Woman got locked out of her Apple account minutes after her iPhone was stolen and had $10,000 taken from her bank account says Apple was 'not helpful'

[Eric]

A woman who got locked out of her Apple account minutes after her iPhone was stolen and had $10,000 taken from her bank account says Apple was 'not helpful at all'

Reyhan Ayas was standing outside a bar in New York when a man snatched her iPhone and ran off. She said that was only the start of her Apple ordeal.

www.businessinsider.com

• A woman said that soon after her iPhone was stolen, she was locked out of her Apple account.
• Reyhan Ayas said Apple was "not helpful at all" after $10,000 was taken from her bank account.
• She told Insider: "Once someone gets into that security environment, it turns against you."

 

[Alli]

She’s not altogether wrong.

 

[fooferdoggie]

I think it takes more then just the passcode to do such things?

 

[Yoused]

Since Apple makes those Air Tag things, the logical next step, for person security, would be to make the inverse of that: an RFID-like bauble that is separate from the phone and prevents a person who does not have it on their person from gaining full control of the phone.

 

[Roller]

Since Apple makes those Air Tag things, the logical next step, for person security, would be to make the inverse of that: an RFID-like bauble that is separate from the phone and prevents a person who does not have it on their person from gaining full control of the phone.

Something similar could be done with an Apple Watch.

 

[fischersd]

Since Apple makes those Air Tag things, the logical next step, for person security, would be to make the inverse of that: an RFID-like bauble that is separate from the phone and prevents a person who does not have it on their person from gaining full control of the phone.

So, the muggers will just ask for the bauble as well as your phone.

Yes, once they know your passcode, they can access your banking, change your Apple ID password. People shouldn't be using 4-digit passcodes.
Too easy for people to see that over your shoulder, then swipe your phone.

Me, I think using your childhood phone number is a pretty good one.

 

[Alli]

change your Apple ID password

In order to do that you need the password for the AppleID, not just the device passcode. Half the time you can’t even make an App Store purchase without re-entering your password.

 

[Eric]

In order to do that you need the password for the AppleID, not just the device passcode. Half the time you can’t even make an App Store purchase without re-entering your password.

Right, I just saw a story on the news where they say thieves are now targeting iphones right the victim logs in, then change their passcode immediately, then "disable find my iPhone" and I'm wondering about that part. Are you allowed to change to a new PW without entering your existing one?

 

[Yoused]

Are you allowed to change to a new PW without entering your existing one?

The story says that he watched her entering it, so that particular guy had it.

 

[jbailey]

In order to do that you need the password for the AppleID, not just the device passcode. Half the time you can’t even make an App Store purchase without re-entering your password.

Unfortunately you don't. If you are logged in to an iCloud account on your iPhone and you have the unlock code for an iPhone you can change the AppleID password without any further security except typing in the unlock code once more. The article says that the thief shoulder surfed to get the unlock code which was only 4 digits. It is kind of mind boggling that Apple allows this but trying to buy a movie on my Apple TV frequently asks for my AppleID password even though I have the store set to never ask.

 

[Eric]

The story says that he watched her entering it, so that particular guy had it.

The question I have is even if you have the passcode can you change your Apple PW as well (to disable find my iPhone)? I don't think you can, a separate news story I watched this morning claimed that's what the thieves were doing.

 

[jbailey]

The question I have is even if you have the passcode can you change your Apple PW as well (to disable find my iPhone)? I don't think you can, a separate news story I watched this morning claimed that's what the thieves were doing.

Try it. You'll be surprised. As long as your iPhone is logged into iCloud and you have the unlock code, you can change the AppleID password without any further security.

 

[Roller]

The story says that he watched her entering it, so that particular guy had it.

The guy had her iPhone's passcode but not her Apple account password, which would have been harder to get just by observation, unless it was very simple/short. However, you can change your Apple ID password just by entering the device's passcode, which I think is a security hole. You should be able to set it to require the old password first. However, the part I don't quite understand from the story is how the funds were stolen — banking apps require a password and/or facial recognition to log in. Maybe they were stored in iCloud Keychain.

Regardless, it sounds like the victim could have followed better security practices, including using a longer passcode. A bit odd for someone who is a senior economist at a workforce-intelligence company.

 

[Eric]

Try it. You'll be surprised. As long as your iPhone is logged into iCloud and you have the unlock code, you can change the AppleID password without any further security.

Anytime I've tried to actually disable find my iPhone it's required my iCloud PW.

 

[Roller]

Anytime I've tried to actually disable find my iPhone it's required my iCloud PW.

Yes, but once a thief has changed the iCloud password, which takes just a few seconds and only requires the device's passcode, they can do what they want. As I said, that's a security hole.

 

[Eric]

Yes, but once a thief has changed the iCloud password, which takes just a few seconds and only requires the device's passcode, they can do what they want. As I said, that's a security hole.

Okay, just tested and see what you're saying and wow, what a security hole. Seems like all they have to do is require the existing iCloud PW in order to change it.

 

[rdrr]

So other than not using a 4 digit code, how can you close that hole down? Asking, because I am going overseas soon, and iPhones are the number one target of pick pockets. I even swatted away a bad pickpocket on the express train to the airport in Paris as he was going into my pocket with my iPhone.

 

[Eric]

So other than not using a 4 digit code, how can you close that hole down? Asking, because I am going overseas soon, and iPhones are the number one target of pick pockets. I even swatted away a bad pickpocket on the express train to the airport in Paris as he was going into my pocket with my iPhone.

Just add "Enter existing password" when attempting to change your iCloud PW, seems like a simple enough thing for Apple to add.

 

[rdrr]

I thought to myself wait don't I have 2FA on my apple ID account? Sigh... What is the sense of 2 Factor Auth, when the two factor is an SMS text to the phone that has been stolen.

 

[Edd]

The guy had her iPhone's passcode but not her Apple account password, which would have been harder to get just by observation, unless it was very simple/short. However, you can change your Apple ID password just by entering the device's passcode, which I think is a security hole. You should be able to set it to require the old password first. However, the part I don't quite understand from the story is how the funds were stolen — banking apps require a password and/or facial recognition to log in. Maybe they were stored in iCloud Keychain.
Yeah, WTF with the stolen funds. I don’t use Keychain or any service like it, so I’m missing something here. If you steal my phone you’re not getting into my funds, most likely. Different passwords by a long shot.

My response just absorbed into the quote right when I posted. This software is fucking annoying sometimes.