How a Thief with Your iPhone Passcode Can Ruin Your Digital Life

I have mine in 1Password plus recorded in an encrypted disk image on one of my Macs. If you use an encrypted Note using a passphrase (rather than using your device passcode and biometrics to unlock), that would not be readable.

Also, going back to the WSJ recommendations: if you use iCloud Keychain and fall victim to this PIN surfing attack, locking out the ability to change the Apple ID password with a screen time passphrase isn’t much of a protection if the Apple ID passphrase is stored in the iCloud Keychain. They can just log in to the Apple ID with another device, use your phone as a trusted device to approve the new log in, and then change the password there.

The article does point out that using a third party password manager that has a separate passphrase is much more secure.

Perhaps Apple should think about some way to protect iCloud Keychain (with a separate PIN perhaps) that allows unlock with biometrics and times out after a period of time. Perhaps one of the screen time restrictions, so it’s optional and not a default behavior?

1 Like

Is there a way to lock your phone with your Apple Watch, so if people get your phone, you can lock them out?

You can via “Find Devices” on watch, but the idiotic thing is Lost Mode can be turned off with just the device’s passcode, so if the thieves have that (like in the original WSJ article), this won’t be of much use.

Well that was illuminating. I had no idea of how many of the old undeleted temporary note photos I have on my phone have sensitive data. I found one page of a tax return from a couple of years ago, several hand written passwords, too many sales receipts, accidental screenshots, photos of monitors with more than the window I was aiming at…

But I also discovered that using search won’t find everything. It seems to be better at words than pictures, but I’m still finding plenty that need to be deleted as I look through everything by hand. The worst so far is a screenshot from when I was looking at my Apple Card number. (I have double back tap set to do screenshots, and also the habit of drumming on the phone while doing things. Oops.)

1 Like

Yeah, I added this yesterday after the initial posting of the article. I played with it a bit and it was so utterly annoying that I can’t see many people seeing it as worth the tradeoff in standard use (but possibly worthwhile for a limited period, such as a trip). I had hoped that it would prompt for the Screen Time passcode when you went to change the Apple ID password, for instance, which would be fine, but instead it blocks all access to all account settings, and the only way to regain access is to disable the Account Changes setting. (After which you’d have to re-enable it again.)

Sure, and I pointed out that physical security is important, but lax physical security just reinforces the need for protecting the passcode even more.

I don’t think there’s any claim in the article that these crimes are happening more frequently in the past, just that the reporters have just now assembled all the stories and technical underpinnings. My conclusion was that law enforcement has only recently started to put all these crimes into the same statistical bucket. It’s possible that the article will cause more police departments to realize what’s happening. As far as numbers, they’re not hard statistics, but the relevant quotes would seem to be these, and while they come from police, I’m not sure where else they could come from.

“Once you get into the phone, it’s like a treasure box,” said Alex Argiro, who investigated a high-profile theft ring as a New York Police Department detective before retiring last fall.
He said there have been hundreds of these sorts of crimes in the city in the past two years. “This is growing,” he said. “It is such an opportunistic crime. Everyone has financial apps.”

Minnesota prosecutors say Mr. Thompson, age 42, was a victim of a theft ring that accumulated nearly $300,000 by stealing iPhones and their passcodes from at least 40 victims.

Similar cases have been reported in Austin, Denver, Boston and London.

Mr. Argiro, the New York City detective who participated in the investigation of Mr. Umberger’s death before retiring in September, said authorities came to believe he was the victim of a group of thieves that target New York bar-goers, launder money via apps and then resell the phones. This particular group is believed to be responsible for more than 30 incidents, he added.

I don’t think this will make any difference to the passcode attacks because it only affects cellular usage and only after a restart or SIM swap. Apple says:

To protect your SIM card from others using it for phone calls or cellular data, you can use a SIM PIN. Then, every time you restart your device or remove the SIM card, your SIM card will automatically lock and you’ll see “Locked SIM” in the status bar.

If you rely on Dashlane, I can’t see that you’d lose any functionality if you turn iCloud Keychain off. And, as long as the passwords you have in iCloud Keychain are also in Dashlane (which was my situation), there’s no harm in deleting them.

Ben Evans on Twitter reminds us of the already existing content and privacy restrictions in "Screen Time" settings that provide a layer of protection to your Apple ID and Passcode.

https://twitter.com/benedictevans/status/1629541926956351488?s=20

The basic steps are:

  1. Enable a passcode for Screen Time
    Settings\Screen Time\Screen Time Passcode
    Note - just don’t use the passcode of your device. Also store a copy of the new PIN somewhere safe.

  2. Restrict Access to Passcode
    Settings\Screen Time\Content and Privacy Restrictions\Allow Changes\Passcode Changes\Don’t allow

  3. Restrict Access to Apple ID
    Settings\Screen Time\Content and Privacy Restrictions\Allow Changes\Account Changes\Don’t allow

When you implement the changes, the settings for Apple ID and FaceTime (Passcode) will be greyed out.

Workflow.
Whilst “don’t allow” is set you will not be able to access the Apple ID and iCloud settings on your device. The same applies for FaceTime settings.

When you do need access to these areas, just go into Screen Time and adjust the above settings to “allow”.

You will be prompted for your Screen Time PIN when this happens. Also remember to reset this to “Don’t allow” when done.

Future State
It makes sense that Apple provides a more elegant approach to managing your system settings on iOS/iPadOS similar to the padlock approach, or better, on the MacBook.

The entire article is framed as if this is a new and increasing threat: cases are “piling up in police stations around the country.” “This is growing,” he said. “It is such an opportunistic crime. Everyone has financial apps.” There has been a “recent spate of thefts.”

The problem is not using cops for insight, it’s when that is the only insight. The stories & quotes are anecdotal and played for maximum drama, but without any underlying evidence that shows this is a serious and widespread issue.

To give an example of what I mean, both the FBI Crime Data Reporter and the NYPD’s CompStat dashboard show robberies and burglaries down substantially year over year, both nationwide and in NYC.* Does that mean that there couldn’t be a wave of iPhone robberies like in the story? No, but it does make the picture a bit more complex and was something the journalists needed to have included.

*https://cde.ucr.cjis.gov/LATEST/webapp/#/pages/explorer/crime/crime-trend /
NYPD CompStat 2.0

I don’t feel any of this discussion is unwarranted and I don’t sense any “panic” or overt sensationalism. It’s become fashionable these days to discredit sources just because they’re related to LE, but I don’t buy into that. Joanna Stern is, as usual, very serious and points out who is most likely affected by this, ending her segment with concrete steps people can take to protect against such attacks. @ace’s article is very similar and also most appropriately points out what next steps Apple needs to take to limit potential damage from such an attack. I’m very glad the story broke and was treated in the way it has been. I learned something and reconsidered some of my digital habits (even though I’m unlikely part of the “target demographic”). And judging by the replies here, several others have also benefited in similar ways. IMHO this has so far been an excellent exercise in prevention.

3 Likes

As it turns out, there is a way to bypass this - a horrible security bug by Apple in my opinion. Adam, I’ll post the procedure to follow if you want - I’m not sure that it’s a big secret, and I have a strong feeling that people who would be inclined to steal people’s phones already know of this workaround - but if you prefer to keep it off the Discourse, I’ll keep it to myself.

Basically it allows you to change the Apple ID password. You do need to know the Apple ID itself, but that’s generally findable in Settings / App Store, or in the iTunes Store app at the bottom, or just guessing one of the email addresses on the phone itself.

(I have a feeling that this is a procedure that kids follow whose parents have put a screen time PIN on their devices to get around restrictions. But, maybe not.)

And I try so hard to avoid being fashionable. In any case, your point is not accurate for my comments since the additional sources I’m suggesting using are both law enforcement.

As to overt sensationalism, the WSJ article absolutely is sensationalizing it. The headlines alone – “A Basic iPhone Feature Helps Criminals Steal Your Entire Digital Life: The passcode that unlocks your phone can give thieves access to your money and data; ‘it’s like a treasure box’” – are impressive clickbait.

If you delete everything from iCloud Keychain, nothing, as long as you keep the passwords stored elsewhere so you can still reference them.

If you delete them from Keychain Access (on your Mac) or Passwords (on your iDevice), you’ll probably have issues. Your known Wi-Fi network passwords are stored there, as are your Mail.app account passwords. Yes, you can also store them in a password manager, but your Mac can’t automatically access those like it can the ones in Keychain, so you’d have to enter them yourself to connect to networks or check email. Also, most of the com.apple.XXXX entries are AppleID tokens for various apps, and will just reappear after you sign back in to your AppleID, so the only thing you get from deleting them is that you have to sign back in.

If you’ve been using iCloud Keychain, many of the entries will be irrelevant to your Mac, as they’re shared from your iDevice(s), and probably can be safely deleted. But don’t delete them from Keychain Access before turning off iCloud Keychain, or they’ll be deleted everywhere, and some of them may be critical on your device.

Generally speaking, unless you know something you see in Keychain Access is risky or outdated, it’s probably best to leave it alone. If it looks suspicious but you don’t know or aren’t sure what it is, Google it before deleting it. (If it looks suspicious and you do know what it is, that’s different.)

EDIT: Be sure to turn off iCloud Keychain before deleting anything from either Keychain Access or Passwords.

3 Likes

Thanks. Everything I need is in a password manager and in a separate password protected file. However, I’ll just leave Keychain as is for now. I have half a century of IT experience and do not find this exactly obvious; no wonder inexperienced users get into trouble.

One additional factor to consider in this particular attack vector is the fact that possessing an unlocked iPhone will typically result in the thief having access to both email and SMS. Even without access to a third-party password manager, having access to either / both of those (but especially email) will typically allow for most password reset processes.

I would think to completely avoid the possibility of having financial accounts being accessible from a stolen phone + passcode would involve either not being logged into an email app with an account connected to the related accounts (perhaps only accessing those accounts through an incognito tab), or to use an email app which has a separate authentication (i.e. that doesn’t fall back to the phone passcode) step before emails can be accessed.

Same story for text message authentication — using a Google Voice number only accessed through the web interface would prevent the attacker from being able to successfully reset any passwords that way.

1 Like

Not directly related to the topic, but the ability to recognize and grab text is quite good lately. Yesterday I took a photo of my home router, at a bad angle, in bad light, and grabbed Japanese text for a light I didn’t recognize and was able to paste it into Google Translate and find out what it meant. Pretty amazing.

doug

1 Like

I keep credit card and password info in PasswordWallet. Maybe it’s older than 1Password, but I find it quite easy to use to enter passwords when I need it. Syncing between devices sometimes requires a manual sync step though. The developer is quite helpful whenever I have had problems.

Very important:

Apple allows a user to remove or change the screen time passcode using the Apple ID and then starting the “forgot pwd” flow in screen time. Thief must know the Apple ID email, which can be obtained if the user has a Family set up (just under iCloud name at the top of settings) or by opening email apps.
At the end the ID gets reset again with the passcode.

This way locking with screentime is completely useless.

Also using the new hardware keys is useless. I tried it, via screen time, delete screen time code, lost ID, they won’t ask for the keys.

Means at the moment there is no workaround.

Also interesting, if you use the new hardware keys. If you know the device PIN, you can just remove the keys. The OS won’t ask for the keys or any password.

Didn’t Apple stop this, so that even turning-off the phone doesn’t stop Find My tracking now – as literally doing any of these was stopping the point of the service. Sure I guess if the thief stops cellular service somehow then that’s it (one reason to use eSIM, as that can’t be physically removed), but at least turning the phone off (with the extra battery they keep in reserve), isn’t meant to stop Find My.

1 Like

Right, for relatively newer phones. (Since iPhone 11 I think?)

But accessing the control center from the lock screen and turning on airplane mode will stop Find My from sharing your location (unless the person who has the phone brings it to a place where WiFi will connect.) And the attack I was mentioning - somebody in a crossroad, or a sidewalk, actively using an unlocked phone, stolen from their hand by a passing bicycle or scooter - the phone is unlocked. The thief doesn’t know the passcode, but they can turn on airplane mode, turn off WiFi, etc., quite quickly as long as they do so before the device display times out.

If the phone never connects to a network, Find My won’t reveal the location. Thankfully these people are protected from this particular attack mentioned in the WSJ - changing the Apple ID from the device - because they don’t know the passphrase.
