How a Passcode Thief Can Lock You Out of Your iCloud Account, Possibly Permanently

For me, even if setting up a Screen Time passcode isn’t an impregnable defense, doing so is a good idea because it could buy me enough time to wipe my phone before a thief figured out how to bypass the passcode.

1 Like

Adam

Do I recall correctly that this problem would disappear if Apple required that you enter the current Apple ID password before you can change it?

Norbert

1 Like

Quick correction: this change happened in 16.4.1. I have a device with 16.4 and verified that I could change the Apple ID password with a screen time passcode restriction on the account knowing only the Apple ID itself and the device passcode. So, this was an undocumented change in 16.4.1.

1 Like

Precisely my logic with the additional thought that if it might be too much hassle for them, they may choose to just discard.

OK, I just spent a bunch of time testing this carefully, and while it may be better, it’s not fixed.

Let’s assume the thief has your iPhone and your passcode, but you’ve turned on a Screen Time passcode and locked account changes but not set a recovery key. The thief can find your email address and phone number from email and Settings > Phone.

Then, if they work through the steps to turn off the Screen Time passcode, saying Forgot Passcode when prompted, entering your email address when prompted, and then tapping Forgot Apple ID or Password, they’ll be able to reset the Apple ID password using just the passcode and turn off the Screen Time password in the same step.

The confusion, I think, is that there’s a branch in the logic at one point, and if they follow the other branch, they’ll be prompted for your trusted phone number or recovery key. The problem occurs at the Screen Time Passcode Recovery screen:

  • If they enter your email address in the Apple ID field here, tap OK, and then get the password field, they can then tap Forgot Apple ID or Password and continue with the passcode to reset the password. In other words, the most obvious approach is the least secure.

  • If, instead of entering your email address right away, they tap Forgot Apple ID or Password first, and then enter the email address, they’ll go into the more secure password reset flow that tells them to continue on your other Apple devices. If they say they can’t get to them, they’ll be asked for your trusted phone number, which they can find out easily. But that doesn’t end up working out, at least in my testing.

When I entered that, I was prompted for the passcode again, but entering it threw me to the Don’t Know Your Passcode screen that was warning that my account would be locked for several days. At that point, I bailed—who knows what would happen if I locked my account like this. But I very much got the sense that a thief wouldn’t be able to change the password that way.

I’m being a little waffly here because I only tested a few times—I was just too leery of locking my account or messing something else up entirely. But I’ll report this to Apple and see if anything comes back.

All that said, if you both turn on the Screen Time passcode and set a recovery key, you’re safe. There’s no way to turn off the Screen Time passcode without having access to the recovery key.

4 Likes

That seems incorrect in my case. I have both a recovery key set and a screen time passcode and I can still go through and change the Apple ID password with the procedure you listed. (I just, in fact, actually changed it - and very shortly afterward realized that this meant that my Sonos stopped playing music because I had to reauthorize my Apple Music account.)

Having a screen time passcode with account changes disallowed makes it harder to find the Apple ID address on the device, but not impossible.

1 Like

Darn it, I think you’re right. That was my starting condition, and when I assumed it worked, it was before I discovered that there was a difference with when you enter the email address in the Screen Time Passcode Recovery screen. I have screenshots showing that the recovery key is required, but I’m pretty sure that’s in the branch where you enter the email address AFTER tapping Forgot Apple ID or Password.

I’ve set up to replicate now, and while I don’t actually want to change my Apple ID password again (it invalidates my app-specific passwords and causes all sorts of cascading alerts on different devices), I’m getting the screen to change the Apple ID password without being prompted for the recovery key first.

1 Like

Any ideas about how to back up your iPhone photos if you don’t have a Mac?

I’m sure there will be other suggestions, but iMazing is cross-platform and gives you a lot of control over backing up and configuring iOS devices.

1 Like

On a Windows PC, you are expected to install iTunes and use it for all of your iPhone backup/sync operations: Transfer photos and videos from your iPhone or iPad to your Mac or PC - Apple Support

To get iTunes, go to https://www.apple.com/itunes/. If you’re on a Mac, that page presents you with a request to upgrade macOS, but there is a link to click on to get to the download page for the Windows version.

Windows users can also install it from the Microsoft Store.

Well, of course iCloud Backup also backs up photos whenever the device backs up, unless you have iCloud Photo Library turned on. In that case you can sync with Windows computers using Apple’s iCloud for Windows.

Online cloud file sync service apps like Dropbox also offer to sync your photos to their services, but IIRC when I tried this, it wasn’t the most reliable sync.

Let me restate: Any ideas about how to back up your iPhone photos if you don’t own any sort of (traditional, Mac or PC) computer?

Obviously iCloud is not a solution if the issue is that you have been locked out.

So far Dropbox has been proposed but not as a reliable solution.

Picture Keeper is a flash drive / app that lets you export your photos; the flash drive has a lightning end and a USB end. https://picturekeeper.com/

I’ve used this when I’ve been on vacation on a small cruise ship that had internet connectivity occasionally, but blocked iCloud sync when it did. It worked pretty well.

I think the issue raised regarding Dropbox’s “reliability” for iPhone photo backup involves background uploading, and this would apply to any non-Apple piece of software.

In short, Apple does not allow third party apps to run indefinitely in the background. Third party apps can request temporary “background” access to resources from iOS, but it is almost impossible to predict exactly when iOS will grant such access and the duration of that access. In part, this is intended to prevent apps from draining the battery or taking too much bandwidth without the user being aware of it, especially when resources are low.

I do use Dropbox to make an independent copy of my photos to the Dropbox cloud. I consider it a valuable part of my personal data protection strategy. I’ve gotten into the habit of opening Dropbox on my iPhone once a day or so. When it is opened, any photos that have not automatically uploaded to Dropbox “in the background” will start uploading immediately. It’s not perfect, but it is significantly better than nothing. No Mac or PC required.

2 Likes

Sure wish this had come out last week!

An additional way they accessed my account. They bought a new iPhone, used my Apple ID, changed the phone number, and proceeded to drain accounts. They took over $30,000 before all the banks locked my accounts, even though I called them the night it happened. They also made significant purchases from Best Buy, using two different banks. It took 5 days of calls with Apple support to finally get a Senior Advisor who tried all the normal actions to get my account back.

After all failed, she said that she could block the account, keeping them out of the account as well. Hopefully that worked.

Now the hard part is trying to establish a new account. To delete all the devices in your account, you must fill out a form for each device, using the serial number and the DATE OF PURCHASE! Who keeps that with their serial numbers? To get them from Apple, you must take your device into the store to have proof that you own them. Now I have to take 3 iMacs and 3 iPads back to the Apple Store before I can begin rebuilding my devices. On top of this, I can find no way to get Apple to credit me with all the applications I have bought. I have been an Apple since 1978 when I bought the first iMac SE, am a minor investor, and get no joy from the company.

Final tip is to lock all ATM and debit cards. Unlock when you use it, then lock it back up immediately.

1 Like

Another issue is that using my iMac, we were unable to get to the Recovery Key input area. Must have tried over 20 times to get to the location that the Apple instructions say to use (while screen sharing with Apple) and there was no way to input the data. What’s the point of having a Recovery Key if it’s worthless?

Guess Apple needs to fix this then…but in reality I’m not sure it’s a serious problem since if you have any recent iPhone it’s got biometric ID of some sort…I get asked maybe once a week for my passcode by mine and it’s never happened that I recall away from home because that’s where I am the most. Still…it would be good to have a guaranteed method just in case…more security is usually better…at least up to a point.

Yeah, this is a pretty targeted attack, but the number of people that the Wall Street Journal has identified as falling victim to it suggests to me that a non-trivial percentage of iPhone users are either not using the biometrics or are having trouble with them, such that they enter their passcodes frequently. I actually audited my iPhone use for a week and confirmed that I was asked only once for the passcode, which jibes with Apple’s claims that it will happen every 6.5 days regardless. I even have a friend who refuses to use Face ID because he thinks it’s sharing his facial features with Apple. I couldn’t convince him that he was wrong and that Face ID is far safer than tapping in the passcode repeatedly. Even after the WSJ article came out.

I’m so sorry to hear about this, @opiecook! Do you have a sense of how the thief got your Apple ID password? (From the way you describe it, it doesn’t sound like they stole your existing iPhone and passcode.)