity of a device you set as trusted at home Pin + Account password Pin + additional Pin 😆kinda like you needing to enter an additional Pin to open your Bank account on the phone.
A secondary “passcode” already exists, it’s called Recovery Key. Which is way longer than a passcode.
Seems like the easiest fix for Apple to implement is to have a separate passcode for unlocking the device ONLY. And/or give a warning before using the other passcode like: WARNING: this passcode is linked to your iCloud, passwords, and other sensitive information. Use extreme caution when entering it in public places.
Or just implement touch id..
Well nobody would remember the passcode you never type in , they just should use Multi-factor authentication. So if you want change your apple id password with your passcode you have to allow it with a second apple device.
@@BENJB220 I see what you are saying, but that is pretty bad in justifying apple monopolizing your devices, further not everyone can afford or want to buy into the walled garden.
@@BENJB220 "you have to allow it with a second device.*" Don't give them ideas on how to further lock people in to Apple ecosystem
@@Nicholas_Steel haha true. But unfortunately they already do it if you sign in your Apple ID to a new device.
Thanks for showing us what we need to do when we want to get our phone swiping ring going.
I've just recently been a victim of this crime and I can tell you its horrible. Besides the thousands of dollars I've had stollen, my photos, contacts, and personal items have been put out of reach and Apple has done nothing to try and fix this. When I call them, it's clear that these security protections were not considered in a scenario where a user no longer has access to any of their trusted devices. I have a Macbook and an iPad and could not verify my identity on either of those devices. My hope is that reporting like this and calls from hundreds of other people as unlucky as I will get them to come up with some solution.
Next time, turn on your recovery key. Then call Apple and provide these 28 digits and Apple can help you further. Without this key, Apple cannot do anything for you.
Very insightful, some obvious points that consumers are aware of but just choose to ignore these. This video will probably help everyone rethink the security which they have set up on their phone and improve it by making the suggested changes. Thank you.
Thank you! I’ve been telling this for years and it’s mind boggling that a company like Apple, who spends millions of dollars in security every year, have not seen this simple and easy to fix issue with their devices.
FaceID stops shoulder surfing.
@@brandonw1604 Many have mentioned FaceID and TouchID, but it won't be a full solution: Thieves will just point the phone to your face for Face ID or rip your finger off for Touch ID and then change your passwords, and you have the exact same problem as before!
its not simple and easy to fix, as literally more than a million to one ratio of people have problems with forgetting their AppleID password and having trouble resetting it (especially if they only use one apple device) compared to this extremely rare crime outlined here. They would be solving one problem but in turn creating a million new ones. There are a lot more articles/pieces about evil Apple “locking people out” of their account because they forgot their password than there are about this problem.
@@basicallyhuman Mostly false. FaceID works in pitch black darkness as it uses the infrared flood illuminator, rather than using the camera like many paltry imitations on other devices. So bad lighting has no affect. FaceID also now works even with a mask, and before that you could also use your apple watch to unlock it with a mask. The time out period for lack of use is 24 hours. I find it hard to believe that anyone using their phone in a bar at the end of the day would have not have unlocked their phone once in the past 24 hours.
@@wotube6387 make you look after they steal your phone or take your finger? This isn’t happening in Kabul it is NYC.
Much needed video 🎉
Even SBI uses two different password (one for login and another for accessing profile and payment) and so does reputable Android companies, few extra with extra protection layer such as knox, Titan and think shield.
Apple definitely needs to change the password change process. That would literally nail this on the head. Additionally, for other people, cloud backup IS NOT A BACKUP SOLUTION! You should also have an additional physical copy of your data at the very least if you really truly care about your data. You can't rely on convenience to save you.
I still do itunes backup on my computer which is also backed up somewhere else
In these three steps I already use complex passwords with numbers letters and others included. However, I use Face ID most of the time unless the device has been reset or shut down and turned on again. But like mentioned in this context it is necessary that we follow in order to reduce the risks of our digital lives.👍🏽😊
Solid useful information!
Apple needs to have mandatory security questions to change the Apple ID password or at least require a fingerprint. That would have stopped them immediately. Great news story.
Anyone have device passcode can add his/her fingerprint to touch ID, that's still cause the problem
great idea
Do you know how many people forget the answers to their security questions???
@@lauragonz34 if you forget the name of your first pet or the street on which you grew up, you deserve to lose your phone.
Security questions are way to easy to guess and 99% of the time are either on public records or can be found online and on social media which many people do not keep private. It’s because of this reason that many companies are phasing out security questions. The 2 examples you gave (the street you grew up on) can be found through white pages, and (the name of your first dog) will most likely be on your social media. Not always but it’s a pretty good bet.
Lesson for this video: while in public, use biometrics authentication so that you don't leak your passcode. While interacting with authorities, use passcode because they can use biometric to unlock your phone but not your passcode because biometrics is "who you are" and not "what you know" so the 5th don't apply and the pigs can unlock your phone that way.
Yes but they don’t offer Touch ID on newer phone for some reason
@@organizedchaos4559 they offer touch id on the SE. And anyways just use FaceId
The biometrics will prevent this specific attack, but they are not superior to passcodes. They have different vulnerabilities, and most importantly, once compromised, cannot be changed.
Everything about here is so stupid on Apple's part. But I also don't get why the woman doesn't have Face ID enabled. Can we confirm if this vulnerability exists if you have Face ID enabled too?
@@organizedchaos4559 Face ID works the same way. That why I use the term biometrics and not touchID
I've been thinking about this issue lately; how I have everything in my life on my Apple and Google accounts, and knowing that if either were compromised I would lose everything.
if you are that worried about it, it would be relatively trivial to make a physical backup of your most important and precious data to something like an external HD, and store it somewhere such as a safe deposit box or trusted relative’s home. For critical data, it’s always fundamental to have multiple redundant backups, if you want your data to be preserved even in the face of catastrophic failures. You should look up the 3-2-1 Backup strategy and implement it if you are concerned. This will also protect against things like ransomware attacks.
Just use memory cards. It’s better that way anyway.
It's why I'm still paying by credit cards, credit cards companies have loss prevention department 24/7 to lock the account after they verified you. Customers are not responsible for the charges from thieves
@@___beyondhorizon4664 what are you talking about? A CC company can’t help you get back your lost baby photos or all of your business contacts and appointments. They don’t even offer financial restitution.
Excellent report. Look forward to more.
Great advice. Thanks! Making changes to security asap.
Other apps should implement their own passcode mechanisms and not rely on the iPhones password. Also I was really shocked when I found out I could change my iCloud password with just my iPhone passcode. When you have the passcode you can essentially access everything on someone else’s phone since most of the authentication mechanisms fallback on that.
Other apps already do that. You have to manually change them to use Touch ID/Face ID, and regardless of what password you use to sign into them, if you let the phone save that password into its own password manager, then that’s still a user choice, not something it does automatically.
@@babybirdhome a lot of apps where you can protect with Face ID / Touch ID can still be unlocked using the phone's Passcode. In other words, they don't allow you to create a specific PIN code.
When I go to access my banking apps on my android it forces me to use my fingerprint and doesn't allow my pass
Wait, there are people that don't treat their phone's passcode like an ATM pin? I'm blown away by this! I use fingerprint in public or check over my shoulder before inputting a passcode.
There are people who don't even lock their phones. Super sheltered people who have never lived as victims until sometime in their future.
Biometrics is the easiest to hack hehe 🧑🏫
Does iPhone give you the option to put in a letter password? My Samsung has an option to use passwords with letters than numbers.
Amazing content!
It has been happening in Brazil for a while too. I would recommend also locking the SIM Card.
Yep I lock my SIM card but only works when I have my phone off and they turn it back on again they have enter a password
I think the lesson learned is to be more careful when using your phone in public, maybe a 6-digit passcode is not long enough especially if they can use a 6 digit passcode to basically ruin your life.
😔 Maybe we need a better system? But what would that be? 🤔
@@hansolowe19a separate passcode for settings.
@@bngr_bngr that would certainly help.
@@hansolowe19 I‘lol bet most of this started during c0vid when everyone was wearing a mask. iPhones couldn’t recognize people’s faces so they were forced to enter their passcode every time.
me seeing this with 4 digit passcode xd
What about using physical security keys like Yubico? Would changing the password require them? If that’s the case they would need to steal them as well.
This isn't really different from any kind of purloined password situation. The problem is that it's easy to see people entering the iPhone passkey in public. Wearing masks made this worse, since even with Apple's hacks to allow face id with the mask on, sometimes you need to use the passkey. If it were available, a combination of fingerprint OR face id would help a lot: use face id but if it doesn't work, use the fingerprint sensor, with the passkey only if both fail. The best cultural change would be to get into the habit of always ensuring privacy before entering the passkey.
I would highly recommend iPhone users to change the Account Changes in Screen Time to Don’t Allow - this will disable access to your Apple ID. Also, changing the Passcode Changes to Don’t Allow will hide the Face ID & Passcode option in settings. If I remember correctly you will be asked to create a new pin, which will used to gain access to these settings - this will be a different pin from the passcode to enter your phone.
Just make sure you don’t allow Apple ID reset on your screen time PIN
Just tested this, I have still been able to hack myself, it just took longer.
Looks like the only protection against this type of attack is to have advanced data protection on with a hardware key set-up. Just make sure you hold your recovery key in a secure offline location. Inconvenient but a must do if this attack grows in popularity.
@@pingping7594 how were you able to hack yourself?
What about using "Screentime Restrictions" to block "Account Changes" with a screentime PIN different from your main passcode?
It is also a headache to enter password too if it is a strong one. Maybe best solution is to ask for passcode and secondary security check could be face id and if not enabled enter password
Using an alternative password manager was the first mitigation I thought of. Terrifying problem, great advice!
Surely having Lastpass so prominent is also not very safe, as they have been recently hacked 🤔 Another advantage in keeping a Sim card as you can lock those as well
great guide! gonne try it this weekend!
GREAT STORY.....................THANKS
You can also configure Screen Time to block changes to the Apple ID, using a different passcode
I think this is the best idea yet, stops changes to accounts and passcodes. It seems there are ways to reset the Screen Time passcode, however most of these methods mean the reset of the whole phone or requires an encrypted backup of the phone which if you set the encrypted backup password that cannot be changed. Not sure if there are other options, but a good idea.
@@miketech79 I'm surprised this wasn't mentioned in the video
How can I do that?
@@Nicx8 settings, screen time, content privacy restrictions, account changes, don’t allow. Then just set a different passcode for screen time
@@cesarkuroiwa thanks for the heads up
That's why you should use biometric authentification methods. I use my fingerprints for authentification and set a whole complex password as code (with special characters, letters and all that good stuff (it was fairly easy to configure on my android device). Also it locks the option to authenticate with finger print after 72 hours (or a restart/shutdown of the device) I also use high capacity micro sd cards in my phone to save my pictures and don't rely on any cloud solution. (They're backed up regularly with a NAS server) I also use linux mint as my computers operating system with drive encryption. I also generally don't do any banking with my phone. Do these simple little things and you'll be unlikely to get stolen of everything valuable to you...
Barely anyone uses SD cards or backs up their stuff to a NAS server let alone use Linux
@@mich977f You should. It isn't expensive (micro SD cards are dirt cheap, and NAS servers are easily built and configured with an old PC) and Linux is simply the best OS Kernel there is. Most distributions are free and some extensively open source. There's no reason not to use a Linux distribution for mondane office works. If your work needs a Windows program use wine or a Windows VM. If it requires USB pass-through use dual boot...
At 6:33 they say it works the same way on android. But that doesn’t generate as many clicks and views.
I hope things work out. And …Maybe let’s all stop storing our bank logins and personal identity info on these devices. Everything is not made for digital spaces.
Yes, very true. Awareness discussion, good WSJ.
Blackberry used to have two separate passwords, one for the Lock Screen and one for the password vault. And it used to have picture password, where you put a chosen number on a specific part of a picture. It was basically unbreakable. Apple needs to have a picture password as a lock.
I still have my Z10 - yeah I do miss that password unlock !!
@@serggc, I thought, Blackberrys are dead by now, because the servers were shut down.
@@stolmich I think you can self host one... haven't used mine as a daily driver in years. but it still boots ( I turn it on every couple of months - Gmail still worked on it last time)
@@stolmich and I just remembered! the z10 ( and all other blackberry 10 OS) don't really need BB servers to access internet / emails / messenger. They have a limited setup but this is something i did when i got mine was cancel the 1€ per month surbscription with my carrier for that BB server.
Omg this is eye opening
Thanks for bringing this very special video to us.
Really good piece, I’ve never saved my banking or email passwords on any device for this reason. There are some passwords that you should only save in your personal memory (aka your brain). Also, make a local backup of all your photos, even without theft if Apples cloud got compromised you could lose everything.
THIS! It’s good practice to put your photos on an SD Card. I do it every 3 months. It doesn’t take long at all! Set a reminder. It’s so worth it to not lose all your memories like this poor woman has!
Same I never use Apple Pay and people are like sheep they think it’s cool until someone gets ahold of stuff they can use
you know that passwords are biometric and pin protected?
@@bradyhunsberger An SD Card can get stolen if it remains inside the phone.
In Sweden we have "Bank ID", its an additional layer of security that protects all your bank apps, goverment apps, mail apps, stock brokage ETC. Its installed on your device and when apps need to verify your identity they just send you to the app and you have to type your unique passcode. You also use it to get in to all these accounts on other devices, then you just scan a QR on the computer screen from the app and then type the passcode on your phone, you also use it for every card transaction online. Ive never understood why all countries dont have this.
it’s an easy way to track people
GREAT video!!! It all could change, initially, if Apple asked for the current Apple ID password when you want to create a new one. I hope they change that on the next security update
I'm pretty sure on Android bank apps by default will not store a password in keychain. I'm pretty sure Samsung knox doesn't even allow this, with a requirement only to be used with biometrics
There's another thing people can do and that is to enable screen time with separate passcode and then in content & Privacy restrictions disable account changes and passcode changes that will effectively block Access to the Apple ID tab in the settings app
Really good advice! I’ve used it for many years. Gives you a second layer of protection.
U can just disable it and then move on to change ur Apple ID how is that a fix ? If a thief went to the effort of stealing ur phone and passcode he would definitely be willing to take two more seconds to disable screen time and continue to lock u out of ur phone
Thank you for this story- now I know how to use my phone in a more secure manner while in public. Hopefully Apple views this video as well!
one bank account online for payments and your savings should be offline account, no internet... in person in the bank for transfer... good tip?
Also, if you have it set up, turn OFF Passkeys & don't use the saved passwords feature for your email and other important services. These are also protected by your pin code on your phone - so they could change not just your apple ID passcode, but your Gmail too
This video just prompted me to switch to an alphanumerical passcode for my phone. Good topic to cover!
Excellent story. I’ll be making changes where needed… and avoid bars😛
Fingerprint sensor... Wait 🤭
Just go to settings-> screen time-> content and privacy restrictions -> disable change passcodes and iCloud account changes. That’s it.. you don’t have to worry about anything else.. your welcome btw.
We need more of WSJ tech/investigative journalism to make REAL impacts. Not just some leaks about next titanium iPhone. (Those are fun too, but not as important as what this piece is).
A good solve for this would be the ability to use a second passcode (different from the unlock code) for stuff like accessing keychain and changing appleID password. Basically everything except unlocking the phone should have a separate password/passcode since unlocking is something we do a lot in public and sometimes the device forces to enter passcode instead of using faceID.
There's probably multiple ways to do this. The user could maybe choose between one of the options or select all of them and only need 2 out of 5 to get into the settings: 1. A second authentication device, like a USB security key that has to be physically set into the phone - OR - registered Airtag has to touch the phone. 2. Face ID in addition 3. Touch ID in addition 4. AppleID Password in addition 5. Set a home device as secure device, like Macbook, which can easily access settings, while the Phone needs two of the listed methods.
This is already possible and a feature of the iPhone and has been in its current incarnation since 2018, and before that since before 2010. You can use Screentime (before that, “Restrictions”) to set a separate passcode, and require this passcode to make certain changes on the device, such as to accounts, the saved password list, and the password reset. Joanna was either not knowledgeable enough to know this, or negelected to mention it. The fact that this has been available for over a decade, and hardly any users use it (and was not even mentioned in this coverage) shows how rare this instance actually is and that few if any users would actually bother to go through all this trouble, as the loss of convenience is worse than the relatively low risk of an attack like this.
@@spacecadet2172 WRONG. The screen time passcode can be reset by clicking "forgot passcode" putting in Apple ID (which can be easily guessed or obtained by looking at emails, app store, itunes store, apple music, apple tv, find my, etc), and then resetting the screen time passcode with either the phone passcode or a simple SMS to the phone itself. This is dangerous advice to assume that it is secure when it is not.
So basically more like the windows hello system. I kind of like that idea.
Shouldn’t use of physical security keys prevent such form of attacks? I guess YubiKey is required to change iCloud password then?
This is insane! Wow, my heart goes out to anyone affected. Very shocking… Apple needs to fix this. I use all platforms and operating systems for work and luckily barely use the iPhone. I will check the settings and make these adjustments
Apple MUST DO MORE! THANKS Joanna for alerting everyone!
How about you? You can do more... It's many other option on the market... But you have to spend time from learning other kind of phone... Really!
Saving your bank app's password in the Apple password manager isn't a smart idea. In Turkish and Norwegian banks, it's actually not even possible. Those apps won't allow passcodes to be stored.
In my country too. It’s not possible.
The option should be there regardless. However when it comes to bank activities one should have the credentials etched inside their own minds. Or even on physical paper and stashed somewhere in the house such as a notebook. The notes app also lets you make up a password for the app itself with letters and numbers as options. Meaning you can have certain notes locked and only accessed via said password specific to that app. If anyone has other sensitive data on there, that data has a diff password from the main one used to unlock the phone thus preventing data leaks. This is why its a bad idea to screenshot passcodes and what not. It's also important to keep the OS updated for security patches. Touch ID and Face ID would also really come in handy. The fact she has a Mac is also an issue itself vs if she had a Windows PC with iTunes on it she could have manually backed up ALL her Data on it. Meaning she didn't have to upload to the iCloud unless shes constantly running out of space. Strange tho, if i recall correctly; to change the apple id they need a separate password vs the main 4 digit code that unlocks the phone. My guess is she had that info either in the notes app (with no password specific to notes app) or she had screenshots out in the open on her photos app. Furthermore having bank passwords saved on your phone is a bad idea. She could have called her bank to freeze her accounts too... Just makes me angry for them. In this case filing fraud reports with the banks seems like a dreading task but more than likely they can get their life savings back. As for the priceless picture memories on the wiped iCloud id, big rips.
@@Sparkyh lol ya'll people saying physically writing down a pw on a piece of paper in 2023 is a good idea rather than using an encrypted pw manager that requires multiple layers of authentication to get through are wrong for that
Good thing I have it so only my Mac can change settings on phone etc. I tried to turn off find my phone said waiting for other device (my Mac) so I’m good there. I use bw hosted on my own server and it uses a yubi which needs to present to do anything for my logins. Also the store where I got iPhone literally told me don’t use keychain etc for this reason so thank goodness for him telling clients this. Also found out a rec key from vid and if you have one setup you need it to remove old to add new so ya.
Yes I totally agree. To change Apple password passcode should not be used. Also there should be additional user id along with Apple id while changing password because apple id is visible always. Also in India your Apple id is supposed to be phone number only, so much for privacy settings.
My advice is to have situational awareness and don’t have your face buried in your phone in public. I know it’s hard but remember when cell phones weren’t a thing and you didn’t have the option to stare at the screen while waiting outside a bar etc?
Apple recently added the ability to use a security key as a form of two-factor authentication. It’s in the same menu that was shown when changing your password. The security key is a physical device that can be kept on a keychain, for example.
so if they steal your phone and keychain, then what?
@@TomNook. Getting security key, passcode and phone stolen is bad luck. The threat actors can bypass multiple defenses. The strength of security keys is cryptography which addresses the shortfalls of SMS-based security codes and time-based one-time passwords (6 digit code)... not helpful when it gets stolen along with your phone and credentials. Be cautious of using security keys in public and who is around you.
Love the suggestion for LastPass............................ hahahaha.
Did I see a screenshot of the password manager, LastPass at 8:44? hmmm
If we need to protect our PINs when using bank cards, the same criteria should be applied when entering the 6-digit codes on an iPhone.
You can't change your password by having the passcode on Android, you need to enter the old one, besides android users usually use patterns and not passcode to secure the phone and they are way more difficult to memorize.
1. Thieves don't need to change your password. They just need to sign you out from all other trusted devices so that you will not change it. 2. I need a citation on the pattern-is-difficult-to-memorize-than-passcode thing.
You can take a video of the person entering their pattern.
@@sexyscientist You need the account password to remove trusted devices, the phone pin code is not enough to remove trusted devices. Account password and phone pin code are not the same. Additionally you need the account password to turn off find my phone, phone pin code is not enough to turn off find my phone :)
@@PrincePawn No, you don't need anything... no pin code, no password to sign-out from a device. I just signed out one of my device using my phone. Same goes for "find my device". Tried and tested.
@@sexyscientist I just tested, you need account password to change password, not just PIN of mobile.
Exactly why I never do financial work on a portable device. Only do financial on a specific computer at home used for only financial.
The fix is pretty simple, it’s been followed in apple notes for a long time, where, you have a different passcode (however, now apple enables using device password, but thankfully it’s just an option) The same principle should be followed in apps like settings and photos..
8:14 #2 is very important
This is huge enough to where they should address it by the next showcase. Second Unlock code for apps on the protected list. Biometrics and 2 unlock codes required to make “deep” account modifications
they already have had this feature for over 10 years, currently part of ScreenTime, before that called Restrictions, but Joanna is either so poorly informed she didn’t even know about it, or she deliberately didn’t mention it would interfere with her attention grabbing “gotcha” narrative. Very poorly investigated story.
@@spacecadet2172 majority of average users won’t even know what that is or know how to use it, thats the issue
@@ITzPeter100 how does that change the argument that apple should add it tho? Apple has had this in place since before 2010 and hardly anyone even knows about it let alone uses it. The fact that it’s so niche goes to show how incredibly rare such an attack is, and attacks are largely driven by user error/ignorance.
Are you shure it works the same way on android? I cant do anything on an samsung account without the samsung password. No option to reset it or change anything security related. The autofill app has another pin than the lockscreen so you would need both of them. It just really doesnt seem to work like shown
Good segment. It motivated me to reset to a much more secure passcode.
Use face ID or fingerprint ID only. It's important to NOT use the passcode except when the iPhone forces you to, and to cover up the keypad with your other hand when you type it in, and look around you to make sure no one is watching you type it in. If someone is watching you, move to where no one is watching you before typing it in.
Not a real solution: Thieves will just point the phone to your face or rip your finger off for touch ID
@@wotube6387 Fingerprint is the best bet here. Nobody will rip your finger that too be in a public place like pub to unlock your phone.
Joanna's excellent advice: treat it like an ATM PIN