Apple’s iPhone Passcode Problem: Thieves Can Ruin Your Entire Digital Life in Minutes | WSJ 

They do. I don’t know what these people enabled.

@@NinjaRunningWild thats what I thought

@9pm Till1Come Yes and that-s also wrong for apple to do. That one password should never be accessible on keychain no matter what.

@@NinjaRunningWild I just checked on mine and you only need pin to change icloud password.

yes, but they do this because 1000x more people complain that they forgot their AppleID pw and then have trouble resetting it (especially if the iPhone is their only Apple device). Then WSJ would be doing a video about how awful apple is for making it so hard for people to reset their passwords and locking people out of their accounts. Security policy is always about making tough calls about where to draw the line between convenience and security. Far more people are affected by forgetting their passwords, than the relatively rare instances described in this video, which require not one but a whole cascade of failures to occur.

doesnt work if people have their apple id password saved in icloud keychain...

seems like that alone woud solve half the issues

What if you have forgotten your AppleID password and want to reset it?

@@abhimalik8437 Then use 1) a second device to authenticate the user or 2) security questions.

Except the AppleID password is only used in very few instances so it is very easy to forget it.

I agree, poor lady 😔 It's an important lesson for her and everyone else to take digital security more seriously. This video is a great example to show friends and family who don't. It might open their minds a bit when it comes to these things.

I must've jinxed myself because a few days later my phone got the black screen of death. Thankfully I back up family photos onto drive pretty regularly, but I hope I don't lose all my other photos, memos, messages😭

​@@frankfeng6199 But how can they steal money from her bank account? In my country, it's a two step verification. One with OTP message code, and your bank pin number. Is it different in the USA??

​@ghost mall But how can they steal money from her bank account? In my country, it's a two step verification. One with OTP message code, and your bank pin number. Is it different in the USA??

Also look what happened to Jennifer Lawrence and other Celebs. (altough some people say they leaked the photos to gain popularity*) *not gonna lean towards one or the other side, I simply don't know

Iphone has ffingerprint?

@@Difracil The iPhone 5s - 8 and SE models do (Touch ID).

@@LOTR_BTTF well that's an old model. Do you think robber will bother to steal that?

@@LOTR_BTTF , I prefer Touch-ID over Face-ID at any time.

I’m a bit confused. I have Face ID to get into my iPhone. I suppose that a thief could steal my iPhone when I am logged in play with my iCloud account. But my bank apps here in Australia require a separate login or face Identification. I’m assuming that a thief’s access to my iCloud account will not give them access to my bank accounts unless Apple somehow allows this.

Because you're not tech savvy.

@@prevaloir5362 no. It's because he's not theft savvy

You aren't nearly a tech savvy as you think you are. Switch to samsung knox

@@carstenb23😂😂perfect

you use Apple you are not tech savvy

I thought you had to authenticate with 2FA to change an iCloud password?

@@Bradley-Thomsen Yes you do, unless you go out of your way to disable it manually.

But there is an additional layer. Just tested hacking my own phone, and the methods shown here doesn't work.

@@Bradley-Thomsen🤟

I don’t believe this one bit no one can change your iPhone to change the passcode to lock you out of it unless you didn’t have a passcode to behind with then at that point they can make a passcode to lock the person out then they can use that new passcode to to change their password this is BS 😂

@Toboe Key It is not her fault for using a cloud system... everyone does it. It's easier to work with than carrying hard drives that can get the tiniest bit of liquid in them and they're gone forever. All and every method has its disadvantages

Honestly, my financial institutions simply block most transactions that seem the least bit suspicious, often making me need to explain to them yes... it really is me doing a purchase.

That doesn’t help and never has . Yall think cages are the answer and it AINT . Stop

​@@CadiKaneit is the answer!

​@@CadiKaneactions have consequences behind them so if you don't learn life will teach you.

Yup. Another case of users using a device they did little research on.

Thank you!!

@@dinoscheidt if it's not the default then it's not a lack of knowledge issue

I’ve just done this now. Thank you

Thanks for the tip

Yup, I just deleted my account with them. Bitwarden has worked well for me.

Thank you, I was about to say the same.

Yup

1) Meta data was expose. 2) Stored password hash databases were stolen. Correct, unless you had a garbage password and a very low iteration count. Your passwords are 'reasonably' secured. Password databases if done right. Are hashed. Research hashing and iterations. That is the entire point. Every other major organization and industry has gotten breached. Last Pass got breached? So what? 3) She was too lazy to buy a few hard drives. To backup all the pictures and files she had on the cloud. That is completely on her. I am going to take a shot in the dark. That she makes at least $20,000 than me gross. I barely qualify as middle class. I do not blame people for getting hacked. Most Apple Users I have known. Are lazy and or ignorant of their own technology. There is one person in particular. Who did everything wrong. After me explaining in detail for years. What to do and how to do it. I am not an expert. I did not finish college. O and I am bleeding money right now. So following the basic 3 2 1 Rule. Too lazy to go to any other store online and offline. To take $1,000 to $2,000 max and buy a bunch of drives. I buy Apple stock. Simply because I have done enough research on whom Apple targets. For the most part. The rich & ignorant lazy people. Apple puts a lot of its security on easy mode. And people still do not do everything Apple allows you to do to secure the account. 4) My password managers are open source. So any zero day exploit can pown me. At least everybody sees the code. How secure do you 'think' you are? FYI, I respect Apple not screwing over the entire human race. That being said, you do not see the source code. I am not a programmer. At least I could if I wanted to. Learn coding or failing that. Pay a bunch of people at random to review it under penalty of law. To tell me if it is solid or not. 5) Another lazy Apple user. Again, sucks she got hacked. They do have App Blocking Applications. The best I have seen are tied to Antivirus programs. 6) PINs? Most users use PINs for all their mobile access. Horrible idea.

Then ditch apple and use real computers and phones.

Or not tie yourself to the Apple ecosystem. Use 3rd party password managers. Preferably open source. Get an App Blocking application. Commonly referred to App Lockers. Encrypt your files.

Did you have your 'memories' backed up on separate hard drives? Remember, the cloud is just someone else's hard drive.

@@jamesedwards3923 I did not. I thought paying for the premium storage tier at a Fortune 3 company would protect my data just fine. It was a conscious decision to stop backing up locally but obviously not the right choice.

@@lucabrasix Never go with showmanship. Go with what it is and what the potential is. Never anything else.

Iphone

Yeah I thought you needed the Apple ID’s password

@@MasterKey2004 same

It’s not enough to change your Apple ID buy it’s enough to get into the password manager of the iPhone and then you can get the access of all profiles. It is not only an iPhone problem, it’s a problem of all digital devices

This is the dumbest thing Apple has ever done.

i have a second phone too, i live in europe and i mainly use it on travels.

Good to know!!!

great advice. the accompanying WSJ article mentions the Screen Time protection

Good tips! Thanks

Yep, I have 2 phones for travel!

Exactly

This 👆🏽

Thanks for this. Just did this now for my iphone ❤

Thank you for this. This was not known and it’s been a great find for me. I had this enabled immediately.

Did this and it prompted me to enter my Apple ID and password so I can use that to reset screen time passcode. I suggest skipping that (hitting cancel and accepting the skip on the next pop up)

Next time, turn on your recovery key. Then call Apple and provide these 28 digits and Apple can help you further. Without this key, Apple cannot do anything for you.

Did you have biometrics on and the phone happened to ask for the PIN code, which then was picked by an outsider?

@@terohann sometimes the iphone just ask your passcode because it didn’t recognised your face or for no reason, just for fun.

@@terohann yes exactly this. And then the thieves were able to bypass Face ID to use my wallet and access my banking apps

You can also be robbed at knifepoint and forced to give them your passcode 😢

Of course they didn't own up to their mistakes. This is the fundamental character flaw of the company and ALL it's users. Anyone who is capable of admitting and learned from their mistakes wouldn't still use apple.

Whenever I travel abroad I use a burner phone... it only took me one time to get my phone stolen to learn that.

7-1

​@@TainoblazedYou bring a phone good enough for the job. That does not look expensive. Even the case.

I don’t get it. This whole thing can be avoided with using Touch ID or Face ID.

Lies again? Fail Security

That option should be on by default, it would save so many accounts!!! And your comment should be first so people could see it.

There’s nothing paranoid about it

What’s SSN

Dude, the ignorance of technology. From people younger than I. Is amazing. I once asked a 18 to 20 year old. Woman, did you store the data in .pdf? She looked so confused. Keep in mind. I am casual user who grew up between Windows 95 and Windows XP. Apple Users are amongst the worst offenders. You can store an image in an encrypted state in so many ways. It is laughable, when I explain it to people half my age. They have absolutely no clue. In my experience most users 'understand' why they should secure their data. They just do not want to learn how on even a basic level.

Storing critical information in a unencrypted state? Horrible. People do this nonsense all the time. There so many ways to encrypt data and files independently. In my professional and personal experience. Most users are lazy.

@@jamesedwards3923 You said: "Apple Users are amongst the worst offenders." That's because most Apple users think Apple devices can not be hacked or get malware. It is exactly what Apple marketing has been pitching and it works. Their fans blindly believe it.

I know some people with iPhones where their Face ID doesn’t work on the phone. I think they dropped their phone and then it stopped working.

It would be enough to just ask for the old password. Also, what do you do if you've had face surgery and lost both arms at the same time?

Bad idea, not everyone wants to use biometrics and it's also not surefire to work.

​@@fanban2926 You've not thought it through. You can have up to 5 ways to have double authentication. PIn + FaceID Pin + Fingerprint Pin + Physical security key, either a usb key, or touching an airtag for example Pin + Being in proximity of a device you set as trusted at home Pin + Account password Pin + additional Pin 😆kinda like you needing to enter an additional Pin to open your Bank account on the phone.

A secondary “passcode” already exists, it’s called Recovery Key. Which is way longer than a passcode.

Yes but they don’t offer Touch ID on newer phone for some reason

@@organizedchaos4559 they offer touch id on the SE. And anyways just use FaceId

The biometrics will prevent this specific attack, but they are not superior to passcodes. They have different vulnerabilities, and most importantly, once compromised, cannot be changed.

Everything about here is so stupid on Apple's part. But I also don't get why the woman doesn't have Face ID enabled. Can we confirm if this vulnerability exists if you have Face ID enabled too?

@@organizedchaos4559 Face ID works the same way. That why I use the term biometrics and not touchID

FaceID stops shoulder surfing.

@@brandonw1604 Many have mentioned FaceID and TouchID, but it won't be a full solution: Thieves will just point the phone to your face for Face ID or rip your finger off for Touch ID and then change your passwords, and you have the exact same problem as before!

its not simple and easy to fix, as literally more than a million to one ratio of people have problems with forgetting their AppleID password and having trouble resetting it (especially if they only use one apple device) compared to this extremely rare crime outlined here. They would be solving one problem but in turn creating a million new ones. There are a lot more articles/pieces about evil Apple “locking people out” of their account because they forgot their password than there are about this problem.

@@basicallyhuman Mostly false. FaceID works in pitch black darkness as it uses the infrared flood illuminator, rather than using the camera like many paltry imitations on other devices. So bad lighting has no affect. FaceID also now works even with a mask, and before that you could also use your apple watch to unlock it with a mask. The time out period for lack of use is 24 hours. I find it hard to believe that anyone using their phone in a bar at the end of the day would have not have unlocked their phone once in the past 24 hours.

@@wotube6387 make you look after they steal your phone or take your finger? This isn’t happening in Kabul it is NYC.

Anyone have device passcode can add his/her fingerprint to touch ID, that's still cause the problem

great idea

Do you know how many people forget the answers to their security questions???

@@lauragonz34 if you forget the name of your first pet or the street on which you grew up, you deserve to lose your phone.

Security questions are way to easy to guess and 99% of the time are either on public records or can be found online and on social media which many people do not keep private. It’s because of this reason that many companies are phasing out security questions. The 2 examples you gave (the street you grew up on) can be found through white pages, and (the name of your first dog) will most likely be on your social media. Not always but it’s a pretty good bet.

I can't tell if this is sarcasm.

@@AndrewCortesi I meant what I said. Didn’t know it was so easy to change password with just a passcode. Always thought you needed to put your old password, but all it takes is just your passcode.

@@koolkat214 i am supprised that you didnt know that, that is the reason why biometrical is so important. When you use bio insted of a pin nobody can see how to get into your device

@@MrJudgi I have Face ID on, but even with that on, I’ve just now learned that it is useless if someone knows your passcode. I always thought you needed more than just a pass code to change your Apple ID, but this video was eye opening for me.

yeah i'm glad i use safe Samsung

Or just implement touch id..

Well nobody would remember the passcode you never type in , they just should use Multi-factor authentication. So if you want change your apple id password with your passcode you have to allow it with a second apple device.

@@BENJB220 I see what you are saying, but that is pretty bad in justifying apple monopolizing your devices, further not everyone can afford or want to buy into the walled garden.

@@BENJB220 "you have to allow it with a second device.*" Don't give them ideas on how to further lock people in to Apple ecosystem

@@Nicholas_Steel haha true. But unfortunately they already do it if you sign in your Apple ID to a new device.

I still do itunes backup on my computer which is also backed up somewhere else

😔 Maybe we need a better system? But what would that be? 🤔

@@hansolowe19a separate passcode for settings.

@@bngr_bngr that would certainly help.

@@hansolowe19 I‘lol bet most of this started during c0vid when everyone was wearing a mask. iPhones couldn’t recognize people’s faces so they were forced to enter their passcode every time.

me seeing this with 4 digit passcode xd

Just make sure you don’t allow Apple ID reset on your screen time PIN

Just tested this, I have still been able to hack myself, it just took longer.

Looks like the only protection against this type of attack is to have advanced data protection on with a hardware key set-up. Just make sure you hold your recovery key in a secure offline location. Inconvenient but a must do if this attack grows in popularity.

@@pingping7594 how were you able to hack yourself?

There are people who don't even lock their phones. Super sheltered people who have never lived as victims until sometime in their future.

Biometrics is the easiest to hack hehe 🧑‍🏫

if you are that worried about it, it would be relatively trivial to make a physical backup of your most important and precious data to something like an external HD, and store it somewhere such as a safe deposit box or trusted relative’s home. For critical data, it’s always fundamental to have multiple redundant backups, if you want your data to be preserved even in the face of catastrophic failures. You should look up the 3-2-1 Backup strategy and implement it if you are concerned. This will also protect against things like ransomware attacks.

Just use memory cards. It’s better that way anyway.

It's why I'm still paying by credit cards, credit cards companies have loss prevention department 24/7 to lock the account after they verified you. Customers are not responsible for the charges from thieves

@@___beyondhorizon4664 what are you talking about? A CC company can’t help you get back your lost baby photos or all of your business contacts and appointments. They don’t even offer financial restitution.

Other apps already do that. You have to manually change them to use Touch ID/Face ID, and regardless of what password you use to sign into them, if you let the phone save that password into its own password manager, then that’s still a user choice, not something it does automatically.

@@babybirdhome a lot of apps where you can protect with Face ID / Touch ID can still be unlocked using the phone's Passcode. In other words, they don't allow you to create a specific PIN code.

When I go to access my banking apps on my android it forces me to use my fingerprint and doesn't allow my pass

I think this is the best idea yet, stops changes to accounts and passcodes. It seems there are ways to reset the Screen Time passcode, however most of these methods mean the reset of the whole phone or requires an encrypted backup of the phone which if you set the encrypted backup password that cannot be changed. Not sure if there are other options, but a good idea.

@@miketech79 I'm surprised this wasn't mentioned in the video

How can I do that?

@@Nicx8 settings, screen time, content privacy restrictions, account changes, don’t allow. Then just set a different passcode for screen time

@@cesarkuroiwa thanks for the heads up

There's probably multiple ways to do this. The user could maybe choose between one of the options or select all of them and only need 2 out of 5 to get into the settings: 1. A second authentication device, like a USB security key that has to be physically set into the phone - OR - registered Airtag has to touch the phone. 2. Face ID in addition 3. Touch ID in addition 4. AppleID Password in addition 5. Set a home device as secure device, like Macbook, which can easily access settings, while the Phone needs two of the listed methods.

This is already possible and a feature of the iPhone and has been in its current incarnation since 2018, and before that since before 2010. You can use Screentime (before that, “Restrictions”) to set a separate passcode, and require this passcode to make certain changes on the device, such as to accounts, the saved password list, and the password reset. Joanna was either not knowledgeable enough to know this, or negelected to mention it. The fact that this has been available for over a decade, and hardly any users use it (and was not even mentioned in this coverage) shows how rare this instance actually is and that few if any users would actually bother to go through all this trouble, as the loss of convenience is worse than the relatively low risk of an attack like this.

@@spacecadet2172 WRONG. The screen time passcode can be reset by clicking "forgot passcode" putting in Apple ID (which can be easily guessed or obtained by looking at emails, app store, itunes store, apple music, apple tv, find my, etc), and then resetting the screen time passcode with either the phone passcode or a simple SMS to the phone itself. This is dangerous advice to assume that it is secure when it is not.

So basically more like the windows hello system. I kind of like that idea.

I do not want that. If you do. Your choice.

Yep I lock my SIM card but only works when I have my phone off and they turn it back on again they have enter a password

Exactly.

yeah I thought it's a common sense. Use biometric log in... Your phone password is 2nd most important thing you possess following your own life. But to be fair, apple could've emphasis more on the risk of one password for everything and how to protect your password from it.

That's why I appreciate fingerprints

iPhone: Your passcode is required to enable Face ID 😐

@@joydey1794 fingerprint is even easier to break in.

Not a real solution: Thieves will just point the phone to your face or rip your finger off for touch ID

@@wotube6387 Fingerprint is the best bet here. Nobody will rip your finger that too be in a public place like pub to unlock your phone.

Joanna's excellent advice: treat it like an ATM PIN

it’s an easy way to track people

I still have my Z10 - yeah I do miss that password unlock !!

@@serggc, I thought, Blackberrys are dead by now, because the servers were shut down.

@@stolmich I think you can self host one... haven't used mine as a daily driver in years. but it still boots ( I turn it on every couple of months - Gmail still worked on it last time)

@@stolmich and I just remembered! the z10 ( and all other blackberry 10 OS) don't really need BB servers to access internet / emails / messenger. They have a limited setup but this is something i did when i got mine was cancel the 1€ per month surbscription with my carrier for that BB server.

Right. It’s not 🍎 fault

In my country too. It’s not possible.

The option should be there regardless. However when it comes to bank activities one should have the credentials etched inside their own minds. Or even on physical paper and stashed somewhere in the house such as a notebook. The notes app also lets you make up a password for the app itself with letters and numbers as options. Meaning you can have certain notes locked and only accessed via said password specific to that app. If anyone has other sensitive data on there, that data has a diff password from the main one used to unlock the phone thus preventing data leaks. This is why its a bad idea to screenshot passcodes and what not. It's also important to keep the OS updated for security patches. Touch ID and Face ID would also really come in handy. The fact she has a Mac is also an issue itself vs if she had a Windows PC with iTunes on it she could have manually backed up ALL her Data on it. Meaning she didn't have to upload to the iCloud unless shes constantly running out of space. Strange tho, if i recall correctly; to change the apple id they need a separate password vs the main 4 digit code that unlocks the phone. My guess is she had that info either in the notes app (with no password specific to notes app) or she had screenshots out in the open on her photos app. Furthermore having bank passwords saved on your phone is a bad idea. She could have called her bank to freeze her accounts too... Just makes me angry for them. In this case filing fraud reports with the banks seems like a dreading task but more than likely they can get their life savings back. As for the priceless picture memories on the wiped iCloud id, big rips.

@@Sparkyh lol ya'll people saying physically writing down a pw on a piece of paper in 2023 is a good idea rather than using an encrypted pw manager that requires multiple layers of authentication to get through are wrong for that

THIS! It’s good practice to put your photos on an SD Card. I do it every 3 months. It doesn’t take long at all! Set a reminder. It’s so worth it to not lose all your memories like this poor woman has!

Same I never use Apple Pay and people are like sheep they think it’s cool until someone gets ahold of stuff they can use

you know that passwords are biometric and pin protected?

@@bradyhunsberger An SD Card can get stolen if it remains inside the phone.

How about you? You can do more... It's many other option on the market... But you have to spend time from learning other kind of phone... Really!

Really good advice! I’ve used it for many years. Gives you a second layer of protection.

U can just disable it and then move on to change ur Apple ID how is that a fix ? If a thief went to the effort of stealing ur phone and passcode he would definitely be willing to take two more seconds to disable screen time and continue to lock u out of ur phone

so if they steal your phone and keychain, then what?

@@TomNook. Getting security key, passcode and phone stolen is bad luck. The threat actors can bypass multiple defenses. The strength of security keys is cryptography which addresses the shortfalls of SMS-based security codes and time-based one-time passwords (6 digit code)... not helpful when it gets stolen along with your phone and credentials. Be cautious of using security keys in public and who is around you.