Woman got locked out of her Apple account minutes after her iPhone was stolen and had $10,000 taken from her bank account says Apple was 'not helpful'

I thought to myself wait don't I have 2FA on my apple ID account? Sigh... What is the sense of 2 Factor Auth, when the two factor is an SMS text to the phone that has been stolen.
Exactly. This is an issue they're all going to have to work out.
 
So other than not using a 4 digit code, how can you close that hole down? Asking, because I am going overseas soon, and iPhones are the number one target of pickpockets. I even swatted away a bad pickpocket on the express train to the airport in Paris as he was going into my pocket with my iPhone.
When traveling, I try to keep my iPhone in a zippered pocket to deter pickpockets when I'm not using it.

Beyond that, I don't think there's anything practical you can do other than using a longer passcode. I'd also make sure that access to banking and similar apps/websites is protected by strong passwords that aren't readily accessible on the device. My phone also has corporate mobile device management, so it can be erased remotely if I request it, but I realize most people don't have that option.
 
My response just absorbed into the quote right when I posted. This software is fucking annoying sometimes.
Agree on both counts. I don't understand how the funds were stolen, unless she was careless.
 
Reportedly a 4 digit unlock code and passwords in the iCloud Keychain. I don’t know almost any of my passwords because they are auto-generated and kept in my keychain. But I also have 10+ number unlock code. But if someone got my unlock code and my iPhone they get just about everything except my MacOS login password.
 
One would at least need to know the passcode to change the PW so there's that. What the local news is reporting is people snatching the phone after you have logged in with your passcode but they still don't know what it is, that would at least prevent them from turning off find my iPhone.
 
Reportedly a 4 digit unlock code and passwords in the iCloud Keychain. I don’t know almost any of my passwords because they are auto-generated and kept in my keychain. But I also have 10+ number unlock code. But if someone got my unlock code and my iPhone they get just about everything except my MacOS login password.
I also have a long (11 digit) passcode, but I use 1Password instead of the iCloud Keychain.
 
My iPad periodically asks me for my password to unlock (usually after it has been idle for hours upon hours) because my fingerprint is not good enough. Seems they could also go the other way, requiring a biometric cross-check in critical situations.
 
I thought to myself wait don't I have 2FA on my apple ID account? Sigh... What is the sense of 2 Factor Auth, when the two factor is an SMS text to the phone that has been stolen.
Apple’s 2fa isn’t an sms, fwiw.

if your phone is stolen or lost, first thing you should do is log in from another device and remove the stolen device from your list of “trusted devices.”
 
We seem to be getting a rash of stories about either AirTag tracking or passcode bypasses with Apple products. I'm wondering if this is just because it's Apple and that makes headlines, based upon actual security concerns, or that Windows and Android devices are just assumed to be insecure and breaches with those devices aren't worthy of headlines.

Counteracting that notion, a top U.S. government cyber official praised Apple for security advances.


"Cybersecurity and Infrastructure Security Agency Director Jen Easterly held up Apple as a positive example of accountability and transparency for its security practices during a speech delivered Monday at Carnegie Mellon University."

Easterly notes that 95% of Apple iCloud users enable multifactor authentication, while only about 25% of Microsoft and 3% of Twitter users do the same, stating that the numbers from Microsoft and Twitter are "disappointing". She did give credit to these companies for disclosing those numbers.

Apple can always improve, but they've come a long way from the days when Mac OS X was considered relatively insecure, and simply protected by having a small percentage of overall PC marketshare.
 
One thing I've rarely questioned them on is security, I've always felt they take it seriously.
 
Here's an article featuring numerous security experts who were asked about Mac vs. Windows security.


I think Ray Walsh of advocacy group ProPrivacy put it best when he said: "Apple can be credited with an advantage due to its tighter control over the hardware that runs macOS. This does make macOS more secure, which improves data privacy by decreasing the chances of hardware-based vulnerabilities that lead to hacking or surveillance."

To wit, MSI released 300 different motherboard models with Secure Boot turned off, making PC users vulnerable for 18 months before addressing the problem. That sort of insanity doesn't happen with Apple, because they control the entire stack and take security seriously.

The conclusion among the collective group of experts: "Neither company is doing enough to please cybersecurity experts. But with few alternatives, we're still left having to decide between the two, and almost everyone agreed: Your data is likely safer and more private on macOS than on Windows."

That article was published in 2020. Since then, Windows 11 has proven to be significantly worse for privacy and data collection, while Apple has implemented Advanced Data Protection across its line of products. The fruit company has also developed XProtect Remediator to squash malware in macOS, implemented the immutable Signed System Volume, among other advancements.

Of course, Apple could do more, which they are. Good security and privacy are a process, not a destination, because the threat landscape is constantly evolving. Their tight historical vertical integration strategy has assured that Apple can react more nimbly and consistently compared to the competition.
 
So, I just went through changing my lazy 4 digit passcode to a 6 digit. Not sure it would make any difference if someone were watching me, and were able to memorize it. During the process, you have to enter the existing passcode, then your apple ID password to turn it off. Currently my apple ID password is stored in my 1Password vault that needs either my face or master password. Then to turn it back on, again my apple ID password.

Seems like a process that should be used if changing the apple ID password as well.
 
☝️

So based on the article and this thread, I changed my iPhone 4 digit passcode to 6 digits and I am so glad I did. Also I changed the auto-lock down to 1 minute and at first I was annoyed, but again I am so very glad I did.

TLDR;
I dropped my 10 day old iPhone 14 on an open air car tour in Nice France and a very opportunistic thief led me through a chase throughout Nice. Never recovered the phone, and luckily only lost out on the phone cost, plus some lost photos.

Backstory
The day before my wedding I rented a large SUV from the airport to haul all the stuff to the venue and to have an easy day after the wedding to go directly to the airport from the hotel of the first night. So when I went to pick up the behemoth (not used to large SUVs), I was holding my iPhone in my hand as I was climbing in. My elbow hit the A-pillar and it went flying across the garage and shattered when it landed. I ordered a brand new iPhone 14, and had my son bring it to the hotel the day of the wedding. Mistake number 1, I somehow selected paying full freight (not using the Apple Card 0% financing) and selected Apple Care+ WITHOUT Loss and Theft coverage. Double ouch! Also, because I was preoccupied getting married, I didn't have much time to fully transfer the phone over, so I did as much as I could and put both phones in my carry-on.

Main Event
All during my trip up until the fateful day, I had problems with the new iPhone. SIM issues getting good signal and using a foreign e-sim. Wifi was either not connecting or extremely slow (my wife didn't experience any of this), and my iPhone and photo cloud sync/backups were hit or miss, unless I manually intervened. Again, I foolishly didn't spend a lot of my time away from enjoying myself to dig into the issues fully.

So I was on a tour in an open air scooter in Nice (see photo), essentially it's a 3 wheel scooter with a shroud. Great tour and I saw some amazing sights, but near the end I saw some people with suitcases waiting to cross the street and I thought I heard the classic sound of a cell phone hitting the ground. I thought to myself, "well someone is having a bad day." A few seconds later when I pulled up to a red light a truck occupant got my attention and informed me that I lost my phone a 1/2 mile back. Seeing that I was a block away from the tour garage, and since the guide was already upset at another group member for holding up the group I proceeded to go ahead rather than turn around, praying that it would still be there. Mistake number 2.

As soon as we stopped at the tour ending point I informed the guide, and he asked if I had location services on it. Luckily my wife did and sure enough the phone was still live. However it was nowhere near where we had driven by. So the guide immediately threw a helmet (three sizes too small) on my head, and had me get on the back of his Vespa, and we were off on the chase.

I don't know if you have seen people in Europe drive scooters in towns like Paris, Rome, and Nice, but they do not adhere to any road rules. On the back of his scooter, holding on for dear life with one hand and holding my wife's phone with the other to show him the live position of the iPhone, we raced through the streets of Nice. We went the wrong way on one-way streets, up on sidewalks, through red lights, splitting lanes in stopped traffic, and narrowly missing pedestrians and almost getting hit by cars ourselves. I must have seen a good portion of that city on this scooter chase of 45 minutes. It was my own version of the French Connection car chase scene. Eventually the thief ducked into a gated community that we couldn't get into. The tour guide who went above and beyond to get my phone back, had to give up and quite frankly I was glad. By that time I wanted just to get back to my AirBnB to lock out and erase the phone.

I spent the next day and a half changing all my passwords to Google, Apple, my password manager, work credentials, credit cards, financial accounts, and social media. I flagged the serial number and IMEI number to Apple and AT&T to be blacklisted. I even went as far as freezing out all my Credit Cards to make sure they didn't somehow backup my phone and glean that info. Coincidentally I started receiving spam calls from Malaysia the next two days, I never picked up the phone. Luckily it looks like nothing has been compromised, but I am watching my financials info like a hawk now.

One of the most annoying parts was my support discussions with Apple and AT&T. In the Apple discussion I was trying to get a refund on the Apple Care+ that I only got to use for 10 days. Explaining to them that I didn't need it for a now stolen iPhone, and as expected they heartlessly didn't care. The more frustrating and popsicle headache inducing conversation was with AT&T. To verify my identity they wanted to send a verification text. After carefully explaining for three times, that I didn't have the phone because it was STOLEN, they still insisted on sending a text. I politely asked if they could email me the code to the email on the account file, and they told me it could only be sent via text. After getting the tech to recognize the flaw in their 2FA system, he told me the text could be sent to any phone on my account. Sigh... Again I explained to him those numbers are in the US and I was in France with the nagging little problem of timezones. Good thing it was now about noon CET and only 6 AM Eastern time. Another 30 minutes of rousing my son that early on a Saturday morning wasn't fun, but eventually I did pass AT&T's process of verification... Whew! I did however 1 star their service and gave them a lecture about the flaw in their security process.

All in all, it looks like I just lost the cost of the iPhone and Apple Care+. However, I did lose a day and a half of photos, due to the syncing issue I mentioned above. Also looking back on the chase, I am lucky not to have lost more by getting into trouble in some seedy parts of Nice or have gotten into an accident in a foreign country. The other part to this story is that my wife was alone without her cell phone, and wondering where her husband was after 45 minutes. She did come up with the plan to find the nearest US Consulate and ask if an idiot American was in the hospital due to a scooter crash. Luckily we are able to laugh about this adventure once I had locked the stolen phone and erased it.
 
It just occurs to me: there was a local news story about how the breaking generation (whatever they are called, Z, Millennials, damn, who can keep up?) are trending toward dumbphones, and these kind of anecdotes give some clue about their motivations. I mean, granted, it is entirely feasible to use a smartphone in ways that do not involve filling it up with all your personal info, but I guess young people would just rather not have even the risk so close at hand.
 
I saw that story and it seems to be nonsense.