Request to improve Recovery Key Security

I read with great alarm about a new trend of people cozying up to you, getting you to use your passcode to log into your phone (watching while you do so), and then immediately taking the phone away from you and running away. They then immediately change your Apple ID password, go into Account Recovery, and create a Recovery Key, which prevents you from doing anything with ANY of your Apple devices, as they have now changed the Apple ID password, disabled Find My, and prevented the use of the Account Recovery service.


Apple needs to nip this in the bud immediately. I suggest that they now require additional security for CHANGING the Recovery Key once it has been set. Either register another passcode strictly for use in changing the key in the future (maybe requiring the use of the current recovery key to change the recovery key?), require the participation of the recovery assistance person, or require the account to go through something like the account recovery process. I'm thinking requiring the last two might be the best because it prevents someone(s) holding a person under duress to reveal their passcode AND recovery key passcode.


In the meantime, I strongly suggest using biometrics (face or finger) when in a social setting, and if you MUST use a passcode, do so in a manner that it cannot be observed. If you are drinking, you should seriously consider NOT using your phone in public.



iPhone 12

Posted on Feb 26, 2023 7:32 AM

Question marked as Top-ranking reply

Posted on Feb 26, 2023 8:17 AM

I should have added that the pain doesn't stop with just the theft of your phone and Apple ID. If you used Apple's ability to store your passwords as well, they can now rifle through your financial accounts. They can also go through your photos to find critical information like your passport, driver's licenses, insurance cards etc. They can use all this to open new credit accounts in your name.


I would suggest


1) Do NOT use Apple Keychain, as it makes it way too easy for someone who steals your phone and has passcode access to breach all your other accounts.


2) Do NOT store any photos that contain sensitive information in your photo library. Instead put them into a secure note (a note that has to be unlocked).


3) Always put a security freeze on all three of the credit reporting services. In this way no one can open new credit accounts in your name.


If I sound security paranoid, I am, as I spent several years creating applications that required DoD-level security.

8 replies

Feb 26, 2023 9:20 AM in response to jeromedy

FWIW: You can use Screen Time's "Content and Privacy Restrictions" - with another unique PIN - to restrict access to your Apple ID and inhibit passcode changes.


It doesn’t “fix” everything but it’s “more than nothing.”


And as correctly pointed out … in-person duress can overcome ANY security settings.


I'm also a long numeric passcode advocate. Typing in a 10+ digit numeric passcode is fast and easy … if you use "known only to you" phone numbers or other "burned into memory" number strings from your past … and they are virtually impossible to steal by even "direct observation."



Feb 26, 2023 8:48 AM in response to jeromedy

Duress has existed for aeons, and there’s no good technical solution: https://xkcd.com/538/


Thefts and pickpocketing have been prevalent in areas for aeons, too.


These occur particularly when the mark is not paying attention.


As for your feedback for Apple on recovery key creation, send it directly: Product Feedback - Apple


They’ll probably want to switch recovery key creation to prompting for the Apple ID password and not the device passcode, or such.

Feb 26, 2023 8:59 AM in response to muguy

Well, there have been several articles about this issue now, including this one in the Wall Street Journal:


Apple’s iPhone Passcode Problem: How Thieves Can Take Over in Minutes

Your passcode unlocks far more than just your phone


By Joanna Stern


Feb 23, 2023 7:50 pm


iPhone thieves across the country are locking people out of their Apple accounts and draining their bank accounts—sometimes before victims even know what happened. How do they do it and how can you protect yourself? WSJ’s Joanna Stern investigates.


A couple of my recommendations are in this article.
