My daughter's phone was just pick-pocketed on a Rome subway. Help

No, thank you, I’m well aware. But I can get a Visa card (or others) that do not allow that. And I have. Then the card works through Apple Pay, but not on any vanilla NFC reader. You really need to stop treating others like they’re idiots. There is not one size fits all here. Nuance is important. Blanket statements that are only later qualified when called out are just not really helpful. As @jimthing pointed out, there already appears to be a lot of misinformation out there on this.

I don’t care for bickering or pissing contests, I’m done with this part of the discussion.

1 Like

What I would be more concerned with is the 1password app. How easy would it be for a thief to hack a password with 20 characters if the phone was taken offline before it was set as stolen?

You’re completely missing my point. When you put a card in Apple Pay and tap your phone on a reader, that transaction uses NFC and it works even if the phone has no network connectivity.

If a thief manages to get your passcode and cuts it off from the network before the “is lost” signal gets to it, he can use that passcode and any NFC-based card reader to use all of the cards in Apple Pay.

1 Like

How would they get your password?
Again, this idea they could use grey hacking tools is pretty far-fetched and remote, given the costs and hassle involved. And the time-down on 6+digits attempts, would take ages. All without ever going online, even by accident, what… like fiddling around in a faraday bag or something over all the days/weeks/months of time.

Thieves want the device for quick/easy money – despite a blocked device only being good for parts for the typical lowbrow thieves, and the few better thieves might be able to wipe and resell (as per Glen said above).
They can’t be bothered to “grey-hack” your device, given in most likelihood there are lots of flaws in doing so, and the data wouldn’t be current.

If they want card info, they’d go on the dark web, and buy them by the hundred: a million times more cost effective returns.

Put it this way, my stolen device is still on my account from Sep.2020, and no spending has appeared on any of the 7-10 cards in Apple Wallet. Despite me attempting to be spear-phished by the thieves for my Apple ID logins. That tells you a lot about (mostly opportunist) thieves.

2 Likes

And now we’re repeating ourselves. Law enforcement already has tools that successfully hacks phones to extract passcodes.

I refuse to believe that these devices have never even once been used for illicit activity. And I don’t believe Apple or anyone else who claims that a system is 100% secure and 100% bug free. Everything can be hacked, even if there isn’t yet a published exploit.

1 Like

I agree. Those gray hacking tools are something that would only be used by nation-states or targeted high net worth individuals (like if someone stole Jeff Bezos’ phone). A random phone stolen on the subway (even by organized crime ring in Rome) is just looking for an easy buck.

They might be sophisticated enough to pull the sim card instantly to disable networking, and could try some simple password guesses to see if a lame 4-digit password is used, but if not, they’d just give up and sell the phone for parts for $20 or whatever they can get, and move on.

It’s just like locks and burglary alarms on your house – just a sticker that claims you have an alarm is 99% as effective as a real alarm, since 99% of thieves will just move to the house next door which has no security – these guys are looking for low-hanging fruit with poor security. Turn on alphanumeric passcodes on your newish iphone (old iPhones have more security loopholes) and use at least 6 characters and you should be safe enough.

2 Likes

The only card that may still be active after a phone is put in Lost mode is the Express Transit Card. From the Apple Support page on Lost Mode::

What happens when you mark a device as lost?

  • Apple Pay is disabled for your device. Any credit or debit cards set up for Apple Pay, student ID cards, and Express Transit cards are removed from your device. Credit, debit, and student ID cards are removed even if your device is offline. Express Transit cards are removed the next time your device goes online. See Use Wallet & Apple Pay.

See the the Lost Mode support page for the other effects of going into Lost Mode.

3 Likes

That’s what Apple writes, and it makes no sense whatsoever.

If you mark a phone as lost, but the signal has not yet reached the phone because it’s off-line (the “Pending” state), then there is no possible way for the phone to know it is lost. It won’t be deleting or disabling anything until it can reconnect to the network.

As others have remarked, when an Apple Pay Transaction is made, the the local reader does not determine whether the payment is accepted; the transaction goes to a server that connects the device to your account. When you put the iPhone is lost mode, the the device code is no longer in the list of acceptable devices at the server level, causing the transaction to be rejected.

You will note the exception for the Express Transit service. I assume that is because the Apple Pay connection to the various transit operator’s servers is more indirect.

2 Likes

This is also covered in Apple’s Platform Security documentation. Rendering cards unusable with Apple Pay - Apple Support

Users can suspend Apple Pay on iPhone, iPad, and Apple Watch by placing their devices in Lost Mode using Find My. Users also have the ability to remove and erase their cards from Apple Pay using Find My, iCloud.com, or directly on their devices using the Wallet app. On Apple Watch, cards can be removed using iCloud settings, the Apple Watch app on iPhone, or directly on the watch. The ability to make payments using cards on the device is suspended or removed from Apple Pay by the card issuer or respective payment network, even if the device is offline and not connected to a cellular or Wi-Fi network. Users can also call their card issuer to suspend or remove cards from Apple Pay.

I’d also consider the last sentence: you can call the credit card provider and have them disable Apple Pay without having to issue a new credit card.

3 Likes

“As alleged, the defendants were members of an international smuggling ring that used a network of operators here and in Russia to circumvent U.S. export laws and regulations,” stated Acting United States Attorney DuCharme. “With today’s arrests, the network has been disabled thanks to the outstanding work of the Eastern District of New York prosecutors who worked tirelessly alongside our agency partners to closely scrutinize the goods and individuals that transit our international borders.”

“ Given the value of devices and the gains to be made, reports suggest that sophisticated, organized crime is behind some of the larger-scale theft. The cost to phone-theft victims is considerable, as is the cost to the industry, with OEMs, MNOs, MNVOs, distributors, supply chain players and retailers all bearing the impact.

There is such a massive global market for stolen smartphones, that one company in the US accepted so many stolen iPhones and iPads (to ship overseas) it needed an armored truck to deliver the cash used to pay for them all.

Organised crime gangs appear to be are involved at various levels:

  • Trafficking stolen devices in bulk to eastern Europe to be stripped of private information and reconditioned.
  • Shipping stolen devices in bulk for sale in countries, such as Nigeria, where device blacklisting is not used.
  • Stealing from the supply chain. Devices are being stolen while in transit from the manufacturer to the warehouse to the retailer.
  • Stealing from retail stores, sometimes by insiders from “back of house” where devices are being prepped for sale.”

“Organized crime is very much involved in this,” Roberson said. “There’s a criminal world. A chain.”

In some cases, the phones are shipped overseas and used there.

Others end up on eBay where they can be sold for hundreds of dollars.

Stolen phones also often are sold for parts, or even ground up into their basic materials.

Cellphone theft sometimes leads to identity theft if the victim stores important information on the device, Roberson said.

While Roberson said thieves can always find at least some value from a stolen phone, he agreed with Chicago police who said that Apple’s Find My iPhone or AndroidLost can make theft less attractive by locking out other users.

“ Tracing the movement of devices once they are stolen can be a challenge. As reported in an earlier report produced by the MDTP WG, the relationship between mobile phones, subscribers, and operators makes this difficult to track.
The MDTP WG observes that broader international efforts are essential to stemming mobile device theft. Mobile device theft is “an intrinsically transnational issue as stolen phones can be moved easily across borders to avoid detection, often being connected to organized crime.”34 Given this, the MDTP WG attempted to obtain information during our conversations that would assist with identifying where devices stolen in the United States go. Most of the countries expressed an interest in attempting to locate and share data on this point, but as of today, the MDTP WG has not obtained any additional information.”

https://transition.fcc.gov/bureaus/oet/tac/tacdocs/reports/2018/11.30.18-MDTP-WG-Report-and-Recommendations.pdf

1 Like

Unless it really does need an internet connection to use the wallet?

Another option is that the phone may use some heuristics to decide to phone home periodically, such as after every reboot, or after an extended offline period. I feel like apple software does things like this already: sometimes I’m inexplicably asked to renter my iCloud credentials.

As you can imagine this detail is key to me. Her phone went off the grid (in find my) pretty promptly. I did mark lost mode, but that still says pending. According to Apple, that would reach the phone if it gained internet access OR if it got plugged into a Mac or pc and tried to be activated.

Something in me wants to stare at Find My for the rest of my life hoping our long lost child comes home to papa. But mostly I know it never will. Still, I will keep it in (pending) lost mode just to lock them out.

Oh duh that makes sense. Your phone doesn’t have to be on the net but their system does, and theirs can do the checking.

1 Like

anecdotally, my partner left her iPad Mini in an airport waiting for a flight. We put it “Lost Mode”, notified the airline, and then months went past, until we assumed it was gone forever. Literally six months later, American Airlines contacted us about the iPad, and FedExed it to our office. The battery was dead, but once I charged it back up, it returned to normal.

Obviously a different scenario than pickpockets in Rome, but the system can work.

1 Like

I think what we’re running into here in part is personal variation in levels of risk. It’s very likely that Apple’s protections are good and that the thieves won’t be able to access the credit cards, but we know that nothing is guaranteed. So if you’re highly risk averse, you’ll cancel your credit cards. If you’re less so, you’re more likely to assume Apple’s protections are sufficient. Neither is right or wrong—they’re just different reactions based on personal beliefs about the world.

I would note, however, that not canceling the cards does have one benefit. If any fraudulent transactions come through, you’ll know that Apple’s protections were insufficient, whereas if the cards are never used, Apple’s protections probably held up. The only downside is that there might be a problem contesting fraudulent transactions if you didn’t report the cards as potentially compromised. :slight_smile:

4 Likes

Much of that info is old/out of date (The Verge, 2013), and/or comes from a security firm trying to get you to buy their services (Trustonic, 2019), who provide little in the way of specifics on the actualities of the matter – instead opting for generalisations about phone theft and ‘potential’ ID theft from them. That doesn’t make it so.

Additionally, much of the relevant parts (i.e. not the irrelevant parts concerned with theft from supply chain, et al.) is merely saying what I quoted Glenn as mentioning: thieves may be able to wipe and resell devices. That’s not the same as getting any of the info off up to date devices, circa mid-2021.

While Roberson said thieves can always find at least some value from a stolen phone, he agreed with Chicago police who said that Apple’s Find My iPhone or AndroidLost can make theft less attractive by locking out other users.

^Precisely.

But as @ace says, risk is in the mind of the beholder. So if you really want to cancel cards, that is of course your prerogative. :wink:

Absolutely yes. This was actually my first suggestion. Some banks (like Citibank Bank Of America) let you do this from their web interface. You can log in, see all the virtual cards on your account (including ApplePay) and selectively delete them.

I haven’t seen this on other banks, but maybe you can call their customer service people.

Definitely better than canceling the primary card number, if you have the option.

1 Like

Where do you do this? I’ve got two Citibank cards I’ve added to my Apple Wallet, but I can’t see them anywhere in Citibank’s web interface, including under the Virtual Numbers section.

I apologize. I misremembered. It’s not Citibank but Bank of America that offers this.

From the BofA web site, click on your card to get to its page. Then click the “Information & Services” tab. Scroll down a bit and look for the “Digital Wallets & Virtual Cards” paragraph in the “Features” section. Click on “Edit Settings” below that paragraph.

From there, you can see all of the Apple Pay, Google Pay and Samsung Pay virtual cards associated with the account. From there, you can lock, unlock and delete the virtual cards.

2 Likes

Ok, I found it for my BofA cards. I didn’t know that was available, thanks!