Apple’s iPhone Passcode Problem WSJ

Apple’s iPhone Passcode Problem WSJ(youtube.com)

23 points by sergeym 3 years ago | 31 comments

Can the submitter provide a summary? Unlike a text article, you can't quickly skim a 9-minute video to figure out its main point.

gorkish 3 years ago | |

Summary:

Due to the complexity and recursive nature of modern digital authentication, it turns out that often all that is really really actually protecting a user's identity at the end of the day is a 4 digit PIN code that they happily type in front of anyone and everyone hundreds of times per day.

An attacker with knowledge of someone's PIN can use it to gain temporary access to a user's device, and then they have both auth factors necessary for a complete takeover of the account associated with the device, which is very often being used as the IdP for many other accounts and services. Commence lateral movement.

It's plainly evident to anyone with half a brain that a two factor scheme that authenticates the second factor with the first factor is not, in fact, a two factor scheme. When the first factor is so weak that it can be broken by looking at some smudges on the screen, well, here we are.

But consumers are idiots, and if you actually forced them to use proper authentication schemes then most people would simply lock themselves out of everything and lose all of their data permanently multiple times per year. As a practical matter, I don't really see a good way to overcome user irresponsibility.

tinus_hn 3 years ago | | |

Does the video claim this is unique to Apple/iPhone in any way?

fckgw 3 years ago | |

Thieves are watching people input their PINs into phones and then stealing the phones. They can then gain access to any apps that use the "sign-in with Apple" feature that uses Face ID or PIN to log instead of the app's own login.

randyrand 3 years ago | | |

> uses Face ID or PIN to login

I just tried this and neither LastPass nor any of my banks accept PIN. It’s FaceID or the full 3rd party password only.

Is this a real issue? What banks and password managers allow pin? Only Apples built in manager?

newaccount74 3 years ago | |

1) Criminals work in groups to steal iPhones. One person will watch you or take a video of you entering your passcode, another person will snatch the phone from you.

2) Within 3 minutes, the criminals will use the phone passcode to reset your Apple ID password, change the trusted phone number of your Apple ID, and set a recovery key.

3) Now they can deactivate "Find my iPhone"

4) And they can log out all your other devices, lock them, or even erase them remotely

5) Now you have no way to access your iCloud account, and the thieves have completely taken over your digital identity

6) Using passwords saved on the phone, and with SMS 2FA, they can now transfer money from all your accounts

7) Using other data stored on your phone (eg. in photos), they can apply for Apple Credit Card and use that to steal more money from you

Joanna Stern recommends these steps steps:

1) Use a complex passcode

2) Use a 3rd party password manager with a different passcode

3) Check your photos to make sure there are no photos of sensitive documents

Seanambers 3 years ago | | |

So the 6 digit iPhone passcode overrides the iCloud master password? That's insane.

cute_boi 3 years ago | |

6 digit Iphone passcode can open a treasure box. Never store bank password in iPhone password manager.

xrayarx 3 years ago |

There is a sophisticated scam targeting apple iPhone users, that starts with stealing the phone and ends with draining all financial accounts, there are hundreds of cases with damage in the five digits and apple doesn't care.

The remediations recommended are:

  - alphanumeric passcode

  - different passcodes for financial apps

  - not using the native password manager

  - not storing credentials for financial apps in any password manager

  - if you have to enter the code do not do so in public or hide it

How an alphanumeric code helps defeat this adversaries is beyond me, because the video describes the attackers recording the code from over the shoulder.

Why MFA or tokens are not recommended, I do not know.

qaz_plm 3 years ago | |

There was a thread yesterday where someone suggested using a screen time pin, different from device pin, and disabling access to iCloud settings as a potential way to protect yourself too.

xrayarx 3 years ago | | |

Where was that? Might be interesting

fckgw 3 years ago | |

What would you like Apple to do?

xrayarx 3 years ago | | |

I'd say real MFA, so buy an iPhone and get at least to tokens for free.

Immediately deliver a software update that remedies the various steps in the attack.

The victims loose all iCloud data including all photos of sometimes ten years or more. There needs to be another layer to protect backups.

Have two pins like with the SIM cards with pin and puk. Should actually be something that apple should have thought of from the getgo.

kobalsky 3 years ago | | |

not letting banking or TOPT apps work or showing validation sms codes without biometric unlocking even if you type in the password or pin.

I wouldn't mind it a bit if biometric face id triggers every time I need to read a validation sms or use a security sensitive app, even if the phone is unlocked.

time lock important changes like biometric info or anything that may result in an account takeover.

newaccount74 3 years ago | | |

Add a time delay to the password reset feature, and notify all other devices that a password reset was attempted.

upbeat_general 3 years ago | | |

Not allow resetting from a device only with the pin?

Also don’t allow the pin for some operations (or let you disable this). E.g. for viewing passwords or other sensitive operations besides login, it’d be safer for me to not allow pin access and only Face ID.

randyrand 3 years ago | | |

Don’t allow PIN as valid login for for password managers or apple id changing?

pain2022 3 years ago |

The problem is that one can change Apple ID password knowing only the pincode. No old password asked. This gives thief a full control of Apple ID

Settings -> Apple ID (top panel with name) -> Password&security -> Change password

N_A_T_E 3 years ago | |

Wow, I just tried and it’s very easy. Seems like a huge miss of privilege escalation allowing someone with the pin and phone to escalate to full password. This should require the old password or more steps.

vucetica 3 years ago | |

Someone on a different thread suggested to use the screentime (with a different passcode) and disable icloud settings. Works like a charm.

Axien 3 years ago |

I’m stunned you can change your Apple password with just a passcode and the device.

diebeforei485 3 years ago | |

There was a large problem of websites showing fake Apple ID login screens to steal people's Apple passwords.

Since then, Apple has changed iCloud log-in to use a derived key that requires the 6-digit passcode. This has reduced the problem dramatically.

It's very strange that they don't require the old password or any sort of 2FA (for users with multiple Apple products) to change the password though.

bogomipz 3 years ago |

This appears to be a video discussing the following WSJ article:

"A Basic iPhone Feature Helps Criminals Steal Your Entire Digital Life"

https://archive.is/Q4NOR

uni_baconcat 3 years ago |

Since iPhone is work as a trusted device for passkey, Shoulder surfing is an exceptional method of attack.

cityzen 3 years ago |

Love the irony that they prominently show LastPass on here.

- alphanumeric passcode - different passcodes for financial apps - not using the native password manager - not storing credentials for financial apps in any password manager - if you have to enter the code do not do so in public or hide it