My daughter's phone was just pick-pocketed on a Rome subway. Help

Apparently Boost Mobile doesn’t offer eSIM support yet.

On the Settings->Cellular, there are lines for toggling the SIM and eSIM. Apparently, the big change now is that only one could be toggled on at a time, but now, both can. There is also a switch for the Default Voice Line. As I only the eSIM currently has a active account with a cell carrier, I can’t play with the dual options.

I had my phone stolen here in London last year (~Sep 2020). Luckily home insurance covered it, though still had an excess to pay (£150).

Find My isn’t much good for tracing nor any kind of attempt at getting it back. So forget about it for that. (Find My is essentially of use for lost, not stolen, devices.)

However, do NOT remove the device from her iCloud account, as this gives the thieves an easier life: it’d be the same as you removing the phone from her account to sell it on to a new user, so said new user could use their own iCloud credentials on it.

Also, don’t bother closing bank cards. Waste of time. If they’re in Apple Pay/Wallet, they’re secure by their very nature.

Finally, as per other’s above, be wary of spear-phishing SMS’s pretending to be Apple related, asking for her to login to fake Find My/Apple websites, because “Your iPhone has been found, login here to locate it: url”.
I had several of those for two months afterwards. Hence keeping the device on my iCloud account to screw the professional thieves!

I wonder what happens to them from here though? As per Glenn said, they may have a special way of completely wiping and thus unlocking for reuse to sell on. Or presumably they sell for parts, at a fraction of the devices’ actual value. Utter losers steal phones now.

Yes. They can’t get your original card number, even if they can unlock the phone. But if they can unlock it, they could use the stored device-specific card.

Some banks (but sadly, not all) provide a mechanism on their web site where you can log in and disable virtual cards (like Apple Pay) without having access to the device. If yours allows this, you should definitely do it, just to be safe.

If you go on to eBay you can buy locked-out phones. They can’t be re-activated, but repair shops may use them as cheaper sources for genuine screens and otherwise impossible-to-get chips.

I have no idea how many of these are stolen vs. recycled, but I suspect its not an insignificant number.

1 Like

The point is they CANNOT unlock it, period.
(Hence your mention of Ebay sales of locked-out phones.)

Therefore they can’t get any card info or device-specific card info. And the device-specific card info is never fully viewable on the phone, either. It’s stored in the physical secured enclave too, making access nigh-on impossible.


On Thu, Apr 29, 2021, at 6:07 PM, jimthing wrote: “The point is they CANNOT unlock it, period.”

If the thefts are organized enough, there’s a good chance that the fence will have access to known jailbreaks, or police-level gear such as Graykey that bypass the “ten-wrong guesses cause the phone to erase” (assuming that’s even enabled). If it’s a 6 digit pin, it would only take them a few days or less to unlock it. A ten digit password (letters and numbers) would take about 25 years (currently–probably not that long three years from now).

The original Graykey won’t work against newer phones, but GrayShift is still in business selling to police and people who manage to appear to be police, and all OSes will always have security bugs, and shops such as Graykey and Cellebrite pay big money for zero-day bugs. (Though Cellebrite didn’t bother to invest in their own security, much to everyone’s current amusement.)

Even without unlocking skills or gear, if the thieves manage to scam the owner or the owners family or friends, they could get enough personal data to take good guesses and maybe succeed within the ten try limit. People do not choose good passcodes/passwords, they choose memorable ones–birthdates, phone numbers, pet names. Then they talk about all of that stuff on twitter, facebook, and everywhere else.

Always use the best security you can manage–and assume that it will fail so have a backup plan. Getting new credit cards and changing all passwords (especially the Apple ID password) is a lot less trouble than the potential alternatives.


What I do is set my PIN to a custom number of digits. This requires you to tap OK after entering the PIN. That way it’s still easy to enter using the number keypad when unlocking, but if someone were trying to brute force it, they won’t even know how many digits they need to enter, making it harder to crack. (And of course I use random numbers not related to my birthday, etc.)

1 Like

I disagree. Apple would have you believe that it is impossible to break into a locked phone, but law enforcement agencies have tools that do it all the time. I refuse to believe that these tools have never once fallen into the wrong hands (assuming you believe there even can be “right hands” for a tool like this.) And there are always bugs which get exploited.

Yes, a thief, even with the lock code, can’t read your card number, but he can use the phone to make purchases. Hence the need to cancel cards - either the virtual card, if your bank gives you the ability, or the real card, if that’s your only option.

1 Like

No they can’t. Sorry, but that’s just not true; they CANNOT “use the phone to make purchases” as the device is marked in Find My as lost, and remained there as it’s never been removed.

Misinformation on this is literally everywhere. Thieves may be able to wipe the device, but breaking into an up to date OS device is super unlikely: the options to do so would be unobtainable for 99.99% of organisations, never mind thieves (organised, but mostly not!), due to the shear costs involved. And as said before, the card info is stored in the secure enclave anyway, adding yet another physical+sw barrier to stealing such data.

Even after all of that, bank ac’s/cc’s cover card misuse, as a result of someone breaking features that should be deemed as “secure”, which they want you to use – because they’re actually MORE secure than using your vanilla debit/cc in the very first place. They can’t turn around and say, 'oh, you used secure Apply Pay to make payments, and the security was breached through no fault of yours, so we’re going to have you pay those costs and effect your credit score, sir/madam.’ It’s literally the opposite of what most countries card laws say (eg. UK ‘Section 75’ cover, et al. ‘Section 170’ in the US, AFAIR), so they be laughed out of any court in the developed world.

So you go ahead and cancel all of those cards you have, and re-enter the info all over again onto all your Apple Pay devices, Paypal, and/or everywhere else cards are stored – all wasting a great deal of time. Me, I won’t be.


Great comments.

Just so I’m clear. Are people talking about Apple Card, any card in your wallet, or cards that are somehow affiliated with your phone in some other fashion?

I’m not sure if my daughter was using Apple Pay. But her bank portal showed a phone association, so I removed that. Was that Apple Pay? Or just a two factor authentication device? Or?? I don’t know.

But anyway, those three scenarios would appear to answer these questions differently right? Whether your card can be used or even the number stolen…

Well, if we assume they somehow got your passcode, doesn’t that also mean they can use that passcode to authenticate ApplePay purchases? When I’m wearing a mask, FaceID fails and I’m asked to enter my passcode instead. As soon as I do that, viola purchase goes through. So are you saying, as soon as a device is marked as lost it breaks that device’s ApplePay server-side?

That’s exactly what they’re saying, and they’re correct.

1 Like

As said, Find My has it as lost, so no.

ANY card in your Apple Wallet/Apple Pay.

1 Like

Indeed. I see that is the case. Thank you.

In that case I suppose the take away message here is to activate lost mode ASAP.

Mmm, the only thing on that Apple list I have issues with is step # 7:

" Remove your missing device from your account.

If you have AppleCare+ with Theft and Loss, do not remove your lost iPhone from your account until your claim has been approved.

Go to to remove the missing device from your list of trusted devices."

I didn’t remove the device from my account, as if you do, it’s the same as doing so on selling/giving-away your device: anyone can turn it on, and set it up fresh with their Apple ID.

TBH, I wish Apple would explain this properly. This advice only mentions ACare+ users. They don’t make it absolutely clear what happens to a device after you do step 7 – AFAIU, anyone ‘finding’ the device after this and turning it on would be able to enter their Apple ID and use it.


Once the device gets the signal that it is lost, yes. If the thieves manage to cut if off from the network before that signal gets through, then the phone won’t know it is lost and those lockouts won’t be active.

Apple Pay (via NFC) doesn’t require a live network connection in order to function, so it could be used, even with the phone’s networking physically disabled.

Midwestern trust overridden by common sense. You are of course correct

1 Like

So now we’re down to NFC. I’d say that’s quite a stark difference from blanket statement about canceling all cards you were making up there. Seriously, sometimes more research/listening and less pontification would serve us all well.

Bottom line, @jimthing was right all along and the really crucial thing to do is mark lost. Once that has been done, apart from NFC worries (eg. my transit pass which I can block separately) there is no need to go overboard with blanket canceling all CCs or DCs.

So you have no problem with someone using your stolen credit card if it’s via NFC? Do you think thieves can’t access a contactless card reader?

Let’s not shift goal posts. NFC appears to be a valid concern. However, blanket canceling all cards is unwarranted.

Why? Are you not aware of the fact that when you use your Visa card at a tap-to-pay terminal, the transaction is performed using NFC?

It’s not just for your transit card.