Is there a security flaw in Apple passcode and/or ID?

Recently a mate of mine had his phone snatched while using it on the street. Essentially 2 guys. One took the phone out of his hand and it was handed to a guy on a moped who sped off. At that point the phone was switched on AND unlocked as it was in use at the time.


My mate confronted the first guy who took the phone and passed it to the other guy, who threatened him with violence, so my mate ran off. Meanwhile the second guy on the moped was gone with the phone.


At the point the phone was snatched, it was unlocked, however my mate insists 100% that he has a passcode on his phone, as well as Face ID. He had to set this up as he uses Apple Pay with his credit card registered.


Within 20 minutes, (when my mate caught up with us, and we called the police), his Apple ID password was changed, (so he was locked out of his own iCloud account) his credit card registered to Apple ID was maxed out, AND two banking apps on his phone had been compromised and money taken from his account.


The thing I can't understand here is that any changes to Apple ID password or any other security stuff that needs to be changed is 'supposed' to require the re-entry of the phone's passcode. So how has this happened if they did not have it?


For example, to reset your Apple ID password from a phone, not only do you need to receive the SMS message, (which you would if you had the phone), but you also need to re-enter the phone's unlock code.


Either there is a serious security flaw in the way Apple resets Apple ID password from a phone that is not secure, an issue with the lock function on iOS, OR these guys have some serious tech that can bypass all the security on the Apple iPhone.


My mate insists he has all the updates, it's a 13 Pro I think, and is pretty security minded. He did NOT reveal the unlock code to the thieves. 100%


On a side note, Apple were pretty useless to help. In fact even after calling Apple, they can not do anything about securing his Apple ID or locking his iCloud access. He has to wait something like 26 days for some process before they can help him....what a total joke....



Posted on Apr 16, 2023 6:52 PM


May 31, 2023 8:00 AM in response to mrmacinman

You’re welcome.


I’m probably as guilty as much of the World re: unlocking my phone in potentially inappropriate situations.


Behavior modification IS hard!


Re: “… I did read somewhere earlier versions have had security flaws in the Lock Screen passcode being bypassed …


FYI, an iPhone’s “Passcode Lock” has not been an issue to my knowledge …


… however some previous versions of iOS apparently did allow the AppleID Password to be changed from an unlocked device without requiring re-entry of the passcode.


Unsure as to which iOS update revised this behavior.



May 31, 2023 6:58 AM in response to mrmacinman

That said, an unlocked iPhone probably should really be treated as if it were a wallet.


All the tech safeguards in the World can’t make up for a lack of Situational Awareness.


Just as we wouldn’t stand on a busy corner or sidewalk with an open wallet counting our cash; similarly we shouldn’t do so w/ an unlocked iPhone.


I realize that this represents a MAJOR “behavioral” change; but w/ so incredibly much personal info readily accessible from our mobile devices, it’s the new reality.


PS: I’ve lived in a country where the technique you described is - unfortunately - quite common and VERY “well developed.” 🙁



May 31, 2023 7:33 AM in response to lkrupp

Thanks chattanoogan for the common sense answer. You are totally correct re not using phones on street corners etc, even briefly...it's asking for trouble.


The version would have been at least 16, which I think is the version shipped on an iPhone 13 pro…


Whatever it was, I really don’t subscribe to the notion that there is a simple “NO flaw” answer……there probably is….however unlikely, and depending what legislation is in place to ‘soften’ the crypto by the government of choice where you happen to live..


I did read somewhere earlier versions have had security flaws in the Lock Screen passcode being bypassed. Even if only to access contacts….

