Nothing more than I did before. First of all, those headlines, videos, reports are clickbait. I don’t say that this isn’t true but what is the conclusion? Just don’t lose your phone and use a better passcode. I mean she admitted in the video that she just had her iPhone lying around in a public place without paying attention. Then she put in the passcode without paying attention to her surroundings. This is just… would you go to an ATM, enter the passcode while a person is looking over your shoulder and then leave your credit card / bank card lying around carelessly on a bar? I don’t think so.
If you leave the key of your house on the stairs in front of your house you can lock yourself in as much as you want, it won’t help.
The only thing I’m curious about: Aren’t bank accounts in the US protected by 2FA? In my country every banking app has a second app with 2FA and either you have to unlock it with FaceID or with a separate password. It wouldn’t be possible to unlock it with your AppleID or PIN.
Please no. I disagree with the idea of implementing stricter security measures on phones due to the carelessness of some individuals who leave their phones unattended in public. It is unlikely that such measures would improve their behavior. Additionally, it is unfair for all users to suffer the inconvenience of constant pop-ups or additional security measures because of the actions of a few careless individuals.
Do they choose to use SMS or are they forced to by their banks? If they choose to do so, it’s their fault, imho. SMS Pins got forbidden where I live. I’m glad, it is not a secure system and can easily be abused.
This is not just carelessness, but targeted attacks on individuals.
I really think you’ve missed the point of the video. It’s highlighting that a PIN to unlock your phone should not be able to change your Apple ID password.
There are also a whole swathe of people who use iPhones with PINs that are simple, not because they’re ignorant, but because they have disabilities or struggle with remembering complex passwords.
This is trying to mitigate the increasing targeted attacks on people.
Apple allowing the iPhone PIN to change the ownership of an Apple ID is ludicrous. This does need to change, not because some people might not be as cautious as others, but because this is a security design flaw.
Is this really increasing, or is it just spreading more due to social media!?
And it does not really matter if your passcode could change something or not!
Those people who are being reckless with their passcode are doing the same with their passwords, so the vulnerability would not change for those people.
But it is of course a very nice “excuse” for those who do not care for their privacy and always expect others to take care of that!
The “blame the user” vibe is strong in this thread. I’m not sure every person who has ever had their passcode observed and then phone stolen while out is stupid, reckless, or lazy.
Yes, I try to practice good security hygiene, but those who think it could never happen to you have more self-confidence than I.
To the question above - yes, in the US many financial institutions only offer SMS as a two-factor option. I use Authy and rotating codes wherever possible but…Authy is on my phone. If someone steals it and knows where to look, they have the 2F codes as well.
I just tried to log in to my bank account w/out FaceID - it defaults to asking for the bank password. That’s stored in 1Password, which is also set to FaceID. When no FaceID is present, the only option is to manually enter my 1PW master password. There is no option for just switching from FaceID over to my iPhone passcode without first entering my app-specific password.
This is all still true even when logged in to my iPhone via passcode.
My conclusion is that this isn’t an Apple problem, it’s an app developer problem. Examples:
Bank and 1PW apps are secure from this hack.
Fastmail app is not secure, by default. While 2FA is on to prevent a thief from changing my password, my device is already ‘trusted’ so they could use my email address for all sorts of password reset shenanigans. Simply put this behind a FaceID prompt and the problem goes away.
As an added layer of security, I did change my unlock passcode to alpha-numeric. Not as convenient, but since I use FaceID I won’t have to do it that often. Other than that it’s all about situational awareness.
Just want to point out that someone with your passcode can reset your FaceID and use his/her face instead of yours to unlock stuff.
Some apps, like 1Password, have implemented code that recognizes FaceID was reset and will ask you for your password before enabling you to log into it. Many more, unfortunately, don’t.
That’s yet one more thing to point out developers should be doing a better job in designing security UX, even at the OS level.
One could also hack a “second passcode” via Screen Time (or a third-party app such as AppBlock) to block some critical apps. It is only one more deterrence, though, but may be worth it to someone.
I feel the same about this and other threads on the same topic here. But I think we, as a community, do better if we try to keep a positive attitude and just ignore comments that are not helpful. Let’s just hope positive comments prevail and the community stays sane.
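
The check mentioned earlier in the thread, where an app notices that FaceID was reset and asks for its own password again, can be sketched as follows. This is an added example, not code from 1Password or from any poster; `BiometricGate` and its storage key are hypothetical names, and the baseline is kept in `UserDefaults` only to keep the sketch short.

```swift
import Foundation
import LocalAuthentication

/// Added example: falls back to the app password whenever the set of
/// enrolled faces/fingerprints differs from the one seen at last password login.
enum BiometricGate {
    // Hypothetical storage key chosen for this example.
    private static let baselineKey = "example.biometricDomainState"

    enum Decision { case biometricsAllowed, passwordRequired }

    /// Opaque fingerprint of the current biometric enrollment, or nil when
    /// biometrics are unavailable. The biometrics-only policy is used on
    /// purpose: `.deviceOwnerAuthentication` would accept the device passcode,
    /// which is exactly what a shoulder-surfing thief already has.
    static func currentDomainState() -> Data? {
        let context = LAContext()
        var error: NSError?
        guard context.canEvaluatePolicy(.deviceOwnerAuthenticationWithBiometrics,
                                        error: &error) else { return nil }
        // Changes whenever a face or finger is added, removed or re-enrolled.
        // Recent SDKs deprecate this property in favour of `domainState`.
        return context.evaluatedPolicyDomainState
    }

    /// Pure comparison so the policy can be unit-tested without hardware.
    static func decide(current: Data?, baseline: Data?) -> Decision {
        guard let current = current, let baseline = baseline else {
            return .passwordRequired   // no biometrics, or never enrolled in-app
        }
        return current == baseline ? .biometricsAllowed : .passwordRequired
    }

    /// Call at unlock time, before offering a FaceID prompt.
    static func check(defaults: UserDefaults = .standard) -> Decision {
        decide(current: currentDomainState(),
               baseline: defaults.data(forKey: baselineKey))
    }

    /// Call only after the user has entered the app-specific password.
    static func recordBaseline(defaults: UserDefaults = .standard) {
        if let state = currentDomainState() {
            defaults.set(state, forKey: baselineKey)
        } else {
            defaults.removeObject(forKey: baselineKey)
        }
    }
}
```

A production app would more likely bind its secret to a Keychain item created with the `.biometryCurrentSet` access-control flag, so the item itself becomes unreadable after re-enrollment.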