How a Passcode Thief Can Lock You Out of Your iCloud Account, Possibly Permanently

I’m sure there will be other suggestions, but iMazing is cross-platform and gives you a lot of control over backing up and configuring iOS devices.

1 Like

On a Windows PC, you are expected to install iTunes and use it for all of your iPhone backup/sync operations: see “Transfer photos and videos from your iPhone or iPad to your Mac or PC” on Apple Support.

To get iTunes, go to https://www.apple.com/itunes/. If you’re on a Mac, that page presents you with a request to upgrade macOS, but there is a link to click on to get to the download page for the Windows version.

Windows users can also install it from the Microsoft Store.

Well, of course iCloud Backup also backs up photos whenever the device backs up, unless you have iCloud Photo Library turned on. In that case you can sync with Windows computers using Apple’s iCloud for Windows.

Online cloud file sync service apps like Dropbox also offer to sync your photos to their services, but IIRC when I tried this, it wasn’t the most reliable sync.

Let me restate: Any ideas about how to back up your iPhone photos if you don’t own any sort of (traditional, Mac or PC) computer?

Obviously iCloud is not a solution if the issue is that you have been locked out.

So far Dropbox has been proposed but not as a reliable solution.

Picture Keeper is a flash drive / app that lets you export your photos; the flash drive has a lightning end and a USB end. https://picturekeeper.com/

I’ve used this when I’ve been on vacation on a small cruise ship that had internet connectivity occasionally, but blocked iCloud sync when it did. It worked pretty well.

I think the issue raised regarding Dropbox’s “reliability” for iPhone photo backup involves background uploading, and this would apply to any non-Apple piece of software.

In short, Apple does not allow third party apps to run indefinitely in the background. Third party apps can request temporary “background” access to resources from iOS, but it is almost impossible to predict exactly when iOS will grant such access and the duration of that access. In part, this is intended to prevent apps from draining the battery or taking too much bandwidth without the user being aware of it, especially when resources are low.

I do use Dropbox to make an independent copy of my photos to the Dropbox cloud. I consider it a valuable part of my personal data protection strategy. I’ve gotten into the habit of opening Dropbox on my iPhone once a day or so. When it is opened, any photos that have not automatically uploaded to Dropbox “in the background” will start uploading immediately. It’s not perfect, but it is significantly better than nothing. No Mac or PC required.

2 Likes

Sure wish this had come out last week!
An additional way they accessed my account. They bought a new iPhone, used my Apple ID, changed the phone number and proceeded to drain accounts. They took over $30,000 before all the banks locked my accounts, even though I called them the night it happened. They also made significant purchases from Best Buy, using two different banks. It took 5 days of calls with Apple support to finally get a Senior Advisor who tried all the normal actions to get my account back.
After all failed, she said that she could block the account, keeping them out of the account as well. Hopefully that worked.
Now the hard part is trying to establish a new account. To delete all the devices in your account, you must fill out a form for each device, using the serial number and the DATE OF PURCHASE! Who keeps that with their serial numbers? To get them from Apple, you must take your device into the store to have proof that you own them. Now I have to take in 3 iMacs and 3 iPads back to the Apple Store before I can begin rebuilding my devices. On top of this, I can find no way to get Apple to credit me with all the Applications I have bought. I have been an Apple since 1978 when I bought the first iMac SE, am a minor investor and get no joy from the company.
Final tip is lock all ATM and Debit cards. Unlock when you use it, then lock it back up immediately.

1 Like

Another issue is that using my iMac, we were unable to get to the Recovery Key input area. Must have tried over 20 times to get to the location that the Apple instructions say to use (while screen sharing with Apple) and there was no way to input the data. What’s the point of having a Recovery Key if it’s worthless?

Guess Apple needs to fix this then…but in reality I’m not sure it’s a serious problem since if you have any recent iPhone it’s got biometric ID of some sort…I get asked maybe once a week for my passcode by mine and it’s never happened that I recall away from home because that’s where I am the most. Still…it would be good to have a guaranteed method just in case…more security is usually better…at least up to a point.

Yeah, this is a pretty targeted attack, but the number of people that the Wall Street Journal has identified as falling victim to it suggests to me that a non-trivial percentage of iPhone users are either not using the biometrics or are having trouble with them, such that they enter their passcodes frequently. I actually audited my iPhone use for a week and confirmed that I was asked only once for the passcode, which jibes with Apple’s claims that it will happen every 6.5 days regardless. I even have a friend who refuses to use Face ID because he thinks it’s sharing his facial features with Apple. I couldn’t convince him that he was wrong and that Face ID is far safer than tapping in the passcode repeatedly. Even after the WSJ article came out.

I’m so sorry to hear about this, @opiecook! Do you have a sense of how the thief got your Apple ID password? (From the way you describe it, it doesn’t sound like they stole your existing iPhone and passcode.)

The best I can figure out is that we had been in Oakland area for a wedding a couple of weeks ago. My iPad was left in my room, with finger ID security. However the hotel had my email account, my phone number and my address. Either that was enough for the scammer to order a new phone on my account or they had a device that could copy my locked device. There is no way they could have figured out my Apple password, as it was a sequence of unreadable letters and numbers.
I have been on the phone with Apple and various credit card companies constantly since the 18th and it’s not over yet. They are trying to use Zelle and I finally got that locked. I did get good news yesterday. Schwab was able to stop all the money transfers they attempted. I’m now at a point where if I want to know what’s on any of my accounts, I have to call in, as I have blocked all on-line access to my accounts.
BTW I have sent your article to almost everyone I know. Thanks for publishing, as it wasn’t early enough for me but I don’t want anyone else to encounter the same issue. I still haven’t gotten my computer back to where I can use it properly.

1 Like

Adobe has a cloud storage option for photos in their ecosystem. If you have or get Lightroom CC, you can download the iOS app and give it access to your iPhone photos, which will then be copied into Adobe’s cloud.

This of course requires buying into Adobe’s ecosystem, but it might be worth it, depending on your situation. I’ve found it to be fairly reliable. YMMV.

1 Like

One reason may be what I’ve experienced ever since I first bought a biometrics-enabled Apple device: it has never accepted my fingerprint for Touch ID. It accepted the setup of that feature, but every time I’ve attempted to use it, it refuses to recognize my fingerprint. I’ve deleted its database and started the setup from scratch many times. Although it claims the setup is satisfactorily completed and working great, it still won’t recognize my “touch”. So I’ve just given up on it.

I also have a great deal of trouble getting an iPhone screen to accept swipes. I’m guessing my fingertips are just too calloused to get the devices to recognize my attempts at input.

Could the iPad’s screen have revealed your passcode with smudges?

Otherwise, there could be an interesting vulnerability related to a new iPhone being able to be added to an Apple account if email and phone number are known. I can’t quite imagine how that would work, but that’s not to say there isn’t some sort of hole in the process.

I don’t use a passcode on it, it has fingerprint verification. I agree that using the new phone attack seems very unusual, but unless there was someone on the inside that was working with them, I cannot think of how this was accomplished. All I can say is I wouldn’t wish this on my worst enemy.

I, obviously, only know what has been posted here about the attack. But my guess is that the account takeover was made possible through phishing, either online or through a phone call, and/or SIM swapping. The timing of the hotel stay may simply be a coincidence.

In any case, the overall situation is horrifying and I hope @opiecook is able to get everything sorted out and fixed soon.

Is it possible they pulled the SIM and duplicated it? I never even thought of that possibility.

It’s impossible not to have a passcode, and even if you use Touch ID, you’ll be prompted for your passcode every so often.

Not inconceivable, I suppose, but the SIM only defines your cellular plan and is unrelated to the overall device security.

Some sort of phishing attack could be related—if the user can be fooled into entering their Apple ID password into a malicious Web page, that’s a major problem. In theory, there should be additional checks (@opiecook, do you have two-factor authentication turned on for your Apple ID?).