Joanna Stern report on iPhone’s passcode vulnerabilities after a theft

Excellent advice. When I was the assistant manager of a large grocery store I told my employees if someone says “Give me the money”, give it to him. If that doesn’t satisfy him, give him the checks, the loose change, and offer to get him some nice steaks.

4 Likes

I am fairly confident no-one can easily “shoulder surf” my phone passphrase. Heck, about 50% of the time I don’t get it right myself. Yes it’s a pain quite often, especially with mask unlock/watch unlock being unreliable, but you’re going to have to work a lot harder to get my passphrase.

Maybe this is about protecting all those people who simply won’t use more than a 6 digit code. I bet sales wouldn’t drop much if Apple required something more complex. Sure some people will jump ship, but I suspect more jumped ship in the last few years over trivial things like no USB-C charge port.

1 Like

Don’t need to be as radical as to fully lock the phone. Just blocking critical security items such as an iCloud account password reset would go a long way.

It doesn’t have to be an all or nothing approach.

That’s definitely a hassle and helps to support the argument that it is a tricky thing to find the correct balance in the IA frontier. However, it is not a reason to discard the usage of the tool, mainly if we don’t take it as an all-or-nothing approach.

It’s just not as fast as the time it takes a malicious agent to drain an account by transferring money elsewhere. They perform this in a mere 20 minutes or so. The time it takes to call and report to the authorities and financial institutions usually takes longer than that.

Sure there are other policies and fraud protections that can be invoked, but that also takes a long while (sometimes weeks or months) to kick in and you actually get your money back.

Pretty much all of that info is already available online to all of us via a simple Google search.

TBH, I’m actually not scared of that kind of robbery. If someone is tracking me that deep, then I guess I’ll have far bigger problems than a second phone.

I’m far more scared of the occasional street robbery; for this use case, the second phone approach still remains a good option.

Anyway, I guess the point of this discussion should not be one’s choices or personal fears, but to raise awareness of the broader picture: current UX security design does not encourage good behaviors from users and makes it far too easy to cause a huge hassle in one’s life by keeping too much data and power tied to a mere passcode/passphrase.

That may not be a huge problem with desktops or even laptops, but it is definitely a huge problem for phones these days.

@carlsson got it as well:

It’s just scary as even current 2FA procedures won’t protect you.

Finally,

Words to live by.

1 Like

We all knew this point was coming. All tech starts out good until the bad actors get hold of it. I loved the internet in the 90’s, now, not so much.

For me this highlights the problem of having all your eggs in one basket. I’ve been meaning to explicate myself from Apple’s all encompassing access to everything from my email to my bank accounts. This news video is just giving me a shove in the right direction.

By the way, I changed my Apple account password (it was due for a change), which became a nightmare with my Apple Watch. I had to reset it or type in a 40-character password on the watch keyboard using numbers, upper/lower case letters and symbols.

Nice article by Adam Engst on this matter:

3 Likes

When we leave the country we call the credit card companies in advance to avoid this.

3 Likes

My son did this and they still wanted to block his card. He had got a local SIM so their warning messages didn’t get to him.
In the end they sent a letter home and we opened it, with his permission.
He then had to phone them to sort it all out!

Joanna’s back with “Chapter 2”

1 Like

A friend of mine used to work at a retail sporting goods store, and one of his supervisors asked him what he’d do if somebody pulled a gun and asked for all the money in the register/safe. He said he’d bag it up nicely, hand it to them, and ask if they needed any help carrying anything else out to their car. 🙂

3 Likes

I’m missing something. Joanna says “thieves use the passcode to generate a recovery key…” How did the thief get the passcode?

In her video, the iPhone allows you to regenerate a new key by just entering the 4-digit or 6-digit iPhone lock password.

Thieves are shoulder surfing and remembering the person’s passcode.

To be clear, thieves are regenerating a new recovery key after they already know somebody’s iPhone passcode.

Yes, I understood that.

That wasn’t mentioned but it makes sense.

In theory a thief could get the code by brute force if the 10-try-and-wipe setting isn’t set but probably only if it’s a 4-digit code; even then I wonder if they’d bother, or just ransom the phone.

When Joanna Stern first released her story I had a similar point of view (as can be read above in this thread). I am not so sure any longer.

@mjtsai just posted this (well worth reading, like always short, precise and on point):

https://mjtsai.com/blog/2023/04/20/iphone-thieves-locking-users-out-of-their-apple-accounts/

Apple could “solve” this issue by disallowing the possession of a phone and the knowledge of its passcode from being sufficient to change an AppleID password. If they were to do that, they’d have to devise another method of AppleID recovery. I wonder if any other method would result in fewer people being locked out of their iCloud accounts.

As long as these vulnerabilities exist, carrying my iPhone is no different than carrying a wallet containing all my money and a card listing all of my usernames & passwords. All of Apple’s security and privacy features are worthless if I find myself threatened with physical harm if I don’t hand over my phone and passcode.

At this point, IMO, the only solution is to delete all my banking/credit card apps and remove any passwords stored in Keychain.

2 Likes

So, the same person who is threatening you could also kidnap you, or someone from your family, to get the same result!
But for most people in the world it is, fortunately, very unlikely to actually get into a situation like that!

1 Like

I think that’s a threat situation that’s out of scope for this issue. If someone has the ability to cause you physical harm, they almost certainly have the ability to compel you to do all kinds of things that would cause (at least) the loss of your money.

Which is most likely, a couple of punks stopping you while you are walking to your car in a parking lot or someone committing a federal offense?