Joanna Stern report on iPhone’s passcode vulnerabilities after a theft

This very thing has been going on for quite a while in Brazil and I suspect in many countries as well.

Last year, a few cases got the headlines and inspired a few changes in App design, mainly from Financial Institutions. The most adopted feature is for the App to demand a specific password (not your passcode) to open.

However, in the name of convenience, many of these apps will allow for FaceID unlocking which will circumvent the need for this specific password. And that can be reset via the Passcode route as well.

For those who can, the most adopted tactic is to keep a second phone (an Android or an old iPhone) permanently at home. This phone only will have all banking apps and other sensitive stuff, so we’re back to the home banking days.

That said, the fact that the passcode can unlock this much is a huge design failure from a security standpoint. And the fact that this theft can propagate to the whole suite of your Apple devices is really troubling. Joanna was precise in pointing out the culprit.

For us, let’s just hope Apple addresses this now that US media is on.


Interesting, but where do the theft get the passcode from?!

Shoulder surfing? People have been stealing credit card numbers, ATM pins, etc. for decades just by observing people.


Groups of two or three thieves would go to a bar and befriend victims, often asking them to open up Snapchat or some other social-media platform, said Sgt. Robert Illetschko, the lead investigator on the case. During that interaction they would try to observe the victim unlocking the iPhone with the passcode, he said. If they didn’t catch the passcode at first, they might have tried to get the victim to hand them the phone for a photo and then subtly turn it off before handing it back, he added. After an iPhone is restarted, a passcode is required to unlock it.

So, the secret is to use FaceID, instead of the passcode, and if you really need to type in the passcode in the few cases this is needed, you simply have to do so in a way, nobody could observe you.
Additional, simply do not hand your phone to someone you do not know at all.

Seems to me that this is much easier, than to keep a second phone at home…


There is no digital device that is more important than your iPhone. Yes, it is the key to your digital life. And it has to be treated as such.

While I appreciate the attention to this topic especially among those who apparently have not fully recognized the importance of protecting sensitive data, I am not 100% ok with it to be called a vulnerability or even a problem because this issue only is an issue as long as you do not only „deliver“ the iPhone to the thief, but also the passcode that is needed to unlock the iPhone. The issue here is not so much the iPhone or iOS but the broad carefreeness regarding this topic in public.

My tips:

  • Use an alphanumeric passcode (Set a passcode on iPhone - Apple Support). Do it. It is not that big of a deal in combination with Face ID and it is worth it.
  • Do not enter the passcode in public if others are watching or are able to watch.
  • A cloud is a cloud. If your data is in the cloud only, then you are not the one really owning your data. This also means that Apple Photos should not be the only place where you store your photos. Do not put all your eggs in one basket. But that is not enough: make sure that you always can have physical access to the place where one of your baskets containing your data is being stored. I really like Apple’s ecosystem. But I never will trust it being the only place where my data is being stored. Like I never would trust anyone else being the only option holding my data. Never.

(U.S.?) Banks really should up their game when it comes to security:

  • It is crazy that it is that easy to „create“ a credit card that easily.
  • My three German banks have stopped sending SMS to authorize transactions quite some time ago. The authorization is being handled through separate apps. In order get those apps started, I needed a one time QR code that was sent via snail mail to my home address. The app is being locked by a password you have to create in the setup process. The password I have chosen is unique and consists of 30 characters. So, how many times do I need to enter this password? Well, almost never because the apps accepts Face ID OR the password. And, yes those apps are not only on my iPhone but also on my iPad. If my iPhone is stolen, my second factor for my banks still is available to me.

Be it as it may, no matter what you do to protect your stuff: as soon as you provide the thieve not only with the device that is storing the data but also with the keys necessary to use it, nothing is safe. There is no real solution. The solution is to be aware what a passcode means.

The new kid on the block of course are physical security keys:

And I really am considering to activate that feature in the future, but I am not ready for it yet. And even with those keys: if a thieve „drugs“ you and steals the iPhone AND the physical security key, well, then he/she has the keys, too.

This is the real message here: you have to protect your data and keep it safe. You have to protect the keys.

P.S. I am fully aware of the fact that it is easier said than done what I have written. I am glad about Joanna Stern’s report because everybody needs to think about how to secure data. Not only Apple. Everybody.

1 Like

That is the bottom line. And now that this “issue” is getting a lot of attention are we going to see an increase in phones being grabbed and people forced to give up their passcode?

The main problem, IMO, is the passcode unlocks the Keychain.


Absolutely. If Apple enabled users to implement a real password to unlock the keychain, it definitely would increase the security.

But even if they did so, the user still has to execute his or her responsibility wisely to create a secure passcode that is unique. Repeating the passcode will not be of any help. But you definitely have a point: if there is one thing that is flawed to some degree, it is that you are able to unlock your keychain just with your pass key. If the passcode is only a four digit code, it is not much to protect data.

It is not easy for companies like Apple to do this right. If they make stuff too inconvenient, they will annoy some customers and if they don’t, stuff becomes less secure. Security starts with awareness on the user’s end.


That is not a problem at all, as it makes no difference if you hand over a thief the passcode, or a password for the keychain!

The difference is that if there was a password and the password was unique, the passcode would not be of any help to unlock the keychain. So, there is a difference. :blush:

A dedicated password for the keychain would put the keychain on par with third-party password managers.

We’ve had issues with this sort of thing with a child who has a screen time passcode. It’s apparently not possible to set a complex alphanumeric code for that, and their eyes are very sharp.


Also surprising is that you change the iCloud password without entering the OLD password. Most sites require that and that would block several parts of these exploits.

Not, if you hand over the thief the password, or passcode.

Many considerate thoughts, and mostly in the right direction. That’s why I love this community.

However, I think most comments here overstate personal responsibility on this matter while understating the companies’ responsibilities for their design and security UX choices.

True, but sometimes people are not in a position to deny such valuable information: they may be coerced (say by a robber) or even put into an altered state (say they drink alcohol or take drugs at a party or even after some medical procedure).

Sure these are extreme topics not addressable by operating systems and app design, but there’s room for improvement in the UX by the very same people who design these apps and OSes.

The fact that the passcode not only unlocks the keychain but allows the user to even change the iCloud password and also block your MacBook or iPad at home (via the Find My app) in a mere few minutes is even more troublesome. So it’s not only a matter of that data, that may be safe somewhere else in a backup, but also that the overhead of security details on the passcode makes it very easy to impersonate someone, cause serious financial damage and even brick all other devices that the victims may have linked to their account (even their family members should they have Family Sharing turned on).

Damage can spread rapidly.

So how could the companies help?

One way is to decrease the power of such piece information, making it less capable of performing huge changes or actions.

How much less capable should the passcode be? It’s a tricky thing to say and once again, @Christian gets it mostly right:

However, there are some things that are not in the power of the user, such as deciding that a passcode/phrase will not allow for iCloud password resets or that you can use Apple Cash/Venmo/WhatsApp pay, etc.

@lsamberg also gets it:

Companies should definitely work harder in designing better policies to avoid these pitfalls. Setting time and location limits to avoid the serial change of settings and passwords without further validation or even using AI (even in-device to avoid privacy concerns) say to recognize changes in patterns of phone usage, could help. I’m no security expert, but I hope they get a louder voice in coming UX meetings.

In the end, every single security measure can and will be circumvented with some time and dedication by a malicious agent. These are just deterrents, the many, the harder and longer it will take to do things. It seems to me that keeping this many points of failure in a single passcode/phrase and device will lead to an increase in data horror stories in the coming years. It is a bad security design decision.

As for @Ulli 's take on the second phone:

While I completely understand the strangeness caused by such a habit, it’s definitely something to consider if robbery or any kind of violent pressure is somewhat common in the place you’re living.

Going totally personal here, but a friend got shot a few years back because he refused to give the robber his passcode. After that, I decided to keep a second phone at home. And I’m not alone in this as many Brazilian new sites point out (for instance, this is from 2021).

As for me, I keep my old phone at home with my main bank apps on it. It never leaves home. On my everyday phone, only keep a secondary bank app there with just some money to “spare” and use in everyday expenses. This way if a Robber gets my passcode and even opens this bank account he’ll get some money from it, but will not access all of my money. It’s rather extreme, I know, but something to be considered should anyone have the same fears.

The security x ease of use is a tricky balance to strike and should not be held only to the user.


I agree that a single, simple passcode should not be able to unlock so much, but Apple is in a now win situation here: The instant that they introduce more robust security controls the public (fuelled by over dramatic youtube-“journalism”) would jump down their throats over it.

Apple does provide a very effective way to mitigate the scenario described in the JS piece. They let us (and push us to) create a long alphanumeric passcode that would be very difficult to obtain by “shoulder surfing”, and couple that with biometric identification so that we don’t have to type it in every single time. Given that option, the vast majority of people that I know still opt for a six digit numeric passcode.

That said, I’ll repeat that I think it’s an unwise security design that a single, simple passcode can unlock so much.

Yes, this may be a problem.

Here in Sweden we have something called “Bank ID”. That’s another layer of security (Face ID or 8 digit code) for all bank transfers.

As always, the more secure something is, the more annoying it is to use it.
There’s is only one way to be sure – Toss you iPhone and cut the cable to your ISP.

Talking abut security: The most idiotic flaw in the Apple Eco System is that you see what numbers and letters are shown a short moment before they are turned into a bullet. Not very good when you’re doing a presentation for example… :man_facepalming:

The report asserts otherwise and show how you can take over an AppleID account with just a stolen phone and passcode.

Yep, I just tried that and realized I was wrong. My bad.

I have 2 factor authentication, and was actually quite baffled that the system didn’t ask to verify the change on any other units…! :thinking::scream:

1 Like

Yeah, that seems weird to me too.

That will not going to work. You have to keep a balance between the normal usage, and deviations from that, and what could be detected by a potential AI if someone else is using the phone.
And what happens then?
Say your wife or your kid is using your phone for a moment, should this end up in disabling the phone?

I had a relatively new credit card some 2 decades ago when I traveled to a trip to the US.
When I arrived there, I used the card there of course, and got a phone call, at the evening from my credit card company, who where “happy” to tell me that my card was stolen, and misused, but that their system had detected that, and the card was blocked, and a new one already on its way to my bank.
The lady was a little bit upset, as I told her that the card was not stolen, that all uses of the card she told me about before where my own ones, and that I am currently in the US and get the card mainly to use it for that trip.
At the end I had a lot of trouble, because the Hotel got a fraud alert, the Rental-Car-Company, too. Some other purchases I did that day were also affected, and I even had to talk to the police, the Rental-Car-Company send to my Hotel address on their registration, because I “fraudulently” used a “stolen” credit card.
All that happened, because the CreditCard Company was using an “AI”-System that had detected my use of the credit card in Germany the day (or maybe two) before my trip, and as the next usage was in a different country, the system “detected” a “stolen” credit card.
Cost me a lot of sweat, I lost physically three days to solve that out, and the trip lost any kind of pleasure for us, because we were kind of afraid that every future use of one of our other credit cards could turn into the same disaster (for god sake, it didn’t!).

I understand, that you are concerned, but I think you are following kind of a wrong approach, at least for the most civilized countries.
There are numbers you could call, to block and disable banking accounts, credit cards and phones, if they are stolen. This is also the case for Brasil, as far as I remember.

If you keep a second phone on your house, what makes you believe that a armed robber is not showing up at your front door, and asked you for this phone, and the codes?
I am sorry for your friend, but a general rule for handling Guys with Guns, at least if you do not carry one for your own in a quick draw, you just comply with what the Guy is asking you for.
If you do so, you have a chance to survive, and call the already mentioned number thereafter.
You could not win that game…
And, if you are really that concerned, I would not use my full name, profession and location on the internet, together with providing there details about your security measures regarding your banking behavior, and the location of your “Banking-Phone”.
This is a invitation for everyone, who walks around with a gun in your area…

1 Like