My iCloud account still has the old version of 2-Step Verification, the one with the old secret questions system. Whenever I attempt to go into any settings in my iCloud account, it asks for 2 random answers of the 3 tied to my account, in addition to entering the passcode for the account change itself. Apple needs to bring back this extra verification in some form, an extra verification that pops up when attempting to access the iCloud account settings sub-menus.
There's an easy fix. Just use Face ID in public. Why use passcode when there are prying eyes everywhere? What's the point of Face ID if you don't want to use it?
@@reardelt Some people aren't tech savvy enough to use it, others might not want to give their face to Apple. Also there are a number of things that can trigger Face ID to be disabled and the device requires the passcode to unlock, and there are some apps that can ask for a passcode entry but not Face ID. Every person's circumstance is different, and there are a number of people who might, at one point or another, need to enter their passcode in public. Those are who these attackers target. Apple needs to bring back asking for verification to access sensitive Apple ID settings from Apple devices.
The other thing that is important is to take a screen shot of the “about” page, specifically the IMEI number(s) and keep that on some one else’s phone. This is the number that the cell system uses to track where your phone. You send this number to the Police and they can see where your phone is and block it out of the cell system. This used to be a thing we all should do but it is forgotten. I am going to do what the previous commenter said too.
The IMEI number should be printed on a sticker on the box the phone shipped with. At least that’s how it used to be, I’m not sure if phones still have their EMEIs printed on the box
Also, I have complained to Apple for ages that it makes no sense for a two factor code to be sent in a message to the device you request it on. It *should* be sent to your other devices excluding the one its requested on. Implementation of this would be easy - either a special category of message or, since they read the messages (are they encrypted?) so the system can know its a 2fa code they can pre-empt and disable delivery for such a message to the requesting device.
@@rorybraxton it isnt safe because the device could be stolen and broken into. Its tough for people who have only one apple device admittedly but many people have several. And given that Apple knows what devices you have it would be easy to work around for those people that *do* have multiple apple devices. In fact it would encourage people to buy additional devices, which you might not like bu5 apple surely would. You can blame people for not being deterministic automatons of course but that wont improve anything or change anybody.
@@josephfredbill that’s an insanely dumb idea. You would never be able to do anything on the go if you don’t have your iPad or MacBook with you. 2fa is there to prevent people from remotely hacking your account. Leaking your passwords and having your phone snatched is a very very rare occurrence and not fully preventable
@@rorybraxton so those who do have them stolen are unimportant because most people who called you hadnt had them stolen ? I dont mean to be rude but what you have written does no credit to Apple for who they choose to employ. Is that your logic - that what you dont see doesnt exist ? Dont answer that - there’s no point in this interchange. You just want to be right - well logic and analysis does not support you.
@@rorybraxton so why are you arguing that being able to have 2FA codes sent not to the device on which they were requested where a user has more than one device on the grounds that “having your phone snatched is a very very rare occurrence” - your words. 1. Its not rare, 2. Its not an unimportant case. Sure users forget passwords, so what - that doesnt make 1 and 2 in my statement here false. Ok I just noticed there are two people here - I quoted you here from @astra1360’s response.
@@rorybraxton my apologies for reading @astra1360’s response as if it were yours. I agree its a tough problem. I still think that Apple could have a user-election (ie preference) to not have 2FA codes sent to the device on which it is requested where a user wants that. To @astra1360 - your response I percieve as both rude AND ignorant. If you want to choose to take that risk then do so but there is no need to impose it on everyone.
This is why Apple has brought in security keys for changing the Apple ID - to give a secure alternative for iPhone apps. But until it’s better supported by banks, it is rather expensive just for the Apple ID. Also it’s designed for adding to your keyring. Why would you need or encourage someone to carry it on their person when it is best kept safe away from the iPhone?
Apple should bring back Touch ID as a secondary unlock system which can be on the side button, similar to the 10th gen iPad top button. Maybe starting with iPhone 15. Passcode should be used only as a last resort and that too when you are not in a crowd.
Yeah I've thought this for a while now. I know that the technology isn't there yet for under-display Face or Touch ID, but why not built into the power button?
@@levintage I don't think it is an insurmountable problem. Apple - the master of design - would have to do some testing and then provide the specs to the case manufacturers. And perhaps have the side button project 1 mm or so further out.
Fully support your suggestions. My rule of thumb is not to use passcode ever when in a public place. Even udring Covid I would rather wait for login until out of a group of strangers then while in it. What I do not understand is: to access passwords on Safari on the computer you need the admin password but you do not on the phone. Why not use the admin password also on the phone
great video tom! thank you for making such great content for us. I wanted to share an idea though... we do need an app lock feature on iPhones and there should be a feature that asks for a passcode whenever you try to turn off your iPhone. That way, if your phone is stolen and if you have an E-SIM, it would be nearly impossible for the thief to turn off your iPhone. And because of this you can easily trace the location of your iPhone. :).
Hard reset on devices is extremely important since occasionally these devices lock up or freeze. Without the ability to hard reset the device it's essentially bricked. Also any smart thief would drop the phone in a faraday bag making it invisible until the battery runs out or simply take out the battery.
Thanks for highlighting this. Lost a phone on a train some years back and, as far as I'm aware, it wasn't actually compromised as I've always used a 10 character alphanumeric code. By the time I'd got home to check, whoever had picked it up had already switched it off as Find My couldn't locate it (and never did subsequently). Battery was fully charged when I left home so switching it off it was a deliberate attempt to avoid detection.
Fair, but this may offer a false sense of security. If I’m not mistaken, the WSJ piece mentioned that the thieves may have recorded the victim entering their passcode. So length and complexity will be of little deterrence/consequence. Just a heads up!
@@super-ibby But lets be honest, if you are so consumed in your phone that you don't notice people around you recording you then at that point I mean, oh well. I mean yeah it's bad but you have to have some sort of awareness around you. Also this whole issue can be solved by just using Face or Touch ID while in public. Why are people so against biometric forms of identification
I have a security background and as recently migrating from Android phone to iPhone. I noticed this vulnerability right away. Fortunately, I have always relied on third-party software for backup storage and password management, so will continue this approach. Made me acutely aware that now I have a target on my back as an iPhone user. Best thing to do is be very discrete about where and when you use this device - and change login method based on your vulnerability. Before going to a bar or on vacation, change to fingerprint or face recognition - you can always change it back later.
Glad you made this Apple security warning. I am shocked that Apple is not doing anything to change it. Why not use a two device identification to prevent ID theft. The 2nd device would have the deciding authentication confirmation factor. Or call Apple to give verbal answers to preset authentication questions.
@@dornus336 There’s a very simple way to implement a solution: don’t allow to change the iCloud password unless you have a secondary device or answer a security question. That’s how it should be from the beginning. Yes, a thief can still rob your iphone and if they get to see your PIN code, they could get to the main screen, but they wouldn’t be able to lock you from your account or your photos and would not be able to unlock yourself from your own device. A friend of mine suffered this same kind of attack while on holidays and lost everything. All his photos and digital life connected to it, and Apple said to him they could do nothing to help him. That would really piss me off as I have more than 600GB of photos and videos and many personal documents there too, plus a lot of purchased apps. Security experts say that your security is only as safe as your weakest point. A simple 6 numbers code is a really weak point for your whole iCloud account.
Apple has added the option to add physical keys that are required to change your Apple ID password. This is the highest security you can add. It’s not promoted though but I’ve added 2 security keys to my phone.
11:38 You have better options for storing data. Apps like Scanner Pro (I just happen to use this one myself) allow for additional passcodes, so your scans are safe. Also, Disk Decipher is a great option to have encrypted storage on your phone - or your NAS - that also works on your computer! Makes sharing sensitive data easy and safe!
Biggest thing, and not that hard of a change, the access code to your Apple Device should be for access only. Not for changing passwords or settings. And Settings > Password should be behind a code/password/biometric that is NOT the access code. BTW - a lot of this also affects Android. You’re not safe there either.
Thank you for this informative video. I don’t imagine such a situation happening to me but I can never truly predict the future. I do alway use face id because of how convenient it is but it harms no one to take extra precautions to prevent the worst from happening.
Another way to prevent this from happening or at least a method to slow them down is as follows. Open Settings - Screen Time - Content & Privacy Restrictions - scroll down to Allow Changes - select don’t allow changes to passwords & account changes. Remember these guys probably know what they are doing but this should buy you enough time to be able to lock your phone and report it as stolen from the find my app. Hopefully this doesn’t happen to anyone here but it’s never to late to take these precautions.
Great channel you have here Tom, and this video is very informative. A chain is only as strong as its weakest link, and Apple have one here, but surely to limit the damage that can be caused is to request your current Apple ID password if you want to change your Apple ID rather than the pin number you use to unlock your phone. That way at least you will not loose control of your Apple ID and you will still be able to remotely wipe the phone. Nobody enters thier Apple ID password in public, so that would render having your pin number useless as the legitimate owner will still be able to wipe their phone. Simple fix for Apple I would have thought unless I am missing something. Clive
@@wisdomyaw03 Well keep it safe somewhere else and you can always retrieve if you forgot. I would rather that than have all my personal info and bank accounts compromised
@@clivewuest8529 Well, while it's a great point, the thief in this case would still be able to access your icloud because they could login from the web, obtain SMS verification code sent to the same phone and change the password.
@@wisdomyaw03 mmm. Good point. Oh well prevention better than cure. Never enter your password in public at any time then and make is 6 digits or alpha numeric
@@clivewuest8529 That's 💯 exactly the point. The problem starts from your primary phone unlock password/passcode. The moment it leaves you, all your digital life is exposed. While we hope that in the future more advanced methods of preventing such occurrences are made, it's our duty to safeguard out own passwords.
Many thanks for yet another calmly and concisely articulated informative video. How do you feel about using Screen Time -content and privacy restrictions - to allow/don't allow passcode changes and account changes as a security measure to be followed by iPhone owners until Apple figures out a way to sort out this issue?
I love Face ID, but my only complaint is that we cannot set the number of face ID failures before having to enter the passcode. it’s very easy to have a friend look at your screen and trigger one or two failures of face ID simply by accident. It seems it should be easy for Apple to have a setting where we can determine the number of face ID failures up to maybe four. That way it would be highly unlikely. We would need to enter the passcode in almost any situation.
@@alexthemtaandr211weatherfa2 it is turned on. But if you get two failures, then you have to put your code in. It would be nice if Apple would allow us to determine the number of face ID failures.
@@cnyphotovideo apple allows four consecutive cloud password failures because your device won't let you use it, if you think you're trying enter the correct password and and its not accepting it.clear website data from all websites, then clear your device catch and possibly reset the default keyboard and don't use a second party one, use a external or hardware keyboard and see if the password is accepted, if not go to apple id website and go to account recovery and verify your recovery contacts and emails, enter the passcode for all device on your account and enter the correct apple password on all devices and use the tfa codes from your recovery email or phone number.
*Excellent presentation!* 🎥👍 _Hi Tom, I'm interested in what you think of these ideas..._ 1. Why don't Apple simply have a setting option where the phone needs double verification! (Face ID and Pin Code). It may be a slight inconvenience, but ladies whom get targeted most if they go to night clubs, can simply enable the feature before they go out. 2. The other idea is if they own an Apple Watch, that the watch has a feature that if the phone is a distance more than say 20 feet away; that the phone will instantly "Lock Screen". (no matter what mode it's in). What do you think? 😊
I set my iCloud sign in on a YubiKey. I also go into Screen Time and set not allow to account changes and a few other things and set up a different pin for screen time. That locks out my profile on device unless they know that pin.
Thank you for this very useful information. It confirms some things that I already suspected ( I have /do no banking info on phone or in the cloud) & made solid suggestions about safety.
That's my approach as well. My phone is a Samsung, which I use ONLY for phoning and texting. My iPad is used only for emails and net surfing ...and my email programme is accessed via my browser, and I have to sign in and out of it every time. I don't carry ANY important data on either device. I do online banking, but ONLY from my desktop Mac at home. I don't use iCloud for anything at all. I try to keep my devices as separate from each other as possible. Apple doesn't like this, of course, and is constantly 'reminding' me to sign into the Cloud, to enable 2-factor authentication, etc. I've resisted thus far. I think we've fallen too easily into the 'convenience' thing. I prefer not to keep all my eggs in one basket.
Some fixes: to change iCloud password and pincode apple must mask for the password instead of only the pincode. Or have an alternative more secure secondary pin thats only required when one wants to change critical details like pin and iCloud password.
Hope below steps will be useful to prevent the iPhone password change or iCloud password change even if someone knows your iPhone pin: Part A: Update you iPhone to latest iOS: Part B: Set screen time password: 1. Go to Settings > Screen Time. 2. Set screen time password. Part C: Lock password and account change: 1. Launch the Settings app. 2. Tap Screen Time → Content and Privacy Restrictions. 3. Toggle on Content & Privacy Restrictions. 4. Now, scroll down to the ALLOW CHANGES menu and choose Passcode Changes. 5. Select the Don’t Allow option. 6. Similarly, tap the Back button to go to the previous interface. Then repeat the same exercise for Account Changes.
It would be helpful to have passcode numbers actively change their positions to make it more difficult to ID the numbers. I saw this years ago at a parking lot entrance.
I didn’t know an alpha numeric option is available! Thank you! Also, memorize a couple passwords. You memorize your home address and phone number. Memorize a couple key passwords. If it’s not in your key chain then they have zero access.
yep; totally agree! I have very early on chosen an alphanumeric code with more than 12 digits & ciphers with special characters! It is sometimes a ‘bummer’ when my biometric doesn’t work, but I feel it’s worth it! I also use a password manager rather than putting all my ‘eggs’ in keychain, but nevertheless use it now and again! I also use Proton mail and Signal on my phone! I try to maintain a step before to ensure to make as difficult as possible to not get ‘Virtually’ mugged! But I am well aware these are just improved steps to keep up to speed! Thanks for your Videos, I have picked up many tips from your channel! 👍😎
Thank you very much. You’re really something. Your videos make difference. This is so very important and a lot of people need to listen/hear what you say. Please continue your good work. ❤️
Some phones allow set up lock SIM card if you completely power phone off, even if you entered passcode. - I dont know if there‘s a workaround. - I think you are out of luck if forget the unlock code. Inconvenient in emergency but at least some phones allow emergency calling by use of power or other buttons. - All possibilities depend on your phone, type of SIM or e-SIM, and operating system of device.
The incident you spoke of were the girl had her phone snatched was down to her not being careful enough when inputting her passcode, it’s not difficult to do so without letting others see you inputting.
This comment is going to be quite long, so bear with me if interested. I don’t know why wouldn’t Apple send confirmation for changing Apple ID password on the other connected device. Sure, some only have one device. Then let people create “trusted” back up Apple devices with other Apple IDs while creating your Apple account. For example a friend’s or a family member’s phone or mac. Otherwise user may be presented a special code which they need to print in physical form and keep save. Options are limitless. Again, quite surprised that such privacy-caring company has made such an obvious and severe weakness.
I have thought of this for a while. I have the same concern with my MacBook. I think the solution would be very simple if Apple were willing to do it. Have one code to unlock your phone and a second code to do everything else within your phone.
It sounds simple and would likely resolve a lot of issues, but most Apple customers are too stupid and lazy for even one passcode/password. I work with them every day and I promise you that most customers wouldn’t bother to create another passcode or be able to remember it, and even if they do set it up they will eventually forget it anyway. Then they call us and complain about how Apple locked them out of their account or device, and threaten to sue. No matter how secure a device is, you can’t fix the largest flaw: the user.
I made video on this too! Love your channel. The Wall Street Journal also has a great video on how they use the recovery key to permanently lock your recovery key. This happened to over 40 of my friends at our local bar, we identified the thieves but they never got arrested and made hundreds of thousands of dollars. This is very common and serious.
How about a video of why Apple will not help the victims. This happened to me. Thieves somehow got the pass code and after they got what they wanted (in about 60 seconds) reported it as lost. Despite, repeated open cases with apple and reps sounding very sympatric, willing to provide anything they want, and screen shots of my information etc etc. They keep denying my request to unlock the phone. Last attempt, supervisor said she was putting it in as high priority. I never even got a rejection email on the last attempt. No Apple ID, no way to change password as trusted device number is changed to thief's number. Ohh and get this, even though i can show them a screen shot of my Apple ID, they say it never existed, cant find any record of it.
I was just hacked about an hour ago and again 6 X prior. Nothing to do with my I phone however theft via phone,computer and more are only getting worse seemingly by the day Be safe ☮️
When I am in a public place near to other people I never unlock my phone. Also, I very rarely take my phone out of its locking holster when near to other people. There are people who who devised ways to fool the face and finger print ID. For any phone, if someone gets hold of your phone and they know the password this is a huge issue. Because they have your phone they can use the two step authentication with the phone number.
Also using a security screen protector helps also as you can’t see from even a short distance . I have one and love it. Someone next to you can’t see your screen.
Thank you for this video. I do use Face ID but for other things I may key in an alphanumeric code. I will now make sure I shield these “events” from prying eyes.
3:43 this is a little tip. you can use screen time to completely hide the FaceID page using a screen time passcode (which can be different from your main passcode) and go into content restrictions, scroll down, and change passcode changes. to disallow. plus, you can lock out the Apple ID settings by disabling account changes from this same page
It’s also possible to enable screentime with a passcode and then under ‘restrictions’ to not allow passcode changes and / or account changes. That way you will have an extra layer of security in the form of a passcode that is different from the iPhone’s passcode.
What I don’t like is that once you have the passcode you can easily access the “keychain” where all your bank & social Media log in info is located. I think Apple should move that feature or tab somewhere else behind the actual Apple ID password not in plain sight.
Very good video - thanks. Possible solution for Apple (which you may have better access to than most subscribers to your channel) - change the position of each character on the numeric keyboard for the passcode each time it is accessed. I have seen this done on a POS device which needed a PIN code. Would stop most people from copying the passcode as it is often the pattern of what is pressed rather than the number itself that is memorised. An easy software fix which would stop a percentage of these cases from arising (wouldn’t stop the person who can remember a six digit passcode by numbers though 😕)
You forgot to mention that you can protect your password by turning on two factor verification. Then when Apple ID is changed a code is sent to another Apple device i.e iPad and Mac which then has to be entered into the iPhone to authorise the charge.
That isn't accurate I'm afraid, which is why I didn't say this in the video. Two factor authentication does exist on the iPhone, and you should indeed be using it, but this particular hack (inputting the passcode in the Apple ID section of Settings) allows you to bypass 2FA altogether. 2FA is for signing in on other devices, but not for changing the iCloud password in this way, hence why this particular topic is such an issue.
Great video. I use FaceID or the fingerprint scanner on my iPad mini for this exact reason. Apple does need to give users the option to have additional layers of security enabled before an Apple ID password can be changed. Just a device password is not enough enough. This story is a perfect example of what can happen if that password is able to be changed too easily. If you don’t know the old password, the only way it should be able to be reset is with a link sent to the iCloud email or at an Apple Store with government ID. It is smart to have a strong password and if you ever have to enter it in public, never enter it in a crowd and be hyper aware of who is around you.
I use Face ID exclusively but there are very few instances that Face ID fails for whatever reason and the phone prompts for the passcode. While I'm cautious about letting anyone see me enter it but dang I never realized how much damage someone could do knowing it. This is most certainly eye opening. Wow!
You can use screen time passcode to lock access to icloud settings and passcode settings, as well as a lot of other useful stuff. definitely recommend setting up screen time.
Disabling passcode outright would be the best option as even in the rare case FaceID fails to work, connecting to a computer with ITunes where the iPhone has been backed up before will allow for full restore up to the backup date? I think on balance, the benefits of enhanced security & the avoidance of the pain of having to enter excessively long passcodes having to very rare instance of having to restore the iPhone to the latest backup date
I did NOT have my iPhone stolen but I did have my iCloud account taken over by someone. It was a big mess. The tips in this video are spot on, especially toward the end. It's a bitter pill to swallow and it just stinks.
That’s absolutely helpful info however I feel like it’s also teaching bad people how to do it. So scary how vulnerable we are. Thank you, but you are correct, this help us create a more secure password.
Based of this video, I think for security purposes they should require you to input ur Apple ID password instead of passcode. or they should deem things such as disabling Face ID suspicious and when they change Apple ID password, they should require you to input their Apple ID password. In my opinion I think this would be the best option.
I am new to the iPhone was just wondering if it was possible to make it so that you only need a pass code to wake up the phone but a biometric access settings?
Thank you very much for your videos, especially this one. I thought I was more secure than I am with my poor passcode. Regarding secure files, I keep an encrypted disk image for my financial files. But I realize I want more of my files to be protected now. If I move files from my iCloud documents into a disk image file, then delete them from the unencrypted documents folder, what happens to the backups? Would someone be able to get my deleted sensitive files from backups in iCloud? I encrypt my Time Machine backups, and use an encrypted external drive when I can. What about my own backups in Time Machine? How long will my deleted files be recoverable there? Can I delete a file explicitly from my backups? Thanks again.
A security alternative would be if you can change passcode just after 1 hour or a confirmation of a second device or a 3rd what ever level of security you want.
My passcode for years now has been a whole sentence and my friends always thought I was just being over protective, now there is this threat and they see more of a reason to have a longer password.
Mine is my favorite singer, my friends all know my favorite singer because I talk about her all the time. If I wrong one of them and they get my phone it’s all over, I can’t burn any bridges.
One thing I don't understand is why apple don't create an option "instant lock my phone" based on a special code recovery with the Apple Watch and the Bluetooth ?
In addition to my question 2 down… would it be better to disable Passcode entirely? I used to have the option to ask for Passcode 10 minutes later, etc… now I only get the option for Passcode to be required ‘Immediately’ (which I really don’t like.
📧 Want a FREE weekly dose of Tech News, Hints and Tips? Sign up for my newsletter!
eepurl.com/h7MWfv
My iCloud account still has the old version of 2-Step Verification, the one with the old secret questions system. Whenever I attempt to go into any settings in my iCloud account, it asks for 2 random answers of the 3 tied to my account, in addition to entering the passcode for the account change itself.
Apple needs to bring back this extra verification in some form, an extra verification that pops up when attempting to access the iCloud account settings sub-menus.
There's an easy fix. Just use Face ID in public. Why use passcode when there are prying eyes everywhere? What's the point of Face ID if you don't want to use it?
@@reardelt Some people aren't tech savvy enough to use it, others might not want to give their face to Apple. Also there are a number of things that can trigger Face ID to be disabled and the device requires the passcode to unlock, and there are some apps that can ask for a passcode entry but not Face ID. Every person's circumstance is different, and there are a number of people who might, at one point or another, need to enter their passcode in public. Those are who these attackers target.
Apple needs to bring back asking for verification to access sensitive Apple ID settings from Apple devices.
@@Damariobros well. Face Id cannot be disabled unless you specifically disable it. There are no apps that reject using Face iD
Nine minutes into the video he says to go to settings, Face ID and passcode, change e passcode. My iPhone doesn’t have that. Why?
The other thing that is important is to take a screen shot of the “about” page, specifically the IMEI number(s) and keep that on some one else’s phone. This is the number that the cell system uses to track where your phone. You send this number to the Police and they can see where your phone is and block it out of the cell system.
This used to be a thing we all should do but it is forgotten.
I am going to do what the previous commenter said too.
The IMEI number should be printed on a sticker on the box the phone shipped with. At least that’s how it used to be, I’m not sure if phones still have their EMEIs printed on the box
@@jbcentral1545 Not everyone holds on to the original box too, unfortunately.
Also, I have complained to Apple for ages that it makes no sense for a two factor code to be sent in a message to the device you request it on. It *should* be sent to your other devices excluding the one its requested on. Implementation of this would be easy - either a special category of message or, since they read the messages (are they encrypted?) so the system can know its a 2fa code they can pre-empt and disable delivery for such a message to the requesting device.
@@rorybraxton it isnt safe because the device could be stolen and broken into. Its tough for people who have only one apple device admittedly but many people have several. And given that Apple knows what devices you have it would be easy to work around for those people that *do* have multiple apple devices. In fact it would encourage people to buy additional devices, which you might not like bu5 apple surely would. You can blame people for not being deterministic automatons of course but that wont improve anything or change anybody.
@@josephfredbill that’s an insanely dumb idea. You would never be able to do anything on the go if you don’t have your iPad or MacBook with you. 2fa is there to prevent people from remotely hacking your account. Leaking your passwords and having your phone snatched is a very very rare occurrence and not fully preventable
@@rorybraxton so those who do have them stolen are unimportant because most people who called you hadnt had them stolen ? I dont mean to be rude but what you have written does no credit to Apple for who they choose to employ. Is that your logic - that what you dont see doesnt exist ? Dont answer that - there’s no point in this interchange. You just want to be right - well logic and analysis does not support you.
@@rorybraxton so why are you arguing that being able to have 2FA codes sent not to the device on which they were requested where a user has more than one device on the grounds that “having your phone snatched is a very very rare occurrence” - your words. 1. Its not rare, 2. Its not an unimportant case. Sure users forget passwords, so what - that doesnt make 1 and 2 in my statement here false. Ok I just noticed there are two people here - I quoted you here from @astra1360’s response.
@@rorybraxton my apologies for reading @astra1360’s response as if it were yours. I agree its a tough problem. I still think that Apple could have a user-election (ie preference) to not have 2FA codes sent to the device on which it is requested where a user wants that. To @astra1360 - your response I percieve as both rude AND ignorant. If you want to choose to take that risk then do so but there is no need to impose it on everyone.
The problem is not the passcode, but that you can reset your apple-ID with it rather than to type in your apple-ID password.
That's because in the event that you forget you AppleID password you can still be able to access it
@@wisdomyaw03 in case you forgot, Apple should send you a link to change your password to your email. Like the rest of the sane world is doing.
@@wisdomyaw03 so instead of an SMS, it should be an email.
@@asadullahilyas There is the option for email as well but it's still coming to the same phone, right? So the point still stands
This is why Apple has brought in security keys for changing the Apple ID - to give a secure alternative for iPhone apps. But until it’s better supported by banks, it is rather expensive just for the Apple ID. Also it’s designed for adding to your keyring.
Why would you need or encourage someone to carry it on their person when it is best kept safe away from the iPhone?
Apple should bring back Touch ID as a secondary unlock system which can be on the side button, similar to the 10th gen iPad top button. Maybe starting with iPhone 15. Passcode should be used only as a last resort and that too when you are not in a crowd.
Yeah I've thought this for a while now. I know that the technology isn't there yet for under-display Face or Touch ID, but why not built into the power button?
It wouldn't work with a case though
Good point, although depends on the case (I have a Pitaka case that leaves the side buttons exposed).
@@levintage I don't think it is an insurmountable problem. Apple - the master of design - would have to do some testing and then provide the specs to the case manufacturers. And perhaps have the side button project 1 mm or so further out.
Adding TouchID to the iPhone doesn't prevent this situation by any means
Fully support your suggestions. My rule of thumb is not to use passcode ever when in a public place. Even udring Covid I would rather wait for login until out of a group of strangers then while in it.
What I do not understand is: to access passwords on Safari on the computer you need the admin password but you do not on the phone. Why not use the admin password also on the phone
Scary indeed! Thank you so much for this video and your suggestions. Especially not being aware of the problem is the biggest danger.
great video tom! thank you for making such great content for us. I wanted to share an idea though... we do need an app lock feature on iPhones and there should be a feature that asks for a passcode whenever you try to turn off your iPhone. That way, if your phone is stolen and if you have an E-SIM, it would be nearly impossible for the thief to turn off your iPhone. And because of this you can easily trace the location of your iPhone. :).
Hard reset on devices is extremely important since occasionally these devices lock up or freeze. Without the ability to hard reset the device it's essentially bricked. Also any smart thief would drop the phone in a faraday bag making it invisible until the battery runs out or simply take out the battery.
Thanks for highlighting this. Lost a phone on a train some years back and, as far as I'm aware, it wasn't actually compromised as I've always used a 10 character alphanumeric code. By the time I'd got home to check, whoever had picked it up had already switched it off as Find My couldn't locate it (and never did subsequently). Battery was fully charged when I left home so switching it off it was a deliberate attempt to avoid detection.
Fair, but this may offer a false sense of security. If I’m not mistaken, the WSJ piece mentioned that the thieves may have recorded the victim entering their passcode. So length and complexity will be of little deterrence/consequence. Just a heads up!
@@super-ibby I believe he said they record the PIN, and that complexity IS a deterrent because it's much harder to get a 10+ alphanumeric code right
@@super-ibby But lets be honest, if you are so consumed in your phone that you don't notice people around you recording you then at that point I mean, oh well. I mean yeah it's bad but you have to have some sort of awareness around you. Also this whole issue can be solved by just using Face or Touch ID while in public. Why are people so against biometric forms of identification
@@mathmanchris666 because of the “Illuminati” lol
They also could’ve put your phone in a faraday cage or aluminum foil to block its Find My signal while still trying to hack into your phone
Just a simple security question to a well chosen answer would do the trick
I have a security background and as recently migrating from Android phone to iPhone. I noticed this vulnerability right away. Fortunately, I have always relied on third-party software for backup storage and password management, so will continue this approach. Made me acutely aware that now I have a target on my back as an iPhone user. Best thing to do is be very discrete about where and when you use this device - and change login method based on your vulnerability. Before going to a bar or on vacation, change to fingerprint or face recognition - you can always change it back later.
Wait could you explain it ?
Glad you made this Apple security warning. I am shocked that Apple is not doing anything to change it.
Why not use a two device identification to prevent ID theft. The 2nd device would have the deciding authentication confirmation factor. Or call Apple to give verbal answers to preset authentication questions.
and how exactly should this work when you only have a single iphone?
@@dornus336 There’s a very simple way to implement a solution: don’t allow to change the iCloud password unless you have a secondary device or answer a security question. That’s how it should be from the beginning. Yes, a thief can still rob your iphone and if they get to see your PIN code, they could get to the main screen, but they wouldn’t be able to lock you from your account or your photos and would not be able to unlock yourself from your own device. A friend of mine suffered this same kind of attack while on holidays and lost everything. All his photos and digital life connected to it, and Apple said to him they could do nothing to help him. That would really piss me off as I have more than 600GB of photos and videos and many personal documents there too, plus a lot of purchased apps. Security experts say that your security is only as safe as your weakest point. A simple 6 numbers code is a really weak point for your whole iCloud account.
So if I only use my iPad at home how do I set it up as the device to have the deciding authentication?
Or just make you input your AppleID password to change your password and to add new biometrics.
Apple has added the option to add physical keys that are required to change your Apple ID password. This is the highest security you can add. It’s not promoted though but I’ve added 2 security keys to my phone.
11:38 You have better options for storing data. Apps like Scanner Pro (I just happen to use this one myself) allow for additional passcodes, so your scans are safe. Also, Disk Decipher is a great option to have encrypted storage on your phone - or your NAS - that also works on your computer! Makes sharing sensitive data easy and safe!
Great video Tom! IMO, In order to change your iPhone passcode, Apple should require you to enter your Apple ID password.
You can choose that in settings!
@@SisterFromAnotherPlanet Where?
Wouldn't make a difference if your AppleID password is in your keychain, which it is for most people.
@@jamesosullivan7969 Mine only fills in with Face ID.
Odd for them to not require the existing password in full to change it.
Biggest thing, and not that hard of a change, the access code to your Apple Device should be for access only. Not for changing passwords or settings. And Settings > Password should be behind a code/password/biometric that is NOT the access code. BTW - a lot of this also affects Android. You’re not safe there either.
For Android it depends on the OEM. Samsung have countermeasures for a lot of these.
Thanks for making valuable educational content! Really appreciate you, man.
Thank you for this informative video. I don’t imagine such a situation happening to me but I can never truly predict the future. I do alway use face id because of how convenient it is but it harms no one to take extra precautions to prevent the worst from happening.
Another way to prevent this from happening or at least a method to slow them down is as follows.
Open Settings - Screen Time - Content & Privacy Restrictions - scroll down to Allow Changes - select don’t allow changes to passwords & account changes.
Remember these guys probably know what they are doing but this should buy you enough time to be able to lock your phone and report it as stolen from the find my app.
Hopefully this doesn’t happen to anyone here but it’s never to late to take these precautions.
Really good. A real eye opener and will be taking action this weekend.
Great channel you have here Tom, and this video is very informative. A chain is only as strong as its weakest link, and Apple have one here, but surely to limit the damage that can be caused is to request your current Apple ID password if you want to change your Apple ID rather than the pin number you use to unlock your phone. That way at least you will not loose control of your Apple ID and you will still be able to remotely wipe the phone. Nobody enters thier Apple ID password in public, so that would render having your pin number useless as the legitimate owner will still be able to wipe their phone. Simple fix for Apple I would have thought unless I am missing something. Clive
What if you've forgotten your AppleID password?
@@wisdomyaw03 Well keep it safe somewhere else and you can always retrieve if you forgot. I would rather that than have all my personal info and bank accounts compromised
@@clivewuest8529 Well, while it's a great point, the thief in this case would still be able to access your icloud because they could login from the web, obtain SMS verification code sent to the same phone and change the password.
@@wisdomyaw03 mmm. Good point. Oh well prevention better than cure. Never enter your password in public at any time then and make is 6 digits or alpha numeric
@@clivewuest8529 That's 💯 exactly the point. The problem starts from your primary phone unlock password/passcode. The moment it leaves you, all your digital life is exposed. While we hope that in the future more advanced methods of preventing such occurrences are made, it's our duty to safeguard out own passwords.
Many thanks for yet another calmly and concisely articulated informative video. How do you feel about using Screen Time -content and privacy restrictions - to allow/don't allow passcode changes and account changes as a security measure to be followed by iPhone owners until Apple figures out a way to sort out this issue?
Screen time passcode reset resets also Apple ID password so.... quite useless
I love Face ID, but my only complaint is that we cannot set the number of face ID failures before having to enter the passcode. it’s very easy to have a friend look at your screen and trigger one or two failures of face ID simply by accident. It seems it should be easy for Apple to have a setting where we can determine the number of face ID failures up to maybe four. That way it would be highly unlikely. We would need to enter the passcode in almost any situation.
Turn on the required attention feature and random faces won't trigger it
@@alexthemtaandr211weatherfa2 it is turned on. But if you get two failures, then you have to put your code in. It would be nice if Apple would allow us to determine the number of face ID failures.
Seems like an easy solution, don’t allow anyone else to be using your phone.
@@cnyphotovideo apple allows four consecutive cloud password failures because your device won't let you use it, if you think you're trying enter the correct password and and its not accepting it.clear website data from all websites, then clear your device catch and possibly reset the default keyboard and don't use a second party one, use a external or hardware keyboard and see if the password is accepted, if not go to apple id website and go to account recovery and verify your recovery contacts and emails, enter the passcode for all device on your account and enter the correct apple password on all devices and use the tfa codes from your recovery email or phone number.
you can quite simply click the lock button and then swipe up again...
It’s nice to see a video of what was in the proper weekly
It's not something I'm going to make a habit of, but I came away from writing last week's newsletter thinking 'this really needs a video'...
@@ProperHonestTech Well your videos are fine either way and it’s always so exciting when your newsletter comes out on fridays
I found this video extremely helpful and i will be using the Face ID from now on going forward. Thank you
*Excellent presentation!* 🎥👍
_Hi Tom, I'm interested in what you think of these ideas..._
1.
Why don't Apple simply have a setting option where the phone needs double verification! (Face ID and Pin Code). It may be a slight inconvenience, but ladies whom get targeted most if they go to night clubs, can simply enable the feature before they go out.
2.
The other idea is if they own an Apple Watch, that the watch has a feature that if the phone is a distance more than say 20 feet away; that the phone will instantly "Lock Screen". (no matter what mode it's in). What do you think? 😊
Absolutely excellent video!! Extremely useful essential tips. Thank you.
I set my iCloud sign in on a YubiKey. I also go into Screen Time and set not allow to account changes and a few other things and set up a different pin for screen time. That locks out my profile on device unless they know that pin.
Thank you for this very useful information. It confirms some things that I already suspected ( I have /do no banking info on phone or in the cloud) & made solid suggestions about safety.
That's my approach as well. My phone is a Samsung, which I use ONLY for phoning and texting. My iPad is used only for emails and net surfing ...and my email programme is accessed via my browser, and I have to sign in and out of it every time. I don't carry ANY important data on either device. I do online banking, but ONLY from my desktop Mac at home. I don't use iCloud for anything at all. I try to keep my devices as separate from each other as possible. Apple doesn't like this, of course, and is constantly 'reminding' me to sign into the Cloud, to enable 2-factor authentication, etc. I've resisted thus far.
I think we've fallen too easily into the 'convenience' thing. I prefer not to keep all my eggs in one basket.
Great video, very well put together and explained, thanks!
thanks for the sharing. just realize this weak point at my device
7:18- you hit the nail on the head there. So true
Thanks for the amazing content. Finding it very helpful!!
Enjoyed your video, your thoughts on security keys?
So use the faceID an passcode would be the best correct!??
Some fixes: to change iCloud password and pincode apple must mask for the password instead of only the pincode.
Or have an alternative more secure secondary pin thats only required when one wants to change critical details like pin and iCloud password.
Hope below steps will be useful to prevent the iPhone password change or iCloud password change even if someone knows your iPhone pin:
Part A: Update you iPhone to latest iOS:
Part B: Set screen time password:
1. Go to Settings > Screen Time.
2. Set screen time password.
Part C: Lock password and account change:
1. Launch the Settings app.
2. Tap Screen Time → Content and Privacy Restrictions.
3. Toggle on Content & Privacy Restrictions.
4. Now, scroll down to the ALLOW CHANGES menu and choose Passcode Changes.
5. Select the Don’t Allow option.
6. Similarly, tap the Back button to go to the previous interface. Then repeat the same exercise for Account Changes.
It would be helpful to have passcode numbers actively change their positions to make it more difficult to ID the numbers. I saw this years ago at a parking lot entrance.
I didn’t know an alpha numeric option is available! Thank you! Also, memorize a couple passwords. You memorize your home address and phone number. Memorize a couple key passwords. If it’s not in your key chain then they have zero access.
yep; totally agree! I have very early on chosen an alphanumeric code with more than 12 digits & ciphers with special characters! It is sometimes a ‘bummer’ when my biometric doesn’t work, but I feel it’s worth it! I also use a password manager rather than putting all my ‘eggs’ in keychain, but nevertheless use it now and again! I also use Proton mail and Signal on my phone! I try to maintain a step before to ensure to make as difficult as possible to not get ‘Virtually’ mugged! But I am well aware these are just improved steps to keep up to speed! Thanks for your Videos, I have picked up many tips from your channel! 👍😎
Thank you very much. You’re really something. Your videos make difference. This is so very important and a lot of people need to listen/hear what you say. Please continue your good work. ❤️
I use Screentime restiction. Works like a charm
Some phones allow set up lock SIM card if you completely power phone off, even if you entered passcode. - I dont know if there‘s a workaround. - I think you are out of luck if forget the unlock code. Inconvenient in emergency but at least some phones allow emergency calling by use of power or other buttons. - All possibilities depend on your phone, type of SIM or e-SIM, and operating system of device.
When your iPhone is open, how do you safeguard your "open iCloud" from hackers?
The incident you spoke of were the girl had her phone snatched was down to her not being careful enough when inputting her passcode, it’s not difficult to do so without letting others see you inputting.
Sound advice! Thank you!
My wife is going through this now. It's horrible
This comment is going to be quite long, so bear with me if interested. I don’t know why wouldn’t Apple send confirmation for changing Apple ID password on the other connected device. Sure, some only have one device. Then let people create “trusted” back up Apple devices with other Apple IDs while creating your Apple account. For example a friend’s or a family member’s phone or mac. Otherwise user may be presented a special code which they need to print in physical form and keep save. Options are limitless. Again, quite surprised that such privacy-caring company has made such an obvious and severe weakness.
I have thought of this for a while. I have the same concern with my MacBook. I think the solution would be very simple if Apple were willing to do it.
Have one code to unlock your phone and a second code to do everything else within your phone.
This is the best and simplest solution. I can't believe Apple has not thought about it.
It sounds simple and would likely resolve a lot of issues, but most Apple customers are too stupid and lazy for even one passcode/password. I work with them every day and I promise you that most customers wouldn’t bother to create another passcode or be able to remember it, and even if they do set it up they will eventually forget it anyway. Then they call us and complain about how Apple locked them out of their account or device, and threaten to sue. No matter how secure a device is, you can’t fix the largest flaw: the user.
Exact same thing happened to me. Past six months have been awful. No escaping as I try securing old iCloud
I made video on this too! Love your channel. The Wall Street Journal also has a great video on how they use the recovery key to permanently lock your recovery key. This happened to over 40 of my friends at our local bar, we identified the thieves but they never got arrested and made hundreds of thousands of dollars. This is very common and serious.
How about a video of why Apple will not help the victims. This happened to me. Thieves somehow got the pass code and after they got what they wanted (in about 60 seconds) reported it as lost. Despite, repeated open cases with apple and reps sounding very sympatric, willing to provide anything they want, and screen shots of my information etc etc. They keep denying my request to unlock the phone. Last attempt, supervisor said she was putting it in as high priority. I never even got a rejection email on the last attempt. No Apple ID, no way to change password as trusted device number is changed to thief's number. Ohh and get this, even though i can show them a screen shot of my Apple ID, they say it never existed, cant find any record of it.
Good data and advice, thanks!
Scary, but really helpful!
I was just hacked about an hour ago and again 6 X prior. Nothing to do with my I phone however theft via phone,computer and more are only getting worse seemingly by the day
Be safe ☮️
A probable solution might be to allow locking apps / settings with a different passcode.
My apps require Face ID, you can add that.
When I am in a public place near to other people I never unlock my phone. Also, I very rarely take my phone out of its locking holster when near to other people. There are people who who devised ways to fool the face and finger print ID.
For any phone, if someone gets hold of your phone and they know the password this is a huge issue. Because they have your phone they can use the two step authentication with the phone number.
Also using a security screen protector helps also as you can’t see from even a short distance . I have one and love it. Someone next to you can’t see your screen.
Brilliant and important video
Apple can put lock on settings like different digit code or Face ID
Thank you for this video. I do use Face ID but for other things I may key in an alphanumeric code. I will now make sure I shield these “events” from prying eyes.
How about an option to always require apple id/face id to get into settings. I know it might be annoying, but that would drastically help.
Thank You! 👍🏻
I’ve been using a six digit code on mine for years.
3:43 this is a little tip. you can use screen time to completely hide the FaceID page using a screen time passcode (which can be different from your main passcode) and go into content restrictions, scroll down, and change passcode changes. to disallow. plus, you can lock out the Apple ID settings by disabling account changes from this same page
Amazing content. Everyone’s worst nightmare experience
Use screen time passcode and limit some restrictions. Enable when going out. Disable when home
Wym by limit some restrictions? This is my first iphone been a week
It’s also possible to enable screentime with a passcode and then under ‘restrictions’ to not allow passcode changes and / or account changes. That way you will have an extra layer of security in the form of a passcode that is different from the iPhone’s passcode.
Very informative video, hopefully people will listen to you.
Is it a good idea to use both Face ID and passcode as iPhone security?
What I don’t like is that once you have the passcode you can easily access the “keychain” where all your bank & social Media log in info is located.
I think Apple should move that feature or tab somewhere else behind the actual Apple ID password not in plain sight.
Very good video - thanks.
Possible solution for Apple (which you may have better access to than most subscribers to your channel) - change the position of each character on the numeric keyboard for the passcode each time it is accessed. I have seen this done on a POS device which needed a PIN code. Would stop most people from copying the passcode as it is often the pattern of what is pressed rather than the number itself that is memorised. An easy software fix which would stop a percentage of these cases from arising (wouldn’t stop the person who can remember a six digit passcode by numbers though 😕)
what do you think of the new 'stolen device protection?
You forgot to mention that you can protect your password by turning on two factor verification. Then when Apple ID is changed a code is sent to another Apple device i.e iPad and Mac which then has to be entered into the iPhone to authorise the charge.
That isn't accurate I'm afraid, which is why I didn't say this in the video. Two factor authentication does exist on the iPhone, and you should indeed be using it, but this particular hack (inputting the passcode in the Apple ID section of Settings) allows you to bypass 2FA altogether. 2FA is for signing in on other devices, but not for changing the iCloud password in this way, hence why this particular topic is such an issue.
Thanks for the great and important video. I changed everything here, based in your recommendations. I really appreciated it!
Great video. I use FaceID or the fingerprint scanner on my iPad mini for this exact reason. Apple does need to give users the option to have additional layers of security enabled before an Apple ID password can be changed. Just a device password is not enough enough. This story is a perfect example of what can happen if that password is able to be changed too easily. If you don’t know the old password, the only way it should be able to be reset is with a link sent to the iCloud email or at an Apple Store with government ID. It is smart to have a strong password and if you ever have to enter it in public, never enter it in a crowd and be hyper aware of who is around you.
I use Face ID exclusively but there are very few instances that Face ID fails for whatever reason and the phone prompts for the passcode. While I'm cautious about letting anyone see me enter it but dang I never realized how much damage someone could do knowing it. This is most certainly eye opening. Wow!
You can use screen time passcode to lock access to icloud settings and passcode settings, as well as a lot of other useful stuff. definitely recommend setting up screen time.
Disabling passcode outright would be the best option as even in the rare case FaceID fails to work, connecting to a computer with ITunes where the iPhone has been backed up before will allow for full restore up to the backup date? I think on balance, the benefits of enhanced security & the avoidance of the pain of having to enter excessively long passcodes having to very rare instance of having to restore the iPhone to the latest backup date
I did NOT have my iPhone stolen but I did have my iCloud account taken over by someone. It was a big mess. The tips in this video are spot on, especially toward the end. It's a bitter pill to swallow and it just stinks.
Thanks I really appreciate your site and only wish I’d come across it so much earlier! Your information and advisory comments are truly invaluable.
Thank you very much!
You could also use screen time to add another “different” passcode to access Face ID and your Apple ID account to change the password.
2:21 ur actually right. Kind of, but the green screen is used by the 12 Pro instead.
Thanks for the information ☺️ What if I use Advanced Data Protection? Wouldn’t that help a lot?
That’s absolutely helpful info however I feel like it’s also teaching bad people how to do it. So scary how vulnerable we are. Thank you, but you are correct, this help us create a more secure password.
Based of this video, I think for security purposes they should require you to input ur Apple ID password instead of passcode. or they should deem things such as disabling Face ID suspicious and when they change Apple ID password, they should require you to input their Apple ID password. In my opinion I think this would be the best option.
Issue is if your password is stored in your keychain it adds no more security...
Why not give both option fingerprint and Face ID
Very good video! Lots of people need to watch.
Thanks for letting us know. Can’t wait to try this on somebody
You can now use an alpha numeric passcode which allows you to have more robust and longer codes. Longer to get in to but more secure.
I am new to the iPhone was just wondering if it was possible to make it so that you only need a pass code to wake up the phone but a biometric access settings?
Thank you very much for your videos, especially this one. I thought I was more secure than I am with my poor passcode.
Regarding secure files, I keep an encrypted disk image for my financial files. But I realize I want more of my files to be protected now.
If I move files from my iCloud documents into a disk image file, then delete them from the unencrypted documents folder, what happens to the backups? Would someone be able to get my deleted sensitive files from backups in iCloud?
I encrypt my Time Machine backups, and use an encrypted external drive when I can. What about my own backups in Time Machine? How long will my deleted files be recoverable there? Can I delete a file explicitly from my backups?
Thanks again.
Haven’t looked into it yet, but would using a physical security key for your I’d have helped here?
Yeah and it just got added to ios
Would it be better to use FaceID only, and disable Passcode?
Question: can a wiped stolen phone be activated in the U.S. if the phone and IMEI have reported ?
A security alternative would be if you can change passcode just after 1 hour or a confirmation of a second device or a 3rd what ever level of security you want.
Really
My passcode for years now has been a whole sentence and my friends always thought I was just being over protective, now there is this threat and they see more of a reason to have a longer password.
Mine is my favorite singer, my friends all know my favorite singer because I talk about her all the time. If I wrong one of them and they get my phone it’s all over, I can’t burn any bridges.
@@tjwash2 lol, keep those bridges intact my friend 😂
Thank you. This scared me😮. But I got valuable info from you. Thank you. I will use this I have a tinted screen cover on my iPhone too.
One thing I don't understand is why apple don't create an option "instant lock my phone" based on a special code recovery with the Apple Watch and the Bluetooth ?
Scary stuff. Thanks making adjustments.
Is there a reason why you don't mention the restriction on account settings and FaceID and code that you can setup in the screen time settings?
In addition to my question 2 down… would it be better to disable Passcode entirely? I used to have the option to ask for Passcode 10 minutes later, etc… now I only get the option for Passcode to be required ‘Immediately’ (which I really don’t like.